Privacy and data protection
Whether you see privacy as a differentiator, or just something which you need to "do right", we can help.
In a world of increasingly complex privacy law, you want someone who knows the legal frameworks inside out and has years of operational experience.
Neil spent several years as head of privacy for the UK operating company of a global communications provider, helping to design cutting edge products and services, as well as being responsible for the privacy rights of almost 20 million communications customers.
Since then, he has helped companies and in-house privacy teams protect the privacy rights of their customers, and meet their legal obligations, across the full spectrum of data protection issues. This has included substantial GDPR implementation activity, helping bring companies up to speed with the new(ish) framework, as well as day-to-day advice and guidance, and operational issues such as handling questions from customers and complaints from the UK's privacy regulator.
What our clients say
Head of Legal, major energy company
"Best External Privacy Resource In The World"
Chief Privacy Officer, FTSE 100 brand
"[your] business understanding is one of the reasons why you are my favourite external lawyer of all times"
Project manager, major airline
"Neil, you’re a legend! Thank you sooooooo much! This is amazing!"
Data protection compliance review
We offer a fixed price data protection compliance review tailored to your needs.
The scope is flexible, and you only pay for the components you need, meaning that you are in control from both a risk and budgetary perspective.
Whether a typical "privacy notice" or a more user-friendly approach incorporated into your service design, we can help you meet your legal obligation to keep data subjects — whether your customers, your employees, or anyone else — informed about what you are doing with their data, and why.
We have prepared privacy notices for a whole range of companies, in a variety of styles, and we're happy to help with a "one-off" notice, or help you to implement a system for keeping your notice(s) up to date as your business practices change.
If you would like a less stuffy, formal notice, we can prepare something which fits your preferred style and tone of voice, while also meeting your legal obligations.
Data processing agreements
If you are going to be engaging someone to process your customers' precious data on your behalf, you'll need to ensure that you have an appropriate data processing agreement, as part of your security strategy.
We have helped prepare suites of documents for clients, to suit different situations, along with accompanying negotiation and liability guidance, to help procurement teams lead on the implementation of data processing agreements with a minimum of legal team support. We have also negotiated tens of agreements with processors around the globe, and we can steer you on issues which are likely to prove a sticking point or cause concern, as well as advise you on risk and apportionment of liability.
If you are processing on behalf of another data controller, you'll want to make sure that you have a clear view of your obligations, risks and liabilities. Getting expert legal advice early in the process can help reach an agreement which works for both parties.
We can also help you with data sharing agreements, or agreements between you and other data controllers.
Subject access requests and ICO complaints
Most subject access requests — requests from data subjects for a copy of their data, and for information about your processing — can be answered quite easily. But if you've got one which is trickier, or else you just need a hand with it, we've plenty of experience in preparing responses for clients to send to data subjects.
We hope it won't happen to you but, if a data subject complains to the ICO, there's a strong chance that the ICO will get in touch. This is an opportunity to put your side of the case — it's a chance for advocacy, and to persuade the ICO to find in your favour. If you don't have the resources to do this yourself, or you'd appreciate some skilled assistance (particularly if the situation is unclear, or if the facts appear unhelpful), do drop us a line.
New products and services
Products, services, apps, wearables — whatever!
You have probably heard of the terms "privacy by design" and "data protection impact assessments".
We can help you design services in a way which meets your commercial objectives without alienating customers or triggering undue regulatory concern, including giving you clear, pragmatic advice on challenging topics, such as data analytics.
From getting your business registered with the Information Commissioner's Office to establishing a solid policy framework, and from embedding good practices across your organisation to helping you meet your regulatory obligations, such as dealing with subject access requests, we can support and guide you.
Nobody wants to have a privacy-related incident, but worse is having an incident without a plan for how to deal with it. We can help you make that plan, so that an incident is not a panic. Or, if you've had an issue, we can help you get back on your feet again.
Some breaches are the subject of mandatory reporting obligations — often to the regulator, and sometimes to affected users — so it is worth having a plan in place so that, if an incident happens, you know what to do and how.
Some communications services may be subject to even more rigorous reporting obligations, requiring notification to the regulator within 24 hours of detection.
Audits by the ICO
We have experience in both leading and supporting on ICO audits. We can help you engage with the ICO and determine audit scope and structure, review existing materials and prepare supporting evidence, help arrange pre-audit documentation packs, and provide on-site support during the audit itself.
We have helped reassure nervous or concerned interviewees, and provided dedicated coaching and support on answering questions and presenting their evidence confidently and succinctly.
We can also help with post-audit representations, if things have not gone quite to plan, or if you feel that the audit findings are not representative of the true position of your organisation.