Data Protection and Privacy

As technology becomes more deeply integrated into business, it is essential that organisations build data protection and privacy considerations into how they operate.

This page sets out our data protection and privacy services: advice on the applicable data protection regulations, privacy programme creation and management, and outsourced DPO services. We can also train your employees in data protection and privacy so that the service is well rounded.

GDPR Advisory Service

Searching for technical GDPR expertise? Abbiss Cadres provides business-focused, pragmatic advice on all aspects of implementing the UK and EU GDPR. We offer a range of privacy services, from one-off queries to project management and full implementation of global personal data protection solutions.

Our team can undertake a baseline data protection compliance assessment, identify meaningful risks and provide practical remediations. We assist with requirements to demonstrate accountability measures and develop company-specific policies and procedures that comply with applicable laws and generate consumer, partner and employee confidence.

Privacy Program Creation and Management

Is your business lacking in-house resources or technical expertise? Outsource your Privacy Program to Abbiss Cadres. We can liaise directly with key stakeholders to create, manage, and implement an end-to-end global data protection program based on an applicable framework. We operationalise your Privacy Program to ensure it’s a turnkey fit.

We can undertake a data protection audit or assessment, raise awareness of key issues internally, and train employees on data protection, privacy and the GDPR. Our team can map data flows and international transfers of personal data, draft appropriate policies, and assist with implementation. We can also create records of processing activities (required under Article 30 GDPR), embed privacy by design and by default, assess third-party vendors and suppliers for data protection compliance, create an incident response plan, and advise on data subject access requests.

Outsourced DPO

Do you need to appoint a Data Protection Officer under Article 37 GDPR? Our outsourced DPO service is flexible and tailored to your company and its specific operations. Abbiss Cadres can fulfil specific requirements under GDPR including informing and advising the company on GDPR obligations; monitoring compliance with GDPR and internal policies; and managing internal data protection activities. We can also be responsible for training your staff, conducting internal audits, advising on data protection impact assessments, as well as serving as the point of contact for Supervisory Authorities.

Local Representative Service

Do you need to appoint a Local Representative? If you offer goods or services to individuals in the UK or monitor their behaviour but you do not have an establishment in the UK, then you probably will. You can appoint us as your Local Representative for compliance with Article 27 of the UK GDPR and we’ll serve as the local point of contact for individual data subjects and the Information Commissioner’s Office.

Training Services

How well has your organisation trained your staff to be GDPR compliant? We can provide company-wide or small team training either remotely or in-person. Content can be tailored to suit your organisation and can include GDPR specific training, general personal data protection, privacy awareness training or general legal privacy requirements.

Data Protection-related Policy Suite

Are your organisation’s policies regarding data protection thorough enough? We can conduct a review of existing policies to ensure they comply with UK GDPR requirements or we can draft policies based upon organisational practices and requirements.

Data Protection Audit

How well is your organisation meeting its data protection obligations? Have you identified your data protection risks? We can perform a GDPR compliance assessment and report back with a gap analysis and pragmatic remediations.

Brexit Data Protection Review

How has Brexit impacted your data protection practices? Our team can help you understand the framework of the UK GDPR and EU GDPR regulations and what that means for your company. We can assess how your company processes personal data and how it has been impacted by Brexit. We can outline necessary changes, evaluate if the new requirement for a Local Representative impacts your business, update documentation, and review privacy impact assessments for cross border processing and restricted transfers.

Global Mobility Personal Data Review

What steps does your company need to take to keep your employee and customer data safe across borders? We provide expert guidance on data protection and privacy components of staff global mobility and remote working, the structure of your global data protection program, legal compliance across applicable privacy regimes, and outsourced DPO service for UK and GDPR compliance.

M&A Data Protection Audit

Is your organisation undergoing or planning a merger or an acquisition? The UK and EU GDPR can make this process even more complex. We can review data protection and privacy issues throughout a corporate transaction, including the use of virtual data rooms (VDRs), the sharing of personal data with a potential buyer, and the tension with TUPE disclosure requirements.

FAQs

What is the General Data Protection Regulation (“GDPR”)? What purpose does it serve?

The EU General Data Protection Regulation (“GDPR”) standardised the rules for the collection and processing of personal data, requiring organisations to protect the personal data and privacy of individuals in the European Union (EU). Following Brexit, the UK retained the GDPR in domestic law as the UK GDPR.

Considered one of the strictest privacy laws in the world, the GDPR imposes obligations on any organisation that collects data about individuals in the UK (or the EU), even if the organisation itself is outside the UK (or EU). Organisations must not only be mindful of how and what information is collected; they must also document the procedures used to safeguard data, be transparent about their security measures, and ensure that adequate data processing agreements are in place.

The data the GDPR protects is personal data: any information relating to an identified or identifiable individual, such as a name, address or ID number, as well as online identifiers such as location data, IP addresses, cookie identifiers and RFID tags. ‘Special category’ data is given additional protection, including health, genetic and biometric data, religious beliefs, trade union membership, political opinions, racial or ethnic origin, and sexual orientation or sex life: the GDPR prohibits the processing of special category data unless one of the specific conditions in Article 9 applies.

At the heart of the GDPR are the privacy rights of individuals, especially in a digital age where almost everything about an individual is shared and stored online. The regulation aims to give people, whether they are customers, clients, patients or employees, more control over their data while setting out how organisations should collect, store and use that data.

Health, genetic, and biometric data, religious beliefs, political opinions, racial or ethnic details, membership in a trade union, and sexual practices and orientation are considered special category data. Because of the sensitive nature of this data, the GDPR requires additional protection of this information.

Both the EU and UK GDPR have seven core data protection principles for the lawful processing of personal data.

  1. Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and transparently. Data subjects must be told why their data is collected and how it will be used, and an organisation must be able to tell individuals, on request, what information it holds about them.
  2. Purpose limitation: the purpose of collection must be specified at the point of collection and not subsequently changed unless the new purpose is compatible with the original one.
  3. Data minimisation: the personal data processed must be adequate, relevant and limited to what is necessary for the purpose.
  4. Accuracy: personal data must be kept accurate and, where necessary, up to date.
  5. Storage limitation: personal data must be kept in an identifiable form only for as long as is needed to fulfil the purpose for which it was collected.
  6. Integrity and confidentiality (appropriate security): technical and organisational measures must protect the confidentiality, integrity and availability of personal data. Organisations are responsible for safeguarding the personal data they hold and must plan and invest to protect it against security breaches.
  7. Accountability: organisations must be able to demonstrate their compliance with the other principles.

The Information Commissioner’s Office (“ICO”) is the UK’s independent regulator responsible for overseeing compliance with the UK GDPR. The ICO’s investigative, corrective and enforcement powers include the ability to:

  • order controllers and processors to demonstrate their GDPR compliance;
  • carry out a data protection audit;
  • order an organisation to stop processing personal data;
  • access premises, issue warnings, and suspend data flows to third countries;
  • impose financial penalties.

Organisations are required to implement appropriate technical and organisational measures to ensure the confidentiality, integrity and availability of their systems and services and of the personal data processed within them, to regularly test the effectiveness of those measures, and to encrypt data and devices wherever practicable.

Note that data which has been truly anonymised, so that the individual can no longer be identified by any means reasonably likely to be used, is outside the scope of the GDPR. Where anonymisation is not feasible, organisations should consider pseudonymisation: replacing direct identifiers with tokens and holding the key or mapping separately, under its own access controls. Pseudonymised data remains personal data under the GDPR, because it can be re-identified with the additional information, but pseudonymisation is expressly recognised in Article 32 as a security measure that reduces the risk to data subjects.
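As an added illustration (not part of the original page), the following Python contrasts an unkeyed hash of an identifier, which is often mistaken for pseudonymisation, with a keyed HMAC pseudonym whose re-identification table is held apart from the dataset. The records, the candidate list an attacker guesses from, and the field names are all constructed for the example.

```python
"""Pseudonymisation with a keyed HMAC, contrasted with an unkeyed hash.

Added example; not code from the original page. All sample data below is
constructed for illustration and does not describe real people.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (not real people).
RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "visits": 12},
    {"email": "bob@example.com", "postcode": "M1 1AE", "visits": 3},
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "visits": 5},
]

# Constructed list of guesses; a real attacker would use a leaked address
# list or an organisation's known naming pattern. Email addresses have low
# entropy, so a guess list like this is usually small and effective.
CANDIDATE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_token(value):
    """Unkeyed SHA-256 of an identifier. Anyone can recompute it, so it is
    not a sound pseudonym for guessable data such as email addresses."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_token(value, key):
    """HMAC-SHA256 pseudonym. Without the secret key a token cannot be
    recomputed or checked, so guessing the identifier space does not help."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_dataset(records, key, fields=("email",)):
    """Replace direct identifiers with keyed tokens.

    Returns the pseudonymised records and a separate re-identification table
    (token -> original value). The table and the key are the 'additional
    information' of GDPR Art. 4(5): keep them apart from the dataset under
    their own access controls. While either exists the dataset is still
    personal data, only better protected.
    """
    out = []
    lookup = {}
    for rec in records:
        pseudo = dict(rec)
        for f in fields:
            tok = keyed_token(rec[f], key)
            lookup[tok] = rec[f]
            pseudo[f] = tok
        out.append(pseudo)
    return out, lookup


def reidentify(pseudo_record, lookup, fields=("email",)):
    """Controlled reversal: only a party holding the lookup table can do this."""
    rec = dict(pseudo_record)
    for f in fields:
        rec[f] = lookup[rec[f]]
    return rec


def brute_force_unkeyed(tokens, candidates):
    """Attacker model: hash every guessed identifier with the unkeyed scheme
    and match against the tokens. Returns the tokens it managed to recover."""
    table = {naive_token(c): c for c in candidates}
    return {t: table[t] for t in tokens if t in table}


def demo():
    # Generate a fresh key; in production keep it in a KMS/HSM, not with the data.
    key = secrets.token_bytes(32)
    pseudo, lookup = pseudonymise_dataset(RECORDS, key)
    naive = [naive_token(r["email"]) for r in RECORDS]
    keyed = [p["email"] for p in pseudo]
    return {
        # Same input -> same token, so records stay linkable for analytics.
        "linkable": pseudo[0]["email"] == pseudo[2]["email"],
        # The unkeyed scheme falls to a short guess list.
        "naive_recovered": brute_force_unkeyed(naive, CANDIDATE_EMAILS),
        # The keyed scheme gives the same attacker nothing.
        "keyed_recovered": brute_force_unkeyed(keyed, CANDIDATE_EMAILS),
        # The holder of the lookup table can still re-identify on purpose.
        "reidentified": reidentify(pseudo[1], lookup)["email"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point for a practitioner is in the two `brute_force_unkeyed` results: the same guess list recovers every unkeyed hash but none of the HMAC tokens. Whether the dataset later counts as anonymous depends on destroying the key and the lookup table, and on whether the remaining attributes (postcode plus visit counts here) still single out an individual; the code does not make that judgement for you.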

Organisations that breach the GDPR’s privacy and security requirements face steep fines. Depending on the nature, gravity and duration of the infringement, fines can reach £17.5 million under the UK GDPR (€20 million under the EU GDPR) or 4% of annual worldwide turnover, whichever is greater.

In the digital era, cross-border data access, use, and exchange are needed to sustain and develop global commerce and share health and safety information. Manufacturing, retail, services, agriculture, and even medical research on COVID are all reliant on data and the global flow of that data.

Granted by the European Commission to countries outside the European Economic Area (EEA), and by the UK to jurisdictions outside the UK, data adequacy is a status awarded to a country that has demonstrated a level of personal data protection essentially equivalent to the GDPR standard. Once a country has been awarded adequacy, personal data may flow freely between it and the EEA, or the UK, without additional transfer safeguards.

Post-Brexit, the UK is working towards the adoption of an adequacy decision by the European Commission to allow for the free flow of personal data from the EU into the UK to continue past 30 June 2021, when the ‘adequacy’ bridge agreed in the 2020 Trade and Cooperation Agreement is set to expire.

When sending personal data outside of the UK to jurisdictions (like the United States) that are not considered “adequate”, appropriate safeguards must be put in place prior to transfer in order to protect personal data the same way as it would be in the UK.

At present, an ‘adequacy’ bridge agreed in the 2020 Trade and Cooperation Agreement allows for the free flow of personal data from the EU into the UK. It is set to expire on 30 June 2021.

Post-Brexit, the UK is working towards the adoption of an adequacy decision by the European Commission. In February 2021, after nine months of assessing the UK’s domestic law and practice on personal data protection, the Commission concluded in its draft decision that the UK ensures a level of protection essentially equivalent to that provided under the GDPR.

The next stage is for the European Data Protection Board to provide a non-binding opinion, and after taking the opinion into account, the Commission will then send the draft decision to EU Member States for formal approval: the European Commission may then adopt the decision.
