GDPR stands for General Data Protection Regulation. Its purpose is to protect personal data and to govern how that data is stored, shared and processed. In the UK, the ICO (Information Commissioner’s Office) is the supervisory authority that enforces GDPR.
Any company handling or processing personal data must follow the requirements of GDPR. This includes updating all relevant documentation.
Documents that may need changes under GDPR include:
- Data protection policies
- Privacy statements and notices
- Data breach procedures
- Cookie policies
- Security policies
- Data processing policies (data retention information, data processing details, policies on data protection)
- Data usage consent documentation (for staff, clients, partners, contractors and others)
- General contractual agreements
For help revising your existing policies or creating new documentation, call 0333 200 5859.
How our data protection solicitors can help you
Our legal experts are able to ensure that any data protection policy is GDPR compliant. We can:
- Examine your processes to make sure they meet the requirements of GDPR
- Discuss your planned responses to Data Subject Access Requests with you
- Undertake data protection audits and help you prepare for ICO audits and inspections
- Examine any existing contract or other legal document to ensure it adheres to the requirements
- Assist in drafting contracts between data controllers and data processors
- Provide support and advice, whether you are drafting new data protection policies or updating old ones
- Help you demonstrate compliance throughout all your official documentation
Alongside this, our data protection solicitors can assist you with:
- Technology law
- Internal Investigations
- GDPR HR support
- Dealing with data breaches
What are companies’ responsibilities as data controllers or data processors?
Data controllers must consider the following aspects of data processing:
- The nature of all planned processing
- Its scope
- Its context
- Its purposes
They must also ensure that all processing adheres to GDPR and upholds the rights of the data subject.
Data controllers must maintain proper policies and procedures at all times. They must keep a record of all data processing undertaken.
There must be a comprehensive written contract between the data controller and the data processor.
A data processor’s duties include:
- Processing personal data only within the nature, scope, context and purposes set by the controller
- Keeping a secure record of all processing undertaken on the controller’s behalf
- Completing all data processing in accordance with GDPR
- Acting only on the controller’s documented instructions and not processing the data for their own purposes
- Keeping the data secure and retaining it only for as long as the controller requires
- Reporting any personal data breach to the controller without undue delay, so that the controller can meet its own 72-hour deadline for notifying the ICO
Can I use a data protection contract acquired from the internet?
You may be able to use an existing contract as a basic template for your own document, but it is vital that the final version covers all of your processing activities and policies.
The best approach is to find a high-quality template and work through every clause, checking it against the official GDPR text throughout. Article 28 sets out the minimum terms a contract between a controller and a processor must contain.
You should enlist the help of a legal adviser and involve any staff members responsible for data protection.
Data Protection Act offences
The ICO or other authorities may investigate or take legal action against you if you:
- Obtain, disclose, retain or procure personal data unlawfully
- Re-identify de-identified information, such as redacted data in a document
- Alter data in an unlawful way, for example to prevent its disclosure
- Refuse to comply with a lawful Data Subject Access Request
Frequently asked questions about data protection contracts
When is a data protection contract needed and why is it important?
Any company that handles personal information should have its data protection arrangements set out in writing. Where a data processor handles personal data on behalf of a data controller, a written contract between the two is a legal requirement under GDPR (Article 28).
Failing to have such a contract in place means the controller and processor are not GDPR compliant, and this may lead to an ICO investigation.
GDPR compliance is vital to protect the information of clients, employees and others. A data breach may put those individuals at risk of fraud, crime or even injury. Without the right contract, you may be liable for damages caused by a breach.
What is a breach of data protection?
A personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Sharing data with the wrong people without a lawful basis is a breach; so is having insufficient security that allows unauthorised access.
Following a breach, a data controller must report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. A data processor must notify the controller without undue delay so that the controller can meet that deadline.