Data Protection & Privacy Solicitors

Dealing with data protection and privacy issues can be incredibly daunting, whether you are a business or an individual.

For business, data protection compliance is more serious now than ever before and data breaches can have serious consequences.  Similarly, individuals are more concerned about what data is held about them and how their personal data is used, and they are more likely to take action if there has been a breach of data protection.

At Lupton Fawcett, our team of specialist data protection solicitors is experienced in all areas of data privacy laws and regulations. We are here to offer you easy-to-understand legal advice to help you navigate this fast-evolving area of law whether you need help with compliance, investigations, breaches or training.

What are the data protection laws?

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), have been in force for a number of years now, and the provisions for the post-Brexit GDPR implementation have been set out, which effectively mean that the UK will maintain the standards set by the GDPR.

In addition, there are several other laws and regulations which govern the use of data, such as the Privacy and Electronic Communications Regulations (PECR), Freedom of Information Act (FOIA), and Network and Information Systems (NIS) Regulations. Together, all of these laws and more make up the framework for data protection legislation which businesses have to comply with, whether you are dealing with basic customer details, mailing lists and marketing campaigns, or sensitive personal information.

The risks of not complying can potentially be quite serious – a breach of the GDPR could carry a fine of up to €20 million or 4% of your company’s annual worldwide group turnover and may also be a criminal offence under the DPA. The regulator in the UK is the Information Commissioner’s Office (ICO).

However, many businesses both large and small are still uncertain as to their rights and responsibilities under the current data protection regime and the various laws that apply, potentially leaving themselves exposed to complaints and sanctions.

Here at Lupton Fawcett, our specialist data protection lawyers can help your organisation to navigate this complex aspect of modern business.

How Lupton Fawcett can help your business with Data Protection compliance?

Our team of specialist Data and Privacy lawyers can help advise and assist various data and privacy legislation, including:

  • The General Data Protection Regulations and Data Protection Act 2018;
  • The Freedom of Information Act;
  • Privacy and Electronic Communications Regulations;
  • Network and Information Systems Regulations.

We can help you address various steps to enable and support your compliance in all aspects of data and privacy laws, including:

Data Processing Audits

Conducting data processing audits to help you identify your data processes, compliance, and policies, and their strengths and weaknesses.

Compliance Reports

Providing guidance reports on recommended actions you can take to improve your compliance with data and privacy laws.

Permitted Use of Personal Data

Advising on permitted uses of personal data, including how you collect, store, market and transfer that information;

Contractual Terms

Negotiating appropriate contractual terms with other data processors and controllers;

Data Breaches

Assisting and advising on appropriate action in the event of a personal data breach.

Privacy Notices, Policies and Forms

Drafting and reviewing relevant documents for your business, including privacy notices, data protection policies, consent forms and data processing agreements.


Advising and representing you in respect of regulatory investigations and court hearings.

Data Access Requests

Assisting and advising you in the event you receive a data subject access request or freedom of information request including providing a review and redaction service.

Training Courses

Providing flexible and tailored training courses for your staff to help them understand the issues and steps they need to be aware of in ensuring compliance with the likes of GDPR, PECR, NIS and FOIA.

Does the legislation apply to my business?

The different pieces of legislation have different applications, but in general, if you are processing personal data within the UK, you will need to comply with at least one or more of the GDPR, DPA, NIS and PECR.

Data & Privacy Law Training

Our team of specialist Data and Privacy lawyers offer a variety of training days to suit your needs.

We host half day training sessions on:

  • An Introduction to GDPR, PECR and NIS;
  • How to Manage Subject Access Requests and Freedom of Information Requests;
  • An Introduction to Network and Information Systems (NIS); and
  • An Overview of PECR and Cookies.

Please visit our events page for details of our data and privacy training sessions and upcoming dates. We are also available to host our training sessions in-house for groups of your employees at a venue that suits you. Please contact any member of the Data and Privacy Law team to discuss further.

How can Lupton Fawcett help you Personally?

All living human beings will be classed as a data subject in one way or another. Whether this is in relation to the information your current or prospective employer processes about you, companies that you have bought products from or receive marketing information from or any number of other professional bodies that process your personal data, the GPDR will still apply.

If you are a data subject, you have certain rights available to you under the GDPR to ensure the transparent processing of your personal data. These rights can include:

  • The right to be informed on what data is being processed;
  • The right to access your personal data, a Data Subject Access Request;
  • The right to rectification if data is inaccurate or incomplete;
  • The right to erasure, also known as the “right to be forgotten” in certain circumstances;
  • The right to restrict processing in certain circumstances;
  • The right to data portability: which allows individuals to move, copy or transfer personal data easily between one IT environment to another in a secure and safe manner;
  • The right to object to processing on grounds relating to your particular situation unless there are compelling legitimate grounds for processing;
  • Rights relating to automated decision making and profiling: the GDPR provides safeguards for individuals against the risk of a decision being taken without human intervention.

Breach of your rights as a data subject under the GDPR can have severe and lasting consequences.

Data breaches for example, including the accidental loss of your personal information, can have a significant impact on you as a data subject. In certain circumstances, you may be entitled to compensation for financial damage and distress caused in a data breach.

If you would like further information about your rights as a data subject or believe you are the subject of a data breach please contact one of our specialist Data and Privacy Law team who would be happy to provide further advice.

ICO Investigations

If you are facing an ICO investigation or regulatory prosecution regarding data protection and privacy laws, we can provide you with experienced, pragmatic advice and representation to help ensure the best possible outcome for you and your business.

Jeremy Scott and the Regulatory and Corporate Defence team at Lupton Fawcett are available 24/7. Please call us to discuss how we can help.

Contact us for help

To speak to one of our solicitors about Data and Privacy Law compliance or advice on any data protection law issues, call us on 0333 323 5292 or download our team sheet to find out more. Alternatively, you can email us or complete the enquiry form below and we will get in contact.

Our Data Protection Solicitors act regularly for clients across the United Kingdom including Bradford, Birmingham, Hull, Leeds, Liverpool, London, Manchester, Sheffield, York and Nottingham.

We can support your needs wherever you live in England, Wales, Northern Ireland and Ireland.

Why Choose Lupton Fawcett?

Having advised and supported many local families, individuals and businesses, we are proud to offer clients a dedicated service from specialist solicitors who are experts in their field:

We're Award Winning

We were awarded the Legal 500 HR/Employment Law team of the year in 2017

We're Connected

We're connected to the people, businesses and infrastructure throughout Yorkshire

We Put You First

You can be sure to expect superb client service from us. Our clients are our priority

We're accredited

Recognised by leading Legal Directories Chambers & Partners and the Legal 500

Frequently Asked Questions

What does it apply to?

Personal data is information relating to an identified or identifiable natural person. This include provisions which take into account advances in technology; therefore online identifiers, such as an IP address, are also included.  ‘Special categories of personal data’ or sensitive data, such as sexual orientation and religious beliefs, are covered by the GDPR and includes genetic and biometric data where it is possible to identify an individual as a result of that data being processed.

Who does it affect?

The GDPR applies to businesses, charities and other organisations that are located in the EU, and those which are solely located outside the EU and process personal data of EU residents and sell goods to them.

Will I need to register with the Information Commissioner?

Most data processors will have to register with the Information Commisioner’s Guide and pay an annual fee.


Organisations must show how they adhere to the GDPR’s principles by, for example, demonstrating what procedures are in place to protect the data that they hold. Many organisations will currently have in place adequate measures; however, it is likely that others will be required to examine and address their current practices to ensure compliance with the GDPR.

What rights does a data subject have?

Below is a summary of some of the rights that a data subject has:

There is a right of access to the data stored by a processor and confirmation of the processing of it.  Most requests should be responded to within 30 days of the initial request being made.

If any information held is incorrect, the data subject is entitled to request that it is rectified. Where information has been disclosed to third parties, the disclosing party is also obliged to ensure that this information is rectified.

Where there is no compelling reason for personal data to be held, a data subject has the right to request that any data be deleted. The data subject may also request that any processing of data ceases. This request must be complied with unless there are compelling and legitimate grounds for processing that personal data.

Do I need to appoint a data protection officer (DPO)?

If you are a public authority or carry out large scale processing of special categories of data or the systematic processing of large amounts of data for monitoring purposes, then it is likely that you will be required to appoint a DPO.

Larger organisations may find that it is prudent for them to appoint a DPO to ensure compliance with the GDPR. 

Do I have to report all personal data breaches?

Any breach of security which leads to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data is likely to be a breach of the Regulation.

Not all breaches are reportable; an organisation will need to determine whether there has been, or there is likely to be, a significant detrimental effect upon individuals. 

What to do now?

Organisations should consider what policies and procedures they have in place, and whether these are adequate to meet the obligations imposed upon them under the GDPR. Where appropriate, any supply contracts should be considered to ensure that adequate rights are in place, for example relating to reporting of security breaches.

Related Blog Posts

Auto Draft 113

UK law does not meet EU conditions for data adequacy

On 12 February 2020 the European Parliament stated in a resolution that it does not consider the UK data protection framework to be adequate. What impact could

Pencil iconBy David Baines on 19th February 2020

Auto Draft 113

Cavalier attitude to data protection leads ICO to levy its first fine under the GDPR

The long awaited and much anticipated first UK fine issued by the Information Commissioner’s Office (ICO) under the General Data Protection Regulation (GDPR) has

Pencil iconBy Ellie Leatherday on 3rd January 2020

Auto Draft 113

Important update for UK Digital Service Providers post Brexit

With Brexit on the horizon, deal or no deal, the Department for Digital Culture, Media and Sport has drafted updated compliance information for the Network

Pencil iconBy Joan Pettingill on 28th October 2019

Auto Draft 113

Immigration control & the GDPR

To what extent do employers need to comply with the GDPR when processing immigration data?

Pencil iconBy Ellie Leatherday on 22nd October 2019

Data protection – new changes which will shock employers

A patient’s right to access their data need not be a headache for GPs

A look at what effect the GDPR has had on a patient’s rights to access their data from their GP Practice and what steps

Pencil iconBy Joan Pettingill on 17th April 2019

Data protection – new changes which will shock employers

Damages for Breach of Confidence

The Court of Appeal has upheld an award of “Wrotham Park damages” in a business sale for breach of confidentiality, non-compete and non-solicitation covenants.

Pencil iconBy Simon Lockley on 9th January 2019

Data protection – new changes which will shock employers

Subject Access Requests under the GDPR – how are you coping?

Changes introduced by the GDPR and the Data Protection Act 2018 have increased the time pressure on organisations that have to respond to Subject Access Requests (“

Pencil iconBy Louise Connacher on 7th August 2018

Data protection – new changes which will shock employers

Data Protection Act 1998 vs the GDPR – which applies?

In the aftermath of the furore on the 25 May 2018, the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues, has

Pencil iconBy Ellie Leatherday on 6th August 2018

Data protection – new changes which will shock employers

Data protection doesn’t apply to agricultural businesses – does it?

Recent changes to legislation mean that data protection law is something that agricultural businesses have to take seriously.

Pencil iconBy Louise Connacher on 4th January 2018

Data protection – new changes which will shock employers

Can an employer be liable for its rogue employee’s data breach?

Mr Skelton was employed by Morrisons as a Senior IT Consultant. He was not at all happy when Morrisons gave him a verbal warning for

Pencil iconBy Louise Connacher on 13th December 2017

Data protection – new changes which will shock employers

Are you ready for the new data protection laws?

The European Parliament has now adopted the General Data Protection Regulation (“GDPR”).

Pencil iconBy Louise Connacher on 29th August 2017

Automatic Unfair Dismissal - does there have to be an actual breach of statutory right or is the threat of infringement enough?

Monitoring Employees – New Guidance

New data protection guidance issued this month warns employers to think twice before using social media to vet job applicants.

Pencil iconBy Louise Connacher on 25th August 2017

Get In Touch Today!

Get In Touch Today!

Please complete this form to make an enquiry and we will get back to you as soon as we can.

Remember you can still call us on 0333 323 5292 or email us at

  • This field is for validation purposes and should be left unchanged.