Client Testimonials

"Protecting my name and image is key. Back in 2005 I was looking for a firm that knew their stuff, didn't cost the earth and would not only get things done but also achieve results. Since then, the Waterfront has consistently achieved all of these objectives and are also a real pleasure to deal with.  I highly recommend them to anyone needing to take swift action to protect a brand."

Sarah Beeny, TV Broadcaster and Property Developer

Data Protection

In the UK, the Data Protection Act 1998 (the "DPA") regulates the processing of personal information relating to living, identifiable individuals. Save for a few exceptions, every organisation that processes "personal data" must comply with the DPA.

"Personal data" is all data relating to a living person (known as the "data subject"), where such data could identify that person (whether on its own or in conjunction with other data available to the "data controller" - see below for the definition).  This would include, by way of example, a person's name, address and date of birth and any other data that is attached to such identifying data. The DPA applies to information held on computers and also to paper records, where these are filed by reference to the data subject.

Certain types of personal data are classified as "sensitive personal data", which attracts special protection. For example, any data regarding a person's racial or ethnic origin, his physical or mental health, or his sexual life falls within this category.

The person or organisation that determines the purposes for which and the manner in which personal data is processed is called a "data controller". Any person who processes data on behalf of the data controller is known as a "data processor". "Processing" is construed very broadly under the DPA and includes obtaining, holding, use or disclosure of information.

Organisations must be open about their use of personal data and their use must comply with the eight "data protection principles":

The Eight Principles

Data must be:

  1. Processed fairly and lawfully.
  2. Held only for specific purposes and not used in any way which would be incompatible with those purposes.
  3. Adequate, relevant and not excessive for the purpose for which the personal data is being processed.
  4. Accurate and kept up to date.
  5. Not kept for longer than necessary.
  6. Processed in accordance with the individual's rights.
  7. Kept secure.
  8. Not transferred outside the EEA unless the destination country ensures an adequate level of protection for the rights of the data subject in relation to the processing of personal data.

Data subjects have the following rights and remedies under the DPA:

  • the right to find out what information is held about them
  • the right to prevent processing
  • the right to prevent processing for direct marketing
  • the right to object to decisions made only by automatic means based on data held
  • the right to compensation - a data subject can claim compensation from a data controller for damage and distress caused by any breach of the Act
  • the right to rectification, blocking, erasure and destruction of data
  • the right to ask the Information Commissioner to assess whether the DPA has been contravened, and if it has, an enforcement notice may be served on the data controller.

Intellectual Property