Data Protection
Lawyers

Personal data breaches occur when persons data has been accidentally or unlawfully:

• Destroyed
• Lost
• Altered

Disclosed without authorisation, whether that be accidentally or deliberately.

What is required when a breach happens?
Under the GDPR, it is required that when certain types of breaches involving personal data occur, these will need to be reported to the relevant supervisory authority within 72 hours of becoming aware of it. Following on from this, should the breach be of such a high risk to the data subject, they should be informed without delay.

Records will need to be maintained by the party who is liable for the breach. The way in which you will need to assess the breach is to identify the risk the breach poses to the data subject’s rights and freedoms as well as the severity of that risk. We would recommend legal advice is taken at that stage, if not, documentation is key to being able to justify why a breach has not been reported.

However, with appropriate measures to prepare for, manage and react to data breaches and ultimately reduce the possibility of their occurrence, it is possible that certain breaches do not have to be reported. It is therefore key to establish how in your day to day business, breaches could occur. It is very easy for these to happen, for example leaving your phone on the train or sending an email to the wrong recipient. Certain scenarios require simple solutions; however this will not always be the case.

Should a breach need to be reported, Article 33 of the GDPR sets out what needs to be reported when a breach occurs, this includes:

• The nature and extent of the personal breach.
• Who your Data Protection Officer or other point of contact is, and their contact details.
• What are the likely consequences of this data breach.
• Measures taken by yourself as the controller to address and mitigate the effects of the breach itself.

Any failure to disclose a breach, even if this be due to internal analysis suggesting it does not need to be reported, may result in the aforementioned fines. Therefore advice should always be sought in these scenarios.

Our skilled dispute resolution team can help individuals and businesses to resolve disputes relating to data protection. This may include disputes about the processing of personal data, the right to erasure, and the right to object to processing.

We can help businesses to comply with data protection legislation, such as the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This includes advising on data collection practices, data storage and security, and data sharing.

In order to demonstrate compliance with the GDPR and, perhaps more importantly, to mitigate any enforcement action by the Information Commissioner’s Office, businesses should put in place:

• Privacy notices (both internal and external) telling staff and the outside world what they are doing with their personal data.
• A data handling policy which sets out the businesses policies and practices staff must follow when handling personal data. This document will protect the business if a staff member acts beyond their powers and causes a data protection breach.
• Processing agreements in any situation when a controller / processor relationship arises. This document is required under the GDPR and will have a list of prescriptive clauses that must be contained within it setting out the responsibilities of the processor to the controller.
• A data protection officer (if required under the GDPR).
• A process to consider international transfers of personal data to ensure they are lawful by, for example, putting in place standard contractual clauses or other appropriate safeguard.
• A process to test their internal reporting pathways so if, for example, a data subject access request is received at reception there is a pathway to make sure it is provided to the responsible individual in order it can be dealt with in the required timeframes.
• A process to regular test the security of personal data including the IT systems and physical security at the business premises.
• A training program to ensure staff are aware of their responsibilities and are adequately trained in relation to data protection.

The right to make a data subject access request (DSAR) is a key element of the protections contained in the UK General Data Protection Regulation (UKGDPR).

Although a right of an individual to access data held about them has long been a part of data protection legislation, the development of digital technology has led to a massive expansion in the amount and nature of the data being processed, particularly in the employment context.

We have seen a particular increase in the number of DSARs being brought by employees. These requests are frequently made in the context of an ongoing or potential dispute or tribunal or court claim.

It is also important that employers have key documentation in place before getting to the stage of receiving and handling a data subject access request, as this sets the foundation for the legal basis on which they are processing employee data and the steps to take when an employee seeks to enforce their data rights.

Subject access requests (SARs) are a fundamental aspect of data protection regulations, granting individuals the right to access and understand how their personal data is being used. The UK data legislation does not set out formal requirements for a valid request and therefore an individual can make a SAR verbally or in writing. It is therefore important that you are able to recognise when a SAR has been made against other routine verbal enquiries. Our services focus around assisting businesses in efficiently and compliantly handling such requests in a timely manner. You will have a legal deadline within which you must respond to all SARs.

While SARs are most commonly made in a consumer or employment context, they can also arise outside of this relationship and be made in a professional services context, for example when a former client makes a request to their former advisor.

Whatever the context, with our expertise, businesses can confidently manage SARs, demonstrating commitment to data transparency and privacy.

We work with clients to understand their data flows and how they use data. This enables us to provide a compliance report.

An audit, on site or remotely, to assess current data compliance and to recommend steps toward compliance. This is undertaken through a tailored audit or questionnaire.

Outsourced Legal Solutions
By outsourcing your legal requirements this could result in cost savings by reducing operational costs, giving you access to specialised expertise and reducing your administrative burden to enable you to focus on your core competencies.

Our services include:

• Data Audit
• Commercial Audit
• Commercial Contract Audit
• Intellectual Property Audit
• Intellectual Property Management
• Immigration Audit