Our experience

Here are some highlights of our work to illustrate what we can do to help you.

Case study: Podium Analytics

Context

Podium Analytics is a charity founded to significantly reduce the incidence and impact of youth sports injury. One of Podium’s ambitions is to build the most comprehensive repository of reliable youth sports injury information and to use that data to aid research into youth sports injury.

The dataset will be made available in anonymised form to researchers within the Podium Analytics Institute for Youth Sports Medicine and Technology at the University of Oxford, who will deploy the latest AI and modelling techniques to identify causes and potential preventative measures against injury.

Podium Analytics is also collaborating with England Hockey and the Rugby Football Union on research, cases for change and dissemination of knowledge.
How we helped
To help Podium achieve its ambition, we have advised Podium on:
- the data collection process, including lawful bases for processing personal data
- when Podium may be a “processor” and when Podium will be a “controller” of personal data
- anonymisation of sports injury data
- collaboration and data access agreements with schools and with England Hockey and the Rugby Football Union
Outcomes

Paul Forsyth, finance and business operations director at Podium Analytics, said: “Paul Knight and his team have helped us to address unique and complex challenges in the areas of technology, data protection and GDPR compliance, tailoring their advice to the real-world challenges we face and carefully considering the sensitive nature of the data we handle. The high quality of the team’s work gives Podium, our stakeholders and partners confidence and is playing a vital part in our work to create a safer world of sport.”

Case study: Multinational company replacing EU SCCs

Context

The EU GDPR and the UK GDPR both restrict cross-border transfers of personal data, as explained on our page on International data transfers.

Making a restricted transfer subject to standard contractual clauses (SCCs) approved by the European Commission is one of the appropriate safeguards allowed for by the EU GDPR. In June 2021, the European Commission released new SCCs. Organisations can only continue to rely on earlier SCCs for contracts entered into before 27 September 2021 until 27 December 2022. After that date, earlier SCCs will not provide an appropriate safeguard for making restricted transfers of personal data – only the June 2021 EU SCCs will provide the appropriate safeguard.

For a global organisation, updating all existing contracts that rely on old EU SCCs to cover restricted transfers of personal data with new EU SCCs is a significant project. One multinational company approached us for help with this process for contracts with more than 2,000 suppliers from a wide range of sectors, markets and jurisdictions.
How we helped
We have worked with a wide range of stakeholders from across the multinational company, including procurement, legal, information security and business contacts, to:
- address questions from suppliers at first instance to resolve minor queries where possible
- support with any negotiations associated to variable aspects of the new EU SCCs, including security measures and changes to previously negotiated positions
- advise on risks and the scope of the updates
- help conclude supplier discussions in a pragmatic and efficient manner
We tailored our advice to support on key priorities for the business while ensuring compliance with the regulatory requirements.
Outcomes

Our advice on the scope of the EU SCCs requirements has helped to significantly reduce the number of suppliers that our client has needed to engage with, allowing the client to focus on suppliers of key importance, risk, and complexity.

Case study: Communication system provider

Context

Errors in how we communicate can result in the accidental misdirection of emails and other messages. Under the UK GDPR, an individual whose personal data has been disclosed to an unexpected recipient has the right to make a claim for compensation, where distress or damage is caused by the disclosure.

The UK common law provides a variety of further bases for litigation where information is alleged to have been mishandled, including breach of confidence, negligence, misuse of personal information and (where a public authority is involved) breach of human rights.

Organisations facing such claims must take swift action to assess and either defend or settle those actions before costs mount, particularly if there is a risk of action from a group of affected individuals.
How we helped
Our client faced the threat of significant claims from a number of affected individuals, covering a variety of potential claims. They needed sound advice and strategic guidance as to:
- its role in relation to the data processing under the UK GDPR, and the legal and regulatory obligations attaching to that role in relation to the threatened claims
- the risk of losing the claims
- the tactics to deploy to minimise the claim and associated risks, and
- how to resolve the threatened claims in an expeditious and cost effective way
Our team acted swiftly, in an extremely time-limited context, to untangle the facts and status of each claim. We determined the legal issues, including the existence of defences, identified substantive risks, and presented the client with tactical advice on next steps. We implemented the client’s choice, preparing all necessary correspondence and pleadings which resulted in a swift resolution with minimal legal spend.
Outcomes

The case was concluded in the most cost-effective way, thereby avoiding significant potential risks. Changes made by the client further to our advice ensured that the client was better placed and could respond quickly in the event of future claims.

Case study: A financial services institution

Context

A personal data breach occurs whenever a breach of security leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Following an incident, the controller of that data has a limited period in which to investigate, contain and mitigate the breach, assess any risk attaching to the breach, and make appropriate notifications.

Following the unauthorised access to personal data by a third party, in the context of a complex contractual arrangement, our client needed advice as to whether it held the role of data controller over the affected data, and what it should do to respond to the breach.
How we helped
Calling on the experience our team has gained in the handling of multiple data incidents, we:
- conducted an analysis of the legal and factual context to identify the client’s role;
- provided tactical and strategic advice on risks and the timing of notifications;
- prepared regulatory filings in relation to the incident, including notifications required by non-UK regulators;
- advising the client on messaging to affected individuals, with a view to minimising the potential for regulatory complaints and litigation; and
- worked with the client to identify the root cause of the incident along with appropriate remediation.
Outcomes

Our client met their regulatory deadlines for incident notifications at the national and international level. Our support enabled them to clearly explain events and issues to both regulators and individuals. Having enacted and offered appropriate mitigation, they were able to maintain positive relationships with affected individuals and avoided any regulatory action.

Case study: An international service provider
in the hospitality sector

Context

Our client experienced a cyber breach which affected a large volume of records, with the breach having global implications (primarily Europe and USA), due to a platform arrangement being put in place between the client and its third parties.
How we helped

We provided our Cyber Response service - we worked with the client to deal with containment, as well as analysis of the data protection roles and responsibilities of the various parties to allow for informed notifications to be provided to the respective supervisory authority under the GDPR within the prescribed 72-hour breach period, as well as working with the client to assess the impact on affected data subjects in the context of the proposed data subject notifications.
Outcomes

Our prompt cyber response service helped our client contain the risks associated with regulatory fines and enforcement actions for cyber breaches. It also helped our client troubleshoot issues with its supplier ‘online ecosystem’ to help guard against future risks.

Your main contact

Paul Knight

Partner
Paul Knight

Partner

+(44)(0)161 234 8702

+(44)(0)7552 165880

Contact Paul

Contact Paul Knight

* = required

First name *

Please enter your first name

Last name *

Please enter your last name

Organisation

Email address *

Please enter your email address Please enter a valid email address

Phone number

Your message *

Please add your message

Send enquiry

Mills & Reeve will use the information you provide in this form in accordance with our privacy policy. We may from time to time send you general updates by email or post that we think you will find of interest. This includes notification of upcoming event and updates or alerts containing relevant legal news. You can update your preferences at any time and will be able to easily unsubscribe from anything that you do not wish to receive.

check

Thank you

Thank you for your enquiry. We will be in touch shortly.

Close

Reset form

Close overlay

Manchester
Bookmark this page
Peter Wainman

Partner
Peter Wainman

Partner

+(44)(0)1223 222408

Contact Peter

Contact Peter Wainman

* = required

First name *

Please enter your first name

Last name *

Please enter your last name

Organisation

Email address *

Please enter your email address Please enter a valid email address

Phone number

Your message *

Please add your message

Send enquiry

Mills & Reeve will use the information you provide in this form in accordance with our privacy policy. We may from time to time send you general updates by email or post that we think you will find of interest. This includes notification of upcoming event and updates or alerts containing relevant legal news. You can update your preferences at any time and will be able to easily unsubscribe from anything that you do not wish to receive.

check

Thank you

Thank you for your enquiry. We will be in touch shortly.

Close

Reset form

Close overlay

Cambridge
Bookmark this page
Jagvinder Singh Kang

Partner, International & UK Head of IT
Jagvinder Singh Kang

Partner, International & UK Head of IT

+(44)(0)121 456 8470

+(44)(0)7515 850070

Contact Jagvinder

Contact Jagvinder Singh Kang

* = required

First name *

Please enter your first name

Last name *

Please enter your last name

Organisation

Email address *

Please enter your email address Please enter a valid email address

Phone number

Your message *

Please add your message

Send enquiry

Mills & Reeve will use the information you provide in this form in accordance with our privacy policy. We may from time to time send you general updates by email or post that we think you will find of interest. This includes notification of upcoming event and updates or alerts containing relevant legal news. You can update your preferences at any time and will be able to easily unsubscribe from anything that you do not wish to receive.

check

Thank you

Thank you for your enquiry. We will be in touch shortly.

Close

Reset form

Close overlay
Bookmark this page
Helen Tringham

Partner
Helen Tringham

Partner

+(44)(0)121 456 8229

Contact Helen

Contact Helen Tringham

* = required

First name *

Please enter your first name

Last name *

Please enter your last name

Organisation

Email address *

Please enter your email address Please enter a valid email address

Phone number

Your message *

Please add your message

Send enquiry

Mills & Reeve will use the information you provide in this form in accordance with our privacy policy. We may from time to time send you general updates by email or post that we think you will find of interest. This includes notification of upcoming event and updates or alerts containing relevant legal news. You can update your preferences at any time and will be able to easily unsubscribe from anything that you do not wish to receive.

check

Thank you

Thank you for your enquiry. We will be in touch shortly.

Close

Reset form

Close overlay

Birmingham
Bookmark this page
Richard Sykes

Partner
Richard Sykes

Partner

+(44)(0)121 456 8436

+(44)(0)7918 709311

Contact Richard

Contact Richard Sykes

* = required

First name *

Please enter your first name

Last name *

Please enter your last name

Organisation

Email address *

Please enter your email address Please enter a valid email address

Phone number

Your message *

Please add your message

Send enquiry

Mills & Reeve will use the information you provide in this form in accordance with our privacy policy. We may from time to time send you general updates by email or post that we think you will find of interest. This includes notification of upcoming event and updates or alerts containing relevant legal news. You can update your preferences at any time and will be able to easily unsubscribe from anything that you do not wish to receive.

check

Thank you

Thank you for your enquiry. We will be in touch shortly.

Close

Reset form

Close overlay

Birmingham
Bookmark this page

Case study: A public healthcare
organisation

Context

Under UK data protection laws, individuals have the right to request access to information that is about or relates to them (personal data). In the context of an ongoing employment dispute, our client received subject access requests from multiple employees relating to complex grievance and disciplinary investigation reports prepared by the client and external investigators on the client’s behalf.

Each report comprised the personal data of multiple individuals and was based on a large quantity of underlying documentation, including meeting recordings, material stated to have been provided in confidence (or in relation to which assurances of confidentiality had been provided), and emails. Much of the content was sensitive, either from a legal or practical perspective.
How we helped
The client required substantial assistance to understand its obligations, review the materials, and ensure that its disclosure was limited to what was legal and appropriate in all the circumstances. Drawing upon our expertise, we:
- advised the client on the complexities around pseudonymised and anonymised data, and explained the risks for both employees and for the client if data was erroneously disclosed
- explained and explored with the client the exemptions to disclosure that could be applied to different categories of data in this case
- conducted a thorough examination of the reports and underlying materials, to identify excludable content
- provided tactical advice as to how and in what format potentially damaging data should be disclosed, and
- supported our client in its compliance with applicable statutory deadlines and procedures
Outcomes

Substantive disclosure in response to the requests was made appropriately, within the applicable deadlines. The client was confident that it had protected the rights of all individuals concerned, and was able to respond positively and constructively to regulatory queries and individual complaints regarding its approach. The client was able to counter allegations that it had not complied with some individual’s data rights, and the individuals ultimately accepted the disclosure made was appropriate.

Case study: Global crypto-exchange
and currency provider

Context

We advised a private equity backed global crypto-exchange and currency provider on its worldwide IT and data protection arrangements, including GDPR and data protection law requirements, considering the multiplicity of transactional and dependency requirements of both the crypto-exchange and the crypto-currency using blockchain technology.
How we helped

Furthermore, with Jagvinder’s specialist CIPP/E, CIPM, CIPT and FIP internationally recognised data protection qualifications, he was able to advise on complex UK GDPR and Data Protection Act 2018 arrangements. This included international data transfer obligations following the landmark ‘Schrems II’ judgment from the Court of Justice of the European Union, whilst taking into account the requirements of the European Data Protection Board in the context of transfers of personal data outside the European Economic Area. Jagvinder’s software engineering background also helped ‘bridge’ the technical and legal aspects of the matter for the business.
Outcomes

The organisation updated its IT and data protection arrangements to refocus on key requirements and priorities relating to personal data protection. This ensured a renewed focus on areas that were key to the organisation, which in turn helps to demonstrate compliance with its regulatory obligations.

Case study: An education institution

Context

A global education institution required advice on its worldwide data protection arrangements, including UK and EU GDPR law requirements, across its global operations.
How we helped

We advised on complex UK GDPR arrangements, including international data transfer obligations following the landmark ‘Schrems II’ judgment from the Court of Justice of the European Union.
Outcomes

Our client relied upon our specialist in-depth data protection knowledge to analyse the purpose and necessity of its current data flows, as well as the risks posed by its current arrangements. Our client was then able to formulate a strategy with our help to put in place measures to better meet the requirements of the GDPR, as well as its organisation, to guard against operational and business risks associated with international personal data transfers.

Case study: An automotive company

Context

Our client required data protection advice on its global connected car project.
How we helped
We provided advice on:
- the Cloud Computing arrangements with the central technology platform provider for provisioning the connected car services
- the third party data feed provision for connected car services
- mobile app integration with the vehicles
- UK GDPR implications associated with data transfers, including live traffic data
- undertaking DPIAs working closely with the tech and engineering teams of the client, as well as providing guidance to the software design team on the user interface design for the in-car controls from a data protection law perspective, and
- international data transfers
Outcomes

Our advice on the complex data protection landscape arrangements associated with Connected Car arrangements, enabled our client to address important GDPR compliance requirements, as well as to mitigate against cyber risks associated with the Connected Car ecosystem. This helped our client to guard against the risks of multi-million-pound fines under the GDPR regime, whilst also boosting confidence amongst our client’s consumer customers about how their personal data was going to be used.

Our experience

Case study: Podium Analytics

Case study: Multinational company replacing EU SCCs

Case study: Communication system provider

Case study: A financial services institution

Case study: An international service provider
in the hospitality sector

Your main contact

Paul Knight

Paul Knight

Contact Paul Knight

Peter Wainman

Peter Wainman

Contact Peter Wainman

Jagvinder Singh Kang

Jagvinder Singh Kang

Contact Jagvinder Singh Kang

Helen Tringham

Helen Tringham

Contact Helen Tringham

Richard Sykes

Richard Sykes

Contact Richard Sykes

Case study: A public healthcare
organisation

Case study: Global crypto-exchange
and currency provider

Case study: An education institution

Case study: An automotive company

Visitors

Existing clients

Staff

Our experience

Case study: Podium Analytics

Case study: Multinational company replacing EU SCCs

Case study: Communication system provider

Case study: A financial services institution

Case study: An international service provider in the hospitality sector

Your main contact

Contact Paul Knight

Contact Peter Wainman

Contact Jagvinder Singh Kang

Contact Helen Tringham

Contact Richard Sykes

Data protection hub

Stay informed

Case study: A public healthcare organisation

Case study: Global crypto-exchange and currency provider

Case study: An education institution

Case study: An automotive company

Visitors

Existing clients

Staff

Case study: An international service provider
in the hospitality sector

Case study: A public healthcare
organisation

Case study: Global crypto-exchange
and currency provider