£650 plus VAT
£400 plus VAT
£400 plus VAT
GDPR Third Party Questionnaire: £500 plus VAT
GDPR Candidate Privacy Notice: £400 plus VAT
Data Protection Policy: £400 plus VAT
£400 plus VAT
Website Acceptable Use Policy: £400 plus VAT
What is included in the price:
- Initial telephone conversation
- Email and telephone correspondence throughout the service
- Expert review of existing policies and procedures
- New GDPR compliant policies
What is excluded from the price:
- Legal advice outside of the service requested
How long will it take?
We aim to have the relevant service completed within 48-72 hours of formal instruction. We will endeavour to meet any deadlines you have, and we ask that you inform us of any relevant timescales at the outset of our instruction so that we can endeavour to meet them.
What changes does GDPR bring about and why should I be concerned?
The introduction of GDPR will change the dynamic of the data protection landscape, with the most important changes being:-
- Enhanced right of erasure: Data subjects will be able to request that their personal data is deleted where it is no longer necessary, where the employer has no other ground for processing, or where the data subject objects to processing and there are no compelling grounds that override their interest. However, in certain circumstances data subjects can be denied this right. In short, data controllers can deny requests if the processing is carried out in exercise of the right of freedom of expression and information, to comply with a legal obligation, or for the performance of a public interest task. At present, a data subject's right 'to be forgotten' can only be exercised where the personal data in question is causing unwarranted and substantial damage or distress. Under the GDPR, this threshold is not present. Data subjects also have a right of rectification.
- Increased notice obligations: Data processors (e.g. employers) will need to review and update their privacy notices so as to ensure that they meet the GDPR's expanded definition of personal data, set out the personal data they hold relating to data subjects, and explain how data subjects can expect their personal data to be used and for what purposes. Furthermore, the notice should explain to the data subject the lawful basis for collecting personal data and the period of time the organisation intends to hold the data, and provide details of the data subject's right to complain to the Information Commissioner's Office (ICO) if they believe their data is being processed illegitimately.
- Consent: GDPR revises the general consent definition to require a "freely given, specific, informed and unambiguous" indication of the data subject's wishes. Consent must be documented, and therefore records must be kept so as to demonstrate when and how a data subject provided their consent. Data subjects will also be given continuous choice and control over how their data is used. Consent can no longer be assumed or obtained via pre-ticked boxes. Importantly, data subjects must be able to withdraw their consent as straightforwardly and conveniently as it was to give it, at any time. For that reason, organisations will need to review the way in which they have acquired consent. If existing consent has been established illegitimately and falls short of the GDPR standard, then organisations will need to refresh consent: for example, by sending an email to active data subjects explaining that, if they still wish to receive emails from the organisation, they will need to give their consent again, with the email setting out specifically the purposes for which personal data will be used. Organisations would wish to avoid the tactics employed by both Honda and Flybe, who used historical data to distribute service messages to active and inactive users asking them to opt in. They were fined £83k in total by the ICO and serve as a useful reminder that organisations can still fall foul of data protection law even where, as here, an attempt to act in accordance with data protection law ultimately resulted in them breaking it.
- Subject Access Requests: The current fee of £10 will no longer be chargeable, and the current 40 day turnaround time is removed and replaced with an obligation to comply "without undue delay" and at the latest within one month of the request.
- Data Breaches: Organisations must ensure they have the right procedure in place in regard to any data breach, whether potential or substantial, and know the steps to take in order to remain compliant with GDPR. Under GDPR, data breaches must be reported to the ICO within 72 hours of the breach. At present there is no express obligation to report breaches.
- Giving more control to individuals: Organisations need to ensure all procedures are in agreement with those rights. For example, data subjects will have the right to obtain confirmation from the controller (organisation) as to whether or not personal data concerning them is being processed and for what purpose.
- Increased non-compliance risk: All organisations who process personal data must comply with the GDPR before its introduction in May. Organisations who fail to make the requisite transition could face fines from regulators of up to €20m (£17.7m) or 4% of their global turnover for the most negligent of offenders. The current limit under the Data Protection Act 1998 is £500k. This increased risk can most clearly be seen by reference to a recent case involving TalkTalk. In 2016, TalkTalk received a record £400k fine for security failings which led to the theft of the personal data of almost 157,000 customers. Under the GDPR this fine would have been an astonishing £72m, an 18,000% increase. Such stark figures serve as just one example of the need for businesses to get GDPR compliant sooner rather than later. A further point worth considering is the fact that the ICO is not government funded. As such, some commentators have suggested that it has a greater incentive to impose the higher fines where applicable, and ICO fines can be expected to become more regular from May 2018 onwards.
How do I comply with GDPR?
First and foremost, organisations need to identify the personal data they're holding, where it came from and who they're sharing it with. Organisations are required to maintain records of all processing activities, and therefore it may be necessary to conduct an information audit. Furthermore, they will need to produce a data register to establish the names and contact details of every data controller and data subject.
Equally important, organisations must identify their lawful basis for processing the data. This should be done before the processing begins and must be documented. There are six lawful bases for processing data which include: consent, contract, legal obligation, vital interests, public task and legitimate interests.
How can Attwells help?
Our GDPR expert Lloyd Clarke is experienced in advising businesses on data protection issues and has drafted many articles and delivered talks on both data protection generally and the implications of GDPR compliance. By May 2018 your organisation must be GDPR compliant, and we can work with you to deliver the following:-
- A compliance plan covering key steps, milestones, project plans, personnel and budgets.
- A data audit of all the personal data your organisation currently holds so as to establish:-
  - What data you have and what should be deleted
  - Where you store it
  - Why you have it
  - How it is processed
  - Who has access to it
  - Ways to identify and report any breach
- New GDPR compliant policies covering data breaches, privacy notices, response procedures for subject access requests, privacy standards and data protection.
- Other necessary GDPR documentation including data protection impact assessments, records of processing activities, job descriptions for Data Protection Officers, GDPR accountability questionnaires for senior management and GDPR checklists for employers.
- Assisting with responding to and managing subject access requests, requests for rectification of personal data held and the identification and reporting of data breaches to the ICO and responding to any enforcement action taken thereafter.
- Reviewing and updating your consent mechanisms and the language used for the purposes of obtaining consent from both data subjects and your employees, for instance by amending standard data processing consents given in existing contracts of employment.
- Delivering in-house training to all your staff so as to ensure that they are fully abreast of their obligations in ensuring your organisation meets the necessary GDPR requirements.
How much will I pay?
Attwells Solicitors will ask you for money on account in advance of work on each service beginning.
How to instruct Attwells Solicitors?
Instructing us is simple. You can either click on the instruct button below to register your interest or you can call your local office. We have offices in Ipswich, Colchester and London. When instructing us please inform us of the office you would like to use.