Information & Data Protection Law
Every business has the responsibility of managing, controlling and protecting personal information and data of clients, staff and third-party providers.
Our data protection team works with clients to ensure their businesses comply with data protection regulations, and also advises those who have found themselves in breach of them.
Some areas we have particular expertise in are as follows:
- Compliance Process Design: Tailoring compliance processes, including notices and policies, to meet legal standards.
- Policy and Procedure Review: Conducting thorough reviews of internal and external policies and procedures.
- Contract Review: Analysing data protection clauses within contracts to ensure compliance.
- Data Handling Obligations: Ensuring adherence to obligations regarding data handling and processing.
- Data Breach Advisory: Providing guidance on managing data breaches and notifying the ICO as required.
- Subject Access Requests: Assisting with data subject access requests and navigating new rights under GDPR.
- Compensation Defence: Defending against compensation claims made by individuals.
- Data Retention Management: Advising on data retention schedules and appropriate record destruction timelines.
- Database Transactions: Facilitating the buying and selling of databases in compliance with legal requirements.
How to Engage our Data Protection Solicitors
As a first step, we offer either an initial no-cost, no-obligation 20-minute video call to discuss your circumstances, after which we can provide you with a relevant fee estimate, or, if the situation is more straightforward and you are looking mainly for initial advice and guidance, a fixed fee appointment.
To book one of these, please send an initial email to wewillhelp@jonathanlea.net (with a brief description of the matter) and one of our team will liaise with you to fix a time to speak to an appropriate specialist and send you a calendar invite accordingly.
What are the relevant data protection laws?
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018 (DPA)
- The Privacy and Electronic Communications Regulations 2003 (PECR)
What should I include in my business’ data protection policy?
Whilst there is no legal obligation to develop a data protection policy, having one can be very useful for ensuring your business’ compliance with regulations so we highly recommend implementing one. We would recommend including factors such as:
- An outline of your approach to ensuring GDPR compliance
- The importance of information and data protection
- Identification of the person responsible for data protection (Data Protection Officer)
- What staff training will take place and how frequently training will occur
- Where and how data will be stored
- How often the policy document will be reviewed
When is it lawful to process personal data?
There are six lawful ‘bases’ under Article 6 GDPR on which personal data can be processed:
- Consent: the individual has consented to the use of their personal data
- Contract: data processing is needed to perform a contractual obligation
- Legal obligation: to ensure compliance with a legal obligation
- Vital interests: data processing is needed to protect the ‘vital interests’ of the relevant individual
- Public interest: data processing is in the public interest
- Legitimate interest: it is necessary for the purposes of the legitimate interests of the controller or a third party, except where these are overridden.
How long should personal data be retained?
Personal data should only be stored for the necessary duration to fulfil its intended purpose. Once this has been achieved, it should be securely deleted.
What should I do if I receive a Data Subject Access Request (DSAR)?
Firstly, it is important to verify the identity of the individual requesting the data. Once their identity has been verified, their information should be gathered and clearly presented to them within one month.
What should I do if my business is in breach of data protection law?
You should promptly contact the individuals affected by the breach if it poses a high risk to them, and report the breach to the Information Commissioner’s Office within 72 hours of becoming aware of it.
What could happen if my business does not comply with data protection laws?
Failure to comply with data protection regulations can have serious implications for your business, including hefty fines, potential lawsuits from affected individuals, and restrictions on your ability to process data, all of which can damage your reputation. Therefore, compliance is essential.
Do I need to appoint a Data Protection Officer?
Your business will need a Data Protection Officer if it is a public body or where its core activities involve regular, large-scale monitoring of data, or the data you are processing relates to criminal convictions and offences.
Request a Free No Obligation 20 Minute Call
This introductory call is to discuss your matter so we can provide a well-considered quote.
However, please be aware that the free 20 minute call is at our discretion. If you are looking mainly for advice and guidance on an initial call, we may instead offer a one-hour fixed fee appointment.
Our fixed fee appointments are between £200 and £300 + VAT depending on the seniority of the solicitor taking the call.