Our Data Protection Service
Data protection in the UK is underpinned by the retained EU General Data Protection Regulation (the UK GDPR) and the Data Protection Act 2018. Businesses must not only process personal data in line with the data protection principles but also be able to demonstrate that they comply (the accountability principle).
Our experts work with clients of different sizes and sectors to provide effective, proportionate and affordable compliance solutions.
The mandatory requirement (Article 28 UK GDPR) for specific contractual terms to be in place wherever a processor provides services to a controller can seem daunting.
However, our experienced team provides a range of assistance and documentation to help your business with its compliance.
We can advise you about whether you have responsibilities under data protection laws as a controller or processor and what the implications are for your business.
Our Data Protection Solicitors can undertake, draft and advise on:
- Data Mapping Exercises. We map the journey of personal data within your business including where data is sourced from, stored, processed, transferred, accessed and used to evaluate your current practices and procedures;
- Data Subject Access Requests (DSARs). We can advise you on how to respond to DSARs, and draft policies to help train and guide your workforce on best practice when dealing with and responding to DSARs;
- Privacy Notices. We can draft Privacy Notices to cater for the processing of personal data across your business, including employee data, customer or supplier data, or from any online offering;
- Data Protection Impact Assessments (DPIA). The UK GDPR has prescriptive requirements on what entities are required to conduct DPIAs. We can advise you on such obligations, and draft a DPIA tailored for your requirements;
- Data Sharing and Processing Agreements. The UK GDPR requires specific contractual terms where a processor processes personal data on a controller's behalf, and the ICO's data sharing code recommends a written data sharing agreement between controllers. We can draft Data Sharing and Data Processing Agreements for your purposes, including international transfers of personal data compliant with UK and EU data protection laws; and
- Direct Marketing. Data protection laws in the UK are supplemented in the context of electronic marketing by the Privacy and Electronic Communications Regulations (PECR). We can advise you on your direct marketing activities and offer practical guidance on how to comply with PECR and other data protection law requirements.
Many organisations regularly transfer personal data outside the UK and the EU, sometimes unwittingly: for example, if your business engages technology providers for cloud computing services, those providers may store or process data overseas.
Data protection laws restrict the transfer of personal data outside the UK or the EU unless appropriate safeguards are put in place to ensure that the personal data continues to be processed lawfully and securely.
This issue can be particularly relevant to organisations which are members of a multi-national group or where business partners or suppliers are based outside of the UK and/or the EU.
For further guidance on the measures that should be implemented when making transfers of personal data overseas, please see our recent article on Standard Contractual Clauses.
Our Data Protection Experience
- Reverse Rett. We assisted Reverse Rett with the drafting of App terms and conditions and a Privacy Notice as part of the launch of its new Reverse Rett App, which matches clinical trials run by pharmaceutical companies with potential patients. Our instruction included a detailed data protection assessment covering the processing and sharing of special category personal data of minors by the App and by third-party pharmaceutical companies;
- Drafting a suite of documents (including a Data Protection Policy, DPIA, Record of Data Processing Activities, and Data Breach Policy) for a software provider offering banking and peer-to-peer wallet solutions within the international Fintech sector;
- We assisted an IT and Tech provider offering social media data collection, harvesting and analysis services with the drafting of, and advising in relation to, their DPIA, including conducting an extensive data mapping exercise; and
- GDPR audits for a large number of our clients prior to the GDPR coming into effect.
Data Protection Case Studies
International technology business expanding into the UK
Client Intro
Our client is an international technology business providing software and systems to customers across multiple jurisdictions, including Australia and New Zealand.
Case Overview
We advised the client on a range of commercial and data protection matters in connection with the rollout of its services in the UK.
This included adapting existing overseas customer terms for use in the UK, preparing data processing documentation, and advising on compliance with UK data protection laws. The work required careful consideration of international data flows between the UK, Australia and New Zealand, particularly given the absence of an adequacy decision for certain transfers.
We also supported the client in establishing its UK presence, including corporate setup and employment documentation, ensuring the business was positioned to operate effectively in a new market.
Working alongside specialist advisers where appropriate, we helped the client implement a compliant and commercially practical framework for its UK operations.
“When supporting international businesses entering the UK market, it’s essential to align legal compliance with how the technology operates in practice. We focused on delivering a framework that achieved both.” – Richard Meehan, Partner
Why Work With Our IT/Technology Team
- Myerson Solicitors' IT lawyers can provide businesses with extensive legal advice and support on a wide range of IT-related matters.
- Members of the Society for Computers & Law
- Active participants in the UK technology ecosystem
- Working with Myerson Solicitors means you'll have access to legal experts who can support and help your business stay ahead of the curve in today's ever-evolving digital landscape.
- An alternative to the major, regional, and national firms by offering high-quality Technology law advice from specialist solicitors, but on a much more cost-effective basis.
- By working closely with our IT clients, we can ensure we meet their expectations for business operations and provide clear, specialist expertise. We are easy to deal with and understand that a common-sense approach is often required.
- Extensive experience in dealing with a broad range of IT disputes, such as data protection and software development issues, giving businesses fast and helpful advice based on knowledge of their business, its history, and pressures.
- A partner-led service and a genuinely accessible team of experienced IT law solicitors due to our size, structure, and unique culture.
- Our Technology Solicitors are happy to discuss your situation in a free, no-obligation telephone consultation. We are committed to transparent pricing and will always discuss costs with you at the outset. Fixed fees and retainers may be available where appropriate.
We are trusted by founders, investors and in-house counsel who require commercially astute advice delivered with accessibility and strategic insight.
FAQs
What level of fine could the ICO issue for a breach of data protection laws?
The ICO can fine a business up to the greater of £17.5 million or 4% of its group's annual worldwide turnover (the EU GDPR equivalent is €20 million or 4%). Its enforcement powers also include enforcement notices that restrict or stop processing activities, which can itself cause loss of revenue. Individual data subjects also have strengthened rights under the legislation.
What is a Data Subject Access Request?
A request from an individual for copies of the personal data a company holds about them. This can include names, IP addresses, photographs, videos (CCTV footage), complaints, registration information, employees’ information – the type of personal data a business holds about data subjects can vary massively depending on the sectors the business operates in, its customer base, and its day to day operations.
What other rights do individuals have?
In addition to Data Subject Access Requests, individuals have the right to request that personal data held or processed about them is corrected, restricted or erased, the right to object to certain processing (including direct marketing) and, in some circumstances, the right to data portability.
What privacy notices must be issued?
All data subjects about whom your business processes personal data should be issued a formal privacy notice. Such notices include details of: the processing, the purposes of the processing and its legal basis, retention periods and data subjects' rights. Privacy notices should be included in employee documentation and consumer terms and conditions and on your business website. Depending on how your business operates, you may therefore need to issue more than one privacy notice. This allows each privacy notice to be clearer, more concise and specific to the particular circumstances in which your business processes personal data.
What is a website privacy notice?
A website privacy notice sets out what personal data is obtained through a user's access to and interaction with your website and what it will be used for. It helps businesses meet their transparency ("fair processing") obligations and, where consent is the lawful basis relied on, informs the user so that any consent given is "freely given, specific and informed". It should be accessible at every point at which personal information is collected.
What is "Big Data"?
Big data describes a massive volume of structured and unstructured data, where the data is so large that it is difficult to process using standard database and software methods.
Big data:
- uses massive, diverse, complex, longitudinal, and/or distributed datasets that are generated by, or collected from, a variety of different devices, sensors and transactions (volume);
- brings together data from different sources, both structured and unstructured (variety); and
- is processed quickly, often exceeding current processing capacity (velocity).
Does Big Data come under data protection laws?
Although much big data is not personal data (for instance world climate and weather data), big data analytics frequently does involve the processing of personal data (for instance data from monitoring devices on patients in clinical trials, mobile phone location data, data on purchases made with loyalty cards and biometric data from body-worn devices). Where it does, the processing falls within the scope of data protection laws and must comply with the data protection principles set out in the UK GDPR.
What do businesses processing Big Data need to do?
Businesses processing big data should:
- Abide by the rules of fairness and transparency and meet the reasonable expectations of the data subject when processing their data;
- Explain the benefits of the analytics to the data subject and, where consent is the lawful basis relied on, obtain consent before processing;
- Collect and use data only for specified, explicit and legitimate purposes;
- Collect and use only data that is adequate, relevant and not excessive, and keep it no longer than is strictly necessary;
- Anonymise or pseudonymise data wherever the purpose allows;
- Respect the rights of data subjects; and
- Consider carrying out a data protection impact assessment (DPIA) to assess how the big data analytics is likely to affect the individuals whose data is being processed and whether such use is fair.
What are the data processing recordkeeping requirements?
Most businesses will be required to keep a formal record of their processing activities. Such a record must include, amongst other details, the categories of data and data subjects, the purposes of the processing, any recipients and international transfers, retention periods where possible, and a general description of the technical and organisational security measures in place.
Meet Our Technology Solicitors
Home-grown or recruited from national, regional or City firms, our Technology lawyers are experts in their fields and respected by their peers.