From our offices in Edinburgh and Glasgow, we help individuals as well as private and public sector organisations across the UK navigate the world of data protection and compliance.
The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. It represents a significant step forward in the modernisation and harmonisation of data protection throughout the European Union (EU).
To summarise a very wide-ranging piece of legislation in one sentence: data protection under the GDPR will provide individuals with more control over their personal data and will require organisations to process personal data responsibly and transparently.
All organisations established or operating within the EU will be affected by the GDPR, irrespective of the industry or business sector in which such organisations operate. The GDPR will apply to all personal data collected, held or processed by an organisation, whether this relates to employees, customers, suppliers or contacts, so these new regulations will not be restricted to data-intensive businesses.
At this stage, and as an ongoing process, organisations should consider what personal data they hold, what they do with it, why they process it and whether it is, strictly speaking, necessary to hold and process the personal data.
There are a number of steps to becoming GDPR compliant, and the first step is to become aware of the personal data within an organisation. The subsequent steps are determined by the types of personal data and the purposes for which the personal data is processed - for example, are there special categories of personal data including health and medical information or is the personal data used for scientific research?
We offer comprehensive advice and support on data protection matters, including:
- advising on data audits and other aspects of GDPR compliance,
- advising on the rights of individuals in respect of their personal information,
- reviewing data protection policies and procedures,
- reviewing and/or negotiating data processing contracts, and
- drafting privacy policies, consent forms and other relevant data protection documents.
We also advise organisations who receive requests for personal data ("subject access requests") as well as individuals who are making the requests.