Data Protection and Privacy
With technology ever more deeply integrated into the business world, it is essential that businesses build data protection and privacy considerations into the way they operate.
This page sets out our data protection and privacy services: advice on the various data protection regulatory regimes, privacy programme creation and management, and outsourced DPO services. We can also train your employees in data protection and privacy, so that the programme is understood and applied across the organisation.
Searching for technical GDPR expertise? Abbiss Cadres provides business-focused, pragmatic advice on all aspects of implementing the UK and EU GDPR. We offer a range of privacy services, from one-off queries to project management and full implementation of global personal data protection solutions.
Our team can undertake a baseline data protection compliance assessment, identify meaningful risks and provide practical remediations. We assist with requirements to demonstrate accountability measures and develop company-specific policies and procedures that comply with applicable laws and generate consumer, partner and employee confidence.
Is your business lacking in-house resources or technical expertise? Outsource your Privacy Program to Abbiss Cadres. We can liaise directly with key stakeholders to create, manage, and implement an end-to-end global data protection program based on an applicable framework. We operationalise your Privacy Program to ensure it’s a turnkey fit.
We can undertake a data protection audit or assessment, raise awareness of key issues internally, and train employees on data protection, privacy, and the GDPR. Our team can map data flows and international transfers of personal data, draft appropriate policies, and assist with implementation. We can also create records of processing activities (Article 30 GDPR, where required), embed privacy by design and by default, assess third-party vendors and suppliers for data protection compliance, create an incident response plan, and advise on data subject access requests.
Do you need to appoint a Data Protection Officer under Article 37 GDPR? Our outsourced DPO service is flexible and tailored to your company and its specific operations. Abbiss Cadres can fulfil specific requirements under GDPR including informing and advising the company on GDPR obligations; monitoring compliance with GDPR and internal policies; and managing internal data protection activities. We can also be responsible for training your staff, conducting internal audits, advising on data protection impact assessments, as well as serving as the point of contact for Supervisory Authorities.
Do you need to appoint a Local Representative? If you offer goods or services to individuals in the UK or monitor their behaviour, but you do not have an establishment in the UK, then you will usually need one. You can appoint us as your Local Representative under Article 27 of the UK GDPR, and we will serve as the local point of contact for individual data subjects and the Information Commissioner’s Office.
How well has your organisation trained your staff to be GDPR compliant? We can provide company-wide or small team training either remotely or in-person. Content can be tailored to suit your organisation and can include GDPR specific training, general personal data protection, privacy awareness training or general legal privacy requirements.
Are your organisation’s policies regarding data protection thorough enough? We can conduct a review of existing policies to ensure they comply with UK GDPR requirements or we can draft policies based upon organisational practices and requirements.
How well is your organisation meeting its data protection obligations? Have you identified your data protection risks? We can perform a GDPR compliance assessment and report back with a gap analysis and pragmatic remediations.
How has Brexit impacted your data protection practices? Our team can help you understand the framework of the UK GDPR and EU GDPR regulations and what that means for your company. We can assess how your company processes personal data and how it has been impacted by Brexit. We can outline necessary changes, evaluate if the new requirement for a Local Representative impacts your business, update documentation, and review privacy impact assessments for cross border processing and restricted transfers.
What steps does your company need to take to keep employee and customer data safe across borders? We provide expert guidance on the data protection and privacy aspects of global staff mobility and remote working, the structure of your global data protection programme, legal compliance across the applicable privacy regimes, and an outsourced DPO service for UK and EU GDPR compliance.
Is your organisation undergoing or planning a merger or an acquisition? The UK and EU GDPR can make this process even more complex. We can review data protection and privacy issues throughout a corporate transaction, including the use of virtual data rooms (VDRs), sharing personal data with a potential buyer, and the tension with TUPE disclosure requirements.
Data Protection and Privacy FAQs
The EU General Data Protection Regulation (“GDPR”) standardised the rules for the collection and processing of personal data, requiring organisations to protect the personal data and privacy of individuals in the European Union (EU). Following Brexit, the UK has retained the GDPR in domestic law as the UK GDPR.
Considered one of the strictest privacy laws in the world, the GDPR imposes obligations on any organisation that processes personal data about individuals in the UK (or the EU), even where the organisation itself is outside the UK (or the EU). Organisations must not only be mindful of how and what information is collected; they also need to document the procedures used to safeguard data, be transparent about their security measures, and ensure that adequate data processing agreements are in place.
The data the GDPR protects is personal data: any information relating to an identified or identifiable individual, such as a name, address or ID number, as well as online data such as location, IP address, cookie identifiers and RFID tags. ‘Special category’ data is also protected, including health, genetic and biometric data, religious beliefs, trade union membership, political opinions, racial or ethnic origin, and sex life or sexual orientation. The GDPR prohibits the processing of special category data unless one of the specific conditions in Article 9 applies.
At the heart of the GDPR is the importance of individuals’ privacy rights, especially in a digital age where almost everything about a person is shared and stored online. The regulation aims to give people, whether customers, clients, patients or employees, more control over their data, while setting out how organisations should collect, store and use it.
Health, genetic and biometric data, religious beliefs, political opinions, racial or ethnic origin, trade union membership, and sex life or sexual orientation are special category data. Because of the sensitive nature of this data, the GDPR requires additional protection for it.
Both the EU and UK GDPR have seven core data protection principles for the lawful processing of personal data:
1. Lawfulness, fairness and transparency – Personal data must be processed lawfully, fairly and transparently. When personal data is collected, data subjects must be told why it is being collected and how it will be used. A company must also be able to tell individuals, on request, what information it holds about them.
2. Purpose limitation – The purpose for collection must be identified at the point of collection and not subsequently changed unless it is compatible with the original purpose.
3. Data minimisation – Ensure personal data processed is adequate, relevant, and limited to what is necessary.
4. Accuracy – Keep personal data accurate and up to date.
5. Storage limitation – Keep personal data in an identifiable form only for as long as needed to fulfil the purpose for which it was collected.
6. Integrity and confidentiality (security) – Apply appropriate technical and organisational measures so that the confidentiality, integrity and availability of personal data are protected. Organisations are responsible for safeguarding the personal data they collect from their data subjects and must maintain measures to protect it against breaches.
7. Accountability – Organisations must be able to demonstrate their compliance.
The Information Commissioner’s Office (“ICO”) is the UK’s independent regulator responsible for overseeing compliance with the UK GDPR. The ICO’s significant investigative, corrective and enforcement powers include the ability to:
- order Controllers and Processors to prove their GDPR compliance;
- perform a data protection audit;
- stop an organisation from processing personal data;
- access premises, issue warnings, and suspend data flows to third countries;
- impose financial penalties.
Organisations are required to implement appropriate technical and organisational measures to ensure the confidentiality, integrity and availability of their systems and services and of the personal data processed within them, to regularly test the effectiveness of those measures, and to use encryption and pseudonymisation where appropriate.
Note that if data can be truly anonymised, so that the individual can no longer be identified by any means reasonably likely to be used, it is outside the scope of the GDPR. Where data cannot be anonymised, companies should consider pseudonymisation: replacing direct identifiers so that the data can no longer be attributed to a specific individual without additional information that is kept separately. Pseudonymised data remains personal data and stays within the GDPR, but pseudonymisation reduces risk and is a recognised security measure.
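The following is an added illustration, not part of the original page or of any client work it describes, of the difference between a weak and a sound pseudonymisation step. It uses a constructed, fictional set of customer records and a hypothetical secret key held separately from the pseudonymised dataset. An unkeyed hash of an e-mail address can be reversed by anyone who can guess the input, so it is not an effective pseudonym; a keyed hash (HMAC) can only be reversed or recomputed by whoever holds the key, which is the "additional information" that must be kept apart.

```python
"""Pseudonymising a direct identifier with HMAC-SHA256 (added example).

Assumptions (not from the original page): the records below are constructed
test data, and SECRET_KEY is a hypothetical key that the controller stores
separately from the pseudonymised dataset (e.g. in a key vault).
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample records; the people are fictional.
RECORDS = [
    {"email": "Alice@example.com", "postcode": "SW1A 1AA", "order_total": 120.50},
    {"email": "bob@example.org", "postcode": "EC1A 1BB", "order_total": 30.00},
]

# A list an attacker might hold, e.g. addresses from an unrelated breach.
CANDIDATE_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Looks pseudonymised, but e-mail addresses have low entropy: anyone who can
    enumerate plausible addresses can recompute the hash and re-identify.
    """
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised identifier under a secret key.

    Without the key the pseudonym cannot be recomputed from a guessed input,
    so re-identification is only possible for the key holder.
    """
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise_records(records: Iterable[dict], key: bytes) -> list:
    """Return copies of the records with the e-mail replaced by a keyed pseudonym.

    The key is deliberately not stored alongside the output.
    """
    out = []
    for record in records:
        row = dict(record)
        row["subject_id"] = keyed_pseudonym(row.pop("email"), key)
        out.append(row)
    return out


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Simulate an attacker who has the pseudonym but not the key: hash each
    candidate identifier with fn and compare against the target."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return candidate
    return None


def demo() -> dict:
    """Run both schemes against the same attacker and report the outcome."""
    key = secrets.token_bytes(32)  # hypothetical secret, kept apart from the data
    naive = naive_pseudonym(RECORDS[0]["email"])
    keyed = keyed_pseudonym(RECORDS[0]["email"], key)
    return {
        # Attacker recovers the address from the unkeyed hash.
        "naive_recovered": dictionary_attack(naive, CANDIDATE_EMAILS, naive_pseudonym),
        # Same attacker, no key: the keyed pseudonym does not match any guess.
        "keyed_recovered": dictionary_attack(keyed, CANDIDATE_EMAILS, naive_pseudonym),
        "pseudonymised": pseudonymise_records(RECORDS, key),
    }


if __name__ == "__main__":
    result = demo()
    print("unkeyed hash re-identified as:", result["naive_recovered"])
    print("keyed pseudonym re-identified as:", result["keyed_recovered"])
    for row in result["pseudonymised"]:
        print(row)
```

Two design points matter in practice. The pseudonym is deterministic under one key, which is what allows records about the same person to be linked within a dataset; if that linkage should not carry across to a second dataset or purpose, derive a separate key per dataset. And the identifier is normalised (trimmed, lower-cased) before hashing, otherwise "Alice@example.com" and "alice@example.com" become two different subjects, which undermines both the accuracy principle and any later data subject request.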
Organisations that violate the GDPR’s privacy and security requirements face steep fines. Depending on the nature, gravity and duration of the non-compliance, fines can reach £17.5 million under the UK GDPR (€20 million under the EU GDPR) or 4% of annual worldwide turnover, whichever is greater.
In the digital era, cross-border data access, use, and exchange are needed to sustain and develop global commerce and share health and safety information. Manufacturing, retail, services, agriculture, and even medical research on COVID are all reliant on data and the global flow of that data.
Adequacy is a status granted by the European Commission to countries outside the European Economic Area (EEA), and by the UK Government to other countries, once that country has demonstrated that it provides a level of personal data protection essentially equivalent to the GDPR standard. Once a country has been found adequate, personal data may flow freely between it and the EEA, or the UK, without additional safeguards.
Post-Brexit, the UK is working towards the adoption of an adequacy decision by the European Commission so that the free flow of personal data from the EU into the UK can continue past 30 June 2021, when the ‘adequacy bridge’ agreed in the 2020 Trade and Cooperation Agreement is set to expire.
When sending personal data outside the UK to jurisdictions (such as the United States) that are not considered ‘adequate’, appropriate safeguards, such as standard contractual clauses, must be put in place before the transfer so that the personal data is protected as it would be in the UK.
At present, an ‘adequacy’ bridge agreed in the 2020 Trade and Cooperation Agreement allows for the free flow of personal data from the EU into the UK. It is set to expire on 30 June 2021.
Post-Brexit, the UK is working towards the adoption of an adequacy decision by the European Commission. In February 2021, after nine months of assessing the UK’s domestic law and practice on personal data protection, the Commission published draft decisions concluding that the UK ensures personal data protection essentially equivalent to that provided under the GDPR.
The next stage is for the European Data Protection Board to provide a non-binding opinion. After taking that opinion into account, the Commission will send the draft decision to the EU Member States for formal approval, and may then adopt the decision.