Obligation to comply with the UK GDPR / GDPR
Being outside the UK or EEA does not absolve an organisation of responsibility for compliance with the UK GDPR / GDPR. Whether as a consequence of the extra-territorial scope provisions at Article 3 UK GDPR / GDPR, which extend the obligations to controllers and processors outside the UK / EEA, respectively, which offer goods and services to individuals in the UK / EEA or monitor the behaviour of individuals in the UK / EEA, or otherwise as a consequence of contractual obligations imposed under data processing agreements or standard contractual clauses, organisations around the world may be required to comply with the requirements of the UK GDPR / GDPR.
Our consultants advise on the application of the UK GDPR / GDPR to your organisation, the risk associated with non-compliance, and how to establish a framework for data protection compliance, and we can also act as your UK representative.
Supervisory Authority
At Handley Gill, we advise organisations on their obligation to register with relevant supervisory authorities, including the Information Commissioner, under the General Data Protection Regulation, UK GDPR and Data Protection Act 2018.
For those organisations subject to the GDPR, we advise on their main establishment and the appropriate supervisory authority.
We support organisations in developing their strategy for engaging with the relevant supervisory authority, whether as part of a regular programme or on a one-off basis as a result of an obligation to consult in connection with high risk processing or to report a data breach, for example.
UK Representative
Organisations located outside the UK, which process personal data in the context of offering goods and services to individuals in the UK or monitoring the behaviour of individuals in the UK, may be required by Article 27 UK GDPR to appoint a UK representative.
At Handley Gill, we advise organisations on their obligations to appoint a UK representative and offer UK representative services.
Data Protection Officer
Article 37 GDPR / Article 37 UK GDPR require that both data controllers and data processors appoint a Data Protection Officer if they are processing personal data as a public authority or body or if their core activities involve:
· the large scale processing of special categories of personal data;
· the large scale processing of criminal conviction and offence data; or
· regular and systematic monitoring of data subjects on a large scale.
Many organisations which are not obliged to appoint a Data Protection Officer (DPO) nevertheless choose to appoint one to build trust and provide a point of focus for data protection oversight, whereas others will want to encapsulate similar responsibilities without the additional burdens that come with appointing a formal DPO.
At Handley Gill, our consultants advise organisations on their obligations to appoint a Data Protection Officer, and provide outsourced Data Protection Officer and data protection management services on a retained or pay as you use basis. Our consultants are also able to provide data protection locum services.
Data Protection Training
While neither the GDPR nor the UK GDPR explicitly require organisations to train staff, staff training is the underpinning of any programme to implement protective measures in respect of personal data.
At Handley Gill, we can provide and, if required, deliver our introductory data protection training package for staff, as well as design and deliver bespoke data protection training packages for specific teams, like Human Resources, Customer Services, and Developers.
Our consultants have a range of industry expertise, and we can provide specialist training on the application of data protection legislation to the legal industry, processing for the special purposes of journalism, art or literature, and law enforcement processing, for example.
Our consultants also provide training and continuing professional development packages for legal and data protection professionals.
Our services also extend to preparing and delivering board briefings to support the C-Suite in managing their obligations as directors in respect of data protection risk, and to secure their support in embedding a culture of data protection and information security across the organisation, and to identify and capitalise on the opportunities that an effective data protection compliance framework offers.
Design & Development
At Handley Gill, our consultants work with product and service designers and developers to support them in adopting ‘Privacy by Design’ at the outset by translating legal obligations into practical features, to enable them to comply with the requirement under Article 25 GDPR / Article 25 UK GDPR to implement data protection by design and default, as well as to comply with the requirements of the Children’s Code / Age Appropriate Design Code where necessary.
Our consultants prepare legitimate interests assessments and data protection impact assessments, advise on the lawfulness of processing activities under data protection and other related law, identify the risk posed by processing activities, recommend proportionate mitigations to reduce risk to an acceptable level, including data minimisation and pseudonymisation, and consult with data subjects and other third parties.
Where processing nevertheless poses a high risk to data subjects, our consultants can advise on the requirement for and conduct any mandatory consultation with the Information Commissioner or other supervisory authority.
Data Collection & Exploitation
Article 5 UK GDPR / GDPR requires that personal data be processed fairly, lawfully, transparently and for a specific and explicit purpose or compatible purposes. As well as conducting a data audit to prepare records of processing activities, and preparing internal data protection standards and data handling requirements, our consultants can prepare legitimate interests assessments, data protection impact assessments (DPIAs), advise on the appropriate lawful basis(es) for processing personal data, draft privacy notices, advise on and prepare consent mechanisms, prepare template and draft bespoke data processing agreements and data sharing agreements, and advise on and negotiate the terms of data processing and data sharing agreements presented by third parties. Our consultants also advise on supplier / vendor risk management and restricted international data transfers.
In connection with compliance with the requirements of the Privacy and Electronic Communications Regulations (PECR), our consultants advise on and design cookie consent mechanisms and draft cookie policies, and advise on issues relating to the use of third-party cookies which result in international data transfers, such as Google Analytics.
Our consultants also advise on the data protection implications of merger and acquisition (M&A) activity, including in the context of administrations, and notification requirements in relation to transfers of data to a new controller.
We can act as a data intermediary, providing data stewardship functions to provide independent assurance, and also act as a consultee to represent the rights of data subjects where direct consultation is impossible or inappropriate.
Supplier & Vendor (Supply Chain) Risk Management
Data controllers are required by Article 28 GDPR / Article 28 UK GDPR to ensure that any data processors they engage offer sufficient guarantees to protect the rights of data subjects and implement the technical and organisational protective measures necessary to process personal data securely.
In practice, this means that data controllers must establish, and data processors must engage with, due diligence processes, data processor onboarding, monitoring, audit and exit procedures.
It is not only data processors, however, but all third-party organisations, particularly those in the supply chain, that pose a risk to data security.
At Handley Gill, we support our clients to establish and implement due diligence frameworks, devise and assess procurement requirements (including ITTs and RFPs), prepare template and bespoke data processing contracts and data sharing agreements, create governance and oversight programmes, design and conduct audit and monitoring procedures, and advise on remedial action.
Restricted International Data Transfers
To ensure the protection of personal data, restrictions are imposed on the transfer of personal data outside of the UK under the UK GDPR and outside of the EEA under the GDPR. The application of the rules on transfers under Articles 44 to 49 GDPR / Articles 44 to 47 and 49 UK GDPR by the courts has resulted in significant complexity and uncertainty.
Our consultants offer pragmatic solutions and can advise on potential routes for and the risk associated with restricted transfers and ensure that appropriate records and safeguards are maintained, conducting international data transfer risk assessments using our bespoke template, and preparing data processing and sharing agreements, including incorporating approved standard contractual clauses or the Information Commissioner’s International Data Transfer Agreement or Addendum.
Governance & Oversight
Data protection compliance doesn’t end once it has been determined that processing is fair and lawful.
Monitoring the risk posed by data processing activities as they evolve, maintaining the register of data processing activities, establishing and conducting a programme of audits of suppliers / vendors, revisiting data protection impact assessments (DPIAs) and responding to data subject rights requests and complaints are all necessary components of a successful data protection compliance framework. Our consultants can support you in establishing and conducting these activities to enable you to effectively identify and manage data protection risk throughout your organisation.
We also work with organisations to enable them to leverage their data protection compliance arrangements to support their Environment, Social and Governance (ESG) accountability goals.
Data Subject Rights
As well as being entitled to be provided with information relating to the processing of their personal data under Articles 12-14 GDPR / Articles 12-14 UK GDPR, subject to certain exceptions data subjects have the right to be informed whether their personal data is being processed by a data controller and if so to be provided with a copy of the personal data and other information about the processing activities (Article 15 GDPR / Article 15 UK GDPR), the right to the correction or clarification of inaccurate or incomplete personal data (Article 16 GDPR / Article 16 UK GDPR), the right to the erasure of personal data (the right to be forgotten) (Article 17 GDPR / Article 17 UK GDPR), the right to the temporary restriction of the processing of personal data (Article 18 GDPR / Article 18 UK GDPR), the right to have a copy of personal data provided to a data controller returned to the data subject in a commonly used machine readable format (data portability) (Article 20 GDPR / Article 20 UK GDPR), the right to object to processing based on legitimate interests or necessity for the performance of a task carried out in the public interest (Article 21(1) GDPR / Article 21(1) UK GDPR), the right to object to direct marketing (Article 21(2) GDPR / Article 21(2) UK GDPR), and the right not to be subjected to solely automated decision making having legal or similarly significant effects (Article 22 GDPR / Article 22 UK GDPR).
Our consultants can support you in training staff on identifying requests to exercise data subject rights, establishing procedures for managing such requests, and can advise on the obligation to respond and draft responses themselves. In connection with data subject access requests our consultants can advise on appropriate searches, review and redact relevant documents and prepare disclosure; where organisations utilise e-discovery platforms, we are happy to work with these.
We are happy to put in place fixed fee or retainer arrangements in relation to data subject access requests.
Data Breaches
The best time to manage a data breach is before it happens. It is inevitable that organisations will be subjected to cyber attacks on a daily basis, and it is impossible to guarantee that no attack will succeed. It is therefore imperative that organisations establish a clear framework for the identification and management of cyber incidents and data breaches, and that this is rehearsed in advance. Our consultants can devise an incident response plan and support you in rehearsing it, designing bespoke packages where required.
When a breach occurs, our consultants bring their expertise to supplement your existing resources, and can work with you to establish and liaise with forensic cyber security, public relations and call centre resources, and to project manage your response. Our consultants will advise on potential liability, advise on the requirement for and prepare notifications to the Information Commissioner and other supervisory and regulatory authorities, advise on the requirement for and draft notifications to affected data subjects, and liaise with the Information Commissioner throughout any investigation.
Our consultants also facilitate post-breach reviews, to make recommendations as to any necessary remedial action and lessons learned.
Regulatory Enforcement
If a data breach or allegation of unlawful processing results in a regulatory investigation leading to potential enforcement action, including the service of information, assessment or enforcement notices, or the exercise of powers of entry and inspection, our consultants can advise you on your strategy (mindful of the prospect of ensuing litigation) and liaise with the Information Commissioner and other supervisory authorities.
Our consultants have successfully acted on behalf of clients to avoid the imposition of fines or other penalties, both prior to and following the service of a notice of intent. Where penalties have been imposed, our consultants have represented clients to secure the significant reduction or set aside of penalties before the First Tier Tribunal (Information Rights).
Law Enforcement Processing
The processing of personal data for law enforcement purposes is governed by Part 3 Data Protection Act 2018 and, while many concepts are drawn from the UK GDPR, there are unique provisions applicable to this processing by competent authorities, such as police forces. These include specific provisions relating to logging and to the international transfer of personal data.
Our consultants have significant experience advising law enforcement entities on their obligations, including advising on the lawfulness of processing, preparing inter-force data sharing agreements, drafting data processing agreements, conducting data protection impact assessments, liaising with the Information Commissioner in relation to international data transfers, and establishing governance and oversight mechanisms.
Processing for the Special Purposes of Journalism, Art or Literature
While the starting point is that processing personal data for the special purposes of journalism, art or literature should comply with the requirements of the UK GDPR, the Data Protection Act 2018 establishes at Schedule 2, Part 5, paragraph 26 that in many instances compliance is not necessary where it is reasonably believed that compliance with the relevant requirement would be incompatible with the special purposes. Contrary to common belief and practice, however, that is not tantamount to a blanket exemption from the requirement to comply, but requires that organisations consider specific processing operations to determine whether and to what extent compliance may be achieved.
From conducting reviews of journalistic activities and designing and implementing compliance frameworks, to conducting data protection impact assessments and advising on safeguards in the context of specific undercover investigations, advising on responding to data subject requests pre- and post-publication, and handling subsequent complaints and investigations, at Handley Gill our consultants have immersive experience in the practice of journalism and the protection of freedom of expression and provide expert guidance on navigating data protection legislation without derailing your journalistic activities.
Handley Gill's specialist data protection consultants consider the status of CJEU judgments in UK law after the Labour government intervened to prevent section 6 Retained EU Law (Revocation and Reform) Act 2023 from coming into force and amending the European Union (Withdrawal) Act 2018, and consider several CJEU judgments addressing the processing of special category personal data, the interaction between data protection and competition law, the conduct and balancing of legitimate interests assessments, data minimisation and the status of supervisory authority decisions.