GDPR & data protection

The General Data Protection Regulation (GDPR) will come into force in the UK on 25 May 2018. The GDPR is a new law that significantly extends and strengthens the current law on data privacy. The new regime is, in part, intended to force a cultural change in how organisations protect the personal data of private individuals and to bring the law up to date with advances in technology. It is much stricter than the current regime, and the ICO will have the power to impose much greater financial penalties for non-compliance: up to 4% of your annual global turnover for the preceding financial year or €20 million (around £18 million), whichever is greater.

All organisations that hold and process personal data must be compliant. They will also be required to actively demonstrate compliance with the new regulations. It is crucial that all organisations take action now to prepare adequately for the GDPR and to maintain and demonstrate compliance from 25 May 2018 onwards.

Preparing for GDPR

Preparing for GDPR can be a real challenge and will be a huge task for many organisations. The GDPR is likely to have a particularly significant impact on sectors that routinely handle large amounts of special categories of personal data (currently called sensitive personal data), such as medical records. It may be mandatory for you to appoint a Data Protection Officer for your organisation under the GDPR. You may be uncertain about the new regulations and how to apply them in practice within your organisation. The challenge also extends well beyond the weeks and months immediately following the implementation of the GDPR: all organisations will face the challenge of adequately maintaining compliance in the future.

We are here to help you

If you are preparing your organisation for the GDPR, find yourself facing a complaint, court proceedings or an ICO investigation for a breach of data protection law, or are simply keen to ensure that your organisation has adequate procedures in place to minimise the risk of a breach occurring, then we can help. Call us now on 0203 816 9274.

We can assist with a wide range of specific services, including:

Data Protection Officer (DPO) Services

There’s a lot to think about when it comes to complying with data protection law…

We are here to take away the stress – allowing you to concentrate on your business.

One of our data protection experts can act as your DPO and handle everything from audits to staff training. As lawyers, we can also handle issues that many DPOs can’t, such as defending legal claims and representing you at court.

Services include:

  • Data processing/GDPR compliance audit
  • Addressing compliance issues arising from audit
  • Drafting/updating necessary data protection policies
  • Data protection impact assessments
  • Drafting/updating privacy notices
  • Conducting staff training
  • Dealing with subject access requests
  • Dealing with other issues relating to the rights of data subjects e.g. requests relating to the “right to be forgotten”
  • Dealing with complaints relating specifically to data protection matters
  • First point of contact with the ICO
  • Reporting, monitoring and advising on data breaches and providing regular reports relating to data protection matters to the board

What are the advantages of outsourcing your DPO role to us?

  • Peace of mind.  As a law firm, we are uniquely placed to handle all aspects of your compliance with data protection law – including compliance with the General Data Protection Regulation (GDPR).
  • Cost effective. Our services are competitively priced and can save you the cost of employing a DPO as well as the other costs involved such as training.
  • We can handle your legal representation* as well as your compliance meaning that you won’t have to worry about finding specialist lawyers to assist with a data privacy case.
  • Our regulatory, commercial and employment law teams work closely together to provide you with a comprehensive service.  We can provide you with practical advice and assistance regarding all areas of law that affect the day to day running of your business – working together to provide you with an efficient and highly cost effective service.  We also work closely with Stephensons Risk Management Ltd to assess and provide for all your insurance needs – often an easy win when it comes to ensuring that your insurance cover meets your needs for the best possible price*. 

*Cost of legal representation/litigation, commercial and employment law advice and services and advice and services from Stephensons Risk Management Ltd not included with this service.

Data Protection/GDPR compliance audits for mergers and acquisitions

If your organisation is looking to acquire another business or should you be planning to merge with another company, compliance with data protection law including the GDPR will be an important aspect of your due diligence.  If you are looking to ensure that you or the company that you are interested in acquiring are compliant, we can assist you with a compliance audit.  We can offer competitive fixed fee services for our compliance audits. 

Data protection/GDPR compliance audit and advice

If you are currently preparing for the GDPR, or if you are otherwise concerned about whether your organisation complies with data protection laws, whether your policies and procedures are adequate, whether your staff have adequate training or whether your organisation may be vulnerable to a data breach, then we can help by reviewing your processes and procedures. We can then advise you on the areas where you may be vulnerable and explain what you should do to minimise the risk.

As part of a data protection audit, we will visit you on-site and talk to you about your current procedures. We will review any current data protection policies you have and examine all areas where your organisation carries out data processing activities. We will then provide you with a written report setting out the results and identifying the areas where you may need to improve in order to be compliant.

If you are preparing for the GDPR, a data protection audit is the ideal starting point and an essential step in demonstrating your compliance and conforming to the GDPR’s accountability principle.

Data protection impact assessments (DPIA)

Data protection impact assessments help organisations to plan for significant changes by anticipating how those changes might affect compliance with data protection laws and the legal rights of individuals when it comes to data privacy. They incorporate the “privacy by design” principle by putting data privacy compliance at the heart of new projects and ventures. They enable businesses to anticipate problems and avoid the costs that can come with non-compliance. Looking to the future, they will enable organisations to comply with the GDPR’s requirement for data protection by design and by default.

Situations where you should definitely conduct a data protection impact assessment include projects that will use new or upgraded technology and any high-risk processing, i.e. processing that is likely to result in a high risk to the rights and freedoms of individuals. Examples include systematic and extensive evaluation of individuals, including profiling, that influences decisions with legal or similarly significant effects; large-scale processing of sensitive personal data (known as “special categories” of data under the GDPR) or of personal data relating to criminal convictions or offences; and large-scale systematic monitoring of publicly accessible areas, including the use of CCTV or other surveillance methods and systems.

If you are engaged in processing of this nature or if you are embarking on a new project, we can assist you with a DPIA and help you prepare properly.

Drafting and amending data protection policies, procedures and privacy notices

Policies and procedures are a critical part of any organisation’s compliance with data privacy law. They are likely to be the first port of call for the ICO should there be an investigation. They are also likely to form an important part of defending any legal claims brought against your organisation relating to data privacy issues.

It is essential that you have adequate policies and procedures in place. The detail of your data protection policies will depend on the nature of your organisation and the types of data processing activities that you engage in. Depending on the nature of your business, you may have a number of policies relating to different aspects of data protection, or a single policy covering up to 30 different aspects of data protection.

We can help you to identify which policies and procedures you should have in place for your business and how to implement them. We can assist you with drafting, amending and updating policies where required, as well as with staff training.

Drafting and amending contracts, service level agreements and terms and conditions

The GDPR requires you to ensure that contracts and service level agreements with your third-party processors make adequate provision for data privacy. You will be required to ensure that your agreements set out clearly the rights and obligations of each party. Ensuring that your agreements are up to date and properly drafted will not only help you to comply with the GDPR; it will also assist you in seeking redress if a data processor mishandles data for which you are the data controller, and in defending complaints and litigation brought by an individual following a data breach. This will be critical under the GDPR, given that data controllers can be held jointly liable for data breaches committed by their data processors.

We can assist you with reviewing, drafting, amending and updating contracts, service level agreements and terms and conditions.

Data protection compliance health-check

If you are not presently facing any complaints or legal claims but you are concerned about your organisation’s compliance with data protection laws and are looking for an indication as to whether you are compliant, contact us now for a health-check.  We will talk to you about your current data processing and identify areas that you should address to improve compliance. 

Staff training

Staff training is an essential part of ensuring compliance with data protection law. A large proportion of data breaches are caused by human error. Training your staff regularly can help to ensure that your employees are aware of their obligations under the law and know how to spot potential problems. Being able to demonstrate that you have trained your staff properly is a crucial element of ensuring your compliance with the General Data Protection Regulation (GDPR) and is likely to be one of the first things that a regulator would want to see in the event of an investigation. We recommend that you train new staff on induction and provide regular refresher training to existing staff.

We can provide you with user-friendly, plain-speaking and straightforward training on all aspects of data protection law, including the GDPR. We can provide longer, more in-depth sessions or short refresher sessions depending on your needs; all sessions are designed to be practical and easy to follow. We can also provide bespoke training specific to your sector, so that your staff receive practical guidance designed to assist them in their day-to-day roles.

Subject access requests (SAR)

If you have received a subject access request (SAR) and you are unsure about how to deal with it, then we can advise you.  It is important to deal with such requests in accordance with the rules specified by the law. Failure to do so could lead to complaints and potentially fines being imposed. This could also leave you vulnerable to compensation claims being brought against your organisation via the courts.  The rules regarding what information you have to provide in response to a SAR can be complex.  We can advise you if you have received a SAR.  We can also respond to the data subject on your behalf. 

Assistance with complaints and ICO investigations

If a customer or client has made a complaint against your organisation concerning a breach of data protection, then we can help. We can advise you fully about how to deal with a complaint. We can advise you regarding the individual circumstances of the complaint and deal with the matter on your behalf. It is important to respond to complaints adequately and promptly. Failure to respond properly could result in further costly action being taken against your company.

If a complaint has been referred to the Information Commissioner’s Office (ICO), then we can help you with this. We can advise you fully regarding the complaint and what steps you should take. We can correspond with the ICO on your behalf.

Assistance with data protection breaches, defending data protection litigation and defending ICO prosecutions

If your organisation has suffered a data protection breach, or if you are concerned that a breach may have occurred, then we can assist you. We can advise you on how to contain the breach and what steps you should take immediately afterwards to minimise the damage and prevent the breach from happening again. We can also advise you on when you are required to report a breach to the ICO (under the GDPR, without undue delay and where feasible within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals) and when you must inform the affected data subject(s).

We can advise you fully regarding each individual case and assist you in taking the appropriate action. If your organisation is sued or if you have received a letter from a customer, or a solicitor acting on their behalf, informing you that they intend to sue your company for an alleged breach of the Data Protection Act, misuse of private information or breach of confidence, then we can assist. We can advise you fully regarding the claim, how you might be able to defend against it and what you should do in response. We can write to complainants and their solicitors on your behalf and represent you at all stages in the case including any court proceedings and hearings.

Data protection team

  • Stuart Crook
  • Carl Johnson