Get legal and compliance advice on your data privacy documentation and commercial agreements to comply with data protection law.
Our legal team can review, update or draft the full range of bespoke data protection documentation, commercial agreements and HR documents, and provide advice on international data transfers, including SCCs (standard contractual clauses).
Reviewing and updating your data protection documentation and commercial agreements to align with the GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018 can be a time-consuming and legally complex task.
Regularly review and update your data privacy documentation and commercial agreements to reflect changes in the law and the way your organisation operates. Your privacy documentation needs to accurately reflect the kind of data you collect; how you collect, process and store it; how long you keep it for; and your reasons for doing so. You might also have to consider which markets you operate in and how your documentation and commercial agreements need to be updated in relation to applicable data protection laws.
Our legal team can help you with a wide range of data privacy documentation, including bespoke documentation. This includes support with the following:
The GDPR gives individuals more control over how their personal data is used. If your organisation processes personal data, you must tell individuals, including your employees, how your organisation processes that data and how it applies the data protection principles. This information is provided through privacy notices.
There are several advantages to doing this: it prevents confusion about the way personal data is being used, ensures a level of trust between the organisation and the individual, and is a public indication of how seriously you take privacy and the level of your compliance.
We can review and advise on your existing privacy notice(s) or draft one that is specific to your business needs.
One of the most discussed aspects of the GDPR is the “opt-in” vs “opt-out” change. When relying on consent to send marketing messages, data subjects must opt in by taking a clear affirmative action (for example, ticking an unticked box); pre-ticked boxes, silence or inactivity do not count as consent. Consent must be freely given, specific, informed and unambiguous, and you must keep records showing who consented, when and to what, so that you can demonstrate it.
Article 30 of the GDPR requires most organisations to keep a record of their processing activities. The record covers the purposes of your data processing, the categories of individuals and of personal data, the categories of recipients, any international transfers and, where possible, retention periods and a description of your security measures; the ICO also recommends documenting the lawful basis for each processing activity.
We can help you gather this information, mapping your personal data and creating and maintaining your Article 30 record.
There are many requirements relating to handling a personal data breach. A breach that is likely to result in a risk to individuals must be reported to the ICO (Information Commissioner’s Office) without undue delay and, where feasible, within 72 hours of your becoming aware of it, and affected individuals must be told without undue delay if the breach is likely to result in a high risk to them. To meet these requirements, your data breach handling procedure should be compliant with the GDPR and strictly adhered to in the event of a breach.
We provide data breach advice and policies and procedures, and can help ensure that your organisation knows when it is necessary to report a breach and what information it needs to provide when reporting the breach to a data protection authority.
DSARs (data subject access requests) must be handled correctly and efficiently: an organisation has one month from receipt to respond, extendable by a further two months only where requests are complex or numerous. In addition to reviewing or drafting DSAR procedures, policies, forms and responses, we also offer DSAR as a Service, where we manage the whole process for you.
Where personal data is transferred from your organisation to another, you must have adequate contracts in place to ensure the data will only be processed as you intend and in accordance with data protection law.
Data processing agreements are required whenever an organisation uses a processor; the GDPR sets out what must be included in the organisation’s contract with the processor.
Data sharing agreements should be concluded with other data controllers with which you routinely share personal data. They will set out the responsibilities of each data controller to help mitigate your risk under the data sharing arrangement.
We can help you assess whether you are transferring data to a processor, a joint controller or another independent controller, and ensure that you have the correct agreement in place.
We will review and advise on your existing contracts or agreements, or draft new ones according to your requirements.
In order to process any personal data, you must first identify a lawful basis for processing. The GDPR provides six: consent, performance of a contract, compliance with a legal obligation, protection of the data subject’s vital interests, a task carried out in the public interest, and legitimate interests.
Your lawful basis for processing should be included in your privacy notice and Article 30 record of processing activities. We can help you identify your lawful basis for processing and ensure consent is lawful.
Where consent is used as your lawful basis of processing, we can review your consent practices and your existing consents and help refresh consents that do not meet the required standard.
Whenever you rely on legitimate interests as the lawful basis of your processing, you should carry out and document a legitimate interests assessment, applying the three-part test: identify the interest, show that the processing is necessary to achieve it, and balance it against the interests, rights and freedoms of the individuals concerned. We can advise on and assist in that process.
Since the COVID-19 pandemic began, homeworking has become mainstream, but many organisations do not have the appropriate policies in place to protect their data and other assets. We can draft homeworking policies that ensure your employees work as efficiently at home as they did at the office, while protecting your assets.
For an international data transfer (a transfer of personal data out of the UK or the EEA) to be allowed under the GDPR, the level of protection afforded to the data by the recipient must be essentially equivalent to that guaranteed under the GDPR. This applies whether the transfer is to a third party or to another part of your own organisation.
Unless the destination country is covered by an adequacy decision, the transfer needs an appropriate safeguarding mechanism. The two most common are SCCs (standard contractual clauses, known before the GDPR as model clauses) and BCRs (binding corporate rules). For transfers from the UK, the ICO’s IDTA (international data transfer agreement) or its Addendum to the EU SCCs is used in place of the EU SCCs.
We can advise which mechanism is most appropriate and help you implement it in order to bring your data transfers in line with the GDPR.
We advise clients in a variety of sectors on privacy, data retention and information security policies. We can help you negotiate the complexities of international data transfers and ensure you have the right safeguards in place. This includes SCCs and managing BCR approval applications with data protection authorities.
Enjoy the benefits of paying by purchase order with a GRCI Law corporate account. Apply online today or call our service centre team on +44 (0)333 900 5555.
"We selected GRCI Law in 2019 as our Data Protection Officer (DPO) and EU/UK GDPR Representatives to ensure compliance with the GDPR for clinical trials we are conducting in the EU and UK. They’ve been instrumental in providing the necessary data privacy guidance required to obtain Ethics Committee and Regulatory approvals for our trials. They continue to provide strategic and timely advice on the evolving GDPR landscape, and proactively keep us informed of data protection guidance and regulations as they become available. GRCI Law has been our trusted partner in GDPR compliance, and we can wholeheartedly endorse their services for European and UK clinical trials."
- Nestor Gonzales, Senior Director, Quality and Compliance
Nevakar Injectables, Inc.
Led by our management team of experienced DPOs (data protection officers), lawyers, barristers, and information and cyber security experts, we provide DPO, breach, data privacy management, and data subject access request support, and associated non-reserved legal services.
We offer legal risk and compliance consultancy advice that you can trust, but without the burden of administrative duties and expenses that law firms must bear in order to carry out certain ‘reserved legal activities’, such as litigation, conveyancing and advocacy.
If you have any queries or you’re unsure of how to progress, please get in touch with our team of experts who will be able to assist with your enquiry and provide guidance options.