Our offices are closed between Christmas and New Year, click to see our opening times.

Find out more

Information Law

Our Data Protection and GDPR team advises on all aspects of the General Data Protection Regulation (GDPR), data protection compliance, Freedom of Information Act (FOIA) and delivers dynamic and practical advice to clients across a wide variety of sectors including education, housing, healthcare, charities, retail and e-commerce.

More about Data Protection and GDPR

Our expertise is well demonstrated by our contributions to publications such as advice for educational institutions from The Key and the Department for Education GDPR Toolkit. In addition, our Data Protection and GDPR Law team have published two books - 'GDPR for School: A Practical Guide' and 'Covid-19, Homeworking and the Law'.

Advice tailored to you

Our Data Protection and GDPR team advises on all aspects of the General Data Protection Regulation (GDPR), data protection compliance, Freedom of Information Act (FOIA) and delivers dynamic and practical advice to clients across a wide variety of sectors including education, housing, healthcare, charities, retail and e-commerce.

Our Expertise

Our Expertise

  • Providing outsourced data protection officer services to a range of both private and public sector organisations;

  • Advising and handling personal data breaches including immediate mitigation, advice relating to notification of the ICO and individuals where appropriate and remedial steps to mitigate the fallout of any personal data breach;

  • Handling complaints to and liaising with the ICO on behalf of clients in respect of complaints made to the ICO about the way in which requests under the GDPR, FOIA and the EIR have been handled and the alleged misuse of personal data. In particular, we recently defended a client in relation to a complaint made to the ICO about its handling of a FOIA which led to the finding by the ICO that there had been no breach of the FOIA;

  • Drafting contractual agreements including data processing agreements, data sharing agreements and drafting contractual clauses in commercial agreements to ensure the relevant FOIA, data protection and EIR clauses are included and/or are fit for purpose;

  • Providing training courses and seminars to staff. We regularly provide tailored training sessions to educational clients to ensure staff are aware of developments and legal issues affecting their day-to-day role.

  • As Data Protection and GDPR often ties in with Information Technology policies and agreements, we also offer a range of other services for your business. Click here to see our IT services.

Additional Information

Data Protection and GDPR Services

We can tailor our services to suit each client's requirements. As examples we have undertaken:

  • One-off external compliance reviews

  • Document and policy reviews

  • Bespoke staff and Board training

  • Handling complex information requests (often in the context of disputes or litigation)

  • Reactive compliance support

Data Protection Officer support services are operated as a retainer with contact time and a document review included, plus incident support.

Information Law FAQs

What are the consequences of not complying with the GDPR?

The consequences of failing to comply with the GDPR are serious. Organisations can be fined up to a maximum of 20 million Euros or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. In addition, individuals have the right to claim compensation if they suffer distress or loss as a result of a breach of the GDPR.

Do we need a DPO?

The GDPR requires an organisation to appoint a DPO if it is a public authority, carries regular and systematic monitoring of individuals on a large scale or if it processes special categories of personal data on a large scale. However, you can decide to appoint a DPO in order to assist in your organisation's ability to comply with the GDPR even if you are not legally obliged to do so.

What documents do we need to be GDPR compliant?

The GDPR places an emphasis on an organisation's accountability for how it uses personal information. This means that you will need to demonstrate that you are GDPR compliant by ensuring a culture of data protection throughout your organisation. This includes having appropriate measures and records in place to demonstrate your compliance. This may include a data protection policy, data breach policy and procedure, subject access policy and procedure, data retention policy, record of processing activity, privacy notices and contractual arrangements with suppliers to ensure GDPR compliance. More or less documentation may be required depending on the nature of your organisation.

Do we need to keep a record of processing activity?

Most organisations are required to maintain a record of their processing activities, covering areas such as the reasons why they are processing personal data, data sharing and how long information is kept for. If organisations have less than 250 employees, they will be exempt from the requirement to keep a record of processing activity unless their processing activities are risky, frequent or include special categories of personal data. As employers, the information organisations obtain from employees often contains special categories of personal data and therefore it will be rare that an organisation can rely on this exemption. Therefore, most organisations will be required to keep a record of processing activity.

Does every single breach of the GDPR need to be reported?

It is mandatory to report a personal data breach under the GDPR to the Information Commissioners Office (ICO) if it's likely to result in a risk to individual's rights and freedoms. Therefore, if the data breach poses a risk to an individual (e.g. risk of discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage) then the data breach should be reported to the ICO within 72 hours.

Can we carry on using existing consents obtained under the Data Protection Act 1998?

The GDPR does not require organisations to automatically refresh any existing consents. However, the GDPR does make it clear that if you want to rely on consent obtained pre-GDPR (under the Data Protection Act 1998) the consents must meet the GDPR standard (e.g. affirmative, opted-in consent). If the consent does not meet the GDPR higher standard or the consents are poorly documented members will need to seek fresh GDPR compliant consent in order to comply with the GDPR.

Is business to business marketing affected?

The rules on consent and marketing do not apply to 'corporate subscribers' (e.g. companies, LLPs, and government bodies). The GDPR only applies to living individuals and therefore a company does not fall within this definition. However, the definition of 'corporate subscribers' does not include sole traders. Sole traders will have the same protection as individuals under the GDPR. In addition, it should be noted that individuals working for a company are protected under the GDPR. Therefore, if marketing correspondence is being sent to a personal corporate email address (e.g. [email protected]) rather than a generic company email address (e.g. [email protected]), that individual will have data protection rights under the GDPR and have the right to stop any marketing being sent to that type of email address.

How long do consents last?

The GDPR does not set a specific time limit for consent. It will degrade over time and it certainly does not last forever. Organisations will need to keep consents under review and consider refreshing consents at user-friendly intervals.

What are the consequences of not complying with the GDPR?

The consequences of failing to comply with the GDPR are serious. Organisations can be fined up to a maximum of 20 million Euros or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. In addition, individuals have the right to claim compensation if they suffer distress or loss as a result of a breach of the GDPR.

Do we need a DPO?

The GDPR requires an organisation to appoint a DPO if it is a public authority, carries regular and systematic monitoring of individuals on a large scale or if it processes special categories of personal data on a large scale. However, you can decide to appoint a DPO in order to assist in your organisation's ability to comply with the GDPR even if you are not legally obliged to do so.

What documents do we need to be GDPR compliant?

The GDPR places an emphasis on an organisation's accountability for how it uses personal information. This means that you will need to demonstrate that you are GDPR compliant by ensuring a culture of data protection throughout your organisation. This includes having appropriate measures and records in place to demonstrate your compliance. This may include a data protection policy, data breach policy and procedure, subject access policy and procedure, data retention policy, record of processing activity, privacy notices and contractual arrangements with suppliers to ensure GDPR compliance. More or less documentation may be required depending on the nature of your organisation.

How can we maintain data protection compliance whilst staff are working from home?

Many organisations will have a significant, if not entire, proportion of their workforce working remotely. Whilst staff work remotely, organisations still have legal obligations to ensure technical and organisational measures are in place to keep personal information secure. We recommend reviewing all your remote working policies, provide training on your remote working policies to those members of staff who do not usually work remotely, raise awareness of the importance of data protection - in particular of the risk of handling paper documents outside the office, the risk of theft of personal devices and the importance of encrypting emails containing confidential or sensitive information and remind staff of your data breach procedure and the importance of reporting breaches to your employer.

Is it safe to allow staff to access our systems from their own personal devices?

As there is now a significant proportion of the workforce working remotely, many organisations are permitting staff to work remotely on their own personal devices (commonly known as 'Bring Your Own Device' or BYOD). Organisations should consider how staff are to access the organisation's network while working remotely. Whether access to data should be restricted via a specific app or the use of encrypted email protocols should be considered by organisations. Also, accessing the organisation's network via an unsecure "coffee house" network could increase the risk of data being lost. Therefore, use of a secure VPN when not connected to the organisation's network should be a fundamental requirement. We recommend reviewing your BYOD policy and consider what training staff need to enable business continuity whilst ensuring personal information remains secure.

Do we need to keep a record of processing activity?

Most organisations are required to maintain a record of their processing activities, covering areas such as the reasons why they are processing personal data, data sharing and how long information is kept for. If organisations have less than 250 employees, they will be exempt from the requirement to keep a record of processing activity unless their processing activities are risky, frequent or include special categories of personal data. As employers, the information organisations obtain from employees often contains special categories of personal data and therefore it will be rare that an organisation can rely on this exemption. Therefore, most organisations will be required to keep a record of processing activity.

Does every single breach of the GDPR need to be reported?

It is mandatory to report a personal data breach under the GDPR to the Information Commissioners Office (ICO) if it's likely to result in a risk to individual's rights and freedoms. Therefore, if the data breach poses a risk to an individual (e.g. risk of discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage) then the data breach should be reported to the ICO within 72 hours.

Can we carry on using existing consents obtained under the Data Protection Act 1998?

The GDPR does not require organisations to automatically refresh any existing consents. However, the GDPR does make it clear that if you want to rely on consent obtained pre-GDPR (under the Data Protection Act 1998) the consents must meet the GDPR standard (e.g. affirmative, opted-in consent). If the consent does not meet the GDPR higher standard or the consents are poorly documented members will need to seek fresh GDPR compliant consent in order to comply with the GDPR.

Is business to business marketing affected?

The rules on consent and marketing do not apply to 'corporate subscribers' (e.g. companies, LLPs, and government bodies). The GDPR only applies to living individuals and therefore a company does not fall within this definition. However, the definition of 'corporate subscribers' does not include sole traders. Sole traders will have the same protection as individuals under the GDPR. In addition, it should be noted that individuals working for a company are protected under the GDPR. Therefore, if marketing correspondence is being sent to a personal corporate email address (e.g. [email protected]) rather than a generic company email address (e.g. [email protected]), that individual will have data protection rights under the GDPR and have the right to stop any marketing being sent to that type of email address.

How long do consents last?

The GDPR does not set a specific time limit for consent. It will degrade over time and it certainly does not last forever. Organisations will need to keep consents under review and consider refreshing consents at user-friendly intervals.

Our dedicated Governance, Procurement & Information team

daniel-milnes.jpg

Partner, Governance, Procurement & Information

Daniel Milnes

Gemma Duxbury.jpg

Partner, Governance, Procurement & Information

Gemma Duxbury

Laura Rae.jpg

Solicitor, Governance, Procurement & Information

Laura Rae

Contact Us

If you have an enquiry then please fill in your details and someone will contact you.

0800 689 0831 - Monday - Friday: 09:00 - 17:00

Request a call back

Please note that our offices will be closed from midday, Friday 20th December 2024

The offices will be open as usual on Monday 23rd December 2024.

The offices will then be closed from Tuesday 24th December through to Wednesday 1st January (inc), reopening as usual from 2nd January 2025.

The emergency contact number during this time is - 01772 220022 or 01254 675050.