GDPR Contract and Legal Services

The GDPR gives individuals more control over how their personal data is used. If your organisation processes personal data, you must provide individuals, including your employees, with information about how your organisation processes that data and how it applies data protection principles via privacy notices.

There are several advantages to doing this: it prevents confusion about the way personal data is being used, ensures a level of trust between the organisation and the individual, and is a public indication of how seriously you take privacy and the level of your compliance.

We can review and advise on your existing privacy notice(s) or draft one that is specific to your business needs.

Internal policies and statements are just as important as external notices when it comes to documenting GDPR compliance. Your privacy policy gives your employees an understanding of how personal information will be treated by the organisation. Getting this right is a key part of compliance.

One of the most discussed aspects of the GDPR is the “opt-in” vs “opt-out” change. When relying on consent to send marketing messaging, data subjects must opt-in (tick a box) as opposed to opting out (unticking a box). It is essential to get this consent in a legal way, and document it properly.

Article 30 of the GDPR sets out specific activities that you are expected to document in relation to data processing. It includes the purposes of your data processing, categories of individuals, categories of personal data and lawful basis of your data processing.

We can help you gather this information, mapping your personal data and creating and maintaining your Article 30 record.

There are many requirements relating to handling a data breach, such as reporting some breaches to the ICO (Information Commissioner’s Office) within 72 hours. In order to comply with these requirements, your data breach handling procedure should be compliant with the GDPR and strictly adhered to in the event of a breach.

We provide data breach advice and policies and procedures, and can help ensure that your organisation knows when it is necessary to report a breach and what information it needs to provide when reporting the breach to a data protection authority.

DSARs must be handled correctly and efficiently, as an organisation only has one month to respond. In addition to reviewing or drafting DSAR procedures, policies, forms and responses, we also offer DSAR as a Service, where we manage the whole process for you.

Where personal data is transferred from your organisation to another, you must have adequate contracts in place to ensure the data will only be processed as you intend and in accordance with data protection law.

Data processing agreements are required whenever an organisation uses a processor; the GDPR sets out what must be included in the organisation’s contract with the processor.

Data sharing agreements should be concluded with other data controllers with which you routinely share personal data. They will set out the responsibilities of each data controller to help mitigate your risk under the data sharing arrangement.

We can help you assess whether you are transferring data to a processor, a joint controller or another independent controller, and ensure that you have the correct agreement in place.

We will review and advise on your existing contracts or agreements, or draft new ones according to your requirements.

In order to process any personal data, you must first identify a lawful basis for processing, such as to meet contractual obligations, legitimate interest, consent or to protect the subject’s vital interests.

Your lawful basis for processing should be included in your privacy notice and Article 30 record of processing activities. We can help you identify your lawful basis for processing and ensure consent is lawful.

Where consent is used as your lawful basis of processing, we can review your consent practices and your existing consents and help refresh consents that do not meet the required standard.

Whenever you use legitimate interest as the lawful basis of your processing, you must complete a legitimate interests assessment. We can advise on and assist in that process.

Since the COVID-19 pandemic began, homeworking has become mainstream, but many organisations do not have the appropriate policies in place to protect their data and other assets. We can draft homeworking policies that ensure your employees work as efficiently at home as they did at the office, while protecting your assets.

For an international data transfer to be allowed under the GDPR, the level of data protection afforded by the organisation receiving the data must be fundamentally the same as the protections under the GDPR. This is required whether the international data transfer is to a third party or within your organisation.

The international transfer of personal data needs to use an appropriate safeguarding mechanism. There are two common mechanisms for doing this: SCCs (known before the GDPR as model contractual clauses) and BCRs.

We can advise whether SCCs or BCRs are most appropriate and help you implement them in order to bring your data transfers in line with the GDPR.