Thanks to GDPR, the relentless march of technology, and increasingly frequent hacks, data has never had a higher profile. Companies operating across all industries are becoming increasingly reliant on overwhelming volumes of data – in particular personal data. However, just as the collection and use of data are growing, so are the scope and complexity of the laws and regulations. Failing to comply with those laws can expose you to substantial penalties, loss of consumer trust, and significant reputational damage. At the same time, adopting good data protection practices can make your business more efficient, secure, and competitive.
We will work closely with you to help you to lawfully collect and exploit data. Equally, we can help you ensure you have the right policies, processes and security in place to manage the risk of data misuse, breaches, data theft and hacking.
We understand the law and also the way it is applied by the regulators. We are often in touch with them. We also work closely with our extensive network of independent law firms in other jurisdictions allowing us to support not only your UK but also pan-European and global transactions and operations.
Our specialist team can provide you with well-rounded, expert advice on a range of data protection and privacy issues including:
- GDPR and Data Protection Act compliance
- Data protection audits, policies and training
- Data breach management and response, including dealing with the Information Commissioner’s Office
- Online privacy policies, cookies notices and internal data protection policies
- Consent and other lawful bases for data processing
- International data transfers, binding corporate rules and EU model clauses
- Data processor agreements
- Data protection governance and records management
- Data subject access requests
- Compliance with data subject rights
- Data security
- Cookie laws and regulation
- Direct marketing and profiling
- Privacy and Electronic Communications Regulations, and the forthcoming ePrivacy Regulation
- Freedom of Information Act
- Supervisory authority notices and enforcement actions
- Employee monitoring, BYOD policies and processing of special categories of data
- Interception and monitoring of communications
- Data protection aspects of corporate transactions, including mergers, acquisitions and the implications of the transfer of databases
International media company
We have advised a large media company on its GDPR compliance project, including auditing the existing data protection compliance of its US and UK offices; advising on lawful bases upon which the company is processing personal data; revising and negotiating contracts with processors; updating consumer-facing privacy policies; drafting internal data protection policies, records of processing activities, DPIA and LIA forms; and advising on legality of international data transfers.
Major airline
We assisted a large airline company with its GDPR and Brexit preparations, and advised on a range of data protection issues including electronic marketing, international transfers, data subject rights requests, DPIAs for major systemic and technical developments, data sharing, handling passenger name records, dealing with law enforcement requests, and putting in place an internal governance structure, processes, policies, training and raising awareness.
Multinational interactive entertainment company
We advised a large entertainment company’s US and Japanese entities on their GDPR preparations, including their governance structures, identifying and documenting lawful basis for processing, electronic marketing, data subject rights, putting a system in place to deal with data breaches, information security requirements, training, international transfers, internal policies, third party risks and the implications of, and requirements associated with, collecting, hosting and analysing personal data of children.
Numerous corporate and high-profile individual clients
We routinely advise on strategic and contentious data subject access requests and the matters arising from them, including complaints to the Information Commissioner’s Office. We act for both individuals making requests and organisations who are facing requests in factually complex circumstances such as litigation or as part of a campaign where reputational and privacy issues arise.
Marketing and data analytics
We provide our clients with guidance on rules relating to direct social media, email, telephone, and postal marketing. We also advise a number of clients who collect and analyse data online, including dealing with issues such as ‘profiling’ and automated decision-making.
Theatre
We assisted a well-known London theatre with its GDPR preparation project including dealing with personal data of donors, data sharing with other organisations in the arts and fundraising. We regularly advise theatres on their data protection compliance issues.
Corporate transactions
We advise our clients on data protection issues associated with corporate transactions, including due diligence disclosures and negotiation of data protection provisions in business and asset sale agreements. Previous work includes advising on the purchase of a loyalty programme database and subsequent data protection requirements such as providing a fair processing notice to data subjects.
Sacha Wilson
Partner
E: sacha.wilson@harbottle.com
T: +44 (0)20 7667 5000
John Kelly
Partner
E: john.kelly@harbottle.com
T: +44 (0)20 7667 5000
Amy Bradbury
Senior Associate
E: amy.bradbury@harbottle.com
T: +44 (0)20 7667 5000
Josey Bright
Associate
E: josey.bright@harbottle.com
T: +44 (0)20 7667 5000
Sharon D’Silva
Associate
E: sharon.dsilva@harbottle.com
T: +44 (0)20 7667 5000
eBulletins
- GDPR guidelines released, how not to update marketing databases, and a record ICO fine
- Data & Privacy: The latest on Trump, GDPR prep, proposals for a new E-Privacy Regulation and recent lessons learnt
- Data & Privacy: £400k fine for TalkTalk is biggest ever, and ICO breaks its silence on Brexit
- Data & Privacy: Brexit and the GDPR, Privacy Shield updates and recent ICO fines
- Data & Privacy: Data leaks, privacy shield and direct marketing
- Data & Privacy: EU-US Privacy Shield and the General Data Protection Regulation
- Data protection reforms: Christmas has arrived early
- Data & Privacy: Not so safe harbor, data subject access requests and ‘stable arrangements’
Insights
- UK Government publishes the Data Protection Bill
- What data regulation might look like in a post-Brexit world
- Cooperating with data subjects: revised ICO guidance
- Getting data subject access wrong can be costly, new cases show
- Decision announced on Fundraising Preference Service
- The ICO fires warning shot over data security with record fine for TalkTalk
- Lessons to learn in the wake of the Yahoo data breach