Data Privacy and
Protection Law

With qualifications in the UK and Canada and a pragmatic approach, Plain English Law helps you build GDPR compliance seamlessly into your business.

A man touches a virtual computer chip. Concept: data privacy, data protection, GDPR compliance for business, privacy policy, data breach, DSAR response

Privacy Documentation and Processes

Data Mapping

Typically the first step to compliance, we'll help you identify and record:

This information is used to create a record of personal data you use, such as required by GDPR Article 30.

Gap Analysis

Nobody's perfect. Most businesses have some data handling processes that don't comply with privacy laws.

A structured gap analysis can identify and close these compliance gaps.

This is most easily done along with data mapping. As we find issues, we help you develop solutions that work with your business, and create a record of the process.

Data Protection Impact Analysis

Some uses of personal data are risky and require a documented, formal data protection impact assessment (DPIA).

We can support you and your staff to:

Plain English privacy documentation

Most privacy laws require you to be transparent. You must tell people what data you have about them and what you are doing with it.

It's harder than it looks. Too much detail can make your privacy notice hard to understand. Customers don’t like that, and neither do privacy regulators.

Let us help you strike the right balance with plainly written, concise, legally compliant privacy notices.

Data breach response

Mistakes happen. Defences can be breached.

What do you do if personal data is stolen or leaked? Your response to the breach can be just as important as preventing it in the first place. And you'll have little time to weigh your options.

We can help you to:

Data subject rights

Most data protection laws, including GDPR and PIPEDA, give individuals a series of rights:

Responding to a data subject can be complicated. Deadlines are tight, and your response must respect the legal rights of others. Increasingly, employees request to access information about dismissals and redundancy processes.

We can help you to:

DPO as a service

A Data Protection Officer (DPO) is an independent advisor reporting to the highest levels of management. DPOs monitor GDPR compliance and advise on privacy operations, oversee maintaining records of processing activities, and liaise directly with the data protection supervisor, such as the UK's Information Commissioner, on privacy matters and mandatory consultations.

DPOs are mandatory for some businesses, while others may choose to appoint one voluntarily. DPOs must have expert knowledge of data protection law and practice.

We can be your DPO:

UK GDPR Representative

If you are a business that trades in the UK, but you have no "establishment" in the UK, then you must appoint a UK-based GDPR Representative to comply with the UK GDPR. This applies to both controllers and processors anywhere outside the UK (including in the EU after Brexit).

The UK Representative has a more limited role than a DPO. A Representative is the first point of contact for UK data subjects and the Information Commissioner’s Office.

As your UK GDPR Representative, we can help by:

FAQ: GDPR basics for businesses

+ - What is the GDPR all about?
In the UK and the EU, privacy is a fundamental right. The GDPR is a law that protects your privacy against intrusions by businesses and government agencies.
Digital technologies are used to collect, process, and store vast and ever-growing amounts of information about practically everyone. The threat to individual privacy has tended to grow steadily as these technologies improve.
The EU Parliament passed the GDPR in 2016, and it came into force in 2018. It was created to standardise most privacy rules across the EU, replacing a patchwork of laws going back several decades.
Brexit, by the way, hasn’t changed too much. When the UK left the EU, incorporated a slightly tweaked version of the GDPR into UK law as part of the Data Protection Act 2018. For most businesses, the new UK GDPR requires the same things as the original EU GDPR.
+ - Is the GDPR anti-business?
Our personal information can provide valuable insights to anyone trying to sell us something. This presents a challenging problem for governments.
On the one hand, voters demand jobs, and many businesses use our personal data to sell us more and create jobs. On the other hand, voters demand strong privacy protections.
The GDPR is an attempt to strike a fair balance between those needs. It allows business to use personal data for marketing, but within strict limits. Does it offer a fair and practical compromise? Opinions vary.
Some believe the GDPR is overly complicated, anti-business, and impossible to comply with. Others believe it offers too many loopholes and isn’t enforced properly anyway.
Either way, it’s the law, and most consumers and business customers will expect you to comply with it.
+ - Data security = data privacy, right?
"Data security" and "data privacy" are often used to mean the same thing, but they are different.
Data security describes the measures used to protect data from hackers or intruders. This includes technical measures like firewalls and two-factor authentication, and physical measures like controlled access to servers.
Data privacy is all about how data is collected, used, and shared. At the core of data privacy is everyone's right to be in control of the information they share about themselves and not to be identified, monitored, or profiled without their knowledge or consent.
Data security and privacy are two sides of the same coin. Understanding your customers' data privacy rights and making sure you have the proper security measures in place to safeguard that data contribute equally to building confidence and trust in your brand.

 

+ - What is *personal* data?
The GDPR’s official definition of personal data is: “Any information relating to an identified of identifiable natural person.”
Let’s break that down:
“natural person”: This just means an individual - a real, flesh-and-bone human being.
A natural person is “identified or identifiable” if you can tell who the information relates to. Normally, this is straightforward, for example because the information itself directly names the person, or because the information can be tied to other data that identifies the person.
“Any information” is as broad as it sounds, and would include data found in a database, photographs and drawings, and documents.
“relating to” means, more or less, that the information is about the person. Inaccurate information about a person is still information relating to them – it’s just incorrect information about them.
Some common examples of personal data are:
  • Contact details (name, phone number, email address)
  • Personal details (age, gender)
  • Employment details (occupation, employer name)

 

+ - What is *special category* personal data?
Special category data (also called Article 9 data) is a particularly sensitive category of personal data. Many of the special categories contain data that could too easily be used for unfair or illegal discrimination, or even to persecute someone if the data fell into the wrong hands.
GDPR Article 9 treats the following personal data as being within special categories:
1) Personal data revealing:
    • racial or ethnic origin
    • political opinions
    • religious or philosophical beliefs
    • trade union membership
2) Genetic data
3) Biometric data when used to uniquely identify an individual (e.g. facial recognition, retina scans, fingerprints)
4) Data about someone’s health, sex life, or sexual orientation
 
Special category data is subject to extra protections, so you should be extremely careful when processing it. Ask whether this kind of processing is necessary, and then ask again.
Data relating to criminal convictions is not technically “special category” data, but it is subject to similar protections.
Processing special category and criminal conviction data is risky. Doing so improperly or without justification is likely to attract significant penalties. Data breaches involving this kind of data will often cause a public relations nightmare.

 

+ - What does it mean to *process* personal data?
According to the GDPR, processing data means performing  any operation or set of operations on that data, and it includes:
  • Collection,
  • Storage,
  • Retrieval,
  • Analysis,
  • Organising,
  • Sharing,
  • Archiving,
  • Deletion, and
  • Destruction.
 
In plainer English, processing data means doing stuff with the data.
Are you storing data without doing stuff to it? That’s still doing stuff to it. Keeping data just to have it is a form of processing under the GDPR.

 

+ - GDPR Who’s Who: the Data Subject
The data subject is an individual that the personal data is about. Note that an item of personal data can be data about more than one data subject.
Data subjects are typically:
  • Leads / Potential customers
  • Employees (past and present)
  • Candidates (successful and unsuccessful)
  • Contractors and vendors (or their employees)
  • Volunteers

 

+ - GDPR Who’s Who: the Data Controller
Any time personal data is processed, someone somewhere is acting as a controller. Normally this will be an organisation, such as a company or a government agency.
A controller of personal data is a decision-maker – controllers determine the purposes and means of personal data processing.
Put another way, to determine who the controller of personal data is, ask which organisation decides what data to process, why it will be processed, who will do it, and where and how it is to be done.
Controllers can do their own processing, and often they contract out some of the processing to another organisation. Think about when you store company data on a cloud service, such as Microsoft OneDrive. The company acts as a controller of the data it stores there, and Microsoft agrees to act as a processor only.
It is possible for one data processing activity to have a single controller or several joint controllers.
It’s also possible for the same data to have more than one controller, with each of them doing their own thing with the data without consulting each other.

 

+ - GDPR Who’s Who: the Data Processor
A processor is essential a service provider.
Processors only process personal data on behalf of a controller, at the controller’s instructions. Processors don’t make any decisions about the purposes and means of processing – if they do that, they automatically become controllers.

 

+ - GDPR Who’s Who: Why does it matter?
Controllers and processors have different obligations under the GDPR. In general, a controller has more obligations than a processor.
Whether you are a controller or a processor is a question of behaviour. The data processing agreement might say that you are a processor only. However, if you start using that data for your own purposes, you automatically become a controller as well. This triggers a number of requirements, such as telling all the data subjects who you are and what you are doing with their data.

 

GDPR compliance in plain English.

Send us a message, request a call back, or book your free 30-minute initial consultation.

Our approach

First, do business. Then worry about the legals. Plain English Law gives practical, commercially smart legal advice and produces documents in everyday language.

Fixed-fee and Hourly

Where possible, we prefer to quote fixed fees to reflect the value you receive instead of the time we put in. If this isn’t practical, we bill at an hourly rate and give you our best estimate of the expected costs.

Computer screen graphic. Plain English Law offers GDPR compliance services for small and medium sized businesses in Scotland, England, Wales, Canada including privacy policies, data breach response, data mapping, data discovery, DSAR, DPIA

Virtual Counsel

Perfect for larger projects, providing surge capacity for an existing in-house legal team, or helping smaller businesses that have a steady flow of legal work. Our month-to-month Virtual Counsel plans are excellent value. Strike your own balance of price and flexibility:

  • Lower hourly rates, with day rates available.
  • No increases to your headcount.
  • No long-term commitment required.
Business men working together. Plain English Law, no legalese, plain language contracts, negotiations, virtual counsel service, flexible rates, affordable fees
Canadian and UK flags. Plain English Law qualified in Scotland, England, Wales and Canada, international trade, serving international clients

International

We provide legal support to small and medium-sized businesses in Scotland, the rest of the UK, and Canada.

Scotland flag emblem. Plain English Law qualified in Scotland, England, Wales and Canada, international trade, serving international clients.

Scotland

Based in Dundee, Plain English Law serves businesses throughout Scotland.

British flag emblem. Plain English Law qualified in Scotland, England, Wales and Canada, international trade, serving international clients.

United Kingdom

Costs in Dundee are much lower than in London and the South East. Or in Manchester, Leeds, or Edinburgh, for that matter.

With qualifications in England & Wales and Scotland, we offer great value to businesses across most of the UK.

Canada flag emblem. Plain English Law qualified in Scotland, England, Wales and Canada, international trade, serving international clients.

Canada

Founded by Trevor Fenton, a Canadian-trained lawyer, Plain English Law:

  • Advises clients on both sides of the Atlantic on Canadian business and privacy law.
  • Acts as the UK GDPR Representative for overseas companies.

Our affiliations

+ - What is data mapping?
Data mapping is another term for a personal data audit or information audit. It’s how you create your organisation’s record of processing activities, which is required by article 30 of the GDPR.
We can help you plan your data mapping process, complete your record of processing activities, and develop systems to keep it up to date.
+ - How do you build a data map?
Building a data map isn’t hard, but it can be a lot of work the first time you do it.
Data mapping involves looking at the personal data used by every team and function across your organisation. There’s no set method, but we find it helpful to start by having the team list the tasks that make up their jobs. Then we ask how they do those tasks: what systems they use, and what information they access or enter into those systems.
You record your findings in the record of processing activities (ROPA).
+ - What is a record of processing activity (ROPA)?
One of the new things the GDPR brought to privacy law is accountability: to comply with the GDPR you must be able to demonstrate that you comply with the GDPR.
An up-to-date record of processing activities is the cornerstone of GDPR compliance. It shows your organisation is on top of its data privacy responsibilities.
To build a good record of processing activities (ROPA), you take stock of your personal data and document:
  • What kinds of personal data you are using
  • Who the data’s about (the “data subjects”)
  • Where you got it
  • Why you have it
  • Your legal basis under the GDPR for using it
  • Who all the controllers are 
  • Whether you are a controller or a processor
  • How you track consents and objections to processing
  • Where you store the data and how you keep it safe
  • How long you keep it
  • Who you share it with and why
  • Who is processing the data on your behalf
  • What data processing agreements you have with external processors
Article 30 of the GDPR sets out the legally required minimum content of any ROPA.  
The UK’s Information Commissioner’s Office provides helpful starting points with their free templates:   
For controllers: record of processing activities template (Excel spreadsheet)
For processors: record of processing activities template (Excel spreadsheet)
+ - I’ve completed my record of processing activities – am I done?
Nope. It’s an ongoing task to keep the ROPA accurate and up to date. Every time you start using a new system or app, ask yourself:
  • What are we going to use this app for? Why do we need it?
  • What information will we put into the app? Is any of it personal data?
  • Is this app going to generate new data?
Then look at your ROPA. Is this use of personal data already covered? What about the new app, and the app vendor?
+ - Data mapping sounds like an expensive box-ticking exercise – what’s the point?
This is a good question. Complex and bureaucratic processes are frustrating and expensive. Usually they add little value to the organisation.
The GDPR? It’s far from perfect, but there is a certain amount of method to this madness.
Data mapping forces us all to confront the masses of personal data we collect and ask a few important questions. Why do I have this data? Are my purposes legal and legitimate? Do I even need this data to accomplish those goals?
Storage has become so cheap that most of us stopped worrying about running out of space years ago. Nobody has to clean out old data to make space anymore. That’s far more expensive than just buying more cheap storage space.
We don’t even need to manage the storage ourselves. With cloud computing, our mess is kept in someone else’s data centre. So we keep accumulating data of all kinds, often without keeping it organised or up to date.
The GDPR forces you to stop doing that. When you map your data, you are surveying the mess. Then you can make a plan to clean it up without throwing away the data you still need.
+ - Does the GDPR still apply after Brexit?
Yes.
The UK’s Data Protection Act 2018 brought the GDPR into UK law. This new “UK GDPR” is almost identical to the EU GDPR.
For most UK organisations, GDPR compliance is the same after Brexit as it was before Brexit. However, there’s an important change if you sell to consumers in the EU: you might need to appoint an EU GDPR Representative if you don’t have a location in the EU.
+ - How has Brexit changed GDPR compliance?
For many organisations, almost nothing has changed, except:
  1. If you are an EU / EEA business selling to the UK, you may need to appoint a UK GDPR Representative.
  2. If you are a UK business selling to the EU / EEA, you may need to appoint an EU / EEA GDPR Representative
+ - Is GDPR compliance different for B2B versus B2C businesses?
The GDPR applies to all personal data you use in your business. This includes data about your B2B business contacts, such as the employees of your suppliers and customers.
However, some rules can apply differently when you are using consumer data compared to business data.
For example, most businesses use "legitimate interest” as the legal basis for keeping a marketing database with individual contact details. Whenever you rely on legitimate interest, you must balance the benefits of what you are doing against the impact it has on the data subject (the person whose data you are using).
B2C data use can be more challenging to justify than B2B data use. Normally, using someone's work address and phone number is less intrusive than using their home address and phone number.

 

+ - Does every business need a Data Protection Officer?
No.
Public authorities normally require a DPO, but only some private businesses will require a DPO.
A business must appoint a DPO if it does one of the following as part of its “core activities”:
  1. large scale, regular and systematic monitoring of individuals (examples: online behaviour tracking, CCTV)
  2. large scale processing of “special categories” of data (see GDPR Article 9) or data relating to criminal convictions and offences (see GDPR Article 10
As a result, private companies often don’t require a DPO. However, they can appoint one voluntarily.
+ - We are outside the UK. Do we need a UK GDPR Representative?
You must appoint a representative located in the UK if all of these are true:
  1. You are outside the UK.
  2. You don’t have a UK office, branch, or other establishment.
  3. You are subject to the UK GDPR anyway because you:
  • offer goods or services to consumers in the UK; or
  • monitor behaviour of individuals in the UK.
When the UK was part of the EU, these rules did not apply to organisations in the EU or the wider EEA. With Brexit complete, EU and EEA companies must now appoint a UK-based representative.
+ - We are in the UK. Do we need an EU GDPR Representative?
Before Brexit, UK organisations did not need to appoint any EU or EEA representatives. With the UK outside the EU, that’s now changed.
If you are a UK organisation, you must appoint a representative located in an EU or EEA country if all of these are true:
  1. You don’t have an office, branch, or other establishment in the EU / EEA.
  2. You are subject to the EU GDPR anyway because you:
  • offer goods or services to consumers in the EU / EEA; or
  • monitor behaviour of individuals in the EU / EEA.

Let's get to work in plain English.

Contact us today by sending a message, booking a 30-minute initial consultation at no charge or requesting a call back.

Back to top