Data privacy

Our global cyber and data risk team has a focus on legal and organisational issues facing businesses in a data-driven world. We represent clients (from SMEs to PLCs) on regulatory issues regarding data capture, and advise on measures to help protect the integrity of data processes.

We work with software developers, organisations with a global and/or online presence, and companies in highly-regulated industries to provide practical and efficient solutions involving data collection, use and strategies in an ever-growing complex world.

Over 100 countries have data protection laws. With privacy lawyers in North America, the EU/UK, Middle East, and Asia Pacific, Kennedys advises companies on how to navigate ever-growing and complex domestic and global privacy requirements. We are regularly asked by our clients to provide commercially driven advice relating to managing data risk across multiple jurisdictions. This can be on a proactive basis, by ensuring that our client’s house is in order and mitigating exposure to legal issues, or reactively, in response to concerns raised by a customer or a regulator.

We help our clients develop internal checklists, map data, and deliver training, and we work closely with our partner vendors to provide technical support such as provision of penetration testing.

In addition, we are an internationally recognised leading firm in data breach response.

End-to-end data protection lifecycle

We recognise that data protection issues pervade the business spectrum, and our team is here to help you with any element of commercial or regulatory compliance. This includes:

1. Regulatory and commercial compliance

  • Advice on compliance with data protection laws across the world, including all the rules and regulations across the UK, Europe, USA, Latin America, UAE, and Asia Pacific
  • Ensuring that your organisation complies with rules around data retention and storage, cookie compliance, marketing preferences, and PCI standards
  • Assessing and advising on the data protection provisions within vendor or licensing agreements.

2. Data strategy

  • Advising on strategies for managing and processing data within your organisation, and building a framework that helps you efficiently navigate the ever-evolving global privacy regulations
  • Coordinating and mapping data transfer, processing and management, and advising on solutions such as standard contractual clauses or binding corporate rules
  • We provide training, and advise on internal data procedures to ensure policies are implemented across all levels of your organisation.

3. Regulatory investigation

  • We have extensive experience in dealing with Data Protection Act (DPA) investigations, including those by the Information Commissioner's Office (ICO).
  • Investigations regarding unsolicited marketing communications, data processing arrangements, cookie compliance and others.

4. Cyber

  • When things go wrong, we have a dedicated team of cyber lawyers to coordinate and advise on the response to a cyber attack. Utilising our unique experience, we also advise organisations on breach readiness.

5. Litigation/data subject claims

  • We have experience in dealing with individual or group data subject litigation.
  • Our data subject litigation product allows us to advise on strategies to defend privacy claims on a strategic level. We also advise organisations on the response to Data Subject Access Requests (DSARs).

The team at Kennedys are first-class, and we can rely on them to support us in any challenge we may face.

Work highlights

  • Advising a major international container shipping company on regulatory notification thresholds and preparations for dealing with ransomware incidents
  • Advising a global vehicle brand on regulatory compliance following implementation of GDPR, including advising on privacy policies, and the use of vehicle telematics
  • Advising a local authority security contractor on data processing agreements relating to the processing of CCTV images
  • Advising a global construction organisation on their cross border data transfer agreements and effect of US Privacy Shield when transferring documents for processing
  • Advising one of the UK’s largest gym chains on direct marketing strategies and compliance with data handling legislation
  • Advising one of the UK’s most recognisable brands on a regulatory investigation led by the Information Commissioner's Office
  • Drafting and advising on website privacy policies and cookie policies for a range of organisations.
  • Advising an international e-commerce company on cookie banner implementation and compliance.
  • Conducting a data privacy compliance audit for Marriott International Inc. The audit process involved interviewing staff from all sections of the business to build up a comprehensive picture of the collection and handling of personal data, and then advising on areas of potential non-compliance and recommending remedial actions.
  • Providing multi-jurisdictional data privacy compliance advice for Marriott International Inc, to prepare privacy notices and policies for use in hotel properties throughout the APAC region. This involved coordinating data privacy compliance advice from up to 15 APAC jurisdictions.
  • Advised the Hong Kong Hospital Authority in relation to complying with Hong Kong data privacy laws and the European Union General Data Protection Regulation in relation to a range of activities, including the Electronic Health Records System, the conduct of clinical trials and the development of AI technology.
  • Advising a large number of insurers including Allianz, Bupa and Prudential on the wording of personal information collection statements and direct marketing consents on Hong Kong insurance application forms.
  • Preparing an industry model privacy policy wording for the Hong Kong Federation of Insurers to use as guidance to its members.
  • Advising clients including Aegon, Ageas and KPMG on retention and secure destruction policies for policyholder data.
  • Conducting in-house data privacy training sessions for clients including Bupa, MSIG and Cigna.
  • Assisting a national restaurant chain with compliance with the California Consumer Privacy Act (CCPA).
  • Assisting an insurance company with compliance with the New York State Department of Financial Services Cybersecurity Regulation, including presentations to the Board of Directors.
  • Preparing US and Canada privacy policies for a US corporation doing business in the US and abroad.
  • Preparing technology contracts for remote test proctoring services and a multinational app-based transportation ticketing company.
  • Assisting web-app developers with negotiating data hosting and white-labeled mobile app licenses.
  • Assisting clients with drafting and implementing information security programs in compliance with such data protection laws as the SHIELD Act, CCPA, and GDPR, including for a cloud data hosting organization, a third-party claims handling organization, an investment fund, and organizations in the insurance industry
  • Advising insurance industry clients on compliance under New York DFS cyber regulations 23 NYCRR 500, including certification and implementation of cybersecurity programs, and the NAIC Model Law on Insurance Data Security
  • Advising corporate clients on data transfers between US and EEA.
  • Drafting and negotiating insurtech and start-up licensing and service agreements, resolving issues regarding data ownership, use, security and privacy of data.
  • Coordinating incident response to various national and international data breaches and other cybersecurity events.
  • Providing data protection advice to reinsurance brokers in relation to the implementation and applicability of data protection law.
  • Advising an international insurance company on whether their personal data transfer, processing and protection agreement complied with the Mexican law provisions on personal data protection
  • Advising a reinsurer in respect of an intragroup international data transfer agreement to comply with Mexican law.
  • Advising an international insurance group on data regulation compliance in connection with intercompany data transfer under a global master operating agreement in several Latin American jurisdictions.