Data Protection and UK GDPR

Data and information rights are crucial to individuals and organisations in an interconnected world. Innovations in digital and communications technology have revolutionised the way in which data and information are created, stored, processed and shared, and in recent years the privacy rights of individuals have taken centre stage.

How we can help you

From our offices in Edinburgh and Glasgow, we help private and public sector organisations across the UK and elsewhere to navigate the world of data protection and compliance.

The General Data Protection Regulation (GDPR) is retained in UK domestic law now that the Brexit transition period has ended, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the Data Protection Act 2018.

To summarise a very wide-ranging piece of legislation in one sentence: data protection under the UK GDPR provides individuals with more control over their personal data and requires organisations to process personal data responsibly and transparently.

All organisations established or operating within the UK are affected by the UK GDPR, irrespective of the industry or business sector in which such organisations operate. The UK GDPR applies to all personal data collected, held or processed by an organisation, whether this relates to employees, customers, suppliers or contacts, so these regulations are not restricted to data-intensive businesses.

The UK GDPR also applies to controllers and processors based outside the UK if their processing activities relate to offering goods or services to individuals in the UK or monitoring the behaviour of individuals taking place in the UK.

As an ongoing process, organisations should regularly consider what personal data they hold, what they do with it, why they process it and whether it is, strictly speaking, necessary to hold and process the personal data.

There are a number of steps to becoming compliant with UK data protection legislation, and the first step is to become aware of the personal data within an organisation. The subsequent steps are determined by the types of personal data and the purposes for which the personal data is processed - for example, are there special categories of personal data including health and medical information or is the personal data used for scientific research?

We offer comprehensive advice and support on data protection matters, including:

  • Advising on data audits and other aspects of data protection compliance
  • Advising on the rights of individuals in respect of their personal information
  • Reviewing or drafting your data protection policy, data privacy notice, consent forms, procedures and data protection documents generally
  • Reviewing and/or negotiating data processing contracts, and
  • Reviewing and/or negotiating data protection aspects of other commercial contracts and transactions

We also advise organisations who receive requests for personal data ('subject access requests').