Thanks to GDPR, the relentless march of technology, and increasingly frequent hacks, data has never had a higher profile. Companies operating across all industries are increasingly becoming reliant on overwhelming volumes of data – in particular personal data. However, just as the collection and use of data is growing, so is the scope and complexity of the laws and regulations. Failing to comply with those laws can expose you to substantial penalties, loss of consumer trust, and significant reputational damage. At the same time, adopting good data protection practices can make your business more efficient, secure, and competitive.
We will work closely with you to help you to lawfully collect and exploit data. Equally, we can help you ensure you have the right policies, processes and security in place to manage the risk of data misuse, breaches, data theft and hacking.
We understand the law and also the way it is applied by the regulators. We are often in touch with them. We also work closely with our extensive network of independent law firms in other jurisdictions allowing us to support not only your UK but also pan-European and global transactions and operations.
Our specialist team can provide you with well-rounded, expert advice on a range of data protection and privacy issues including:
- GDPR and Data Protection Act compliance
- Data protection audits, policies and training
- Data breach management and response, including dealing with the Information Commissioner’s Office
- Online privacy policies, cookies notices and internal data protection policies
- Consent and other lawful bases for data processing
- International data transfers, binding corporate rules and EU model clauses
- Data processor agreements
- Data protection governance and records management
- Data subject access requests
- Compliance with data subject rights
- Data security
- Cookie laws and regulation
- Direct marketing and profiling
- Privacy and Electronic Communications Regulations, and the forthcoming ePrivacy Regulation
- Freedom of Information Act
- Supervisory authority notices and enforcement actions
- Employee monitoring, BYOD policies and processing of special categories of data
- Interception and monitoring of communications
- Data protection aspects of corporate transactions, including mergers, acquisitions and the implications of the transfer of databases
International media company
We have advised a large media company on its GDPR compliance project, including auditing the existing data protection compliance of its US and UK offices; advising on lawful bases upon which the company is processing personal data; revising and negotiating contracts with processors; updating consumer-facing privacy policies; drafting internal data protection policies, records of processing activities, DPIA and LIA forms; and advising on legality of international data transfers.
Major airline
We assisted a large airline company with its GDPR and Brexit preparations, and advised on a range of data protection issues including electronic marketing, international transfers, data subject rights requests, DPIAs for major systemic and technical developments, data sharing, handling passenger name records, dealing with law enforcement requests, and putting in place an internal governance structure, processes, policies, training and raising awareness.
Multinational interactive entertainment company
We advised a large entertainment company’s US and Japanese entities on their GDPR preparations, including their governance structures, identifying and documenting lawful basis for processing, electronic marketing, data subject rights, putting a system in place to deal with data breaches, information security requirements, training, international transfers, internal policies, third party risks and the implications of, and requirements associated with, collecting, hosting and analysing personal data of children.
Numerous corporate and high-profile individual clients
We routinely advise on strategic and contentious data subject access requests and the matters arising from them, including complaints to the Information Commissioner’s Office. We act for both individuals making requests and organisations who are facing requests in factually complex circumstances such as litigation or as part of a campaign where reputational and privacy issues arise.
Marketing and data analytics
We provide our clients with guidance on rules relating to direct social media, email, telephone, and postal marketing. We also advise a number of clients who collect and analyse data online, including dealing with issues such as ‘profiling’ and automated decision-making.
Theatre
We assisted a well-known London theatre with its GDPR preparation project including dealing with personal data of donors, data sharing with other organisations in the arts and fundraising. We regularly advise theatres on their data protection compliance issues.
Corporate transactions
We advise our clients on a data protection issues associated with corporate transactions, including due diligence disclosures and negotiation of data protection provisions in business and asset sale agreements. Previous work includes advising on the purchase of a loyalty programme database and subsequent data protection requirements such as providing a fair processing notice to data subjects.
Sacha Wilson
Partner
E: sacha.wilson@harbottle.com
T: +44 (0)20 7667 5000
John Kelly
Partner
E: john.kelly@harbottle.com
T: +44 (0)20 7667 5000
Amy Bradbury
Senior Associate
E: amy.bradbury@harbottle.com
T: +44 (0)20 7667 5000
Josey Bright
Associate
E: josey.bright@harbottle.com
T: +44 (0)20 7667 5000
Shayna-Radhika Patel
Associate
E: shayna.patel@harbottle.com
T: +44 (0)20 7667 5000
Mark Primrose
Associate
E: mark.primrose@harbottle.com
T: +44 (0)20 7667 5000
- Further safeguards are put in place to protect patients’ confidential information
- Sacha Wilson quoted on BA/Marriott GDPR fines
- Data & Privacy eBulletin: Autumn 2020
- Data & Privacy eBulletin: Schrems does it again
- Coverage: Dan Tozer on UK-US data sharing
- ICO report: mobile phone data extraction by police must improve
- ICO reshapes priorities in light of pandemic
- People Management coverage for Yvonne Gallagher
- Supreme Court to decide on key features of Class Action Data Compensation Claim against Google
- US eBulletin: Winter 2020
- Data & Privacy eBulletin: ad industry in the spotlight, Schrems II and Brexit developments
- H&L advises Sargent-Disc on sale to Cast & Crew
- January start for California data privacy law
- Data & Privacy eBulletin: (Still) preparing for Brexit
- Court of Appeal allows class action against Google
- DNA databases – what are you giving away?
- US eBulletin: Summer 2019
- Data & Privacy eBulletin: GDPR – One year on
- Recruiter coverage: Charlie Thompson on social media checks
- British Airways fined £20m by the ICO for data breach
- Are you ready for the P2B Regulation? Coming into force on 12 July 2020
- Implementation of revisions to Audiovisual Media Services Directive in the UK
- COVID-19: Ofcom decisions on fake news
- COVID-19: The debate about contact tracing apps and privacy safeguards rumbles on
- COVID-19: ICO issues guidance on its approach during the coronavirus public health emergency
- COVID-19: Contact tracing apps and the privacy challenges that need to be overcome
- Supreme Court finds Morissons not liable for data breach
- COVID-19: ICO publishes guidance on data protection compliance
- Court of Appeal rules (again) on beneficiaries’ subject access request for trust documents
- ICO publishes Age Appropriate Design Code
- Status update on cryptoassets, smart contracts and private keys
- Facial recognition technology: the way of the future?
- Protecting private medical information
- Marriott’s mammoth GDPR penalty in second ICO fine this week
- ICO proposes £183 million fine for British Airways cyber breach
- GDPR: one year on in numbers
