GDPR & Data Protection

Data protection law has become one of the busiest areas for lawyers in recent years. Almost all entities that control and process personal data are required to comply with GDPR under the Data Protection Act 2018 regime. This requires informed and proactive ongoing information management.

When it comes to data protection, prevention is better than the cure. By taking a proactive approach and getting the right legal and technical support, organisations can achieve compliance and significantly reduce the risk of data breaches that could lead to fines and serious reputational damage.

However, data breaches cannot always be avoided, so it is also essential to have access to expert legal support if a breach occurs. This can allow an organisation to swiftly take the right actions to minimise the impact of a breach.

Our GDPR and data protection lawyers advise clients of all types, including SMEs, charities, religious organisations and schools. The work ranges from practice and policy reviews and updates, handling subject access requests, advising on data breaches, drafting privacy notices and advising on security, to assisting with full data audits. We have advised global companies with operations in the UK, regularly assisting with data processing agreements as well as providing day-to-day guidance and support.

In an area of law that is complex and technical and which can appear impenetrable to those unfamiliar with it, our team prides itself on distilling the legal requirements and providing proportionate, sensible and targeted advice to clients.

To discuss your requirements with our experienced GDPR and data protection solicitors in Westminster, London, please get in touch.


Matters our London GDPR & data protection solicitors can assist with

Our highly experienced GDPR and data protection solicitors in London have a wide range of expertise and can advise on the following:

  • Practice and policy reviews and updates
  • Subject access requests
  • Data breach management
  • Drafting privacy notices
  • Data audits
  • Data processing agreements

Why trust us for GDPR & data protection law advice?

  • We offer high level expertise in achieving GDPR compliance and mitigating data breaches.
  • Client care is at the heart of our service. We make sure that the practical solutions we offer are carefully tailored to our clients’ requirements.
  • We respond quickly, so clients can be confident of getting the urgent legal support they need, when they need it.
  • Every client will have a dedicated person dealing with their case, providing a consistent point of contact for updates and to answer questions.

Find out more about our specific areas of GDPR & data protection expertise

Data protection practice & policy reviews & updates

Getting the right data protection policy and practices in place is an essential step to achieving compliance across an organisation. Keeping the policies under review and ensuring the practices are being applied is key.

Our data protection solicitors can provide independent expertise on what needs to be included in these policies and how to create effective data protection practices that teams can realistically follow.

Our expertise includes:

  • Identifying gaps in an organisation’s existing data protection policies and procedures
  • Advice on how to deal with problem areas where compliance is not being achieved
  • Updating data protection policies and procedures to reflect best practice
  • Creating new data protection policies and practices from scratch

Subject access requests

When an organisation holds personal data about a person, that person has a legal right to access that data on request. Having a clear process in place for dealing with subject access requests makes this simpler, ensuring you are able to respond promptly within the required one-month deadline.

Our expertise includes:

  • Subject access request procedures
  • Responding to specific subject access requests
  • Dealing with subject access request disputes
  • Reviewing and handling large volumes of confidential client data

Data breach management

Breaches of the Data Protection Act 2018 can be relatively minor or much more serious, but they must all be taken seriously. If an organisation commits a suspected data breach, there are reporting obligations that must be followed, depending on the nature and severity of the breach.

Our expertise includes:

  • Effective data protection processes to minimise the risk of breaches
  • Procedures to follow in the event of a data breach
  • Responding to data breach claims

Drafting privacy notices

A well-drafted privacy notice is an essential tool for any organisation handling personal data. It informs anyone sharing their data about key details, such as what purposes their data will be used for and who the organisation’s Data Controller is.

A proper privacy notice is a legal requirement and can significantly reduce the potential for data disputes, saving an organisation time and money. 

Our expertise includes:

  • Reviewing privacy notices and recommending changes
  • Drafting privacy notices
  • Advising on privacy notice disputes

Data audits

Many organisations do not fully understand their data protection obligations, do not have the right framework in place to achieve compliance or struggle with getting their teams to follow correct processes.

A data audit can help to identify all types of data an organisation holds that is covered by the Data Protection Act 2018, as well as where the organisation may need to make changes to achieve compliance. This is a sensible proactive measure to take but can also be an essential step if a data breach has occurred and remedial action is needed.

Our expertise includes:

  • Carrying out data audits
  • Advising on specific actions to improve data protection processes
  • Implementation of data protection measures

Data processing agreements

Where an organisation relies on a third party to process personal data, there must be a sound data processing agreement in place to ensure compliance with the Data Protection Act 2018.

Our GDPR and data protection lawyers can assist with:

  • Drafting data processing agreements
  • Reviewing and updating data processing agreements
  • Data processing disputes

Our GDPR & data protection solicitors’ fees

We believe that our fees should be as transparent as possible. For this reason, we will always make sure that all of the likely costs are made clear upfront, allowing you to make a fair comparison with our competitors.

In certain situations, we may be able to offer fixed fees allowing you to budget with precision.

To find out more about our specific fees for dealing with GDPR and data protection law, please get in touch.

GDPR & data protection law FAQs

Who is responsible for demonstrating GDPR compliance?

An organisation’s Data Protection Officer or ‘DPO’ will need to take a leading role in ensuring compliance. The DPO might be a dedicated role or it might be a role that an existing member of the team carries out in addition to other duties.

However, it is the responsibility of everyone in an organisation to work to achieve and maintain GDPR compliance, which is why it is so important to have clear policies and processes in place and to make sure all staff have appropriate data protection training.

What is a breach of data protection?

A data protection breach is any breach of an organisation’s security that leads to the accidental or unlawful exposure, loss or alteration of personal data.

Exactly what constitutes a data breach is covered by the Data Protection Act 2018 and such breaches are regulated by the Information Commissioner’s Office (ICO).

What happens if you breach the Data Protection Act?

If an organisation breaches the Data Protection Act, then they have a legal duty to inform anyone whose data was involved in the breach. Depending on the severity of the breach, they may also need to inform the Information Commissioner’s Office (ICO). All data breaches within an organisation will need to be recorded internally.

If the ICO feels that there is a need to investigate a breach, it has the power to do so. Organisations must comply with ICO investigations and it is sensible to have expert legal advice during such an investigation to ensure the organisation meets its obligations while minimising the risk of prosecution or any penalties.

The ICO has the power to recommend that organisations make improvements to their data protection processes, to order them to do so and to hand out fines and other sanctions where appropriate.

As well as the legal risks involved in a data breach, there is also serious risk to an organisation’s reputation.

How has GDPR changed after Brexit?

Since the UK left the EU, GDPR has no longer applied directly within the UK as it is an EU law. However, GDPR was incorporated into UK law in the Data Protection Act 2018, so the basic rules around data protection will not change in the UK unless and until new data protection legislation is introduced into law.

For UK organisations that operate in the EU, EU GDPR will still apply. You will also have to give consideration to EU GDPR rules if you send data to any organisations in Europe that are covered by EU rules.

Speak to our GDPR & data protection solicitors in Westminster, London

To discuss your GDPR and data protection law needs with our experienced team, please get in touch.


  • Ed Henderson
      • 0207 960 7169
  • Niamh McKay
      • 0207 960 7144