Discreet Legal Advice Around GDPR
We provide discreet legal advice around GDPR, including responding to data breaches. We help clients with everything from getting to grips with the complexities of compliance questionnaires from third parties, to drafting governance and compliance structures, to the review of specific contracts for HR or for third parties such as new IT systems.
Privacy Impact Assessments (PIAs)
You might be building a new IT system, developing a new app or buying a new product. Under GDPR, you must show that you are thinking about data protection from the outset of the development of a new project or initiative. A PIA allows you to identify the risks to the data subjects of how you use personal data while developing the system, in order to take steps to reduce or eliminate risks and identify those within the organization who should be accountable.
Responding to Data Breaches
From the theft of a laptop to a hack or an email attachment being sent to the wrong recipient, personal data breaches are inevitable. The key is how you respond to them. Under GDPR, personal data breaches must be reported to the regulator within 72 hours.
We advise businesses, including those in technology, professional services and membership organisations, on how to respond to data protection breaches. We also help them proactively design and test breach response plans to reduce risk and to use best practice in their data protection policies, procedures and wider governance.
We have also helped firms to deal with the immediate aftermath of a Data Protection Breach and comply with their various legal and regulatory responsibilities.
Personal Data Storage
Under GDPR, data should be used for its specific purpose and then deleted after a reasonable length of time, bearing in mind any other statutory responsibilities. Having an effective data retention policy that reflects the storage and deletion of different types of data sets is now essential. Indefinite spamming of decades-old email contacts is no longer an option!
Specific Informed Consent
This is essential to confirm the basis of processing personal data. Under GDPR, personal data can only be processed under one of 6 headings:
- Specific Informed Consent
- Legitimate Interest
- Vital Interest
- Public Task
- Legal Obligation
A practical impact arises where a website takes registrations for a newsletter. “Bulk consent” via a single tick-box is no longer acceptable when a data subject signs up for a newsletter or service where their data might be used for several different purposes. Consent is required for each specific activity that the data will be used for, and personal data should only be used for the purpose it was collected for.
Personal Data Cannot Leave EEA
If you are using servers in the cloud to host personal data, the personal data of EU citizens cannot leave the European Economic Area (EEA). There are mechanisms for allowing personal data to leave the EEA, including model contract clauses and binding corporate rules, as well as the EU/US Privacy Shield where the US is involved, but as a rule personal data needs to remain in the EEA; hence companies from Facebook to Apple, Microsoft and Google operate extensive data storage facilities in Europe.
Right to Be Forgotten
An organisation must demonstrate that it has deleted all unnecessary data related to an individual and that they will not be contacted by the organisation again. Where personal data is stored on multiple systems or on infrastructure that does not allow for a “hard” deletion of data, effective plans need to be in place to comply with the spirit of the right to be forgotten.
Right to Data Portability
This means ensuring that a data subject can receive a full set of their data in a format of their choosing (i.e. in a usable format and on the media of their choice).
Subject Access Request (SAR)
Data subjects are entitled to receive a full copy of their personal data within thirty days of a request. Organisations need to be able to handle a potential increase in the volume of SARs in good time.
Appointment of a Data Protection Officer (DPO)
Under GDPR, all organisations with more than 250 staff must appoint a DPO and register them with the regulator, while smaller organisations may also need to appoint a DPO given the volume or sensitivity of the data that they are handling. We provide training and support for DPOs.
Website Privacy Policies
These must reflect how personal data is collected, stored, retained, transmitted and deleted. They also need to confirm how a user can avail themselves of the various rights that they have under GDPR.
Website Cookie Schedules
Many website cookies obtain user data such as IP addresses and supply data to third parties. Cookies must be clearly listed on your company’s website and consent obtained for their use, even if they are just analytics or session cookies.