Data Protection & ICO Compliance Solicitors

This is an area with significantly increased relevance to many businesses and other organisations, due to the implementation of the General Data Protection Regulation (GDPR) in May 2018.

This legislation contains some onerous obligations, many of which take considerable time and effort to prepare for.  Non-compliance has serious penalties in the form of fines. The new GDPR maximum fine is €20m, or 4% of an organisation’s global turnover (if higher).

What can Lupton Fawcett do to help?

We can help you address the steps you will need to take to ensure your GDPR compliance including:

If you are facing an ICO investigation or associated court hearings we are able to advise and represent you.

GDPR (EU General Data Protection Regulation) – what it is and key points to consider

  • Who does the GDPR apply to?
  • What information does the GDPR apply to?
  • Principles of GDPR
  • Consent
  • Data Subject rights
  • Data Processors
  • Governance
  • Enforcement
  • How Lupton Fawcett can help with GDPR compliance

 Who does the GDPR apply to:

The GDPR applies to “controllers and processors”. The controller is the person who determines the purpose, and the manner in which personal data is processed. The processor acts on the controller’s behalf.

What information does the GDPR apply to:

The GDPR applies to “personal data” but the definition is more expansive to reflect changes in technology and how information on people is collected.

Personal data such as HR records, customer lists or contact details are all covered by the GDPR. The GDPR applies to both automated personal data and certain manual filing systems.

Sensitive personal data needs to be treated with extreme caution, and includes raicial or ethnic origin, religious or philosophical beliefs, trade union membership, health data and information about a persons sex life or sexual orientation, genetic and biometric data.

Principles of GDPR

Under the GDPR the data protection principles set out the main responsibilities for organisations, for example, that data is processed lawfully, is collected only for specified, explicit and legitimate purposes and is accurate and appropriately secure.

The GDPR introduces an accountability requirement with a focus on the legal basis for processing personal data and transparency.

You are expected to put into place comprehensive and proportionate governance measures to minimise the risk of breaches and to protect personal data. Practically this will mean policies and procedures for organisations.


The giving of consent is one of the gateways through which a controller can establish a legal basis for processing personal data.

The definition of “consent” is strict under the GDPR. Consent should be freely given, specific, informed and unambiguous. Implied consent (e.g. not responding to a request) will not be sufficient.

Consent must be explicit so if consent is to be given in a written document it must be made in a manner which is clearly distinguishable from other aspects of the document.

Data Subject rights

The GDPR sets out the rights for individuals:

  • The right to be informed on what data is being processed, typically through a privacy notice which must include detailed information;
  • The right to access their personal data – information must be provided within 1 month;
  • The right to rectification if data is inaccurate or incomplete;
  • The right to erasure: this is known as the “right to be forgotten”. Data subject has the right to require a controller to delete data files if there are no legitimate grounds for retaining them.
  • The right to restrict processing: i.e have the right to block the processing of data, for example when the accuracy of personal data is contested.
  • The right to data portability: which allows individuals to move, copy or transfer personal data easily between one IT environment to another in a secure and safe manner;
  • The right to object: individuals have the right to object to processing on grounds relating to his or her particular situation unless there are compelling legitimate grounds for processing.
  • Rights relating to automated decision making and profiling: the GDPR provides safeguards for individuals against the risk of a decision being taken without human intervention.

Data Processors

The GDPR directly regulates data processors, extending the formal contractual requirements needed between data controllers and data processors. Data processors have a duty to comply and potential liability if they fail.


The GDPR increased responsibility and accountability on organisations to manage how they control and process personal data. This complements the transparency requirements.

Organisations are expected to put in place comprehensive and proportionate governance measures. The measures include:

  • Keeping a detailed record of processing operations;
  • Conducting a privacy impact assessment;
  • Designating a data protection officer (“DPO”) if required (this only applies if you are a public authority, carry out large-scale systematic monitoring of individuals, or carry out large scale processing of special categories of data). If appointing a DPO is not a requirement for your organisation you must still ensure someone has the skills to discharge the organisation’s obligations under the GDPR;
  • Notifying the Regulator of data breaches. Mandatory notification promptly and at the latest, within 72 hours is a significant new measure imposed by the GDPR. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data;
  • Implementing “privacy by design and default”. Under the GDPR organisations have an obligation to implement technical and organisational measures to demonstrate that you have considered and integrated data protection into your processing activities.


The regime under the GDPR provides for regulators to impose high financial sanctions, £20m or up to 4% of the annual worldwide turnover of an organisation if higher.

The GDPR is applied consistently across all EU member states thereby creating uniformity of approach in imposing sanctions for breach.

The significant financial consequences for data security breach under the GDPR requires businesses toimplement clear policies and procedures to mitigate operational risk.

How Lupton Fawcett can help with GDPR compliance 

  • Audit of your data protection practices 
    • We will visit your premises and interview the key personnel who manage data in your organisation.
    • We will view the physical and digital arrangements that you have for storage of documentation.
    • We will review your key data protection policies, consent forms and other documents.
    • We will review your key data protection statements on your website.
  • We will provide you with a report of the steps you must take to become GDPR compliant and how you can achieve them
    • Following our audit visit, we will draft a full audit report.
    • We will highlight the areas where you are compliant with data protection legislation.
    • We will highlight any areas where your processes and arrangements fall short of the requirements of the data protection legislation.
    • We will recommend the steps that you should take to ensure that you are fully compliant with the data protection legislation.
  • We can prepare all policies, notices, consent forms etc you will require to ensure GDPR compliance
    • Data protection policies
    • Fair processing notices
    • Consent forms
    • Electronic consent forms/email consent forms/web consent forms
    • Subject access request documentation
  • We will advise you about your obligations concerning the transfer of data to foreign locations and provide guidance on the steps and limits you must implement to ensure compliance
    • We will review your current contracts and advise on any amendments to be made.
    • Where necessary we will provide further contractual documentation.

ICO Investigation

If you are facing an ICO investigation or prosecution, we will provide you with the best possible advice and representation to ensure the best possible outcome for you and your business.


The Data Protection Act (DPA) creates a number of criminal offences that can only be instituted by the Information Commissioner or with the consent of the Director of Public Prosecutions (DPP). The most relevant DPA offences to consider are:-

Unlawful obtaining etc. of personal data – s.55(1) and 55(3) DPA 1998

It is an offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information without the consent of the data controller.

Selling and offering to sell personal data – s.55(4) and 55(5) DPA 1998

If a person has obtained personal information illegally, it is an offence to offer or to sell that personal information. For the purposes of section 55(5) DPA, an advertisement indicating that personal data are or may be for sale is an offer to sell the data.

Prohibition on processing personal data without registration- s. 17 DPA 1998

The DPA contains a number of notification offences. This is where processing is being undertaken by a data controller who has not notified the Commissioner either of the processing being undertaken or of any changes that have been made to that processing. Personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Information Commissioner.

Sentences – unlimited fine

Cases can be heard in either the Magistrates Court or the Crown Court with a maximum sentence in either Court of an unlimited fine.  As the body responsible for enforcing and overseeing the DPA 1998, the ICO enjoys enforcement powers quite separate from the court. The Information Commissioner can impose a fine (up to a maximum of £500,000) for serious contraventions of the DPA 1998.

Sentences – imprisonment

Some have called for stronger sentencing powers and for breaches of the Act to carry a possible sentence of imprisonment. However, there already are offences which carry custodial penalties for which those who breach section 55 of the DPA 1998 can be convicted. A person who has breached section 55 could, dependant upon the facts, be prosecuted for:

  • Unlawful interception of communications – Regulation of Investigatory Powers Act 2000;
  • Unauthorised access to computer material – Computer Misuse Act 1990;
  • Fraud by making a false representation – Fraud Act 2006; or
  • Misconduct in a public office contrary to the common law.

Investigation & prosecution

If you are facing an investigation or prosecution for an alleged breach, the early intervention of a specialist solicitor is a must. Our data protection and regulation team has dealt with many cases where their timely advice and assistance has ensured a much better outcome for the client.

It is often the case that an unrepresented business will say or do things which prejudice the future defence of their case. We will assist from the very beginning of an investigation and avoid this. We will liaise with the regulator to obtain full disclosure. Our experienced team will then provide strong guidance on how to deal with investigations, formal interviews under caution and any subsequent court appearances.

We aim to protect you and your business from the potential negative outcomes of an investigation or prosecution. This can often be critical as the consequences of getting it wrong can include significant financial penalties, damage to the reputation of the business, loss of business and possible prison sentences.

Therefore the stakes are high and at Lupton Fawcett, we are able to obtain the very best result for a business by carefully managing all aspects of an investigation. When dealing with an investigation we can often avoid a subsequent prosecution or conviction and the negative consequences of the same. If this is not possible then we aim to ensure that the most lenient sentence is achieved and that the negative consequences of this are limited.

Directors, members and other company officers

Directors and other officers of companies who have committed offences, under the DPA 1998, can become liable for prosecution. Where it is shown that a company has committed an offence and it is proved to have been committed with the consent, connivance of, or due to any neglect on the part of a director or other officer, that person will be guilty of the offence in addition to the company itself That person becomes liable to being sentenced personally.

This principle also applies to the members of a company which is managed by its members.


If your organisation becomes aware of a data breach, then a decision needs to be made as to whether or not to report it to the regulator and/or to anyone affected by the breach.

At present, for most businesses, there is no mandatory obligation to report breaches to the ICO, and no fixed penalty for not doing so.

Whilst it might be beneficial for a company’s reputation to remain silent, self-reporting is currently a factor that will be taken into consideration by the ICO if the breach is later discovered and the ICO considers what enforcement action to take (if any). The cooperation of self-reporting may result in a lower or no financial penalty being imposed.

When the GDPR comes into force the position on self-reporting will change. Businesses will be obliged to self-report without undue delay if they become aware of a serious personal data breach. A breach will be deemed as serious if it is likely to result in a risk to the rights and freedoms of individuals.
At Lupton Fawcett, we can advise you from the offset as to the best ways to prevent, manage and control data breaches and how to deal with the fallout of any such breach.

Jeremy Scott and the Regulatory team are available 24/7 on 07971 520407 to advise and assist you. Please call now for a free, no obligation discussion of your case.

Contact us for help

To speak to a solicitor about our GDPR services or for advice, call us on 0333 323 5292, or download our team sheet. Alternatively, send us an email or complete the form on this page to let us know that you would like to hear from us.

Why Choose Lupton Fawcett?

Having advised and supported many local families, individuals and businesses, we are proud to offer clients a dedicated service from specialist solicitors who are experts in their field:

We're Award Winning

We were awarded the Legal 500 HR/Employment Law team of the year in 2017

We're Connected

We're connected to the people, businesses and infrastructure throughout Yorkshire

We Put You First

You can be sure to expect superb client service from us. Our clients are our priority

We're accredited

Recognised by leading Legal Directories Chambers & Partners and the Legal 500

Frequently Asked Questions

What does it apply to?

Personal data is information relating to an identified or identifiable natural person. This include provisions which take into account advances in technology; therefore online identifiers, such as an IP address, are also included.  ‘Special categories of personal data’ or sensitive data, such as sexual orientation and religious beliefs, are covered by the GDPR and includes genetic and biometric data where it is possible to identify an individual as a result of that data being processed.

Who does it affect?

The GDPR applies to businesses, charities and other organisations that are located in the EU, and those which are solely located outside the EU and process personal data of EU residents and sell goods to them.

Will I need to register with the Information Commissioner?

Most data processors will have to register with the Information Commisioner’s Guide and pay an annual fee.


Organisations must show how they adhere to the GDPR’s principles by, for example, demonstrating what procedures are in place to protect the data that they hold. Many organisations will currently have in place adequate measures; however, it is likely that others will be required to examine and address their current practices to ensure compliance with the GDPR.

What rights does a data subject have?

Below is a summary of some of the rights that a data subject has:

There is a right of access to the data stored by a processor and confirmation of the processing of it.  Most requests should be responded to within 30 days of the initial request being made.

If any information held is incorrect, the data subject is entitled to request that it is rectified. Where information has been disclosed to third parties, the disclosing party is also obliged to ensure that this information is rectified.

Where there is no compelling reason for personal data to be held, a data subject has the right to request that any data be deleted. The data subject may also request that any processing of data ceases. This request must be complied with unless there are compelling and legitimate grounds for processing that personal data.

Do I need to appoint a data protection officer (DPO)?

If you are a public authority or carry out large scale processing of special categories of data or the systematic processing of large amounts of data for monitoring purposes, then it is likely that you will be required to appoint a DPO.

Larger organisations may find that it is prudent for them to appoint a DPO to ensure compliance with the GDPR. 

Do I have to report all personal data breaches?

Any breach of security which leads to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data is likely to be a breach of the Regulation.

Not all breaches are reportable; an organisation will need to determine whether there has been, or there is likely to be, a significant detrimental effect upon individuals. 

What to do now?

Organisations should consider what policies and procedures they have in place, and whether these are adequate to meet the obligations imposed upon them under the GDPR. Where appropriate, any supply contracts should be considered to ensure that adequate rights are in place, for example relating to reporting of security breaches.

Related Blog Posts

Auto Draft 113

Cavalier attitude to data protection leads ICO to levy its first fine under the GDPR

The long awaited and much anticipated first UK fine issued by the Information Commissioner’s Office (ICO) under the General Data Protection Regulation (GDPR) has

Pencil iconBy Ellie Leatherday on 3rd January 2020

Auto Draft 113

Important update for UK Digital Service Providers post Brexit

With Brexit on the horizon, deal or no deal, the Department for Digital Culture, Media and Sport has drafted updated compliance information for the Network

Pencil iconBy Joan Pettingill on 28th October 2019

Auto Draft 113

Immigration control & the GDPR

To what extent do employers need to comply with the GDPR when processing immigration data?

Pencil iconBy Ellie Leatherday on 22nd October 2019

Data protection – new changes which will shock employers

A patient’s right to access their data need not be a headache for GPs

A look at what effect the GDPR has had on a patient’s rights to access their data from their GP Practice and what steps

Pencil iconBy Joan Pettingill on 17th April 2019

Data protection – new changes which will shock employers

Damages for Breach of Confidence

The Court of Appeal has upheld an award of “Wrotham Park damages” in a business sale for breach of confidentiality, non-compete and non-solicitation covenants.

Pencil iconBy Simon Lockley on 9th January 2019

Data protection – new changes which will shock employers

Subject Access Requests under the GDPR – how are you coping?

Changes introduced by the GDPR and the Data Protection Act 2018 have increased the time pressure on organisations that have to respond to Subject Access Requests (“

Pencil iconBy Louise Connacher on 7th August 2018

Data protection – new changes which will shock employers

Data Protection Act 1998 vs the GDPR – which applies?

In the aftermath of the furore on the 25 May 2018, the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues, has

Pencil iconBy Ellie Leatherday on 6th August 2018

Data protection – new changes which will shock employers

Data protection doesn’t apply to agricultural businesses – does it?

Recent changes to legislation mean that data protection law is something that agricultural businesses have to take seriously.

Pencil iconBy Louise Connacher on 4th January 2018

Data protection – new changes which will shock employers

Can an employer be liable for its rogue employee’s data breach?

Mr Skelton was employed by Morrisons as a Senior IT Consultant. He was not at all happy when Morrisons gave him a verbal warning for

Pencil iconBy Louise Connacher on 13th December 2017

Data protection – new changes which will shock employers

Are you ready for the new data protection laws?

The European Parliament has now adopted the General Data Protection Regulation (“GDPR”).

Pencil iconBy Louise Connacher on 29th August 2017

Automatic Unfair Dismissal - does there have to be an actual breach of statutory right or is the threat of infringement enough?

Monitoring Employees – New Guidance

New data protection guidance issued this month warns employers to think twice before using social media to vet job applicants.

Pencil iconBy Louise Connacher on 25th August 2017

Data protection – new changes which will shock employers

Information Commissioner on primacy of data protection for all professionals – backed by swingeing penalties

Our current regime of data protection legislation came into force in 1998.

Pencil iconBy Louise Connacher on 10th February 2017

Get In Touch Today!

Get In Touch Today!

Please complete this form to make an enquiry and we will get back to you as soon as we can.

Remember you can still call us on 0333 323 5292 or email us at

  • This field is for validation purposes and should be left unchanged.