Data protection solicitors
Our data protection lawyers have helped a wide range of clients needing advice on interpreting the General Data Protection Regulation (GDPR), the post-Brexit UK GDPR and other data protection laws, implementing systems to comply with their obligations around handling personal data and drafting privacy policies and privacy notices.
We have helped start-ups, SMEs and multinationals including suppliers working with the NHS and the Foreign, Commonwealth & Development Office. As well as UK businesses, many of our clients are based overseas with operations and clients in the UK.
Data protection law examples
Examples of our data protection team's experience
- Advising clients on the implications of the EU GDPR coming into force and helping them with data compliance by providing them with the necessary documentation and advising them on changes to their processes so they can remain compliant.
- Advising clients on the Data Protection Act 2018 and the UK GDPR following Brexit.
- Assisting clients on how data protection laws impact direct marketing efforts and helping clients structure their marketing to comply with data protection laws and The Privacy and Electronic Communications (EC Directive) Regulations 2003 as well as other legal issues.
- Updating standard form customer contracts to include data protection clauses to make the contracts compliant with data protection law.
- Updating DFID’s standard terms and conditions for suppliers to include extensive provisions dealing with data protection and privacy.
- Advising a telecommunications provider on their data handling obligations and negotiating several major contracts on their behalf involving cross border data transfers.
- Advising a business that processes large amounts of data on behalf of law firms on its contracts with clients and suppliers.
- Advising a law firm on data compliance.
- Advising a business that provides Virtual Reality training to various police forces in the UK on all aspects of their data compliance and drafting their data policies and data notices.
- Advising a business that provides online platforms through which its clients host large on-line events on all aspects of their data compliance and drafting their data policies and data notices.
- Advising a major supplier to the NHS that transfers personal data internationally on data protection compliance, updating their policies and helping them deal with data audits undertaken by the NHS so that they obtained quick sign-off from the NHS.
- Advising a US business on its implementation of a research project worth tens of millions of pounds that involves collecting personal data from individuals around the world and working with many external suppliers in an internationally based supply chain, and preparing them for data audits.
- Advising a direct marketing agency on its privacy obligations and putting in place systems to ensure that data was collected lawfully with appropriate privacy notices.
- Advising a major newspaper (in an in-house capacity) on data protection compliance.
- Advising a media investment company (in an in-house capacity) on data protection compliance.
- Advising an agent on its position under data protection and privacy law and PECR which involved liaising with UK’s Information Commissioner’s Office.
- Advising an international church on GDPR / PECR challenges around a database with hundreds of thousands of individuals on it and how to overcome them.
- Advising a leading PR business with overseas operations on GDPR compliance and providing training to staff.
- Advising an international business in the risk advisory / corporate due diligence industry on GDPR compliance and optimal ways to transfer personal data.
Why Choose EM Law Data Protection Lawyers?
Data protection legislation is complicated, but this does not mean that getting your business data compliant should be a painful exercise. Clients use us because we provide them with solutions with minimal fuss and at a fair cost.
Since GDPR was introduced in May 2018 we have helped clients with data compliance ahead of their businesses being sold or receiving significant investment. In these scenarios lawyers acting for the investor / buyer have undertaken a due diligence exercise and scrutinised our clients’ data compliance practices, and our clients have passed these checks and gone on to sell the business or receive that investment.
So the compliance work that we carry out has passed the scrutiny of City law firms. However, unlike some City law firms, we don’t map out every single data flow in an organisation to an unnecessary degree. This would add costs to the data compliance exercise which our clients would not want to pay. Put simply: we provide our clients with data compliance support that protects them properly and offers value for money.
Data Protection Legislation Case Reviews
COO of a Strategic Communications Agency
Neil at EM Law advised us with regards to GDPR. He was thoughtful and thorough, providing actionable advice that was relevant to our specific circumstances. The materials and training that he and his team left behind have ensured that the entire team is better educated as to the challenges and opportunities provided by GDPR.
Richard Davies Director F2iT Limited (t/a Zedonk)
We approached Neil at EM Law to deal with the GDPR legislation and new staff handbook and employment contracts for our employees. Neil, who is professional, personable and knowledgeable, dealt with all the issues that arose and we would not hesitate to recommend. Great law firm!
Data Protection Solicitors FAQs
What is the general data protection regulation?
The GDPR was introduced in May 2018, replacing the Data Protection Directive 95/46/EC. It is an EU law (all members of the EU have to comply with it) offering much greater protection to the personal data of individuals, providing data subjects with greater rights and exposing organisations to harsher penalties if they fail to comply with the new law.
It was in particular the size of the penalties that could be imposed under GDPR and the complexities of GDPR compliance that caused organisations and their lawyers to sit up and (in many cases) scramble to become compliant ahead of GDPR coming into force.
What is the Data Protection Act 2018?
The Data Protection Act 2018 is the UK’s implementation of the GDPR. It sets out the rules for how personal data must be collected, processed, and stored by organisations operating in the UK.
The Act applies to any organisation that processes or intends to process the data of individuals in the UK, regardless of whether the organisation is based in the UK or not. This includes businesses, charities, public authorities, and any other organisation that processes data.
Under the legislation, organisations must take steps to protect personal data from being accidentally or deliberately destroyed, lost, altered, or disclosed to unauthorised people. They must also ensure that data is accurate and up-to-date, and take steps to correct any inaccuracies.
Organisations must also ensure that data is only processed for the specific purposes for which it was collected, and not used for any other purpose without the individual’s consent.
Individuals have the right to access their personal data, and organisations must provide this data free of charge within one month of receiving a request.
Organisations that process data must also notify the individual if their data has been lost or stolen, and must take steps to prevent data breaches from happening in the first place.
The 2018 Act replaces the Data Protection Act 1998, and applies to data collected from 25 May 2018 onwards.
What are the key differences between the Data Protection Act 1998 and the Data Protection Act 2018?
The 1998 Act was introduced at a time when data protection was not considered to be a priority for businesses or individuals. The 1998 Act was designed to protect data from accidental or unauthorised access, destruction, or alteration. However, it did not focus so much on the purposes for which data was being collected and used.
The 2018 Act was introduced in response to the GDPR. The GDPR is a much more comprehensive piece of data protection legislation than the 1998 Act and applies to all businesses and individuals processing data within the EU; GDPR compliance is regarded as amongst the toughest sets of data compliance rules in the world. The 2018 Act sets out strict rules about how data must be collected, used, and protected. It also gives individuals the right to access their data and to have it erased.
The main differences between the two data protection acts are the scope of the legislation, the penalties for non-compliance, and the rights of individuals. The 2018 Act imposes heavy fines for data breaches, including a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements. Finally, the 2018 Act gives individuals the right to data portability, the right to be forgotten, and the right to object to data processing.
Did the UK replace GDPR after Brexit?
The answer is not a simple “yes” or “no”. GDPR still exists – it has not been replaced, so GDPR compliance is still important. If your UK business processes the personal data of EU citizens it must comply with GDPR (or “EU GDPR”, as it is now known in the UK).
The Data Protection Act 2018, in essence, says that all UK organisations must comply with GDPR. The Act continues to apply after Brexit, but its rules apply to the version of GDPR that was in force immediately before the Brexit transition period ended on 31 December 2020 – enter the UK GDPR. Right now, in 2023, there have been very few differences between UK GDPR and EU GDPR, but 10 years from now it’s possible that the two sets of rules will be very different.
Can a lawyer be a data protection officer?
Yes, data protection officers (DPOs) can be lawyers and some DPOs have a law degree or background.
However, it is not a requirement to be a lawyer to serve as a DPO. There are many different types of data protection officers, with various backgrounds and qualifications.
Ultimately, what is most important for a DPO is to have a deep understanding of data protection legislation and regulations.
Can you get compensation for a data breach?
Yes, you may be eligible for compensation if you can demonstrate that you suffered loss as a result of a data breach. Your loss could be in the form of distress, akin to a personal injury claim.
If you suffer financial loss as a result of a data breach then you can claim for the amount of those financial losses.
Most of the time it will be difficult for you to obtain compensation despite a breach of your data having occurred, but it depends on the seriousness of the breach and the type of data that has been disclosed.
What is covered by data protection law?
Data protection law covers the rules for the processing of personal data.
What is personal data?
Personal data is information that relates to an identified or identifiable individual. Most commonly this will be a person’s name and contact details but it can include all sorts of other things such as images of that person, that person’s financial data, personal beliefs and IP address.
What is a processor?
If you are processing personal data then you must follow data protection laws which are extensive. If, for example, you are processing personal data as a “data controller” then you are primarily responsible for looking after that data and for letting the individual whose data you are processing (the data subject) know who you are, how you can be contacted, what you are going to do with that person’s data and what their rights are.
Alternatively, you may be processing personal data on behalf of a data controller, perhaps because you are a supplier to the data controller and, in supplying your services to that data controller, you access the personal data for which the data controller is responsible. In these circumstances you would be acting as a “data processor”.
How can organisations legally process personal data?
Data protection law contains rules about when you are permitted to process personal data. You can’t process personal data unless you can rely on certain legal grounds for processing. Organisations must also be able to demonstrate compliance with data protection law by drafting policies and notices and by holding personal data securely.
Under the law, individuals have the right to know what information is being collected about them, why it is being collected, and how it will be used. They also have the right to have that information erased, or “forgotten.”
Organisations that collect, process, or store data must take steps to protect that data from unauthorised access, destruction, or alteration. They must also ensure that the data is accurate and up-to-date.
Data protection law is designed to strike a balance between the rights of individuals and the need for organisations to collect, use, and store data. Its rules are complex and you will need specialist lawyers to help you and to liaise, if necessary, with the Information Commissioner’s Office (ICO).
What are the consequences for breaching data protection laws?
The UK GDPR and Data Protection Act 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements. The EU GDPR sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements. The ICO or another regulator would impose the fine.
Your business could also be sued for damages by an individual whose rights had been infringed if the individual could establish that they had suffered loss as a result of your organisation’s actions.
You could also be guilty of committing a criminal offence. A criminal offence may be committed if, for example, you destroy or falsify documents, or if you are, say, a director of a company and your company breached certain data protection laws with your “consent or connivance”.
The courts can only impose fines, though. Imprisonment is not available on conviction of any offence under the Data Protection Act 2018.
What are subject access requests?
A subject access request (SAR) allows an individual to make a formal request to a data controller for any personal data that is being held about them. This includes any data that may have been collected, used, processed, or stored by the data controller.
Subject access requests can be made for any type of personal data, including data that is held in physical (e.g. paper) or electronic (e.g. computer) form.
The data controller must provide the individual with a copy of their personal data within one month of receiving the SAR, unless the request is particularly complex or there are numerous requests, in which case the data controller can extend this deadline by a further two months.
Individuals have the right to make a SAR at any time, but data controllers may charge a fee of £10 if the request is considered to be unfounded or excessive.
If subject access requests are not handled properly, the individual can ask the Information Commissioner’s Office (ICO) to step in and take enforcement action.
My business is a start-up and can’t afford the costs of a full compliance programme. What should I do?
You should understand that all organisations, no matter how large or small they are, have to comply with data protection laws. Failure to do so could mean that the ICO imposes fines or other enforcement actions, or that individuals bring claims against your organisation.
However, if you really can’t afford full-blown expert advice then you should do your best to stay up to date with the law, have a legal expert create a privacy policy to link to from your website, and have an expert look at what cyber security measures you are using to keep data secure and follow their recommendations to improve these. Getting security right and behaving transparently are the main things to get right initially.
Security failures tend to be the main cause of data loss, so it is a good idea to get security matters right from the beginning.
If, however, you are processing special category data then we would strongly advise you to take specialist legal advice from data protection lawyers from the outset.
What is Special Category Data?
The UK GDPR defines special category data as:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
Who is responsible for data protection law in the UK?
The Information Commissioner’s Office (ICO) enforces data protection laws in the UK. While the ICO ensures compliance with regulations like GDPR, businesses are responsible for implementing and maintaining their own data protection measures to comply with these laws.
Who can be a data controller under the GDPR?
Under the GDPR, a data controller is any individual, organisation, or body that determines the purposes and means of processing personal data. This includes businesses, government agencies, non-profits, and other entities. Any organisation can be a data controller, and so too can sole traders.
What is Article 26 of the GDPR?
Article 26 of the GDPR outlines the responsibilities of joint data controllers. It requires them to clearly define their respective roles and responsibilities regarding compliance with GDPR, ensuring transparency and accountability in data processing activities.