Ethical data protection practices are essential for business, both for maintenance of customer goodwill and for legal risk management.
With the potential for substantial fines for non-compliance, data protection is no longer an issue only for IT, sales and marketing departments, but is on the agenda for every board of directors.
We have substantial experience of advising a range of clients on data protection, privacy and cyber issues including innovative fintech and adtech companies, financial and professional services firms including UK and US law firms, and multinational businesses in the UK, as well as international organisations.
We provide clear, commercial pragmatic advice on compliance with the General Data Protection Regulation (GDPR) and with a rapidly evolving data privacy regulatory regime. We highlight where compliance steps are required, prepare policies and contractual arrangements and support our clients in dealing with data subject requests and complaints. We also provide risk management advice and support in the event of any incident occurring.
If you require assistance or need advice, please don't hesitate to reach out to the following key contacts:
Do we need to register with the Information Commissioner's Office (ICO)?
Data controllers are generally required to register with the ICO in the UK, subject to a handful of limited exemptions. As most businesses will be acting as a data controller to one degree or another, the requirement to register applies to most businesses. There are three separate registration tiers, each with a different fee, and the tier that applies depends on the number of employees and the turnover of the controller. If you would like our assistance registering your company with the ICO, please contact us using the details provided above.
We have had a data breach - what do we need to do?
From a legal perspective, there are notification requirements set out under the GDPR which apply to certain types of breaches. You are required to notify the ICO within 72 hours of having become aware of a data breach, unless it is “unlikely to result in a risk” to the rights and freedoms of the individuals concerned. For higher risk breaches, the data subjects affected may also need to be notified “without undue delay”. We are experienced in advising when data breaches occur and are able to assist if a data breach takes place in your business.
Can we send our HR data to our parent company in the USA?
The GDPR generally prohibits the transfer of personal data outside of the UK / EEA unless an appropriate transfer mechanism is in place. In terms of transferring data from a UK company to its US parent, unless the US company has signed up to the UK-US Privacy Shield, the most appropriate mechanism will likely be for the parties to enter into a data transfer agreement incorporating standard contractual clauses. If you would like our assistance drafting such a data transfer agreement, please let us know.
Do we need consent to send out marketing emails?
Consent is generally required when sending marketing emails to personal (i.e. non-corporate) email addresses. However, where you are sending marketing emails to existing individual customers about products or services similar to those they have previously purchased from you, and the recipient is given the opportunity to unsubscribe from further communications, what is known as the “soft opt-in” applies, meaning consent is not required. Where this is the case, legitimate interests will likely be the appropriate lawful basis for sending such communications. Different rules apply to communications sent to corporate email addresses, for which consent is not required.
We’re using XYZ's SaaS solution which hosts our HR/CRM data. What do we need to do?
The provider of the SaaS solution will be acting as your data processor. As a result, you will need to ensure that the subscription agreement relating to the service contains certain mandatory data processing provisions as set out under the GDPR. These terms will impose clear conditions on what the provider is permitted to do with the data it processes on your behalf. We regularly draft and review data processing provisions and would be happy to provide you with tailored advice if required.