Many businesses collect and process personal data in their daily operations. Sensible and lawful management of this data is crucial to maximise its commercial value and to reduce the risks involved.

As big data and personal data plays an increasingly important role for businesses, so too has the regulatory framework grown. In 2018 alone, the UK’s Data Protection Act (2018) took effect, together with the European Union’s General Data Protection Regulations (GDPR). Likewise, several pieces of enhanced consumer privacy legislation were passed in the United States.  Accordingly, companies are now required to comply with increasingly tighter legal requirements regarding their use of personal data, including mandatory policies and notifications of breaches.

We assist our clients in navigating through this complex area, with risk-based and comprehensive advice, informed by our experience of communications, technology and international issues. We often work in cooperation with leading technology consultants to achieve practical and technical solutions. This enables our clients to align their commercial strategy with the applicable data protection requirements and manage the legal risks.

If companies fail to comply with the data regulations, they face significant sanctions, fines and prosecution – or even legal claims from the owners of the data. We offer our clients practical legal advice, and have particular expertise in the following areas:

  • Commercial Negotiations. We review, negotiate and draft a wide range of commercial contracts, always with the view to minimise any potential risks arising from other parties, consumers, and regulatory authorities;
  • Data subject requests. We assist our clients with both routine data subject access requests, as well as more complicated or contentious requests arising in employment contexts. We also provide the internal policies and guidance;
  • Data breaches. We have assisted several international communications and digital asset management companies with the aftermath of data security incidents, including reporting to the relevant authorities. We also provide in-depth internal policy documents related to IT security and breach mitigation;
  • International data transfers. We provide clients with the advice and solutions needed to facilitate restricted transfers of personal data outside the UK and the EEA through compliant transfer mechanisms such as the EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA) and Binding Corporate Rules (BCRs). We also provide data exporters with a range of compliance toolkits and guidance such as mapping data flows and conducting tailored transfer risk assessments in order to implement the appropriate transfer mechanism; and
  • Corporate documents and employee policies. We have extensive experience drafting a wide range of privacy-related policies and notices. In particular, we regularly provide clients with bespoke privacy notices for their websites and apps, employee privacy policies, recruitment and HR documents, data retention policies, acceptable use and monitoring policies, and social media guidelines.

For further information, you can download our Data Protection Brochure, or contact Jose Saras.