Expert Data Protection Solicitors for GDPR Compliance
Our Data Protection Services
Data protection in the UK is governed by the UK GDPR, the Data Protection Act 2018 and related legislation. Businesses must not only comply with data protection principles but also demonstrate accountability in how personal data is handled.
Our data protection lawyers provide practical, strategic advice to help you embed compliance into your day-to-day operations.
We work with organisations of all sizes and sectors, delivering proportionate and cost-effective solutions tailored to your business.
We can advise on whether you act as a data controller or processor and explain the legal and commercial implications for your organisation.
Our Core Services
We advise on and prepare the key documentation and processes required for effective compliance, including:
Data Mapping Exercises
We map how personal data flows through your business, identifying where data is collected, stored, accessed, shared and transferred, to assess risk and improve compliance.
Data Subject Access Requests (DSARs)
We support businesses in responding to DSARs and can draft internal procedures and training materials to ensure efficient and compliant handling.
Privacy Notices
We draft tailored privacy notices covering employee, customer and online data, ensuring transparency and alignment with your data practices.
Data Protection Impact Assessments (DPIAs)
We advise on when DPIAs are required and prepare bespoke assessments for high-risk processing activities.
Data Sharing & Processing Agreements
We draft and negotiate data sharing and processing agreements, including those involving international transfers, ensuring compliance with UK and EU requirements.
Direct Marketing & PECR
We provide guidance on lawful marketing practices, including consent mechanisms and compliance with PECR.
International Data Transfers
Many organisations transfer personal data outside the UK, often through cloud-based services or international operations based outside the EU.
We advise on lawful transfer mechanisms and appropriate safeguards, including Standard Data Protection Clauses, including the ICO’s International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum (the Addendum)
Breach Response
In the event of a data breach or suspected breach, we provide rapid support to:
- Investigate and assess risk
- Contain and manage the incident
- Prepare reports to the ICO (Information Commissioner’s Office)
- Manage regulatory engagement and communications
Who We Help
Our data protection solicitors support a wide range of organisations, including:
- SMEs and large corporates
- Technology, SaaS and FinTech businesses
- Healthcare and life sciences organisations
- E-commerce and digital platforms
- Professional services firms
- Start-ups and scale-ups
We provide tailored advice aligned to your operational needs, management priorities and risk profile.
How We Can Help
Effective data protection compliance requires more than policies, it demands a practical framework embedded within your business.
Our team delivers clear, actionable advice to help you meet your legal obligations with confidence.
Compliance & Strategy
- Advice on UK GDPR and Data Protection Act obligations
- Controller vs processor analysis
- GDPR audits and compliance reviews
Data Mapping & Risk Assessment
- End-to-end data flow analysis
- Risk identification and mitigation strategies
Documentation & Policies
- Privacy notices and internal policies
- Records of Processing Activities (ROPA)
- Data breach response plans
- We also support incident response, including internal investigations, escalation processes and remediation strategies.
Data Subject Rights
- DSAR handling and procedures
- Support with complex or high-risk requests
DPIAs & High-Risk Processing
- DPIA preparation and advice
- Risk mitigation for new systems and technologies
Data Sharing & Transfers
- Data sharing and processing agreements
- Cross-border transfer compliance
Marketing Compliance
- PECR advice
- Consent and communication reviews
Where regulatory scrutiny arises, our GDPR solicitors support you in dealing with the ICO, including preparing reports and demonstrating compliance.
Data Protection Case Studies
International technology business expanding into the UK
Client Intro
Our client is an international technology business providing software and systems to customers across multiple jurisdictions, including Australia and New Zealand.
Case Overview
We advised the client on a range of commercial and data protection matters in connection with the rollout of its services in the UK.
This included adapting existing overseas customer terms for use in the UK, preparing data processing documentation, and advising on compliance with UK data protection laws. The work required careful consideration of international data flows between the UK, Australia and New Zealand, particularly given the absence of an adequacy decision for certain transfers.
We also supported the client in establishing its UK presence, including corporate setup and employment documentation, ensuring the business was positioned to operate effectively in a new market.
Working alongside specialist advisers where appropriate, we helped the client implement a compliant and commercially practical framework for its UK operations.
“When supporting international businesses entering the UK market, it’s essential to align legal compliance with how the technology operates in practice. We focused on delivering a framework that achieved both.” – Richard Meehan, Partner
Reverse Rett – Reverse Rett App
We assisted Reverse Rett with the drafting of App terms and conditions and a Privacy Notice as part of the launch of its new Reverse Rett App aimed at matching clinical trials conducted by the pharmaceutical industry with potential patients. Our instruction consisted of a detailed data protection assessment to cater for the processing and sharing of special category personal data of minors by the App and third-party pharmaceutical companies.
International FinTech Software Provider
Drafting a suite of documents (including a Data Protection Policy, DPIA, Record of Data Processing Activities, and Data Breach Policy) for a software provider offering banking and peer-to-peer wallet solutions within the international Fintech sector.
IT and Tech Provider - Social Media Data Collection and Analysis
We assisted an IT and Tech provider offering social media data collection, harvesting and analysis services with the drafting of, and advising in relation to, their DPIA including conducting an extensive data mapping exercise.
GDPR Audits
GDPR Audits for a plethora of our clients prior to the GDPR coming into effect.
Watch: Data Protection and UK GDPR
FAQ’s
What level of fine could the ICO issue for a breach of data protection laws?
The Information Commissioner’s Office (ICO) has the power to impose significant financial penalties for breaches of UK GDPR and the Data Protection Act 2018.
The maximum fine is the greater of:
- £17.5 million (or €20 million), or:
- 4% of a company’s global annual turnover
In addition to fines, the ICO can take enforcement action such as restricting or suspending data processing activities, which can have serious commercial consequences.
Our data protection solicitors can advise on responding to ICO investigations, preparing regulatory reports, and protecting your position where enforcement action is threatened.
What is a Data Subject Access Request (DSAR)?
A Data Subject Access Request (DSAR) is a request made by an individual to access the personal data your organisation holds about them, along with information about how it is used.
This may include:
- Names and contact details
- IP addresses and online identifiers
- CCTV footage or images
- Employee records
- Customer account or transaction data
Businesses must respond within strict timeframes and ensure the response is complete and compliant.
We help organisations manage DSARs efficiently, particularly where requests are complex, high-volume or contentious.
What rights do individuals have under data protection laws?
Under UK GDPR, individuals have a range of rights in relation to their personal data, including:
- The right to access their data
- The right to have inaccurate data corrected
- The right to request erasure (“the right to be forgotten”)
- The right to restrict or object to processing
- The right to data portability in certain circumstances
Organisations must have processes in place to respond to these rights promptly and lawfully.
What privacy notices does my business need?
If your business processes personal data, you are required to provide clear and transparent privacy notices to individuals.
A compliant privacy notice should include:
- What data you collect
- Why you process it and your legal basis
- How long you retain it
- Who you share it with
- The rights available to individuals
You may need multiple privacy notices depending on your activities, for example:
- Employee privacy notices
- Customer privacy notices
- Website privacy notices
Well-drafted notices help demonstrate compliance and build trust with your stakeholders.
What is a website privacy notice?
A website privacy notice explains how your business collects and uses personal data through its website.
This includes data gathered via:
- Contact forms
- Cookies and tracking technologies
- User accounts or subscriptions
It ensures compliance with transparency obligations and helps obtain valid consent where required.
Your privacy notice should be clearly accessible at all points where personal data is collected.
What is “Big Data” in the context of data protection?
“Big data” refers to extremely large and complex datasets that are generated from multiple sources and processed at high speed.
It is typically characterised by:
- Volume – large quantities of data
- Variety – data from multiple structured and unstructured sources
- Velocity – rapid processing and analysis
Where big data includes personal data, it falls within the scope of data protection laws.
Does Big Data come under data protection laws?
Yes, where big data involves personal data, it must comply with UK GDPR and the Data Protection Act 2018.
Examples include:
- Health or clinical trial data
- Location data from mobile devices
- Consumer behaviour and purchasing data
- Biometric or wearable technology data
Organisations must ensure lawful processing, transparency, and appropriate safeguards when using such data.
What should businesses do when processing Big Data?
Businesses using big data must ensure compliance with core data protection principles, including:
- Processing data fairly, lawfully and transparently
- Collecting data for specific, legitimate purposes
- Ensuring data is relevant and not excessive
- Limiting retention to what is necessary
- Implementing anonymisation where possible
- Respecting individuals’ rights
In many cases, a Data Protection Impact Assessment (DPIA) should be carried out to assess risks.
What are the data processing recordkeeping requirements?
Most organisations are required to maintain a Record of Processing Activities (ROPA).
This record should include:
- Categories of personal data processed
- The purpose and legal basis for processing
- Details of data sharing and transfers
- Retention periods
- Security measures in place
Maintaining accurate records is a key part of demonstrating compliance and is particularly important in the event of a data breach or ICO investigation.
Why Work With Our IT/Technology Team
- Myerson Solicitors' IT lawyers can provide businesses with extensive legal advice and support on a wide range of IT-related matters.
- Members of the Society for Computers & Law
- Active participants in the UK technology ecosystem
- Working with Myerson Solicitors means you'll have access to legal experts who can support and help your business stay ahead of the curve in today's ever-evolving digital landscape.
- An alternative to the major, regional, and national firms by offering high-quality Technology law advice from specialist solicitors, but on a much more cost-effective basis.
- By working closely with our IT clients, we can ensure we meet their expectations for business operations and provide clear, specialist expertise. We are easy to deal with and understand that a common-sense approach is often required.
- Extensive experience in dealing with a broad range of IT disputes, such as data protection and software development issues, giving businesses fast and helpful advice based on knowledge of their business, its history, and pressures.
- A partner-led service and a genuinely accessible team of experienced IT law solicitors due to our size, structure, and unique culture.
- Our Technology Solicitors are happy to discuss your situation in a free, no-obligation telephone consultation. We are committed to transparent pricing and will always discuss costs with you at the outset. Fixed fees and retainers may be available where appropriate.
We are trusted by founders, investors and in-house counsel who require commercially astute advice delivered with accessibility and strategic insight.
Testimonials
Meet Our Technology Solicitors
Home-grown or recruited from national, regional or City firms. Our Technology lawyers are experts in their fields and respected by their peers.
Contact Our Experts
You can contact our lawyers below if you have any more questions or want more information: