The strength and depth of this team’s specialist knowledge in the field of data protection and privacy issues is of note outside London, with particular expertise in how this topic affects clients in the information technology sector, the financial technology market and also the independent education and healthcare sectors. In respect of this ever-changing legal topic, Shulmans’ support includes conducting risk assessment audits, compiling and implementing bespoke training programmes and drafting compliance documentation to reflect the latest legal and regulatory requirements.
A monumental shift is on the way as to the rules governing the use of personal data and how all organisations handle information relating to individuals, whether it relates to customers, personnel, marketing contacts, contractors or suppliers. Whilst the new General Data Protection Regulation (GDPR) doesn’t take effect until 25 May 2018 there is plenty to do in order to meet its requirements by that deadline.
A growing proportion of the team’s work, together with the background experience of Emma Roe and Rob Lucas in dealing with international clients and work enquiries, means this team also has specific expertise in handling issues of international data transfers and work with a global dimension. Instructions include work for international clients regarding the compliance of their intra-group data transfers and their registration with the new Privacy Shield programme in place of the Safe Harbour scheme. The team’s international expertise also extends the firm’s scope to handle global data transfers, outsourcing of information handling services and to coordinate client or customer-facing documentation.
Key developments in this area around the use of subject access requests in parallel with employment claim matters has required specialist knowledge working alongside employment colleagues to ensure this type of data protection issue is handled in a strategic manner on behalf of clients as the case law continues to develop in this area.
We recently wrote an article, "Future-proof your data strategy," which featured in Yorkshire Finance Leaders Issue 5 - April 2017, a publication produced by Brewster Pratap Recruitment Group.
Specific recent case study examples of the team’s data protection expertise include:
- Advising on a complex subject access request from a former employee made in relation to employment proceedings. This involved liaising with employment colleagues to formulate a joined up strategy to align the subject access process with the ongoing litigation and settlement discussions. We prepared an initial response to be provided at the same time as disclosure bundles, gave advice on the risks of delaying the complete response until a settlement meeting had taken place, and provided advice on data protection wording for inclusion in the settlement agreement. This type of subject access request alongside an employment claim is something we are increasingly seeing and is also an area of developing case law, so can prove a difficult area for clients to navigate. As a result it requires the advice of experienced lawyers able to advise tactically and in a practical context.
- Advising on an MBO of a leading national direct sales and marketing business with sale of household, personal care and gardening products via multiple channels online and through its own magazines and inserts in national publications. Mark Lumley led the advice on complex due diligence on information management and data protection issues across approx. 10 brand titles and data sets. Advice involved addressing the gathering, storing, cleansing and management of data lists, personal information and PCI DSS information and onward data and database management and use of data within the business and with third parties. Our data protection expertise was key to our client because of the unusual level of complex streams of data (physical and digital), multiple sales channels and range of use of data.
- Advising a pay day lender owned by a US company on its compliance obligations relating to the transfer of data to the parent company’s systems in the US under Privacy Shield. The parent company’s in-house lawyers were responsible for preparing the Privacy Shield application and the client asked us to advise on what it needed to put in place and monitor globally in order to evidence that the data transfer was in accordance with the 8th principle. We also continue to advise the client on ad hoc data protection issues relating to ongoing compliance and more recently have been instructed to advise on preparations for the implementation of GDPR. This includes an initial data mapping and audit stage to help the client understand what data it holds and where, and will be followed by policy drafting and implementation work. As a consumer-facing business, handling significant amounts of personal data, much of which is sensitive or financial in nature, this global client recognises the importance of ensuring it takes data protection advice on changes to its activities and handling of that data. This area poses a major brand and reputational damage risk if not approached in a compliant yet pragmatic manner.
- Advising a client whose own work involves providing advice to public bodies on governance issues. These often arise out of complaints made by individuals, and as such our client can be drawn into the ongoing complaint and has received a number of subject access requests. The intention of this is usually to obtain access to our client’s reporting and background documentation. We have advised on specific subject access requests (including consideration of the extent to which the report and other documentation constitutes personal data), have liaised with lawyers for the relevant public bodies in respect of their proposed responses to DPA and FOI requests involving material prepared by the client, and have included wording in the client’s terms of business setting out its approach to requests and giving the ability to charge the public body for work carried out in relation to disclosure obligations. Our client is in a somewhat unusual position in that it is commonly drawn into a live complaint situation for which data protection advice can therefore be complicated by the case specific circumstances as the matters often involve several different parties already by the time our client becomes involved.
The team was nominated for the Lawyer Monthly Legal Awards 2016, for which it was shortlisted in the ‘Data Protection Law Firm of the Year (UK wide)’ category, having been nominated by a client. Partner in the team, Mark Lumley, was awarded ‘Data Protection Lawyer of the Year 2016’ at the Finance Monthly FinTech Awards 2017.