Data Protection

Our Data Protection Legal Services

UK GDPR and Data Protection Act Compliance

The UK GDPR and the Data Protection Act 2018 set out detailed rules for how businesses must collect, store, use, and share personal data. Non-compliance can result in fines of up to £17.5 million or 4% of annual global turnover, whichever is higher. We help businesses understand their obligations and put the right measures in place without unnecessary complexity.

• Compliance audits and gap analysis for SMEs and growing businesses
• Lawful basis assessments and records of processing activities
• Privacy notices, cookie policies, and consent frameworks
• Data retention policies and secure destruction procedures
• ICO registration and ongoing compliance support

Data Protection Policies and Documentation

Having the right documentation in place is a legal requirement, not just good practice. Investors, buyers, and commercial partners increasingly scrutinise data compliance before entering transactions. We draft and review the full suite of data protection documents your business needs, keeping them proportionate and practical.

• Internal data protection policies and staff handbooks
• Data processing agreements with suppliers and third parties
• International data transfer agreements and standard contractual clauses
• Data protection impact assessments (DPIAs)
• Privacy by design frameworks for new products or services

Employee Data and Employer Obligations

Employers collect and process significant volumes of personal data about their workforce, covering recruitment, payroll, performance management, monitoring, and more. Getting this right is essential for both legal compliance and employee trust. Our employment contracts and policies team works alongside our data protection solicitors to ensure your HR practices are watertight.

• Employee privacy notices and data retention schedules
• Lawful monitoring and surveillance policies
• Employee screening, background checks, and data handling
• TUPE transfers and employee data obligations
• Subject access requests from current or former employees

Data Subject Access Requests

Individuals have a legal right to request copies of their personal data under UK GDPR, and businesses must respond within one month. Mishandling a subject access request can result in ICO complaints and enforcement action, particularly where requests come from employees involved in disputes. We advise on how to scope, manage, and respond to DSARs efficiently and lawfully. Our employment dispute resolution team can also advise where DSARs arise in the context of tribunal proceedings.

• Scoping and responding to complex DSARs
• Identifying and withholding exempt information lawfully
• Extension requests and time management
• Responding to DSARs linked to employment disputes

Data Breach Response and ICO Notifications

A personal data breach must be reported to the ICO within 72 hours of discovery if it is likely to result in a risk to individuals. Acting swiftly and correctly in the immediate aftermath of a breach can significantly affect the regulatory outcome. We provide urgent advice on breach response, notification obligations, and managing the consequences for your business and customers. Our GDPR compliance team is available to assist at short notice when breaches occur.

• Breach assessment and risk evaluation
• ICO notification drafting and management
• Individual notification requirements
• Remediation plans and post-breach compliance improvements
• Defending regulatory investigations and enforcement action

Data Protection in Business Transactions

Data compliance has become a key area of scrutiny in mergers, acquisitions, and business sales. Buyers and their solicitors routinely examine data protection practices as part of due diligence. A business that cannot demonstrate compliance risks delays, price reductions, or failed transactions. We advise on data protection due diligence as part of broader mergers and acquisitions work, ensuring your business is transaction-ready. For businesses accepting investment, the same scrutiny applies.

• Data protection due diligence for buyers and sellers
• Warranties and indemnities relating to data compliance
• Post-completion data migration and processor transition
• Data room preparation and compliance documentation for sale

Privacy and Electronic Communications

The Privacy and Electronic Communications Regulations (PECR) sit alongside UK GDPR and govern direct marketing by email, telephone, and text, as well as the use of cookies and similar technologies. Many businesses fall foul of PECR without realising it, particularly around email marketing and consent. We advise on PECR compliance and help businesses build lawful marketing frameworks.

• Email and SMS marketing compliance
• Cookie consent mechanisms and cookie audit
• Legitimate interest assessments for direct marketing
• Soft opt-in rules for existing customers