DATA PROTECTION & GDPR LAWYERS


Data protection affects almost every business in every sector. Regardless of their size, companies must comply with the principles, rights and obligations of the General Data Protection Regulation (GDPR). Navigating your way through the guidance on your own can be a daunting experience and getting it wrong can be a very costly mistake. The issues can be complex and many businesses benefit from specialist support to ensure they are fully compliant.

How we can help:

Our team of data protection solicitors at Jamieson Law are experts in GDPR compliance. We cover all aspects of UK GDPR, EU GDPR and the California Consumer Privacy Act. If you are a UK, Irish, New York or California based business owner, we’re here to advise you.

Starting a new business?

Our GDPR specialists will explain how data protection law affects your business, providing advice that is tailored to your exact needs. We’ll walk you through your obligations, breaking down the process into simple and manageable steps. We will then help you get the right policies, procedures and processes in place. With our support, you and your business will be compliant with all current legislation from the start of your journey.

Already an established business?

If you are an established business, keeping your company’s data protection policies and procedures up to date is essential. Our team of solicitors offer a GDPR health check, carrying out a comprehensive audit of your existing business practices. Taking into account the nature of your business and the type of data you handle, we will identify any areas of weakness or non-compliance. We will then provide you with targeted advice and a plan of action to get you back to full GDPR compliance.

Data protection can seem like an overwhelming subject for many businesses, but it doesn’t have to be. With our support, you’ll be GDPR compliant and set up for success.

For more information on the types of data protection services we offer, explore our bite-sized examples below, or contact us for a free initial consultation.


Registering with the Information Commissioner's Office (if UK based)

What is the Information Commissioner’s Office and why should I be registering with them?

The ICO is the UK’s independent authority which was set up to uphold data and information rights. This office deals with data protection and freedom of information in the UK.

Any organisation or sole trader that processes personal data must register with the ICO and pay a data protection fee (unless exempt). Almost all businesses process personal data in one way or another, so it is likely you will need to register. This is an annual fee that ranges from £40 to £2,900, although for most businesses it is likely to be between £40 and £60.

Take the ICO self-assessment here - https://ico.org.uk/for-organisations/data-protection-fee/


Ensuring the correct clauses are in their contracts

Do I need data protection clauses in my contracts?

It is definitely a good idea to cover this in your contracts (it depends on the type of contract, but client contracts and employment contracts should almost certainly cover this). This could be a clause in your contract that covers how you process and store data, for how long, and so on, giving the other party assurance that you are compliant with data protection regulation.


Doing regular reviews of their own internal data security procedures

How often should I be reviewing my business’s internal data protection procedures?

These should be reviewed at LEAST once a year, but we’d recommend doing this quarterly. Remember that you need to keep up to date with new requirements and changes that are implemented.


Registering with the Data Protection Commission (if Ireland based)

What is the Data Protection Commissioner and why should I be registering with them?

The DPC is the Data Protection Commissioner, a national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. Some organisations have to register with the DPC and are also required to appoint a DPO (Data Protection Officer). However, not everyone has to register with the DPC. You can check if you need to register here: https://www.dataprotection.ie/


Carrying out due diligence on their data processors

Why do I need to carry out due diligence on my data processors?

Carrying out due diligence checks on data processors is a requirement under GDPR/UK GDPR. This is to guarantee that data processors will implement the appropriate and proper technical and organisational measures to meet data protection requirements.

We can undertake due diligence checks for you, including data security checks, audit requests and so on.


Putting data processing agreements in place

What is a Data Processing Agreement?

This is an agreement between a data controller and a data processor. The data controller is the person or business who determines the purpose and the way personal data is processed, and the processor is anyone who processes personal data on behalf of the controller.

GDPR/UK GDPR requires that any data processing carried out by a data processor for a data controller be governed by a written contract – this contract is the Data Processing Agreement. It regulates the activities of data processors regarding personal data.


Having the right privacy policy and cookies policy in place

Do I need a privacy policy and a cookies policy?

If you have a website and you collect personal information, you need a privacy policy and a cookies policy. All companies processing data of EU or UK citizens need to tell users how their personal data is used. A privacy policy outlines what personal information you are collecting and how you use it. You also need to tell website users if you set cookies and explain what they do.

You need consent from users. This means you need a cookies banner that pops up on your website every time someone visits it.

If you don’t have these policies, it means you are not making your website users aware of how you’ll be using and disclosing their data, which can lead to ICO fines.


Preparing internal GDPR policies

What are internal data protection policies and why do I need them?

Internal data protection policies (or internal GDPR policies, as they were previously called) are used to inform an organisation’s staff how the business complies with data protection rules and what steps they need to take to make sure the data is protected.

They are needed to cover a number of matters, including data storage, subject access requests, when personal data is and is not personal data, and who to escalate to if there is a problem.


FREQUENTLY ASKED QUESTIONS ABOUT

Data Protection

Data protection, and the legislation governing it, controls how organisations use personal information. Anyone managing personal data must ensure that the data they hold is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • accurate and, where necessary, kept up to date
  • kept no longer than is necessary
  • used in a way that is adequate, relevant, and limited to only what is necessary
  • handled in a way that ensures appropriate security

Personal data covers things like names, locations and addresses, such as an email address, IP address or home address.

The Data Protection Act (DPA) 2018 governs data protection in the UK.

You’ve probably heard of General Data Protection Regulation (GDPR). This is an EU law that the UK implemented via the Data Protection Act 2018.

The DPA 2018 is the UK’s version of GDPR.

General Data Protection Regulation is an EU law governing data protection and privacy. The UK implemented GDPR into its own domestic law via the Data Protection Act 2018.

GDPR is known as the toughest privacy and security law in the world, due to its stringent rules and regulations relating to the collecting and processing of data in the EU.

GDPR does not apply in the UK. The UK’s own regulation, the Data Protection Act 2018, contains GDPR requirements, rights, and obligations. This means that, post-Brexit, not much has changed for UK businesses.

The EU recognises the Data Protection Act 2018 and the EU retained law version of GDPR as offering the same level of protection as GDPR, which means information can flow freely between the EU and the UK.

It probably is genuine. The ICO go through Companies House to see who has, and who hasn’t, registered with them. If you’ve received a letter, despite having had your business for a while, this is probably what has happened.

If you aren’t sure, always get in contact with the ICO or check their website.

Data protection breaches are one of the most common pitfalls for businesses. The fines can be large, even if the breach is unintentional.

The UK Data Protection Act 2018 set a maximum fine of £17.5 million, or 4% of annual global turnover (whichever is greater).

Under EU GDPR, the maximum fine is €20 million or 4% of annual global turnover.

This is California’s version of GDPR. Introduced in 2018, it is sometimes known as the CCPA. It’s not as strict as GDPR and should be considered if you or your clients are based in California.


UK office: Summit House, 4-5 Mitchell Street, Edinburgh EH6 7BD

Ireland office: Cushenstown, Garristown, Meath, A42 FY83

*We’re regulated by the Law Society of Scotland and our Irish firm is regulated by the Law Society of Ireland. This doesn’t mean we can only advise Scottish or Irish clients - we work with clients across the UK and Ireland on business and brand protection matters. We do not deal with matters surrounding disputes and litigation. We are qualified in English, Scots and Irish law. We can also advise on New York and California law.*
