Data Protection, SAR and GDPR Compliance
We advise on all aspects of compliance with the Data Protection Act 1998 and related legislation such as the Privacy and Electronic Communications Regulation 2003.
Our areas of expertise include:
- Application of the Privacy Regulations to marketing campaigns
- Assistance with investigations and proceedings brought by the Information Commissioner’s Office
- Contracts relating to data processing by third parties and data security
- Evaluating whether you have consent or other entitlement to deal with personal data
- General interpretation and advice relating to all data protection legislation
- Transferring data overseas
Getting ready for the General Data Protection Regulation
The General Data Protection Regulation (GDPR) was finally adopted in 2016 by the European Union institutions and becomes law with direct effect on 25 May 2018.
The GDPR is the most far-reaching reform of data protection law in over three decades. It will replace the Data Protection Act 1998 in its entirety.
Key reforms include the need to consider the data protection aspects of everything you do “by design” and “by default” based on privacy impact assessments, notification of data security breaches to the Information Commissioner’s Office and tighter rules relating to data subject consent. Risks and liabilities are increased if you contract out any data processing activities to other parties. Financial and other penalties for not complying with the GDPR will be significantly greater.
Brexit is unlikely to have any long-term effect on the shape of future data protection laws in the UK, so charities must begin planning for compliance now.
We can help with the following:
- Advising in respect of your transition to the new compliance requirements
- Helping you build in data protection by design and by default in all of your activities and processes
- Supporting your data protection officer
- Reviewing your privacy impact assessments
We regularly draft and/or review a wide range of business agreements, terms and conditions and compliance policy documents for charities and many of these will regulate the manner in which intellectual property rights or personal data are used. We act for charities that both receive and supply goods and services, so we understand critical issues from both perspectives.
Subject Access Requests
It is common for charities to receive Subject Access Requests (SARs) from service users or staff. The Data Protection Act 1998 provides living individuals with the right to request disclosure of their personal data which is being processed by the charity. This right will be preserved under the GDPR. While the purpose of this right is to check the accuracy of personal data, the motivation behind such requests may vary depending on the circumstances.
SARs can generate a substantial administrative burden but we will support you so that you are not distracted from the daily business of running the charity. We will guide you through the charity’s response to such requests, ensuring that it complies with its statutory duties and does not breach the data rights of any third party in the process. We will help you identify which data fall within the scope of the SAR and where statutory exemptions apply, and present the disclosure in accordance with essential statutory requirements.
Please contact one of our specialists who will be happy to discuss your matter with you:
Gordon Reid: 01483 464224
Laurie Heizler: 01483 464272
Ben Collingwood: 01483 464204
Kenji Batchelor: 01483 464248