Data and Privacy

We are experts in data governance, accountability and advisory work. 

We advise our clients on policies, procedures and practices to ensure their operational processes adhere to the data protection requirements outlined in the UK and EU GDPR. Taking into account regulatory guidance and fines together with any case law, we will provide you with a practical approach via which you can demonstrate your compliance to clients, customers, employees and regulators alike.  With our extensive breadth and depth of knowledge across a multitude of sectors, we can offer examples of what is considered the benchmark level of compliance with best practice.

We offer a roadmap for your ongoing compliance journey, including: a selection of packages for data protection officer services; advice on international data transfers (including Standard Contractual Clauses, Transfer Impact Assessments and Binding Corporate Rules); and data record keeping requirements. We explain how best to manage the most difficult data protection issues your organisation faces.

Today, data is integral to every organisation whether it be the collection and sharing of data, its use in activities like analytics, research or profiling, or how and where it is processed.  Each of these exercises are underpinned by a commercial contract and/or data protection practice (such as DPIAs or data protection by design and by default). Working with some of the largest and most sophisticated technology companies in the world, our Data and Privacy team handles an enormous volume of work in this area. 

This ranges from commercial contracts with customers and vendors through to reviewing new products, sales and marketing advice across all channels (e-mail, text, phone and post) besides profiling and online advertising in the increasingly changing sphere of adtech. We have outstanding experience in helping businesses achieve their commercial and product oriented goals in a way that provides effective protection for individuals’ data.

When suffering a personal data breach, the decision to notify or not is often finally balanced. To determine if an incident merits notification often needs the input of experience to consider the potential consequences of reporting and where to report, which may be across a multitude of jurisdictions. This is a process we are adept to handle and assist you with. Furthermore, organisations sometimes grapple with parallel notification requirements under GDPR, NIS and the ePrivacy Directive and we can support you in navigating the applicable regimes.

In addition, many organisations face increasing challenges through the so-called “weaponisation” of data subject rights, where individuals submit enormously time-consuming and expensive requests easily, and without cost. Our team has significant experience in advising organisations in both preparing for these risks and mitigating against them before or as and when they arise. 

Employee data subject access requests can be extremely complex and time and cost intensive. We can advise in relation to conducting appropriate searches and the use of appropriate technology, which, together with a culture of data minimisation, can help make the process more seamless. We have extensive experience in managing regulatory investigations within the UK and more widely: our links with regulators and understanding of their priorities help us advise our clients on the key issues in any investigation.