Knowing exactly what you need to do to be GDPR compliant is one thing; putting in place the practical measures to prevent data breaches is another. The rules are wide ranging. Robust and proportionate processes, relative to your commercial objectives, are essential to mitigate risks from diverse threats.

Our team’s deep data protection knowledge has developed over years of work in this complex and evolving area of law. We can support your in-house teams and data protection officers, either as a one-off exercise or through ongoing advisory support. Here are some examples of how we can help:

• Advising on vulnerabilities and what you need to do to fix them.
• Compiling a data asset register to keep track of your data processing activities.
• Drafting protocols for staff responding to consent queries and subject access requests (SAR/DSAR).
• Drafting GDPR-compliant contracts with clauses to control how contractors use personal data and protect your business in the case of a data breach.
• Advising on the best way forward when you wish to change how you use personal data.
• Putting in place an effective response strategy in case of a data breach.

GDPR gives individuals specific rights over their personal data, but the rules are more complex than simply responding to a customer’s request. We can help you understand the commercial impacts of how these rights affect your business so you can prevent data breaches while keeping all the data you’re entitled to keep.

Businesses don’t have a choice about GDPR compliance—it’s a critical legal obligation. Developing an organisation-appropriate strategy is essential to avoiding costly penalties and maintaining customer trust.

Data protection is not a one-time task or a simple tick box exercise; it requires ongoing diligence and attention to detail. Our team is here to help streamline your compliance efforts and prevent an unnecessary diversion of resources. We can help you:

• Conduct compliance risk assessments and bespoke data-protection audits.
• Develop privacy policies that communicate the way you process data in a GDPR-compliant way while protecting your business interests.
• Draft and review contractual terms and conditions, including reviews of data sharing agreements.
• Conduct privacy impact assessments, for example, ahead of moving data out of your organisation to outsourced IT or business suppliers.
• Navigate legal updates as and when they arise, such as in relation to international data transfers, ensuring you have everything in place to remain compliant.
• Analyse and adapt practices to comply with similar legislation in other jurisdictions that may affect your organisation.

The extent to which a data breach affects your business will largely depend on how efficiently it is detected, contained and managed. While the GDPR does not explicitly require a business to have a breach response plan in place, having one can stop you going into panic mode and ensures that your organisation can anticipate and manage the consequences that may follow.

Our experienced team can assist you from the moment that a breach is first identified to the conclusion of ICO investigations and beyond. We can help you:

• Verify whether a data breach has occurred and whether reporting is necessary.
• Where relevant, report a self-identified breach to the ICO within the 72 hour time limit.
• Contain the breach quickly to prevent further damage.
• Positively engage with the ICO following an individual complaint or breach notification.
• Respond to information requests from the ICO.
• Navigate an ICO investigation.
• Negotiate settlements with data subjects affected by the breach.
• Manage the reputational impact of the data breach.
• Prepare for any civil litigation that may follow a data breach.

We have valuable insight into the way complaints are handled by the regulator and can engage appropriately on your behalf to mitigate the fallout from the breach. We can also recommend strategies to prevent future breaches—saving you time, money and your reputation.

Data Processing Agreements (DPAs) set clear expectations between data controllers and data processors to delineate accountability under GDPR. They’re often used alongside a master service agreement when services are contracted out that involve processing personal data on behalf of the customer.

DPAs can be complex. Blindly accepting the other party’s DPA may leave you exposed. How do you know the data will be deleted at the correct time, or if appropriate technical measures are in place? Have you done your due diligence on the provider to check whether breaches have previously occurred? Are you clear on the chain of liability for international data transfers?

As data protection experts, we can help you evaluate the actual risk against the proposed service activities, and give advice on any areas that need attention. We can also draft, check and negotiate DPAs that clearly articulate all responsibilities and obligations, reducing the potential for disputes or misunderstandings down the line.

When an individual asks to see their personal information, you, as an organisation, have one month to comply with their request, free of charge. This can be extended to two months in limited circumstances where you’re swamped with requests from the data subject or are dealing with a particularly complex case. Either way, dealing with SARs can be a significant burden on your time-pressed team.

Not every request will be legitimate, and not every request will require full disclosure. Some might fall under a statutory exemption, for example. It’s critical to determine this early on so you move quickly with validated requests.

After identifying the specifics of an SAR, our team can help you formulate an appropriate response and assemble the information you need to supply. This might include redacting confidential information before sending a response to the data subject. We can also advise on how to manage particularly burdensome requests or those you believe are made in bad faith.

The ICO has the power to take enforcement action against a controller or processor if they fail to comply with data subject access requests. Alongside handling specific requests, we can help you streamline the process for searching and reviewing the data and train your team on best practices to ensure SARs get handled consistently and efficiently.

Any business that manages payroll from Romania or IT support from India will, quite obviously, be transferring personal data overseas. Less obviously, Software-as-a-Service vendors that store personal data in the cloud may also be transferring data from one country to another. To maintain your compliance with GDPR, it’s important to understand how far your responsibilities extend and then put proper measures in place.

Transfer risk assessments may need conducting before any personal data crosses UK borders. Data transfers to certain “approved” third countries are permissible without any further safeguards; for other countries, you’ll need to comply with specific contractual clauses. These may be set out in the International Data Transfer Agreement or another mechanism, depending on whose personal data is being transferred and where.

Our specialist data protection solicitors can help you make sense of these complex rules. We’ll make sure you’re using the correct mechanism for international data transfer, and that the rules themselves are appropriate to your business. We can also draft bespoke data processing agreements when you need them to ensure a level of security appropriate to the risk.