Data Protection

In an ever-evolving digital world, our specialist Data Protection team can advise and support you on a wide range of data protection issues.


Data Protection Services

Data is a valuable business asset and data protection compliance is a critical issue for companies and individuals alike. Our expert data protection lawyers regularly advise on a variety of complex data protection issues. Our services include: 

We also advise on a wide range of related data protection matters, such as:

  • The use of cookies and other tracking technologies
  • The transfer of personal data to third countries
  • The use of personal data for marketing purposes

Whether you have just established your company or are an experienced data protection officer, our understanding of the market and law means we are able to apply a commercial and contractually sound perspective to our support and advice.



Data Breaches

Personal data breaches occur when personal data has been accidentally or unlawfully:

  • Destroyed
  • Lost
  • Altered
  • Disclosed, or accessed, without authorisation, whether accidentally or deliberately.

What is required when a breach happens?
Under the UK GDPR, a personal data breach must be reported to the relevant supervisory authority (in the UK, the Information Commissioner's Office) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to the individuals concerned, they must also be informed without undue delay.

The controller must keep a record of every personal data breach, including those it decides not to report, setting out the facts, its effects and the remedial action taken. Assessing a breach means identifying the risk it poses to the data subjects' rights and freedoms and the severity of that risk. We would recommend that legal advice is taken at that stage; if it is not, documentation is key to being able to justify why a breach has not been reported.

With appropriate measures in place to prepare for, manage and react to data breaches, and ultimately to reduce the possibility of their occurrence, certain breaches will not need to be reported because they are unlikely to result in a risk to individuals: the loss of a device whose storage is fully encrypted and whose key has not been compromised is a common example. It is therefore key to establish how, in your day-to-day business, breaches could occur. They are very easy to cause, for example by leaving your phone on the train or sending an email to the wrong recipient. Some scenarios have simple solutions, but this will not always be the case.

Should a breach need to be reported, Article 33 of the GDPR sets out what the notification must contain, including:

  • The nature of the personal data breach, including where possible the categories and approximate number of data subjects and of personal data records concerned.
  • Who your Data Protection Officer or other point of contact is, and their contact details.
  • The likely consequences of the breach.
  • The measures taken or proposed by you as the controller to address the breach and to mitigate its possible adverse effects.

Failing to report a breach that should have been reported, even where internal analysis suggested it did not need to be, may itself result in enforcement action and fines. Advice should therefore always be sought in these scenarios.

Our skilled dispute resolution team can help individuals and businesses to resolve disputes relating to data protection. This may include disputes about the processing of personal data, the right to erasure, and the right to object to processing.

Data Compliance

We can help businesses to comply with data protection legislation, such as the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This includes advising on data collection practices, data storage and security, and data sharing.

In order to demonstrate compliance with the UK GDPR and, perhaps more importantly, to mitigate any enforcement action by the Information Commissioner's Office, businesses should put in place:

  • Privacy notices (both internal and external) telling staff and the outside world what the business does with their personal data.
  • A data handling policy which sets out the policies and practices staff must follow when handling personal data. This document helps protect the business if a staff member acts beyond their authority and causes a data protection breach.
  • Processing agreements in any situation where a controller / processor relationship arises. This document is required under the GDPR and must contain a prescribed set of clauses setting out the responsibilities of the processor to the controller.
  • A data protection officer (if required under the GDPR).
  • A process to consider international transfers of personal data and to ensure they are lawful, for example by putting in place standard contractual clauses or another appropriate safeguard.
  • A process to test internal reporting pathways so that if, for example, a data subject access request is received at reception, there is a pathway to ensure it reaches the responsible individual and can be dealt with within the required timeframe.
  • A process to regularly test the security of personal data, including the IT systems and the physical security of the business premises.
  • A training programme to ensure staff are aware of their responsibilities and are adequately trained in relation to data protection.

Employment Data Protection

The right to make a data subject access request (DSAR) is a key element of the protections contained in the UK General Data Protection Regulation (UK GDPR).

Although a right of an individual to access data held about them has long been a part of data protection legislation, the development of digital technology has led to a massive expansion in the amount and nature of the data being processed, particularly in the employment context.

We have seen a particular increase in the number of DSARs being brought by employees. These requests are frequently made in the context of an ongoing or potential dispute or tribunal or court claim.

It is also important that employers have key documentation in place before getting to the stage of receiving and handling a data subject access request, as this sets the foundation for the legal basis on which they are processing employee data and the steps to take when an employee seeks to enforce their data rights.


Subject access requests

Subject access requests (SARs) are a fundamental aspect of data protection regulation, granting individuals the right to access their personal data and understand how it is being used. UK data protection legislation does not set out formal requirements for a valid request, so an individual can make a SAR verbally or in writing. It is therefore important that you are able to recognise when a SAR has been made, as distinct from other routine verbal enquiries, because a legal deadline runs from that point within which you must respond. Our services focus on helping businesses handle such requests efficiently, compliantly and in good time.

While SARs are most commonly made in a consumer or employment context, they can also arise outside of this relationship and be made in a professional services context, for example when a former client makes a request to their former advisor.

Whatever the context, with our expertise, businesses can confidently manage SARs, demonstrating commitment to data transparency and privacy.

Data Protection Audit

We work with clients to understand their data flows and how they use data. This enables us to provide a compliance report.

We carry out an audit, on site or remotely, to assess your current data compliance and to recommend steps towards compliance. This is undertaken through a tailored audit or questionnaire.

Outsourced Legal Solutions
Outsourcing your legal requirements can reduce operational costs, give you access to specialised expertise and reduce your administrative burden, enabling you to focus on your core competencies.

Our services include:

  • Data Audit
  • Commercial Audit
  • Commercial Contract Audit
  • Intellectual Property Audit
  • Intellectual Property Management
  • Immigration Audit

What is the UK General Data Protection Regulation (UK GDPR)?

The UK GDPR is the data protection law in the United Kingdom. It is based on the EU GDPR, with some key differences, and is supplemented by the Data Protection Act 2018. The UK GDPR applies to organisations established in the UK that process personal data, and to organisations outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK. It is a complex piece of legislation, and it is important to seek professional advice if you are unsure of your obligations under it.

What data protection documents should employers have in place?

An employer will need to ensure that the following documentation is in place and up to date to ensure compliance with legal requirements and best practice:

  • The Contract of Employment
  • Data Protection Policy
  • Employee Privacy Notice
  • Data Protection Impact Assessment (depending on the circumstances)

What are data processors and controllers?

The UK GDPR draws a distinction between a ‘controller’ and a ‘processor’, and the distinction is important because it clarifies the responsibilities and obligations between the two under the UK GDPR. Data controllers decide how and why personal data is processed, ensuring compliance with data laws. Data processors handle data on behalf of controllers under their authority and follow their instructions for secure and lawful processing. 

I have received a Data Subject Access Request from an employee – can I refuse to respond?

Currently, there are limited circumstances in which you can refuse to respond entirely. You can only refuse to deal with a request (or, alternatively, charge a reasonable fee) where it is manifestly unfounded or manifestly excessive, and a request will only fall within one of these categories in exceptional circumstances.

Much employment data is unstructured and contains data on more than one individual. This in turn creates a particular challenge for employers and HR departments in handling subject access requests. They are now far more onerous, time consuming and expensive than when the right to access was first established but that does not give employers the right to refuse or limit the request.

How long do I have to respond to a Data Subject Access Request?

You must respond without undue delay and in any event within 1 month of receiving the request. If the request is complex, or the employee has made a number of requests, you can extend the time to respond by a further 2 months, but you must write to the employee within the initial 1-month period to tell them of the extension and why it is needed.

Can I redact some information from my response to a Data Subject Access request, or do I have to provide everything?

Yes, there is some information you can withhold. The most common exceptions for employers will be:

  • Information that is not their personal data
  • Legal privilege
  • Third party information
  • Management planning and forecasting
  • Negotiations

What is a data processing agreement?

A data processing agreement (DPA) is a legally binding contract between a data controller and a data processor that sets out the rights and obligations of each party in relation to the processing of personal data; Article 28 of the UK GDPR requires one whenever a processor acts on a controller's behalf. Personal data means any information relating to an identified or identifiable living individual, such as their name, address, email address or phone number. A DPA plays a crucial role in ensuring the responsible and compliant handling of personal data, protecting individuals' privacy rights and mitigating risk for the organisations involved. Please do get in touch if you would like further information on this. We are also able to advise on whether your international transfers of personal data would require standard contractual clauses (SCCs) or the ICO's International Data Transfer Agreement or Addendum (IDTA).

What are cookies and what is a cookies policy?

Cookies are small text files that websites store on a user's device to remember preferences, track user activity and personalise the experience. A cookies policy explains how a website uses cookies, detailing their purpose, types and the choices available to users. Under UK law (the Privacy and Electronic Communications Regulations alongside the UK GDPR) there are key requirements that a cookies policy and the associated opt-in/opt-out procedure must meet, in particular obtaining consent before setting non-essential cookies, and it is vital that your policies and procedures satisfy these requirements.

Who is the Information Commissioner's Office (ICO)?

The ICO is the UK’s independent data protection authority. The ICO is responsible for enforcing the UK GDPR and for promoting good data protection practice.

Recent Work

International Marketing Launch for Retail

Advising an internationally recognised provider of retail analytics solutions with international data protection advice concerning a cross-jurisdictional marketing launch.

International Sporting Event Advice

Advising a household-name manufacturer and supplier on their privacy policy for an international sporting event.

International Retailer Data Audit

Advising an internationally recognised retailer on the preparation of a tailored data audit questionnaire, undertaking an on-site audit and providing a report on the findings.


Best Law Firms 2024

Herrington Carmichael has once again been named in the Times Best Law Firms. We were first listed in 2023 and have once again made the Best Law Firms list for 2024.
