GDPR Consultancy Services

The Data Protection Act 1998 has been replaced by the Data Protection Act 2018 which incorporates the General Data Protection Regulation 2016 (GDPR) – EU legislation which harmonises the rules across the European Union concerning how personal data is used.

The new legislation builds on the 1998 principles, but the main differences concern giving the data subjects (individuals like you) greater rights over their personal data.

The legislation came into force on 25 May 2018, but whilst the Information Commissioner’s Office (ICO) wanted businesses to work towards compliance by this date, it was never to be viewed as a deadline but rather the start of a new regime for your business.

Every business, whether large or small, should be compliant with GDPR and must keep all internal decisions and policies concerning personal data under constant review.

What we offer

Are you trying to get your head around what GDPR actually is?

Are you struggling to understand what impact GDPR has on your business?

You are not alone – there is so much information available online that it is difficult to know where to look and what to focus on first.

We would be delighted to meet the key people in your business to give you a brief overview of the law, but more importantly to discuss with you how you use personal data.  Every business has different types of personal data and uses personal data in different ways, so we recommend that each business has a working party of people from different parts of your organisation so that you have different views.  That initial discussion will enable us to get a good picture of how you use data from the people on ground.

Once you understand the key points and we have discussed the issues likely to be relevant to your organisation, the working party will need to carry out a data mapping exercise.  This will enable you to understand how you receive or obtain personal data, how each part of your business uses that data, where it is stored and where and why you send personal data outside your organisation.  We can help you undertake a data mapping exercise and then analyse the results with you so that you can plan the practical next steps.

Lots of organisations are concerned about GDPR and whether it will stifle their ability to do business: we will provide you with the practical, commercial tools to navigate compliance to ensure that you are still able to carry on your business.

Data protection in employment

In an employment context, data protection/privacy policies will need to be updated and clearly communicated to staff.  Awareness and training are essential to safeguard against data breaches and potential fines.  Information will need to be provided to staff regarding the processing of their personal data and their rights under the new data protection legislation.

Due to the imbalance of power between employer and employee, seeking consent of the employees is unlikely to be applicable as most organisations will be able to process most personal information relying on a lawful basis such as legitimate interest.  However, equal opportunities policies should be reviewed as they record special category data to ensure that they are not linked to staff or a candidate.

Some organisations monitor staff, which can be a “high risk” activity and would normally require a data protection privacy impact assessment to be undertaken.  Also, this may require explicit consent from staff unless there is a lawful basis for processing the personal information.

Staff making a data subject access request (SAR) has proved to be problematic for many organisations.   This is likely to continue, as under the new data protection legislation  there is no longer a fee to pay and the time to comply with a SAR has been reduced from 40 days to one month.  An organisation can refuse to comply with a SAR but there are certain conditions that must be met and we can advise you on this if you receive a SAR.

Charities and data protection

Personal data is fundamental to the work of many charities.  As well as being critical to fundraising campaigns, it is essential for communications with service users, members and other stakeholders.

The new GDPR will require every charity to take action of some sort, but in many ways it is not a new issue and a common-sense approach can be applied. Fundamentally, every individual whose personal data you hold must understand what you are using it for, and your use of the data must be reasonable. The GDPR is not overly prescriptive and if you are involved in running a charity you can, in the light of the GDPR, the ICO’s guidance and your charity’s circumstances, make your own decisions about what data you collect and why, who you share it with and how you protect it.

There is a lot to consider, and GDPR will bring compliance challenges on top of the already increasingly tough stance on data protection being taken by the ICO, the Charity Commission and the Fundraising Regulator. We can support you by examining how the GDPR will affect your charity and help you to gear up for the GDPR in relation to any potential areas of vulnerability.

Corporate and commercial data protection

We offer a broad range of services, depending on what you need: after carrying out the data mapping exercise, you may need to revise your privacy policy, your terms and conditions of sale and/or purchase, and you might need to review other contractual arrangements with customers and/or suppliers.  We can give you bespoke fee options for any drafting assistance you might need.

Have you had requests from customers and/or suppliers asking you what you have done to demonstrate compliance with GDPR?  As well as responding to these requests, it might be appropriate for you to direct some queries to third parties so that you are comfortable with anyone to whom you pass personal data – we can discuss and plan this with you so that you can satisfy yourself that businesses with whom you contract are also taking their responsibilities seriously.

You might also need to consider raising awareness of data protection issues within your organisation – we would be delighted to hold small workshops with your staff, or help you prepare for delivering workshops yourself.

And do not forget: GDPR is here to stay, so you need to remain vigilant as changes take place within your business to ensure that the internal rules and processes you put in place are followed and any new processes are put in place at the relevant times.  We are here to provide you with practical guidance at every step.

General Data Protection Regulation (GDPR) Training Packages

IBB’s data protection and GDPR lawyers can keep your business or organisation on the right side of the GDPR obligations. If you would like advice on the new regulations, GDPR training packages or any of our other services please call 03456 381381 or email corporate@ibblaw.co.uk.