In an employment context, this refers to the obligation on an employer to protect the data of its employees and ensure that it complies with the law on how it uses the employees' data.
An employer is required to comply with the Data Protection Act 1988 (and numerous subsequent regulations and codes of practice) which sets out rules on how employee personal data is processed and handled. The Act sets out a number of key principles as well as a requirement to inform employees of how the data is to be processed and handled and to obtain their consent to such a process.
Internet and electronic communications—checklist
Required document or action | Compliant?
1 Do you have a written Policy on internet, email and communications describing permitted and prohibited use of:
• the internet
• your electronic communications system (emails and telephone)?
2 Do you have a Policy on social media?
3 Do you have a separate Policy—data protection covering any data processing activities that may arise from use of the internet and your electronic communications system?
4 Do you intend to monitor how your staff use the internet and/or your electronic communications system? See Practice Note: Monitoring staff, IT and communications systems in the workplace.
5 If so, have you conducted a data protection impact assessment (see subtopic: Data protection impact assessments—DPIAs)?
6 Do any of your monitoring activities amount to intercepting an electronic
Key provisions in a consultancy agreement—checklist This Checklist sets out the key provisions to consider in a consultancy agreement. This Checklist highlights issues which are relevant to the customer, issues which are relevant to the consultant and issues which are relevant to both parties for inclusion in a consultancy agreement. This Checklist will assist both the consultant and the customer when reviewing and negotiating a consultancy agreement. See also: Taking instructions for a consultancy agreement—checklist. For Precedent consultancy agreements, see: • Consultancy agreement—company and individual—pro-client • Consultancy agreement—company and company—pro-client • Consultancy agreement—individual and company—pro-consultant • Consultancy agreement—company and company—pro-consultancy • Consultancy agreement—company and individual—pro-client (short form) • Side letter to consultancy agreement—company and company—pro-client For further related guidance, see: Consultancy services—overview and Practice Notes: • Managed service companies and the anti-avoidance legislation • Deciding appropriate employment status • Personal service companies—the key benefits and key tax considerations • Securing intellectual property rights from employees and contractors • IR35—the large and public client off-payroll regime—practical considerations for the end client...
Evaluating an objection to processing request—flowchart This document reflects the UK GDPR regime. References and links to the GDPR refer to the UK GDPR (Assimilated Regulation (EU) 2016/679) unless expressly stated otherwise. The UK General Data Protection Regulation (UK GDPR) provides a number of rights for data subjects, including providing a right to object. Data subjects can make a request to an organisation to exercise their right to object to processing at any time. This is not, however, an absolute right to object—it only applies in specific circumstances. There are strict time limits for complying with requests made. See Practice Notes: • Data subject rights—objection to processing • How to handle data subject requests This Flowchart maps out a process for evaluating a data subject request under the right to object that your organisation receives under the UK GDPR. It reflects the requirements in the UK GDPR and the Data Protection Act 2018 (DPA 2018) together with guidance issued by the Information Commissioner’s Office (ICO). It should be...
Data protection impact assessments—flowchart This flowchart illustrates how to establish whether or not you need to conduct a data protection impact assessment (DPIA) in relation to a particular project, and how to conduct one if it is required. See also Precedents: Data protection impact assessment—DPIA and Data protection impact assessment—DPIA—short form, which is based on a template issued by the Information Commissioner’s Office (ICO). The ICO’s Data Protection Impact Assessments guidance sets out seven steps to conducting a DPIA, whereas the ICO’s Data protection impact assessments guidance sets out a nine-stage process, as shown above. The two processes are broadly the same but the latter is more intuitive and is adopted in this flowchart. Note 1: Identify the need for a DPIA If you have a data protection officer (DPO), ask them for advice. For further information, see Practice Note: How to complete a data protection impact assessment—DPIA—Who should conduct the DPIA? A DPIA is compulsory in the case of: • a systematic and extensive evaluation of personal aspects...
STOP PRESS: The Information Commissioner's Office launched a new audit framework on 7 October 2024 to assist organisations in assessing compliance with data protection laws by offering practical tools for building and maintaining strong privacy management. The audit framework is an extension of its existing Accountability Framework. The framework is suitable for large businesses and organisations in the public, private and third sectors. It is not directly applicable to small businesses and organisations, or organisations who process personal information subject to Part 4 of the Data Protection Act 2018 (Intelligence services processing). This framework features nine toolkits covering areas such as accountability, records management, cybersecurity, data sharing, requests for data, personal data breach management and artificial intelligence, which aims to empower organisations to identify areas for improvement. Each toolkit has a downloadable data protection audit tracker that will help organisations conduct their own assessment of compliance, tracking actions that must be taken in areas needing improvement. By using the framework, the aim is that organisations can enhance their data protection...
This Practice Note provides employment lawyers with an introduction to the due diligence process in which they will be involved as advisers to the seller or the buyer prior to the acquisition of shares in a private limited company or the acquisition of a business and its assets (the target). It also considers the factors affecting the nature and extent of due diligence that an employment lawyer for the buyer or seller should consider. For more detailed guidance on the particular issues to consider in employment due diligence on a share purchase, see Practice Notes: • Share purchases—employment issues acting for the buyer, and • Share purchases—employment issues acting for the seller. For further information on complying with data protection obligations under Assimilated Regulation (EU) 2016/679, UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) during due diligence and on completion of a share or asset purchase, see Practice Note: Corporate transactions and service provision changes (employment)—data protection issues. Introduction to the due diligence process: The starting point for a buyer...
Ireland—data protection impact assessment—artificial intelligence DPIA screening questionnaire The screening questionnaire should be a concise document and not overly burdensome on the business. However, it needs to provide sufficient information to the DPO/Privacy POC to decide if a DPIA needs to be completed. Like the DPIA itself, the screening questionnaire will be drafted by a multidisciplinary team within the business. All completed screening questionnaires should be approved, time stamped and retained by the DPO/Privacy POC. Where a DPIA is required, it should be kept with the screening questionnaire to avoid duplication. The DPIA template is a continuation of the screening questionnaire. While the screening questionnaire and the DPIA detail AI use in accordance with EU GDPR requirements, companies deploying AI systems also need to factor in their obligations under additional relevant legislation, such as the requirement to carry out a fundamental rights impact assessment (FRIA) under the EU AI Act. While outside the scope of this document, information gathered as part of the screening questionnaire / DPIA exercise will be...
EU GDPR—standard contractual clauses (SCCs) for compliance with Article 28(3) EU GDPR by Danish supervisory authority This is a set of Standard Contractual Clauses (SCCs) for compliance with Article 28(3) of the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), governing relationships between controllers and processors and published by the Danish data protection supervisory authority (the Danish SCCs). It was published following an opinion by the European Data Protection Board (EDPB). The Danish SCCs should not be confused with SCCs relating to international personal data transfers under Chapter V of the EU GDPR. Access the Danish SCCs Click the link below to download the agreement from the EDPB’s website: Standard Contractual Clauses for compliance with Article 28(3) of the EU GDPR published by the Danish supervisory authority (the Danish SCCs) Background As detailed in Practice Note: Supply chains under EU GDPR—arrangements between controllers and processors, Article 28(3) of the EU GDPR requires that controllers and processors put in place a contract which contains certain minimum terms (unless the...
If a data controller shares personal data with another data controller based outside the EEA, and in doing so exports that personal data outside of the EEA using one of the permitted data export exceptions or adequacy solutions under Schedule 4 of the Data Protection Act 1998 (DPA 1998), does the transferor data controller retain any liability for the processing of that personal data by the transferee controller under the DPA 1998? For the purposes of this Q&A we have focused solely on the law under the UK’s Data Protection Act 1998 (DPA 1998) as regulated by the Information Commissioner’s Office (ICO). Please note that: • the General Data Protection Regulation (GDPR) will introduce substantial amendments to data protection law and will replace the current DPA 1998 and the current Directive 95/46/EC (the Data Protection Directive). The GDPR will be directly applicable and fully enforceable in all EU Member States from 25 May 2018. For further information, see Practice Note: Introduction to the EU GDPR and...
What is 'personal data' for the purposes of the Data Protection Act 1998? For the purposes of the Data Protection Act 1998 (DPA 1998), 'personal data' is defined as: 'data which relate to a living individual who can be identified— (a)    from those data, or (b)    from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual' This definition refers to several key terms which are further defined in DPA 1998. The term 'data' is defined to include information which: '(a)    is being processed by means of equipment operating automatically in response to instructions given for that purpose (b)    is recorded with the intention that it should be processed by means of such equipment (c)    is recorded as part of a "relevant filing system" or...
Our new Risk & Compliance forecast (as at 17 June 2025) is now live. This month we report on items including (1) FATF actions following the conclusion of recent consultations; (2) the Crime and Policing Bill's report stage and third reading scheduled for 17-18 June; and (3) the LSB's refined guidance on meeting the new economic crime regulatory objective.
The Council of the EU and the European Parliament have reached a provisional agreement on a new regulation to improve cross-border enforcement of the GDPR. The deal, led by the Polish presidency, harmonises rules on admissibility, complainants’ rights, and procedural deadlines, with the aim of accelerating the handling of cross-border complaints and strengthening cooperation between national data protection authorities. The agreement must now be formally adopted by both institutions before entering into force.