The European Union’s General Data Protection Regulation 2016 (‘GDPR’) came into force on 25th May 2018, replacing the existing data protection provisions in the UK’s Data Protection Act 1998 (‘DPA 1998’).
The Data Protection Act 2018 (‘DPA 2018’) gained Royal Assent on 23rd May 2018. It both enables GDPR as the UK leaves the European Union and also adjusts certain elements of GDPR as it applies in the UK.
Everybody working for GLP Solicitors (‘the firm’) is bound by data protection laws. These laws exist to set rules on how personal data should be handled and to provide rights to individuals when their data is used. There are significant consequences for breaching data protection laws, so it is very important that everyone appreciates this and ensures they are adhered to.
The firm’s Data Protection Policy aims to inform everybody to whom this policy applies: how the firm expects personal data to be handled; what rights the individuals whose personal data the firm holds enjoy; and what to do if and when there is a personal data breach. It should be read in conjunction with the firm’s Information Management & Security Policy.
This policy applies to everybody working for the firm including partners, managers, employees, consultants and locums (‘staff’) and any third party that this policy has been communicated to.
The Managing Partner at each GLP Solicitors practice (listed below) is ultimately responsible for ensuring that the firm complies with this policy and that the policy remains effective for protecting personal data.
Every person to whom this policy applies (‘staff’) is responsible for ensuring that they comply with the policy. Failure to do so will be a serious disciplinary offence, to be dealt with in accordance with each Practice’s Disciplinary Procedure.
5) Data Protection Compliance Manager (DPCM)
GLP Solicitors have appointed Keith Mellalieu as GLP Solicitors’ Data Protection Compliance Manager (DPCM). The DPCM is the firm’s immediate internal and external point of contact for all data protection related issues and queries.
The DPCM’s responsibilities include:
a) To inform and advise the firm and its staff of their data protection obligations under GDPR along with any other UK data protection laws;
b) To monitor compliance with data protection laws and the firm’s policies, including assignment of responsibilities, staff training and related audits;
c) To provide advice on and monitor performance in relation to Data Protection Impact Assessments;
d) To cooperate with the Information Commissioner’s Office (ICO);
e) To act as a point of contact for the ICO on all data protection issues.
6) The current law
Our data protection obligations are governed by the following legislation:
a) The General Data Protection Regulation 2016 (‘GDPR’); and
b) The Data Protection Act 2018 (‘DPA 2018’)
GDPR is an EU Regulation applicable to all EU member states and any organisation or person processing personal data belonging to EU citizens. DPA 2018 makes provision for how GDPR will apply in the UK (where discretion has been allowed by the EU) and addresses any processing that does not fall within EU law. In substance, this legislation replaces the DPA 1998.
7) The data protection regulator
a) Data protection law in the UK is regulated by the Information Commissioner’s Office (‘ICO’);
b) The firm is accountable to the ICO in relation to all of its personal data processing activities;
c) The firm is required to keep a record of its processing activities in relation to personal data which must be made available to the ICO on request. The DPCM is responsible for maintaining this Record of Processing Activities and reviewing and updating it on a regular basis;
d) The firm is required to pay an annual data protection fee to the ICO to fund its work (paid in each case by direct debit);
e) Staff can find out more about the ICO’s work by visiting its website at https://ico.org.uk.
8) Key terms
The GDPR uses a number of terms with which staff need to familiarise themselves.
The relevant terms and definitions are:
a) Personal data means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. Typical examples of an identifier include: client reference, ID number, name, postcode, or other location data etc.
b) Data subject means a natural person to whom the personal data belongs.
c) Data controller means a person or entity, who alone or jointly with others, determines the purposes and means for processing personal data.
d) Data process/processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, restriction, erasure or destruction.
e) Data Processor means a person or entity which processes personal data on behalf of the controller.
f) Special categories of personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, and the alleged commission of offences or proceedings for an offence committed or alleged to have been committed or the disposal of such proceedings, including sentencing.
Note: this type of data was previously called sensitive personal data under DPA 1998. DPA 2018 has added a criminal convictions and offences element to this list, causing the ICO to amend its guidelines, which are awaited.
9) Data Protection Principles
GDPR is underpinned by a number of data protection principles. These principles are the starting point for ensuring data protection compliance whenever you process personal data. The data protection principles are as follows:
Personal data shall be:
a) Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);
b) Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (purpose limitation);
c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
d) Accurate and where necessary kept up-to-date (accuracy);
e) Kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the personal data are processed (storage limitation);
f) Processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (integrity and confidentiality).
The firm is responsible for, and must be able to demonstrate compliance with, Principles (a) to (f) (accountability).
Everybody to whom this policy applies must familiarise themselves with the data protection principles and have regard to them whenever they are processing personal data.
10) Lawful basis for processing personal data
The firm and therefore its staff must have a lawful basis for processing any personal data, which must meet one of the conditions laid down in the GDPR.
The conditions are that the processing is:
a) Based on consent from the data subject;
b) Necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
c) Necessary for compliance with a legal obligation to which the controller is subject;
d) Necessary to protect the vital interests of the data subject or of another natural person;
e) Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) Necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
There are additional conditions that the firm and therefore its staff must satisfy if processing special categories of personal data.
The main conditions that will apply to the firm are:
a) Explicit consent from the data subject;
b) Necessary for carrying out and exercising specific rights of the controller or the data subject in the field of employment and social security and social protection law in so far as it is authorised by UK law;
c) Necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
d) Processing relates to personal data which are manifestly made public by the data subject;
e) Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
f) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or UK law.
The firm expects all processing of personal data to satisfy at least one of the conditions for lawful processing. If none of the conditions listed above can be satisfied, the processing will be unlawful and the firm will be at risk of sanctions from the ICO.
When using the ‘UK Anti-Money Laundering Search’ option in the CROinfo report facility, available on the dashboard, enquirers may only use the credit data alternative with the specific, informed and unambiguous consent of the client or other party.
If you have any doubts as to whether there is a lawful basis for processing personal data, you must refer your concerns to Keith Mellalieu, the DPCM immediately (T: 0161 828 0600 / E: firstname.lastname@example.org).
11) Fair processing information
The principle of "fair and transparent" processing means that the firm must provide information to individuals about its processing of their data, unless the individual already has this information. The information to be provided is specified in the GDPR and is covered by the items listed below. The firm may also have to provide additional information if, in the specific circumstances and context, this is necessary for the processing to be fair and transparent.
The information must be provided in a concise, transparent, intelligible and easily accessible way, using clear and plain language (in particular where the data subject is a child). The firm will do this in a variety of ways, including via:
a) Client care documents;
b) Privacy notices on our website;
c) Internal policies and procedures (for processing of personal data about our staff).
Staff must recognise that individuals have the right to know why the firm is collecting their personal data and what the firm is using it for. If clients or any other individual third party asks for fair processing information, you should provide the information to them or direct them to where they can find this information. Please refer the request to Keith Mellalieu, the DPCM, immediately if you do not feel confident in providing this information yourself.
12) Sharing or disclosing personal data
Staff must not share personal data with any third party (i.e. anybody outside of the specific GLP Solicitors firm by which they are directly employed), unless there is a legal basis for doing so (see the section on Lawful basis for processing personal data above).
If you receive any requests for disclosure of personal data from a third party, and you are not sure whether you should disclose the information requested, please seek advice from Keith Mellalieu, the DPCM immediately.
13) Data subjects’ rights (Subject Access Request)
GDPR gives data subjects (i.e. the person that the data belongs to), a number of rights concerning how their personal data is processed. While the majority of these rights are not absolute (they are not rights that will be automatically granted), it is important that all staff are able to recognise a request to exercise a data subject right (Subject Access Request).
Staff are expected to be able to do two things:
a) Recognise when a Subject Access Request (a request to exercise a data subject right) is being made, verbally or in writing;
b) Refer the request immediately to Keith Mellalieu, the DPCM, or to another suitable manager in his absence.
Staff should not, without prior authority from Keith Mellalieu, the DPCM, action any request received. This is because the request has to be recorded and assessed as to how the firm will respond, if at all, should it not meet the requirements of GDPR or current case law.
The data subjects’ rights are as follows:
a) Right to access personal data - the data subject can request details from us of the personal data that we hold about them. They may ask for a copy of their personal data as part of this type of request;
b) Right to object to processing - the data subject might tell us that they want us to stop processing their personal data;
c) Right to object to automated individual decision making including profiling - e.g. a decision made by a computer without a human element, such as when applying for a bank loan;
d) Right to rectification - the data subject may ask us to correct personal data that we hold because they believe it to be inaccurate;
e) Right to erasure (‘to be forgotten’) - the data subject may ask us to delete the personal data that we hold about them;
f) Right to restrict processing - the data subject may tell us that they only want us to use the personal data for a specific reason.
We only have a maximum of one month to comply with any of these requests. Therefore, it is very important that you refer any requests you receive to Keith Mellalieu, the DPCM immediately. The firm may receive sanctions from the ICO if it fails to comply with this time limit.
14) Personal data breaches
What is a breach?
a) A personal data breach is defined as: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
b) The firm has implemented organisational and technical measures to protect the personal data that the firm holds (see our Information Management & Security Policy for details). Staff must ensure that they are familiar with, and adhere to, this policy to help the firm avoid committing personal data breaches.
c) The firm recognises that occasionally, things will go wrong. When they do, the firm needs to know about them as quickly as possible so that steps can be taken to mitigate any damage. All staff, at whatever level, are therefore required to report all actual or suspected personal data breaches to Keith Mellalieu, the DPCM (or, in his absence, the Managing Partner or a Partner) as soon as the incident has materialised.
d) PLEASE NOTE: The firm is required to notify all personal data breaches to the ICO without undue delay, within 72 hours, UNLESS the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subject(s) concerned. It is, therefore, essential that staff report any breach(es) immediately.
i. Staff can report data breaches by any means, but you are encouraged to use the method of communication that will get the information to Keith Mellalieu, the DPCM the quickest i.e. face-to-face or via the telephone, if available - do not email at this stage.
ii. Staff should then follow up their report in writing, by completing the Data Breach Report Form, to ensure that Keith Mellalieu, the DPCM, has all the information that is needed to investigate the breach and take steps to mitigate the risks posed by the breach.
We have prepared a Personal Data Breach Management Plan which details how the firm will handle a breach report.
15) Financial implications and sanctions
The consequences of failing to comply with the GDPR are significant. This legislation gives the ICO the power to impose administrative fines in the sum of:
a) up to €20,000,000 (twenty million euros); or
b) in the case of an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.
This firm seeks to avoid any form of penalty at whatever level and the full cooperation of all staff is needed to achieve this.
16) Data Protection Impact Assessments (DPIAs)
The firm is required to complete a DPIA whenever the firm introduces new technologies or new methods of processing personal data likely to result in a high risk to data subject rights, e.g. CCTV or other forms of surveillance.
This will help us to identify the most effective way to comply with data protection obligations.
A DPIA will cover:
a) Description of processing and purpose for processing;
b) Assessment of necessity and proportionality of processing in relation to the purpose for processing;
c) Assessment of the risks to the rights of individuals;
d) Measures in place to address these risks.
If you are asked to assist with a DPIA, you must give it your full attention as its completion is a mandatory requirement under the GDPR and will be essential to ensuring data protection compliance with any new processing project or method that the firm and therefore the staff undertakes.
a) Everybody to whom this policy applies must complete the firm’s mandatory data protection awareness and other training course and any refresher courses, released from time to time.
b) Completion of data protection training will be recorded on individual’s training records.
c) The firm’s data protection course also forms part of the firm’s induction programme.
d) If anybody has any queries or concerns about data protection at any time, they must contact Keith Mellalieu, the DPCM for guidance.
18) Review of this policy
This policy was introduced in May 2018 and will be reviewed at least annually by Keith Mellalieu, the DPCM.
Revised (Vers 1.1) August 2018; GDPR edition Introduced May 2018