Our Data Protection Service

Data Protection in the UK is underpinned by the retained General Data Protection Regulation EU (UK GDPR) and the Data Protection Act 2018 which means that businesses must not only operate and use personal data in line with established data protection principles, but also be able to demonstrate legal compliance.

Our experts work with clients of different sizes and sectors to provide effective, proportionate and affordable compliance solutions. 

The mandatory requirement for specific terms and conditions to be put in place where a processor provides relevant services to a controller can seem daunting.

However our experienced team provide a range of assistance and documentation to aid your business with its compliance.

We can advise you about whether you have responsibilities under data protection laws as a controller or processor and what the implications are for your business. 

We can undertake, draft and advise on:

  • Data Mapping Exercises. We map the journey of personal data within your business including where data is sourced from, stored, processed, transferred, accessed and used to evaluate your current practices and procedures;
  • Data Subject Access Requests (DSARs). We can advise you on how to respond to DSARs, and draft policies to help train and guide your workforce on best practice when dealing with and responding to DSARs;
  • Privacy Notices. We can draft Privacy Notices to cater for the processing of personal data across your business, including employee data, customer or supplier data, or from any online offering;
  • Data Protection Impact Assessments (DPIA). The UK GDPR has prescriptive requirements on what entities are required to conduct DPIAs. We can advise you on such obligations, and draft a DPIA tailored for your requirements;
  • Data Sharing and Processing Agreements. The UK GDPR requires standard terms to be in place between those sharing and processing personal data. We can draft Data Sharing and Data Processing Agreements for your purposes, including international transfers of personal data compliant with UK and EU data protection laws; and
  • Direct Marketing - Data protection laws in the UK are supplemented in the context of electronic marketing by the Privacy and Electronic Communication Regulations (PECR). We can advise you on your direct marketing activities and offer practical guidance on how to comply with the PECR and other data protection law requirements.

Many organisations will regularly transfer personal data outside of the UK and the EU, sometimes unwittingly, for example if your business engages technology providers for cloud computing services, they may store data overseas.

Data protection laws restrict the transfer of personal data outside of the UK or the EU unless appropriate safeguards are put in place to ensure that the personal data is processed in a lawful and secure environment.

This issue can be particularly relevant to organisations which are members of a multi-national group or where business partners or suppliers are based outside of the UK and/or the EU.

For further guidance on the measures that should be implemented when making transfers of personal data overseas, please see our recent article on Standard Contractual Clauses.

Contact Our Data Protection Solicitors

Our Data Protection Experience

  • Reverse Rett - We assisted Reverse Rett with the drafting of App terms and conditions and a Privacy Notice as part of the launch of its new Reverse Rett App aimed at matching clinical trials conducted by pharmaceutical industries with potential patients. Our instruction consisted of a detailed data protection assessment to cater for the processing and sharing of special category personal data of minors by the App and third-party pharmaceutical companies;
  • Drafting a suite of documents (including a Data Protection Policy, DPIA, Record of Data Processing Activities, and Data Breach Policy) for a software provider offering banking and peer-to-peer wallet solutions within the international Fintech sector;
  • We assisted an IT and Tech provider offering social media data collection, harvesting and analysis services with the drafting of, and advising in relation to, their DPIA including  conducting an extensive data mapping exercise. ;GDPR Audits for a plethora of our clients prior to the GDPR coming into effect.

Data Protection and UK GDPR: Safeguarding Personal Data in the Digital Age

Why Work With Our IT/Technology Team

  • Myerson Solicitors' IT lawyers can provide businesses with extensive legal advice and support on a wide range of IT-related matters.
  • We are highly skilled in matters relating to data protection, ensuring that businesses comply with relevant legislation such as the General Data Protection Regulation (GDPR).
  • We can also provide expert guidance on software licensing, reselling, and development.
  • Other areas of expertise include e-commerce, intellectual property, and technology-related disputes.
  • Working with Myerson Solicitors means you'll have access to legal experts who can support and help your business stay ahead of the curve in today's ever-evolving digital landscape.
  • An alternative to the major, regional, and national firms by offering high-quality Technology law advice from specialist solicitors, but on a much more cost-effective basis.
  • By working closely with our IT clients, we can ensure we meet their expectations regarding business operations, providing clear and specialist expertise. We are easy to deal with and understand that a common-sense approach is often required.
  • Extensive experience in dealing with a broad range of IT disputes, such as data protection and software development issues, giving businesses fast and helpful advice based on knowledge of your business, its history, and pressures.
  • A partner-led service and a genuinely accessible team of experienced IT law solicitors due to our size, structure, and unique culture.

Get In Touch With Our Technology Team



What level of fine could the ICO issue for a breach of data protection laws?

The ICO has the power to fine businesses that breach data protection laws the greater of 20 million Euros (circa £17.5 million) or 4% of a company’s group global turnover. Enforcement powers also include the ability to restrict data processing activities resulting in loss of profits. Individual data subjects also have bolstered rights under the legislation.

What is a Data Subject Access Request?

A request from an individual for copies of the personal data a company holds about them. This can include names, IP addresses, photographs, videos (CCTV footage), complaints, registration information, employees’ information – the type of personal data a business holds about data subjects can vary massively depending on the sectors the business operates in, its customer base, and its day to day operations.   

What other rights do individuals have?

In addition to Data Subject Access Requests, individuals have the right to request that personal data held or processed about them is corrected, restricted or erased.

What privacy notices must be issued?

All data subjects about whom your business processes personal data should be issued a formal privacy notice. Such notices include details of: the processing, the purposes of the processing and legal basis, retention periods and data subject’s rights. Privacy notices should be included in employee documentation, consumers terms and conditions and on your business website. Therefore, depending on how your business operates you may need to issue more than one privacy notice. This will allow your privacy notices to be clearer, concise and specific to the particular circumstances in which your business processes personal data.

What is a website privacy notice?

A website privacy notice sets out the processing and what the personal data obtained via a user’s access to and interaction with your website will be used for.  It enables businesses to comply with their “fair processing” obligations and to obtain a user’s “freely given, specific and informed” consent to processing personal data. It should be accessible at every point in which personal information is collected.

What is “Big Data”

Big data describes a massive volume of structured and unstructured data, where the data is so large that it is difficult to process using standard database and software methods. 

Big data:

  • uses massive, diverse, complex, longitudinal, and/or distributed datasets that are generated by, or collected from, a variety of different devices, sensors and transactions (volume);
  • brings together data from different sources, both structured and unstructured (variety); and
  • is processed quickly, often exceeding current processing capacity (velocity).

Does Big Data come under data protection laws?

Although much of big data is not personal data (for instance world climate and weather data) there are examples where big data analytics include the processing of personal data (for instance data from monitoring devices on patients in clinical trials, mobile phone location data, data on purchases made with loyalty cards and biometric data from body-worn devices). As such, the authorities have decided that big data should fall within the scope of data protection laws and therefore must comply with the eight data protection principles.

What do businesses processing Big Data need to do?

Businesses processing big data should:

  • Abide by the rules of fairness and transparency and meet the reasonable expectations of the data subject in processing data;
  • Explain the benefits of analytics to the data subject and obtain prior consent;
  • Collect and use data for specified, explicit and legitimate purposes;
  • Use and collection of data must be adequate, relevant, not excessive and must not be kept longer than is strictly necessary;
  • Anonymise data;
  • Respect the rights of data subjects; and
  • Consider carrying out a privacy impact assessment to assess how big data analytics is likely to affect individuals whose data is being processed and where such use is fair.

What are the data processing recordkeeping requirements?

Most businesses will be required to keep a formal record of their regular data processing activities. A data processing record must include, amongst other details, full details of the categories of data processed, the basis for such processing and details of security measures in place.

Meet Our IT Technology Solicitors

Home-grown or recruited from national, regional or City firms. Our IT Technology lawyers are experts in their fields and respected by their peers.

Carla Murray

Carla Murray

Carla is a Partner and Head of our Commercial Team

Richard Meehan

Richard Meehan

Richard is a Senior Associate in our Commercial Team

Olivia Whittaker

Olivia Whittaker

Olivia is a Solicitor in our Commercial Team

Karam Bhatti

Karam Bhatti

Karam Bhatti is a Solicitor in our Commercial Team

Contact Myerson Solicitors

Complete the form below, or alternatively, you can call Myerson Solicitors on:

0161 941 4000