Data Protection Compliance

If your business deals with people living in the UK or EU then it will be subjected to stringent data protection rules which control how information capable of identifying them is collected, used and stored.

This includes information about your staff, your customers and suppliers, prospective purchasers and even individual contracts within your professional network.

Compliance with the rules — contained in the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act (DPA) — is crucial, as fines for non-observance can be up to €20 million or four per cent of your worldwide annual turnover, which ever is higher.

At IMD Solicitors, our commercial solutions lawyers are on hand to advise you on your data protection obligations and to offer support if you run into difficulties.

We are easily accessible, with offices across the UK and Europe and can usually work for a fixed-fee so there are no nasty surprises when it comes to cost.

Key UK and EU data protection obligations

Headline requirements include:

• ensuring you have a lawful basis for the collection and processing of personal data — such as a legitimate business need, express consent from the person concerned, a contractual entitlement or a legal obligation;
• being open and honest about the personal data you gather, the purpose for which it will be used and for how long it will be stored;
• publishing a privacy notice so people are clear on your personal data policy;
• responding promptly to requests from individuals who want to know what data you hold about them known as subject access requests);
• ensuring prompt compliance with requests for the rectification or erasure of data from individuals who have a right to insist on this;
• putting in place procedures to ensure personal data is accurate at the point of collection and is kept up-to-date, that is is only retained for as long as needed and that once redundant it is securely destroyed; and
• reporting notifiable breaches of the data protection ruled to the appropriate regulatory body and, where required, to affected individuals.

How can we help

Our services include:

• advising new start-ups on data protection requirements;
• carrying our data protection audits for established businesses to ascertain current levels of compliance and any gaps that need to be plugged;
• undertaking data protection reviews as part of the legal due diligence process during a business merger or acquisition or when entering a joint venture;
• drafting data protection policies and procedures, including privacy notices and staff manuals on arrangements for data retention and destruction;
• ensuring marketing activities are GDPR and DPA compliant and that where they take place online they also meet the requirements of the EU Privacy and Electronic Communications Regulations;
• negotiating GDPR and DPA-compliant contracts with third parties with whom personal data will be shared, including under outsourcing arrangements;
• providing support with the processing of complex subject access requests;
• resolving complaints from individuals about how their personal data has been handled or your refusal to comply with a request for data rectification or erasure;
• liaising with the UK data protections regulator — the Information Commissioners Office — following an alleged breach of the data protection rules;
• defending civil proceedings brought by an individual seeking compensation for a failure to respect their data protection rights; and
• devising a damage limitation strategy to contain the financial and reputational fallout where a confirmed data breach has occurred.

We can also provide training for your staff to help them understand the data protection rules you are bound by and the importance of complying with any policies, procedures or safeguards you introduce to ensure your obligations are met.