For businesses large and small, the need to address data protection and General Data Protection Regulation (GDPR) vulnerabilities has never been more pressing. From 25 May 2018, the GDPR allows regulators to impose fines for infringements of up to €20 million or 4% of your business’s global annual turnover, whichever is higher. This could have very serious consequences for your business; our specialist solicitors can help.
We regularly assist businesses of all sizes with data protection and GDPR issues. Our team will not only provide a comprehensive assessment, inventory and mapping of your data and audit your business but support you in all aspects related to data protection. To discuss your specific needs and concerns with an expert practitioner who can help, call us today on 0151 659 1070 or complete our online enquiry form and we will get back to you right away.
Our data protection & GDPR services in Liverpool, Wirral and Merseyside
As a GDPR practitioner, we can provide you with data mapping and an inventory, and then perform your Data Protection Impact Assessment to suit your business. We can:
- Conduct a data audit for your business
- Provide you with ongoing advice on access to and use of sensitive personal data in accordance with GDPR
- Support and guide you in relation to rules regarding cookies and cookie policies
- Advise in respect of data sharing, particularly in respect of sensitive data such as medical records online
- Deal with data subject access requests
- Handle issues arising under the Privacy and Electronic Communications Regulations (PECR)
- Assess and draft privacy notices
- Advise on social media issues
- Assist with reputational damage
- Provide guidance on electronic marketing and e-Communications, including supply chains
- Advise when a third party seeks to access the data of one of your customers, and inform you of your duties and responsibilities in that situation
We can also provide advice on employment issues that concern data protection and the GDPR. This includes, but is not limited to, updating employment contracts, updating privacy notices and providing advice on Data Subject Access Requests from staff.
To put our service more simply, we look at your business’s risk profile, taking account of key aspects such as staff, training, systems, business type and third-party interactions. We then determine the most suitable plan to assess the risk to your business from a legal and regulatory perspective, alongside the technical controls and insurance cover you have in place.
Data impact and privacy assessments
We will spend time with your business to go through your requirements to ensure compliance with the regulations. Data Protection Impact Assessments (DPIAs) assist your business to identify the most compliant ways to fulfil its data protection obligations and meet individuals’ expectations of privacy. They are integral to an organisation’s approach to privacy. The GDPR sets out those circumstances in which it is mandatory for a DPIA to be carried out.
Data protection & GDPR FAQs
When will my business need to carry out a DPIA?
Article 35 of the GDPR requires you to carry out a DPIA before starting any type of processing, in particular one using new technologies such as web-based applications, that is likely to result in a high risk to the rights and freedoms of individuals. The assessment must be completed before the processing begins, not after the system is live.
What is 'high risk processing'?
This covers extensive or systematic activities such as profiling, and large-scale processing of special categories of data or of personal data relating to criminal convictions or offences. It also covers large-scale processing at regional or national level affecting many individuals, where the sensitivity of the processing creates a high risk to their rights and freedoms, and the systematic monitoring of publicly accessible areas on a large scale, for example widespread CCTV coverage. The Article 29 Working Party, made up of the data protection authorities of each EU Member State (now succeeded by the European Data Protection Board, which has endorsed its guidelines), has published guidance on high risk processing and DPIAs, and this guidance has been relied on in regulatory enforcement as well as in civil actions.
What information is contained within the DPIA?
The GDPR does not prescribe a particular methodology for conducting a DPIA, so you are free to adopt a process that fits your organisation. It does, however, set minimum content in Article 35(7): a description of the processing operations and their purposes and, where applicable, the legitimate interests pursued by the controller.
There are four elements that every DPIA must contain:
- a systematic description of the processing operations and their purposes;
- an assessment of the necessity and proportionality of the processing in relation to those purposes;
- an assessment of the risks to the rights and freedoms of the individuals concerned; and
- the measures envisaged to address those risks, including safeguards and security measures, so as to demonstrate compliance with the GDPR.
How can I be certain as to what kind of assessment my business needs?
Every organisation is different and will therefore hold and process different kinds and volumes of data. To determine the right DPIA process for your business, you first need to establish what personal data your business holds, where it comes from and where it goes; Data Flow Mapping and a Data Inventory are invaluable for this and for developing the processes and systems that follow from it.
It follows that not all processes and systems will require the same type of assessment. The assessment you need depends on the type of processing activity being assessed, as well as your business’s aims with respect to privacy and data protection compliance.
What if there is a breach of the data I hold?
A personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; failing to notify is itself an infringement. The GDPR sets down two levels of fines:
1) The lower level of fine, up to €10 million or 2% of the company’s global annual turnover for the preceding financial year, whichever is higher, applies to the infringements listed in Article 83(4), which include obligations relating to:
- Integrating data protection ‘by design and by default’
- Records of processing activities
- Cooperation with the supervising authority
- Security of processing data
- Notification of a personal data breach to the supervisory authority
- Communication of a personal data breach to the data subject
- Data Protection Impact Assessment
- Prior consultation
- Designation, position or tasks of the Data Protection Officer
2) The higher level of fine, up to €20 million or 4% of the company’s global annual turnover for the preceding financial year, whichever is higher, applies to the infringements listed in Article 83(5), which include obligations relating to:
- The basic principle for processing, including conditions for consent, the lawfulness of processing and processing of special categories of personal data
- Rights of the data subject
- Transfer of personal data to a recipient in a third country or an international organisation
What if my company holds a ‘Cyber Insurance’ policy?
Having a policy of cyber liability insurance in no way absolves you from your obligations under the GDPR; depending on the policy wording, however, it may cover some of the costs of responding to an incident. We can review your policy wording with you, advise on what it does and does not cover, and help you put in place the governance that insurers and underwriters expect.
Contact our data protection and GDPR practitioners
Data protection and GDPR compliance is a highly specialised and complex area of law with potentially serious consequences. It is essential that if you have concerns about the information your organisation holds that you contact a team of specialist practitioners to work with you. We make the process as straightforward as possible with minimal disruption to your business. To discuss your specific concerns with our team, call today on 0151 659 1070 or complete our online enquiry form and we will get back to you right away.