
Data protection

Supporting you in ensuring compliance with data protection legislation

As technology has advanced in recent years data, and specifically personal data, has become a central component of the vast majority of businesses. At the same time, a more strictly regulated legal framework has developed around privacy and data protection.


  • Key contact: Patrick Wheeler, Partner - Head of IP & Data Protection


Ensure your data protection practices are up to date with our CB Comply training package


Compliance as a competitive advantage

Regardless of size or location, businesses must ensure they are collecting, storing and using individuals’ personal data lawfully. Whilst it may seem onerous, good practice with regard to data privacy is, and will continue to be, crucial for your business from both a regulatory and reputational perspective, and strong compliance can certainly give you a competitive advantage.

Since the coronavirus pandemic, many businesses have implemented hybrid working procedures, adding another layer of complexity when it comes to securing personal data and preventing breaches.

If you are uncertain of the current compliance position of your business or think there may be areas of data security still to be addressed and improved, you need advisers who can devise a practical and effective compliance strategy for your business now and in the future.

Our Data Protection team supports businesses across a wide range of industries in ensuring compliance with data protection legislation, including the GDPR and the Data Protection Act 2018.

We offer a range of services, including:

  • An assessment of your business to evaluate your current policies and procedures and identify any GDPR compliance requirements;
  • Helping you to create and implement a pragmatic compliance programme, tailored specifically to your business and aligned with your commercial objectives;
  • If a data breach does occur, or if you receive a data subject access request, our DSAR and breach response support will assist you in dealing with the incident swiftly and efficiently, ensuring the least possible disruption to your business and your clients; and
  • Providing GDPR training to staff and/or management to ensure that data protection issues and potential issues can be recognised and dealt with before they become major challenges to your business.

Data protection work highlights


Advising a wine platform

We advised a wine platform on their online terms and conditions and related documentation.

Data subject access requests (DSARs)

We have assisted several clients with the assessment, analysis, preparation and response to wide-ranging data subject access requests (DSARs), including the analysis and categorisation of very substantial quantities of data. We have also advised on a wide variety of UK GDPR policies and procedures, impact assessments and data transfer documentation.

Providing commercial advice on data protection agreements

Advising a global multinational on data processing agreements and other data privacy-related matters.

Spotlight

E-Commerce Agreements

As the opportunities for digital businesses grow, so does the legislation. E-commerce regulations, distance selling regulations, consumer protection from unfair trading, electronic marketing regulations, GDPR and their international equivalents – all these regulations need to be complied with before you can sell online.

We specialise in helping businesses navigate the complex area of e-commerce law, including the additional complexities associated with operating your businesses in foreign countries over the web. Our advice includes:

  • Website and mobile app development agreements
  • Hosting agreements
  • IT services contracts
  • Software licence agreements
  • Terms and conditions of sale to consumers, including cooling-off periods and cancellation
  • Website terms of use
  • Protecting intellectual property on the site (images, content, artwork)
  • Privacy and cookies policies
  • Data processing agreements and agreements governing international transfers of personal data
  • Contracting with overseas customers, clients and suppliers
  • Compliance with industry-specific regulatory requirements, such as secondary ticketing for events
  • Agreements for platforms acting as an online intermediary service
  • Harmonisation between your terms of business and other commercial contracts, such as distribution agreements.

Our commercial solicitors have experience drafting all types of e-commerce agreements, with a thorough understanding of laws relating to online trading. Whatever your commercial objectives, we are confident we have a solution that achieves the dual goals of preserving the customer experience while ensuring your company is well protected from risk.


Cookie Taste Test

We are offering a free taste test to let you know quickly whether or not your website’s existing cookies recipe is compliant with the latest requirements under UK laws.

You will receive a follow-up email with your baking results and the chefs’ personal review of your cookies.


Breach prevention

Knowing exactly what you need to do to be GDPR compliant is one thing; putting in place the practical measures to prevent data breaches is another. The rules are wide-ranging. Robust and proportionate processes, relative to your commercial objectives, are essential to mitigate risks from diverse threats.

Our team’s deep data protection knowledge has developed over years of work in this complex and evolving area of law. We can support your in-house teams and data protection officers, either as a one-off exercise or through ongoing advisory support. Here are some examples of how we can help:

  • Advising on vulnerabilities and what you need to do to fix them.
  • Compiling a data asset register to keep track of your data processing activities.
  • Drafting protocols for staff responding to consent queries and subject access requests (SAR/DSAR).
  • Drafting GDPR-compliant contracts with clauses to control how contractors use personal data and protect your business in the case of a data breach.
  • Advising on the best way forward when you wish to change how you use personal data.
  • Putting in place an effective response strategy in case of a data breach.

GDPR gives individuals specific rights over their personal data, but the rules are more complex than simply responding to a customer’s request. We can help you understand the commercial impacts of how these rights affect your business so you can prevent data breaches while keeping all the data you’re entitled to keep.

Compliance

Businesses don’t have a choice about GDPR compliance—it’s a critical legal obligation. Developing an organisation-appropriate strategy is essential to avoiding costly penalties and maintaining customer trust.

Data protection is not a one-time task or a simple tick box exercise; it requires ongoing diligence and attention to detail. Our team is here to help streamline your compliance efforts and prevent an unnecessary diversion of resources. We can help you:

  • Conduct compliance risk assessments and bespoke data-protection audits.
  • Develop privacy policies that communicate the way you process data in a GDPR-compliant way while protecting your business interests.
  • Draft and review contractual terms and conditions, including reviews of data sharing agreements.
  • Conduct privacy impact assessments, for example, ahead of moving data out of your organisation to outsourced IT or business suppliers.
  • Navigate legal updates as and when they arise, such as in relation to international data transfers, ensuring you have everything in place to remain compliant.
  • Analyse and adapt practices to comply with similar legislation in other jurisdictions that may affect your organisation.

Data breach response

The extent to which a data breach affects your business will largely depend on how efficiently it is detected, contained and managed. While the GDPR does not explicitly require a business to have a breach response plan in place, having one can stop you going into panic mode and ensures that your organisation can anticipate and manage the consequences that may follow.

Our experienced team can assist you from the moment that a breach is first identified to the conclusion of ICO investigations and beyond. We can help you:

  • Verify whether a data breach has occurred and whether reporting is necessary.
  • Where relevant, report a self-identified breach to the ICO within the 72-hour time limit.
  • Contain the breach quickly to prevent further damage.
  • Positively engage with the ICO following an individual complaint or breach notification.
  • Respond to information requests from the ICO.
  • Navigate an ICO investigation.
  • Negotiate settlements with data subjects affected by the breach.
  • Manage the reputational impact of the data breach.
  • Prepare for any civil litigation that may follow a data breach.

We have valuable insight into the way complaints are handled by the regulator and can engage appropriately on your behalf to mitigate the fallout from the breach. We can also recommend strategies to prevent future breaches—saving you time, money and your reputation.

Data processing agreements

Data Processing Agreements (DPAs) set clear expectations between data controllers and data processors to delineate accountability under GDPR. They’re often used alongside a master service agreement when services are contracted out that involve processing personal data on behalf of the customer.

DPAs can be complex. Blindly accepting the other party’s DPA may leave you exposed. How do you know the data will be deleted at the correct time, or if appropriate technical measures are in place? Have you done your due diligence on the provider to check whether breaches have previously occurred? Are you clear on the chain of liability for international data transfers?

As data protection experts, we can help you evaluate the actual risk against the proposed service activities, and give advice on any areas that need attention. We can also draft, check and negotiate DPAs that clearly articulate all responsibilities and obligations, reducing the potential for disputes or misunderstandings down the line.

Data subject access requests

When an individual asks to see their personal information, you, as an organisation, have one month to comply with their request, free of charge. This can be extended to two months in limited circumstances where you’re swamped with requests from the data subject or are dealing with a particularly complex case. Either way, dealing with SARs can be a significant burden on your time-pressed team.

Not every request will be legitimate, and not every request will require full disclosure. Some might fall under a statutory exemption, for example. It’s critical to determine this early on so you move quickly with validated requests.

After identifying the specifics of an SAR, our team can help you formulate an appropriate response and assemble the information you need to supply. This might include redacting confidential information before sending a response to the data subject. We can also advise on how to manage particularly burdensome requests or those you believe are made in bad faith.

The ICO has the power to take enforcement action against a controller or processor if they fail to comply with data subject access requests. Alongside handling specific requests, we can help you streamline the process for searching and reviewing the data and train your team on best practices to ensure SARs get handled consistently and efficiently.

Data transfers across borders

Any business that manages payroll from Romania or IT support from India will, quite obviously, be transferring personal data overseas. Less obviously, Software-as-a-Service vendors that store personal data in the cloud may also be transferring data from one country to another. To maintain your compliance with GDPR, it’s important to understand how far your responsibilities extend and then put proper measures in place.

Transfer risk assessments may need to be conducted before any personal data crosses UK borders. Data transfers to certain “approved” third countries are permissible without any further safeguards; for other countries, you’ll need to comply with specific contractual clauses. These may be set out in the International Data Transfer Agreement or another mechanism, depending on whose personal data is being transferred and where.

Our specialist data protection solicitors can help you make sense of these complex rules. We’ll make sure you’re using the correct mechanism for international data transfer, and that the rules themselves are appropriate to your business. We can also draft bespoke data processing agreements when you need them to ensure a level of security appropriate to the risk.

