GDPR, Data & Privacy

Our team offers practical steps to address the legal, business and reputational risks associated with data protection & privacy issues.

SA Law's Data & Privacy team comprises data protection, employment, commercial and litigation teams, allowing us to give the full spectrum of advice from supplier relationships to staff issues and managing client data correctly.

We can help you and your business with a range of compliance issues and related matters including:

  • UK General Data Protection Regulation (UK GDPR) compliance
  • Privacy & Electronic Communications Regulations (PECR) compliance
  • Critical compliance advice in corporate transactions
  • Strategic advice on merger and harmonisation of databases following acquisition
  • Data protection policies, privacy notices and compliance documents, including advising on opt-ins and opt-outs
  • Advising and assisting on responding to Data Subject Access Requests (DSAR), often in the context of other litigation
  • Advising companies on how to handle and manage data breaches and your ICO reporting obligations
  • Compliance audits to ensure your business is complying with its UK GDPR and Data Protection Act 2018 obligations
  • The structuring of contracts and compliance procedures
  • Partnership, joint venture (JV) and affinity arrangements
  • Advising on privacy and compliance matters for website platforms and mobile applications, including the use of cookies
  • Freedom of Information (FOI) Act and compliance, including drafting FOI clauses in contracts and advising on how to respond to information requests

What is the UK GDPR and Data Protection Act 2018?

The UK GDPR is the retained EU legislation previously known as the GDPR, now sometimes referred to as the EU GDPR. The Data Protection Act 2018 is the UK statute which provides a framework for data protection law in the UK (replacing the Data Protection Act 1998). The legislation sets out the key obligations and requirements for the way personal data is handled when dealing with customers, employees, suppliers and other individuals, and the consequences for UK organisations if they do not comply.

What now?

This legislation is now 4 years old, so it is a good time to review your practices with respect to Data Protection & Data Privacy. The ICO have reported record fines in recent years for failures to comply with the law in this area, so it is important to ensure considerations around data, privacy, security, risk and compliance are an integral part of your business operations.

Whilst retaining the EU GDPR as the UK GDPR helped ensure the UK was successful in securing an adequacy decision from the EU on 28 June 2021, it was always envisaged that the UK would look to diverge from the EU GDPR more significantly post-Brexit. The Government have now committed to dealing with this during the present Parliamentary term by way of a new Data Reform Bill. At this stage, the exact mechanics of the new Bill are not known; however, the general premise is expected to include measures that are less prescriptive, with a view to removing some of the more onerous data protection obligations UK businesses currently face. It is hoped that this will allow businesses to take a more risk-based approach to their own data protection measures, proportionate to their individual business needs and resources, with a move away from the ‘one-size-fits-all’ model.

For now, however, the existing regulations still stand and the ICO continues to issue fines for non-compliance (in addition to the increasing number of civil claims being issued in the court by individuals who have suffered data breaches). Ultimately, we would expect that if you are already confident with your UK GDPR compliance, any changes in the law should be relatively limited in their impact, although we will need to watch this space carefully.

Also waiting in the wings is the long-awaited reform of PECR, in particular on the use of cookies and online consent for the processing and handling of personal data.

If you would like any advice in this area, please do not hesitate to contact a member of the Data Protection & Privacy Team. 

Get in touch

Use our handy contact form to send us your enquiry. We’ll direct it to the right legal expert and respond as quickly as possible. It costs nothing to make an enquiry and it is entirely confidential.

See our privacy notice to find out how we use and protect your data.

If you would like to contact a specific member of the SA Law team, you can view all team profiles here
