We provide Privacy Counsel and consultancy support for clients handling day-to-day data protection compliance matters, including those within an employment law context. We advise on every type of complex data law matter with deep expertise in Data Protection, Adtech and AI. Our experts have wide-ranging experience in-house with major multi-nationals and as Regulators. Our new cost-effective Subscription Helpline service allows you all the benefit of an expert Counsel without the overhead.

Subscribe to our Advice Line to access advice for your teams when you need it, at any time, for a fixed cost. Up to 4 hours' support every month at a fraction of the cost of full-time support or Magic Circle Firms. Our Helpline subscription Service is a cost-effective way to access multi-disciplinary expert advice on Data Law from any of our team, when you need it. We can advise on every type of matter with deep expertise in Data Protection, Adtech, and AI. Whether you are seeking assistance with compliance issues, innovative advertising technologies, or the ethical implications of artificial intelligence, we are here to help.
Whether you need a Gap analysis, Data Privacy Impact Assessment or just advice and guidance, our data protection and privacy experts can help.
Privacy Partnership perform Health-checks, gap analysis and in-depth Audits to help you to establish whether your organisation is following good data protection practices and meeting the requirements of the international data privacy and related data focused legislation.
We conduct detailed audits to support you with data mapping and evaluating your current data protection compliance and governance structures against your legal obligations. We will assess your existing compliance frameworks, identify gaps and risks and provide targeted, risk-based recommendations to help you achieve compliance with comprehensive roadmaps.
We take a pragmatic approach to balance urgent priorities with longer-term plans. We offer a wide range of health checks, gap analysis exercises and in-depth privacy audits to assess whether your organisation meets the requirements of laws such as the UK GDPR, GDPR, EU Artificial Intelligence (EU AI) Act, the Privacy and Electronic Communications Regulations (PECR) and relevant regulatory guidance.
If you are a new business, starting to deliver new services or launching a new product, we can help determine your status under data protection laws and guide you on your specific legal obligations - which vary depending on whether you are a controller, processor, sub-processor or a combination of roles.
We can design and help you stress-test data breach incident response frameworks to support your organisation in the event of a data breach. We can guide you on investigations, notification processes and external communications to contain risk and help preserve trust in challenging scenarios.
We can help you meet 72-hour breach-notification requirements where applicable and document remedial steps to mitigate risk.
We help with:
• Designing and stress-testing incident response plans to ensure your teams know how to identify, escalate and manage data breaches
• Supporting you with breach response processes and urgent incident management
• Advising on communications with affected individuals and legal notification requirements, including assessing your circumstances against reporting thresholds
• Preparing notification templates, internal incident logs and supporting documentation
• Conducting post-breach reviews and assessments
• Reviewing and improving breach-related policies, processes and governance
• Training teams on breach identification, internal reporting duties and practical incident-response steps
• Reviewing and negotiating third-party vendor breach obligations in contracts
• Reviewing technical and organisational measures linked to breach prevention and working with your security teams to guide on improvements
• Coordinating multi-vendor breach simulations across complex supply chains and carrying out cyberattack readiness reviews including ransomware scenarios
We can help you complete thorough DPIAs and LIAs to assess privacy risks, document mitigation measures and demonstrate your compliance. Our experienced team has supported hundreds of DPIAs and understands the nuances of complex data uses - including AI and emerging technologies.
Including:
• Full DPIA support from initial consultation to ensuring each stage of the assessment is completed correctly
• Supporting DPIAs for a range of scenarios such as assessing new systems, vendor systems, cloud systems, AI, biometric, tracking and surveillance tools - helping you assess risks in complex or emerging technologies
• Creating tailored DPIA templates aligned to your business process risks to afford your teams practical tools they can use consistently
• Supporting consultation with regulators where required - including preparing supporting documentation
• Conducting LIAs with structured balancing tests and documentation to help you demonstrate accountability. Advising you on the new Recognised Legitimate Interests ground under the DUA Act
• Reviewing third-party DPIAs and providing feedback and advice on risks
• Updating your existing DPIAs when processing changes or legal rules change
We also offer DPIA support for AI systems potentially falling within high-risk categories - including for model training, profiling, algorithmic decisions and biometrics and data concerning children
The UK GDPR and EU GDPR have strict record keeping requirements. It's essential to maintain an accurate Record of Processing Activities, detailing the purposes, data sharing methods, and retention periods of the processing, as mandated by Article 30 of the GDPR and UK GDPR.
We're here to simplify this for you. Let us assist you in mapping your current data processing and data flows, ensuring all records align with GDPR requirements.
We can also help with the configuration of record keeping tools such as OneTrust.
We offer confidential and urgent support for challenging scenarios including regulatory investigations and contentious data subject complaints. This includes expert review and management of data protection complaints, navigating complex data subject access requests and responding to Freedom of Information requests.
We will work with you to tackle these common business pain points and help you address your obligations lawfully.
This includes:
• Responding to regulatory investigations, enforcement action and compliance audits
• Advising on complex data subject access requests concerning matters such as third-party rights or privileged information including end to end review and redaction
• Handling contentious erasure, objection or restriction requests from data subjects
• Advising on risk mitigation and strategic response during disputes involving personal data
• Supporting internal investigations into suspected data breaches, data misuse or non-compliance
• Providing ongoing guidance and support after enforcement or complaints
Every contract which involves the processing, sharing or access to personal data requires data protection clauses. We can create contract templates tailored to your business or draft standard Terms.
We can draft robust and tailored contracts concerning data processing or sharing to ensure they are legally accurate and commercially driven to help protect your business from risk. We can help your organisation prepare tailored templates, negotiate data protection clauses with suppliers and partners and review their policies and contractual terms for compliance. Our work also includes conducting thorough processor due diligence reviews to ensure third-party data risks are managed and your potential contractual liability is mitigated.
We are expert in:
· Drafting and negotiating compliant controller-to-processor agreements for Article 28 UK GDPR in relation to diverse suppliers (such as SaaS providers, AI vendors and data hosting centres)
· Reviewing and drafting controller-to-controller data sharing agreements
· Drafting supplier compliance questionnaires and onboarding risk assessments
· Drafting processor engagement playbooks for your internal teams for procurement risk management
· Advising on risk allocation in joint controller relationships and how to mitigate risks
· Conducting robust processor and sub-processor due diligence reviews
· Reviewing vendor documentation for privacy and security compliance and raising enquiries on your behalf to address risks
· Advising on international data transfer rules for overseas data flows in respect of overseas vendors and reviewing their data transfer mechanisms
· Supporting your internal teams with bespoke guidance on negotiation of data protection clauses in contracts
· Drafting cybersecurity supply-chain security schedules to protect your business from risk
Direct marketing and the use of cookies are increasingly common business practice but come with various risks. We will review and help you align your consent frameworks, cookie banners, tracking mechanisms and campaign governance with PECR rules and the UK GDPR to the extent that your campaigns involve personal data.
We can help develop granular consent models, review dark-pattern risks and strengthen your cookie governance to balance compliance with user experience and business needs - including offering commercially driven advice on how you can leverage flexible legal exceptions such as the soft opt-in where applicable. We will also help you plan ahead for cookie law changes under the DUA Act - including higher penalties.
We can help with:
• Conducting cookie audits across your websites, apps and platforms
• Reviewing consent mechanisms, cookie banners and consent-management platforms to ensure compliant user journeys
• Assessing direct-marketing campaigns across all channels for PECR and UK GDPR compliance
• Advising on lawful use of the soft opt-in exemption and supporting its implementation in marketing workflows
• Guiding you on consent-refresh, re-permissioning and re-engagement strategies where necessary
• Reviewing and advising on third-party integrations such as pixels, SDKs and cross-site tracking technologies for compliance risks
• Advising on the acquisition and use of marketing databases, including due-diligence and data-broker risk assessments
• Reviewing digital-marketing platforms, analytics tools and audience-targeting features for compliance
• Assessing dark-pattern risks and guiding you on relevant issues
• Advising on AdTech, behavioural targeting and custom audiences compliance risks
• Reviewing cookie-policy and privacy-notice wording for compliance
• Conducting audits on marketing systems, consent logs, suppression lists and permission-management processes
• Assessing mobile-app tracking, device-permission flows and in-app privacy notices
• Supporting UX and design teams in developing compliant consent and preference-management journeys
• Delivering training for marketing, product, design and CRM teams on PECR, cookies, AdTech and digital-privacy rules
• Reviewing influencer, affiliate and partnership arrangements for data-sharing compliance
• Providing regulatory updates and horizon-scanning on developments in UK and EU privacy and direct marketing changes
• Advising on DUA Act enforcement risks and changes such as cookie consent exemptions and increased penalties
Global data transfers are increasingly prevalent and high risk. Where your organisation transfers personal data outside of the UK, strict international data transfer law rules come into play. We can help you assess and document international transfers of personal data and implement appropriate safeguards where necessary to lawfully engage in data transfers.
We can help with:
· Mapping your global data flows and identifying where personal data moves internationally to guide you on associated risks and rules arising
· Completing the UK IDTA, the key regulatory approved UK data transfer mechanism
· Completing the EU SCCs for EU based transfers
· Completing the UK Addendum to the EU SCCs, to facilitate compliance for businesses transferring data from both the UK and EU
· Preparing UK Transfer Risk Assessments and/or Transfer Impact Assessments to assess third-country laws and risks
· Advising on adequacy decisions and permitted derogations and determining whether your transfers can rely on legal exemptions
· Advising you on reliance on the UK-US Data Bridge where applicable as a lawful transfer mechanism
· Drafting internal global transfer guidance to help your teams manage overseas data transfers
· Preparing Binding Corporate Rules (BCRs) which are internal, regulator-approved rules allowing global groups to transfer personal data within their organisation
· Working with overseas counsel to assess third-country laws and practices affecting data protection
· Drafting cross-border transfer clauses in contracts to embed compliant international transfer terms into your agreements
· Supporting intra-group transfer frameworks by preparing intercompany agreements covering group data sharing
· Periodically reviewing your data transfer mechanisms to ensure your safeguards are compliant over time and guiding you on legal developments impacting your data flows
Hiring staff can give rise to a range of issues - including the need to comply with fair processing requirements and complex considerations around matters such as the collection of special category data, automated decision making, staff monitoring and the use of AI tools in workplace settings. We can guide you on how to achieve compliance across all areas of HR and employment to help you comply with rules and prevent employee mistrust and complaints.
We help by:
• Preparing bespoke employee, contractor and candidate privacy notices tailored to your recruitment and HR processes
• Advising on data collection during recruitment, screening and onboarding
• Updating employment and consultancy agreements to include appropriate data protection provisions
• Advising on automated decision-making, algorithmic scoring and the use of AI tools in recruitment and HR decision-making
• Reviewing employee monitoring practices such as email monitoring, productivity tools, CCTV and location tracking for compliance with UK GDPR and employment laws
• Guiding you on implementing HR-specific data retention schedules, deletion processes and records-management frameworks in line with applicable laws
• Handling sensitive or contentious employee data-subject access requests
• Advising on the processing of special category data such as health data
• Reviewing HR related third-party providers including payroll, benefits, pensions and background-check platforms
• Providing HR focused data protection training for managers, HR teams and senior leadership
• Assessing lawful bases for HR data processing and specific considerations
• Advising on cross-border HR data transfers of staff data
• Carrying out DPIAs for complex matters such as new HR systems, biometric tools and AI tools
• Advising on employee screening, pre-employment vetting and criminal-records processing
• Guiding HR teams on privacy issues arising from hybrid or remote working arrangements and how to protect personal information
• Advising on data minimisation and access-control measures for personnel files and HR systems
• Reviewing staff surveys, engagement tools and wellbeing platforms for privacy compliance
• Assessing your standards against ICO employment specific rules and best practice guidance
We can draft, review and help you implement legally sound documentation to support your accountability obligations. Importantly, we will work with you to ensure your policies and documents are correctly tailored to reflect how your business operates in practice for risk prevention.
We can create:
· Data mapping registers to help you map your data flows
· Tailored and compliant external privacy policies for your platforms, websites and mobile applications
· Internal staff facing privacy notices for employees and contractors
· Records of Processing Activities (ROPAs) with ongoing updates to reflect any changing processing activities
· Subject access and rights-handling policies to help you manage data subject rights effectively
· AI governance policies to help you navigate and reduce risk when using AI tools
· Data retention and deletion policies to help you manage data retention and deletion processes
· Bring-Your-Own-Device and remote working policies to better secure data where staff work from home
· Data security and IT policies to help safeguard data and reduce the threat of data breaches
· Data protection impact assessment (DPIA) templates, guidance and supporting procedures
· Legitimate interests assessment (LIA) templates and guidance for lawfully applying legitimate interests as a lawful basis for processing
· Data sharing agreements and controller to processor agreements drafted for legal compliance when sharing personal data with third parties
· Comprehensive internal data protection handbooks consolidating all governance documents in one place for simple access by your staff
· Consent-management procedures including opt-in forms where your business relies on consent as a lawful basis for processing
· Special category data documentation, including explicit consent opt-in forms and records
· Vendor due diligence and onboarding documentation, such as privacy questionnaires and risk scoring matrices
· Internal guidance documentation on the data protection principles to apply across your organisation
· International data transfer documentation required to lawfully transfer personal information outside of the UK, including helping you complete the UK IDTA, EU SCCs and preparing Transfer Risk Assessment and Transfer Impact Assessment templates
· Incident response and data breach management policies
· Policies for managing children’s data and compliance with the Age-Appropriate Design Code
· CCTV privacy notices to alert individuals of CCTV use
· Privacy-by-design documentation - including internal checklists and approval workflows for new projects or tools
· Internal AI use policies covering risks around the use of generative AI and other automated tools
· Guidance documentation on privacy-enhancing technologies
· Online Safety Act related safety governance documentation, including content-moderation procedures and reporting workflows
· Cybersecurity governance policies aligned with industry standards
Privacy Partnership Law Ltd is regulated by The Solicitors Regulation Authority with registration number 829686.
Privacy Partnership Law Ltd. is a registered company based in England and Wales with registration number 13211514 and a registered office at 7 Eland Rd, London SW11 5JX. VAT number 401788010. It forms part of the Privacy Partnership Group of Companies.
Copyright © 2025 Privacy Partnership Law Ltd - All Rights Reserved. No part of this website may be copied or reproduced without permission.