“They have a reputation for legal excellence which is richly deserved.”
Whether malicious or inadvertent, internal or external, breaches of data security can cause extreme disruption to individuals and businesses. As the frequency, severity and public awareness of data incidents have grown, so have the risks of reputational damage, substantial regulatory penalties and litigation from aggrieved data subjects, pushing data protection ever higher up the corporate agenda.
The law relating to data protection is principally contained in the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”), whose regulatory and enforcement provisions are overseen by the Information Commissioner’s Office (“ICO”). The GDPR and DPA regulate the control and processing of personal data by entities such as companies, firms and sole traders established in the UK. The data protection legislation creates a series of rights for individuals and obligations on controllers and processors in relation to the handling and treatment of personal data and “special category” personal data. It also controls the transfer of such data overseas, including in response to mutual legal assistance (“MLA”) requests made to the UK authorities by foreign regulators and investigators such as the US Securities and Exchange Commission (“SEC”) and Department of Justice (“DOJ”). For the first time, the GDPR requires that personal data breaches be reported to the ICO unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. Timing is critical: notification must be made without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach.
Subject to certain defences, offences under the DPA such as “blagging” (broadly, knowingly or recklessly obtaining or disclosing personal data without the consent of the controller) are prosecuted in the criminal courts and can lead to unlimited fines. Companies and their directors may also be liable where an offence is committed with the consent or connivance of, or is attributable to the neglect of, a director or other company officer.
The ICO may also impose very substantial monetary penalties on controllers and processors for breaches of the GDPR, in the most serious cases up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
BCL advises businesses and individuals on data security, data protection policies, ICO investigations and audits, GDPR compliance and the defence of criminal and administrative proceedings under the data protection legislation. We assist in crisis management, including the reporting of data breaches and the assessment of criminal liability, as well as with Norwich Pharmacal relief and the strategic use of subject access requests and requests under the Freedom of Information Act 2000.