We advise small, medium and large private and public bodies on all aspects of data protection compliance and information governance.

GDPR

The GDPR applies to any organisation that controls personal data, and to any organisation that processes personal data on behalf of another organisation.

It is critical that any business knows what personal data it holds and has a plan for dealing with it. The costs of not complying with the GDPR are high.

It’s important your organisation looks ahead to GDPR and lays the foundations to ensure compliance. 

We can help you with all aspects of the GDPR: initial GDPR audits, contract reviews and the steps needed to comply with the privacy requirements, through to GDPR training and incident response support.

Audits and compliance

We advise on:

  • the GDPR (General Data Protection Regulation)
  • compliance with the Data Protection Act including DPA audits
  • information and records management
  • policies for the collection and processing of personal data
  • information access requests: subject access requests, freedom of information
  • data security including handling breaches of the Data Protection Act
  • liaising with the Information Commissioner in relation to complaints made by individuals
  • the information governance and data protection implications of outsourcing and commercial contracts
  • privacy impact assessments
  • data processing contract agreements
  • marketing privacy including direct marketing, telemarketing and sharing data with third parties
  • online privacy including cloud computing, cookie compliance, social media and mobile devices
  • employment and data protection  

Data protection guidance

What is data protection?

If you handle personal information about individuals, you have a number of legal obligations to protect that information under the Data Protection Act 1998. Please read our data protection guide for full details on what data protection is. 

Organisations that process personal data must register with the Information Commissioner's Office (the ICO).

What do we mean by 'personal data'?

According to the ICO, personal data means data which relate to a living individual who can be identified:

  • from those data, or
  • from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

For example, a manager’s assessment or opinion of an employee’s performance during their initial probationary period will, if held as data, be personal data about that individual. 

Subject access requests

What is a subject access request?

The Data Protection Act 1998 gives individuals six rights, one of which is the right to request a copy of the personal data a data controller holds about them. Provided the requester satisfies certain requirements, such a request is called a Subject Access Request (SAR).

Individuals submit SARs for many reasons: a disgruntled member of staff wanting to be a nuisance, an employee considering Employment Tribunal proceedings, or someone who believes derogatory comments have been made about them. It may also be that a customer has received poor service, or believes you have shared or received information about them that is causing them distress or damage.

The concept is simple enough, however the effect on the organisation can be profound. 

Depending on how long ago the data controller obtained the data, how it has been processed and how long it has been retained, there could be thousands of documents to trawl through. This takes staff away from their normal day-to-day work and is therefore a real cost to the organisation. Data controllers often forget to account for the resources needed to collate, assess, redact, copy and release the data, and all they receive in return is a £10 fee (if their procedure applies one).

The member of staff processing the request needs to be trained and to understand the law and the exemptions that apply to disclosure. They need to be confident in comparing the data they have collated against any previous, current or prospective proceedings, or any defence against claims. Finally, they need to know how to protect third parties' right to confidentiality.

What is the subject access request bureau?

As part of our Data Protection and Privacy offerings, we provide clients with the Subject Access Request Bureau. Clients securely provide us with all of the personal data held, received or shared in relation to the individual (the data subject).

We do the rest

  • We advise you on how and what to search in order to meet the legal requirements. We then receive and collate the documents, review and read each of them, apply the necessary exemptions and redact the data.
  • We keep the individual (the data subject), whether a current or former employee, contractor, consultant, customer or member, at the heart of what we do, and ensure that you comply with the law and are protected from the risks that may arise from the request.
  • The individual receives only the information they are entitled to under the law. For example, we redact third party data to protect third parties who have a right to confidentiality. We also contact other data controllers, such as the Police, DWP, HMRC, and Health and Education authorities, for permission to share data they have supplied to you and that you hold on file.
  • When carrying out our exemption assessments we review past, current and prospective proceedings, and any other likely claims against your organisation as data controller.
  • At the end of the process, you (the data controller) can be confident that the individual's (the data subject's) rights have been fully respected and that they receive the information they are entitled to. They are provided with a copy of the data either by you (we supply you with the electronic or hard copy bundle) or by us, as we can send the disclosure pack directly to the person who made the request.

We aim to take the stress and anxiety out of the process, leaving you to continue with your own job and delivering services while we do the hard work for you.

What work have you done so far?

We have undertaken a number of SARs on behalf of our clients; some have been very small and others have involved many thousands of documents. We have supported organisations in the housing, health, education, equine and legal sectors in carrying out their disclosure obligations.

Sometimes the person requesting their personal data remains unhappy and complains to the ICO. You cannot stop a person from doing this, even where there are no grounds for it. However, clients can rest assured that the documents provided to the person who made the SAR have been rigorously vetted and are the only documents that person is entitled to.

Why use our subject access request bureau?

  • The information and advice exchanged between us and our client is legally privileged, which means communications between us cannot be disclosed.
  • We are fully qualified to carry out the assessment, which reduces the demand on your organisation's time, manpower and finances, and the risk to the organisation of failing to meet the 40 calendar day timescale.
  • We are also here to support you when we identify information that is inaccurate or out of date, or where comments have been made about the data subject that may upset them. In all of these areas we can guide and support you and help you communicate with the individual.
  • Your organisation will know the cost at the outset and can decide whether the service works for you. We offer tiered and fixed pricing options for our case management service to meet each client's needs.
  • As part of this service we also offer a one-to-one or team SAR training workshop, as a half day or full day. This equips your team to carry out assessments in the long term, with our support in validating the disclosure against the assessment file.


Our Data Action Network

Sharing data protection best practice

The ICO held a listening event in January 2016, at which 100 sector leaders were asked how the General Data Protection Regulation (GDPR) would impact them and what their biggest challenges would be.

The Data Action Network (DAN for short) was initially created to bring housing professionals together in a safe environment to share challenges, ideas and best practice, and to receive support and information from our data protection and privacy team on the Data Protection Act 1998. DAN has since expanded from the housing sector to the SME and sport sectors, and will soon cover the dentistry sector.

The Data Action Network is a forum which brings together professionals with responsibility for data protection, security and information governance within their organisations.  Alongside an online portal, regular networking meetings, webinars and much more, DAN gives members an opportunity to share insight and know-how in relation to data protection, privacy and records management.

Each Data Action Network comprises 12 members.

Being part of DAN is becoming a greater priority for many organisations as the financial risk of non-compliance increases significantly. Under the new General Data Protection Regulation the fines are increasing: up to 4% of an organisation's global annual turnover or €20 million, whichever is the greater, for a serious breach of the Regulation. Getting the basics right now under the Data Protection Act 1998 will stand you in good stead to build upon and future-proof your compliance system in readiness for the EU General Data Protection Regulation, which applies from 25 May 2018.

DAN provides a forum in which we can, as the ICO said at the spring conference, share and discuss experiences. The feedback on our pilot events has been overwhelmingly positive. Members have enjoyed networking, sharing their challenges, obtaining suggestions drawn from our real-life experience of helping clients, and keeping up to date on how the current and new law will impact their specific sector and business.

The goal of the network

Our goal is to create a network of data protection and privacy experts who collaborate and work in partnership to detect and mitigate risks by finding solutions together. We want data protection and privacy to be at the forefront of everyone's agenda and risk map, and to offer data protection and privacy services as affordable 'bolt-on' options, allowing our sector clients to focus on their customers and on growing their business.

The benefits of joining

Our data protection and privacy team are privacy experts. We also have legal advisers to help you find solutions, and litigators who can advise you on how to prevent and mitigate the risk of non-compliance.

  • Access to a secure, web-based portal where data protection good practice, training and workshop activities, blogs and discussions are shared. The site is managed by a preferred supplier that is ISO 27001 certified, and all information held on it is confidential.
  • Free access to a set of data protection policies and procedures that can be incorporated into your organisation's existing policies to help it become more compliant. Our aim is to meet the requirements of the law now and to help you consider what will be needed to meet the new EU General Data Protection Regulation.
  • Free access to briefing and guidance notes on emerging issues, with best practice notes on how to prevent and mitigate breaches of the law and regulation.
  • Attendance at four full-day data protection workshops per year, on topics selected to address immediate concerns as well as strategic planning for future-proofing organisations. These workshops provide a great opportunity to meet people in a similar situation at other sector organisations, and to meet and engage with guest speakers and the regulators.
  • Membership of the first 'shared service' hub for data management, protection and security.
  • Access at reduced cost to the first 'shared service' training academy, covering a whole range of topics: data protection, records management, security, outsourcing, employment and contract management, and avoiding litigation, amongst others.
  • Participation in the value-for-money workshops and the Data Action Network, jointly securing cost savings on e-learning, case management support and advice. We will also help you meet your obligations under section 7 of the Data Protection Act 1998 (the right of access) by upholding individuals' rights when disclosing legally assessed subject access request documents.
  • During the year we will extend our DAN and Policy Exchange Network (for the housing sector), and develop the first Compliance Action Network (CAN) in the Midlands and West for strategic leaders across our sector client base. We will bring regulators across the board to the table to discuss key issues, experience and good practice, and to learn where compliance and governance controls can be improved.
  • We will advise you on how to collect, use, retain, share and secure your data safely. This is extremely important for all sector organisations, especially those handling personal and sensitive data. We will guide you on helping your teams understand their roles, for example when outsourcing data to a data processor (such as a payroll, document scanning or shredding company) and/or sharing it with another data controller under an Information Sharing Protocol. We will work with SMEs on how to approach data protection as a data processor delivering services, as a data controller in their own right, and everything in between.

The ICO has been asked for its views on establishing DAN. It has confirmed that it welcomes initiatives aimed at fostering the sharing of information and pooling expertise on information rights issues. DAN is a welcome development in the housing and care sector. The ICO has confirmed that it wants to engage with the work of DAN, attending some of its meetings and workshops as appropriate.

Information Commissioner’s Office April 2016

Data protection training

What is the Training Academy?

It is usually human error that leads to personal and sensitive data being released when it should not be, and that runs the risk of the Information Commissioner's Office (the ICO) becoming involved, with its ability to issue a fine of up to £500,000. We have therefore set up the Training Academy to train your staff in data protection, to reduce the risk of breaches of the Data Protection Act 1998 and of financial penalties.

The types of training we offer

We know that different people within your organisation need different levels of training, so we have tailored our training with this in mind. The workshops are tailored to each organisation's framework and can be delivered to specific departments (e.g. marketing) or across departments. We offer the following sessions:

  • Human Resources Data Protection Training – a day's training for your HR team, who handle your staff's personal and sensitive data.
  • Have a Conversation – a bite-size, highly interactive session tailored to each organisation's needs, designed to raise staff awareness of data protection.
  • Back to Basics – training for staff who collect and use data as part of their job and in delivering services. It is also useful for those who make decisions on how data should be used.
  • Full Day Managers Training – a wide-ranging session for managers, including how to lead and implement data protection systems and develop staff.
  • Subject Access Requests – requests can take many different forms; this session helps your staff spot them and deal with them correctly.
  • 5 Day Data Protection Officer Training – takes you through the whole field of data protection in a practitioner's style. The course gives you the tools to carry out the role of Data Protection Officer and ensure ongoing compliance.

The benefits of the Training Academy

  • High-quality training;
  • Staff understand how to protect people’s data;
  • Better security for clients' data;
  • Reduced risk of breaching the Data Protection Act 1998;
  • Reduced risk of sanctions and financial penalties from the ICO; and
  • Competitive quotes.

Our aim for our clients

We want to create bespoke, tailored governance controls that are practically applied and remain sustainable against all the data protection and privacy challenges organisations face. Data protection is a vast area, so our training helps you manage it effectively in a practical and proportionate manner.

We put people first, and maintain this through all of our services: the interactive helpline, audit visits, one-to-one case management reviews and the Training Academy. This gives staff at every level the tools they need, both in the workplace and in their personal lives, and brings about good privacy and data protection management.