GDPR & Data Handling

Advising on whether the client acts as a data controller, joint controller or processor, and the legal responsibilities attaching to each role.

Assisting with identifying personal data processed by the organisation and preparing or reviewing records of processing activities in accordance with Article 30 UK GDPR.

Advising on the appropriate lawful basis for each processing activity and documenting decision-making to demonstrate compliance.

Drafting, reviewing and updating privacy notices to ensure they meet transparency requirements and accurately reflect processing activities.

Advising on procedures for responding to data subject rights requests, including subject access requests, rectification, erasure and objection, and associated statutory timescales.

Drafting and reviewing data processing agreements and data-sharing arrangements to ensure mandatory UK GDPR provisions are included.

Advising on when DPIAs are required and assisting with their preparation, review and implementation.

Advising on appropriate technical and organisational measures to ensure personal data is processed securely and proportionately.

Advising on the assessment, containment and notification of personal data breaches, including ICO notification obligations and communications with affected individuals.

Advising on the lawful transfer of personal data outside the UK, including adequacy decisions, standard contractual clauses and risk assessments.

Advising on data protection governance structures, staff training requirements and internal policies to promote ongoing compliance.

Advising on communications with the Information Commissioner’s Office, regulatory investigations and enforcement action.

Providing ongoing advice, compliance reviews and audits to reflect changes in law, guidance and business practices.