Our privacy and data protection solicitors advise data controllers on the lawful processing of personal data under the UK GDPR including in response to law enforcement requests / demands for access, transparency obligations, the security and handling of personal data, the outsourcing of processing activities, the exercise of data subject rights including responding to subject access requests, and data protection policies and training.
Our advice is often sought about the impact of data protection laws in relation to internal investigations work, as well as the inclusion of individual profiles on risk compliance databases.
Our work encompasses responding to requests under the FOIA and the EIR for sensitive materials obtained or generated by regulators during serious and high-profile regulatory and criminal investigations.
We deal with crisis management including data breach reporting, as well as responding to ICO information, assessment and enforcement notices issued to data controllers and processors, and the supervision of ‘raids’ when the ICO exercises its entry and inspection powers.
On behalf of individuals, we advise on the enforcement of data subject rights and common law pre-criminal charge privacy obligations, data subject access, the rights to rectification and erasure (the ‘right to be forgotten’), and where necessary the use of redress mechanisms / litigation to enforce data subject rights.
Our expertise
The services provided by our expert privacy and data protection lawyers include:
- assistance to data controllers and processors with their data protection / UK GDPR compliance obligations, including internal policies, contractual agreements (data processing agreements) and transparency requirements (privacy / fair processing notices);
- advising on the application, exceptions to, and enforcement of data subject rights (Articles 12 – 23 of the UK GDPR), including the rights of access, rectification and erasure;
- advising data controllers on their data protection duties following law enforcement requests / demands for access to personal data as part of criminal investigations, and by parties to civil proceedings, including Norwich Pharmacal relief;
- data breach handling, including regulatory reporting requirements and reports to law enforcement; and
- using data protection legislation to enforce individual rights in relation to fraud prevention services and databases.
Our experience
Our instructions in the field of data protection include:
- advising a facial recognition company on the compliance of its state-of-the-art biometric processing technology with UK data protection legislation for the prevention and detection of crime in the UK;
- working in conjunction with US lawyers of an international payment processor to develop a UK GDPR-compliant decision-making framework for handling law enforcement requests for the voluntary provision of personal data in ‘threat to life’ situations;
- advising an overseas telematics provider on its UK GDPR obligations following an urgent law enforcement request for the voluntary provision of personal data in relation to a homicide investigation;
- advising an online dating company regarding its data protection obligations in respect of information requests by UK and US law enforcement authorities;
- reviewing the commercial documentation and policies of a provider of a secure content-sharing platform to ensure compliance with applicable UK data protection legislation and regulatory guidance;
- providing data protection compliance advice to a UK-based start-up company offering penetration and online threat assessment services, including in relation to data processing agreements;
- using the provisions of UK data protection legislation to challenge the inclusion of an HNW client’s name and details on a global crime risk database routinely used by financial institutions;
- challenging UK Government bodies over their disclosure of personal data in response to subject access requests as part of sanctions disputes; and
- advising a media company on its breach reporting obligations following a cyber-attack.