Data Protection

Keeping your organisation's data safe

Meet our Data Protection team or get in touch with our Head of Data Protection, Piers Leigh-Pollitt.

With GDPR in full swing since May 2018 and new ePrivacy laws due, the regulatory burden on organisations is not letting up.

The Information Commissioner’s Office (ICO) is continuing to expand its staff of over 700 analysts, investigators and lawyers upholding the public’s information rights and giving people more control over how their personal data is stored and used by organisations. In the first year the GDPR was in effect we saw:

  • UK data protection complaints nearly double, to 41,661
  • Personal data breaches increase by over 300%
  • A 50% increase in ICO personnel (including analysts, investigators and lawyers)

By now organisations should be meeting their personal data processing and management obligations.

Compliance is an evolving process with which many continue to struggle. Complaints have risen significantly. The increased number of investigations risks heightened exposure to fines, damaging publicity and a permanent place on the ICO’s website. We have seen a huge increase (in the UK and across Europe) in proposed fines for data privacy violations, including for British Airways and the Marriott Group. There have also been a number of prosecutions of those who have infringed the rights of employees, customers and other individuals.

Reasons for ICO complaints

The reasons for complaints are broad, but the most common ones relate to individuals requesting access to their personal data, unlawful disclosure of data and security breaches. Common areas of ICO investigation are -

  • Sending or sharing personal information without a lawful basis to do so
  • Collecting and otherwise processing personal data unlawfully
  • Accessing personal information without authorisation
  • Not holding customer data safely or securely
  • Marketing to consumers by text and email without permission
  • Phoning people who have opted out of marketing or sales calls via the TPS register
  • Selling personal data unlawfully
  • Not responding quickly enough or at all to data subject access requests 

What is clear is that organisations, and in particular managers with customer and employee data responsibilities, will increasingly find themselves under the ICO’s well-resourced eye.

How we can help

Our data protection team advises clients on all of the data protection and related issues they face. Areas where we regularly help clients include -

  • Handling large and complex data subject access requests, using an end to end eDiscovery tool, as required
  • Handling and reporting data privacy breaches, including whether notifications need to be made to data subjects and/or the ICO, and the best way to mitigate the impact of such breaches
  • Challenges brought by employees and other data subjects to the ICO
  • Employee monitoring and investigations
  • Employee screening and background checks (including criminal records checks)
  • Drafting and reviewing data protection documentation
  • Data Protection Impact Assessments (DPIAs) for high risk processing
  • Overseas data transfers
  • Training staff to meet a range of needs, from general staff awareness of GDPR through to bespoke training for data protection managers, marketing managers and other areas of your business where specific risks or issues have been identified

Fixed price

We also have a range of fixed price packages which we can discuss with you when we have scoped out the requirements of your organisation including - 

  • Data flow mapping 
  • Data processing activity reports (Article 30 reports)
  • Compliance gap reporting (includes process improvement recommendations to minimise risk of non-compliance)
  • GDPR “one year on” follow up audit
  • Suites of data protection policies, procedures, notices and contracts to cover data breach management, data retention, employee and other privacy notices, data subject access request forms, template data processing agreements

Recent work includes - 

Large, complex data subject access request (DSAR) as part of ongoing litigation - insurance client

What was the problem and why did it matter?

It is a common pre-litigation tool for disgruntled employees to issue data subject access requests (DSARs) to their employers or former employers. DSARs are very often costly and time consuming for organisations to respond to, as they often have to search and retrieve a vast quantity of data. In this case, involving a claimant who brought an employment tribunal claim for age, sex and pregnancy discrimination against our client, over 40,000 documents had to be reviewed, all within a very short space of time (one month from the date of the request). Unlike the position before the GDPR, data controllers can now usually no longer charge data subjects a fee for access to, or copies of, their information. Although this particular client is a large organisation in the insurance sector, we are finding that even much smaller companies are storing considerable amounts of personal data, particularly for long-serving employees, and it is not unusual for an organisation of any size to have tens of thousands of emails on its system that may be relevant to just one data subject.

What was the client’s exposure?

Failure to respond properly to a DSAR amounts to a breach of Article 15 of the GDPR, which in turn could give rise to a substantial fine for the client of up to 4% of the previous financial year’s worldwide annual turnover or €20 million, whichever is the greater. Other, less draconian (and more common) consequences include having to deal with a complaint to the regulator, the Information Commissioner’s Office (ICO). The ICO could take enforcement action and publish details of any enforcement notice on its website. The disgruntled employee could also apply to court to enforce the DSAR and seek compensation. The ICO also keeps an internal register of issues dealt with, which means previous non-compliance will be on the ICO’s radar if there are any further breaches. Our timely involvement in this case significantly reduced the risk of any exposure for our client.

How did we help?

We liaised quickly with the HR team of our client and ensured that our client’s IT department conducted appropriate searches of the client’s systems in a timely fashion. We trained some members of the HR team in the practical exercise of reviewing documentation and provided the client with a tailored summary of the steps to take: redacting third party data, determining whether exemptions apply, filing the results into folders and compiling the response, all within a very tight deadline of a couple of weeks from the date we were instructed. Our training of the HR team gave them the confidence to conduct their own responses to subsequent DSARs, which they have done, only needing to seek specific legal advice on the more complicated aspects. In the long run, this will save our client legal fees while giving the client the comfort of knowing that the support and expertise is there if they need it.

Additionally, it is worth noting that the use of an electronic platform, at a modest additional cost, may significantly reduce the time and cost burden that comes with the interrogation and exchange of electronic documents. This also helps clients maintain the GDPR’s accountability principle, providing a full auditing function in case they need to revisit the methodology used in response to the DSAR at a later date (for example if the data subject challenges the response and/or the ICO questions the methodology).

For more information about how we can help, please get in touch with Mike Hibberd by email or on +44 (0)118 959 6839.

GDPR compliance project - international restaurant chain

What was the problem and why did it matter?

The GDPR requires all organisations employing 250 or more people (as well as some smaller organisations, depending on the type of personal data they handle) to compile a record of their processing activities. This particular client, a national restaurant chain, processed a considerable amount of customer, supplier and employee data but had conducted no audit to see what data they held, why, or for what purposes, all of which is necessary as the starting point for GDPR compliance.

What was the client’s exposure?

Until an organisation understands what personal data it holds, why it holds it, and what it does with it, it is impossible to comply with the GDPR’s core principles. The organisation therefore opened itself up to the risk of serious GDPR breaches. This could lead to accidental loss or destruction of data, the risk of fines and other enforcement action from the ICO, the loss of trust from employees, suppliers and customers, and a threat to the business as a whole. With the ICO’s increasing resources and previous actions taken under the GDPR, organisations must record their lawful bases for processing data to mitigate the risk of large fines or other enforcement action.

How did we help?

We assisted the client with its data mapping exercise. By asking pertinent questions about how different aspects of the business use personal data and highlighting the key gaps that needed addressing, we put together a gap analysis report which explained what needed tackling first and how to do it. We made it clear which elements were urgent and which could wait. We also put together a suite of documentation to help with GDPR compliance, including contracts, policies and notices. Meeting with the key stakeholders enabled us to easily explain what needed doing, answer questions and provide a tailored guide to follow without legal jargon. We reviewed their website and internal communications to ensure that customers, suppliers and employees can understand how their personal data is used, and organised a training session with staff to explain both their rights and their responsibilities to others.

For more information about how we can help, please get in touch with Declan Bradley by email or on +44 (0)20 7329 9090.

“GDPR one year on” practical audit - global gaming company

What was the problem and why did it matter?

The client had previously engaged a consultancy firm to review its processes and provide it with documentation to assist it in its journey towards GDPR compliance. Some comments from a customer of the client, about being able to see information about other customers as he was being led to a meeting room, led the senior management team to question whether the company was properly applying the GDPR on a practical, day to day basis.

What was the client’s exposure?

Many risks to the business come not from a failure to have the proper documentation in place, or from technical deficiencies, but from organisational mishaps which can nevertheless result in personal data breaches and losses for data subjects. Even if the losses are not financial, they can result in a loss of trust in the organisation and damage to the organisation’s reputation. These problems can often be easy to rectify, for example by having a GDPR-compliant visitors’ book, or by only using meeting rooms for customers situated next to reception, rather than meeting rooms that require them to walk past work stations.

How did we help?

We carried out an on-site audit and inspection of the client’s day to day data protection practices. We reviewed current documentation, interviewed a number of key personnel at the premises, and then compiled a practical, user-friendly report highlighting areas for improvement and actions that could be taken to reduce or eliminate risk.

For more information about how we can help, please get in touch with Piers Leigh-Pollitt by email or on +44 (0)118 959 6839.

Handling ICO enquiries and threatened regulatory action - health sector regulator

What was the problem and why did it matter?

The client, a regulator in the health sector, was facing potential action from the ICO over a refusal to disclose certain personal data to a patient in response to a DSAR. The client needed to avoid an adverse outcome that could have seriously impacted the trust held by medical professionals in their regulator in relation to the duty of confidentiality and the disclosure of sensitive information.

What was the client’s exposure?

Reputational damage, adverse publicity and possible exposure to fines or a claim for damages for financial loss and distress.

How did we help?

Following our intervention, involving a detailed written report to the ICO, the ICO agreed with our client’s position and took no further action.

For more information about how we can help, please get in touch with Piers Leigh-Pollitt by email or on +44 (0)118 959 6839.

Drafting and negotiating data processing contracts - engineering company

What was the problem and why did it matter?

It is important that the contractual arrangements between the client and its suppliers and other third parties properly reflect the reality of the situation. When engaging a data processor, the GDPR requires controllers to include specific clauses to outline the data processing arrangements. Failing to do so is a breach of the GDPR. Our engineering company client needed assistance with the drafting and negotiation of data protection clauses and schedules in contracts with suppliers.

What was the client’s exposure?

Failure to properly document the relationship can give rise to fines from the ICO, but it can also result in uncertainty between the parties as to what they can and should do with the data subjects’ personal data. As the data subjects in these cases were employees, it was particularly important for the client that the employees could trust that their employer was exercising proper due diligence before sharing any of their data, especially sensitive health information.

How did we help?

We advised the client in relation to an Occupational Health provider (treated as a joint controller with our client) and drafted a joint controller agreement under Article 26 of the GDPR. We advised the same client in relation to a contract with a supplier of a cycle to work scheme (treated as an independent controller) and prepared and negotiated agreements to document the data protection relationship between the parties. We also advised on the rationale for the decisions made in determining the correct relationship (in these cases, joint controllers or independent controllers), as this is essential for complying with the accountability principle set out in the GDPR. A written rationale will significantly reduce the risk of any challenge or enforcement action from the ICO.

For more information about how we can help, please get in touch with Piers Leigh-Pollitt by email or on +44 (0)118 959 6839.

Advising on GDPR rights - journalist

What was the problem and why did it matter?

The client had written numerous journal pieces for a publication over a long period of time. For those published online, the publisher introduced a pop-up giving information about the journalist which the journalist believed was misleading and untrue. As a journalist, reputation is key, and they did not want their reputation tarnished by the publisher, while also wanting to ensure that evidence of their vast amount of work remained available online for readers.

What was the client’s exposure?

Given that the banner was an automatic pop-up, their work could not be viewed without seeing it. Opinions on the journalist would therefore be formed before any reader was able to read the piece itself. Given the journalist’s view that the information was inaccurate, this could have had a severe adverse impact on their reputation. The client did not want all information processed by the publication removed, as this would have removed their online presence and profile, effectively requiring them to start from scratch to rebuild their reputation.

How did we help?

We reviewed the various rights available to the journalist under Chapter III of the GDPR. We tailored the advice to the client’s needs. 

Options included exercising their rights to rectification, to erasure, to restriction of processing and to object to processing (Articles 16, 17, 18 and 21 of the GDPR respectively). We also assisted in submitting the request to the publication (as the data controller).

For more information about how we can help, please get in touch with Mike Hibberd by email or on +44 (0)118 959 6839.

GDPR training and risk mitigation

What was the problem and why did it matter?

One of the biggest risk areas in any organisation relates to human error. It is vital that all staff who have any exposure to personal data (which is very likely to be all staff) receive appropriate training, and regular refresher training, in the practical application of data protection legislation.

What was the client’s exposure?

Human error is the cause of the vast majority of personal data breaches, which are time consuming to deal with and can potentially put the organisation at risk of fines and claims for compensation. Action taken so far by the ICO shows that they are willing to use the powers available to them under the GDPR to issue large fines (which far eclipse the fines under the Data Protection Act 1998) and/or significant enforcement action. 

How did we help?

Our data privacy team has provided extensive staff training to clients and other organisations and trade bodies in all areas of GDPR compliance. We can offer anything from an introductory session lasting up to an hour to a full day’s training involving workshops, case studies and small group sessions. We focus on the things that matter to the sector you’re in; for schools and education bodies, for instance, we work closely with our Education team and focus on such things as safeguarding issues, the difficulties presented by parents requesting data on behalf of their children, use of biometric data and so on. We also train clients on the enhanced rights individuals have under the GDPR and how best to compliantly tackle complex requests. We always use “real life” examples to ensure that the training sessions chime with the audience.

For more information about how we can help, please get in touch with Piers Leigh-Pollitt by email or on +44 (0)118 959 6839.

GDPR compliance for marketing and transferring data overseas - international recruitment company

What was the problem and why did it matter?

The lifeblood of a recruitment business is the quality and accuracy of the personal data it holds on candidates and potential candidates. In order to maintain the trust of clients and candidates, it was imperative for this client to understand its data flows and to ensure that its data subjects fully understood the various ways in which their data was being used.

What was the client’s exposure?

The most likely exposure for this particular client was from its digital marketing methods, as the ICO has a record of “naming and shaming”, as well as fining, organisations that cannot demonstrate that they have the requisite consents, particularly from consumers receiving marketing information via email or SMS. The client also transferred a significant amount of data to the US, and if this is not done by a lawful method it can also lead to the risk of fines and enforcement action from the ICO. Enforcement action can bring organisations to a standstill if they can no longer process the data they need in their business activities.

How did we help?

We firstly assisted the company with its data mapping exercise. Compiling a list of potential candidates presents its own unique privacy challenges, and this client also had concerns about international data transfers, particularly in the wake of Brexit and the uncertainty surrounding the EU/US Privacy Shield and its application to UK/US data transfers. We advised the client’s marketing department about consents and how best to deal with imperfections in the consent records of existing recipients of marketing communications. This is a particularly hot topic at the moment, as additional legislation comes into play (the Privacy and Electronic Communications Regulations) when using digital marketing methods.  We worked with the client on a variety of possible solutions, and produced bespoke documentation to cover their requirements.

For more information about how we can help, please get in touch with Piers Leigh-Pollitt by email or on +44 (0)118 959 6839.

Recent talks include -

  • Employment Lawyers Association (ELA) Annual Conference, June 2019. GDPR: One Year On - Piers Leigh-Pollitt 
  • Employment Lawyers Association (ELA) Update Seminar, September 2019. GDPR: One Year On - Piers Leigh-Pollitt and Mike Hibberd

Recent articles include - 

From Chambers Guide to the UK Legal Profession - 

  • "He (Piers Leigh-Pollitt) is excellent, responsive, he understands our business and is very good to deal with, very pragmatic and supportive."
  • "He (Piers Leigh-Pollitt) has got a wealth of knowledge around data protection. His commitment is amazing, absolutely phenomenal."
  • "He (Piers Leigh-Pollitt) has a really strong level of technical expertise."


The Data Protection team's latest webinar guides employers through the thorny questions arising from health data in light of COVID-19, including -

  • Why is health data treated differently to other types of data?
  • Are employers allowed to process such data?
  • What written records must be kept?
  • Can employers screen their staff and ask health related questions?
  • For businesses with many visitors (such as pubs and restaurants) how should they collect visitor data and what can they do with it?
  • What guidance is available from the data privacy watchdog, the ICO?

To get in touch with our Head of Data Protection, Piers Leigh-Pollitt please email or call +44 (0)118 951 6761.
