Data Protection Solicitors for Privacy Law Breaches and Compliance

Dealing with data protection and privacy issues can be incredibly daunting, whether you are a business or an individual.


For businesses, data protection compliance is more serious now than ever before and data breaches can have serious consequences.  Similarly, individuals are more concerned about what data is held about them and how their personal data is used, and they are more likely to take action if there has been a breach of data protection.

At Lupton Fawcett, our team of specialist Data Protection Solicitors is experienced in all areas of data privacy laws and regulations. We are here to offer you easy-to-understand legal advice to help you navigate this fast-evolving area of law whether you need help with compliance, investigations, data breach claims or training.

What are the data protection laws?

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) have been in force for a number of years now, and the provisions for the post-Brexit GDPR implementation have been set out, which effectively mean that the UK will maintain the standards set by the GDPR.

In addition, there are several other laws and regulations which govern the use of data, such as the Privacy and Electronic Communications Regulations (PECR), Freedom of Information Act (FOIA), and Network and Information Systems (NIS) Regulations. Together, all of these laws and more make up the framework for data protection legislation which businesses have to comply with, whether you are dealing with basic customer details, mailing lists and marketing campaigns, or sensitive personal information.

The risks of not complying can potentially be quite serious – a breach of the GDPR could carry a fine of up to €20 million or 4% of your company’s annual worldwide group turnover and may also be a criminal offence under the DPA. The regulator in the UK is the Information Commissioner’s Office (ICO).

However, many businesses both large and small are still uncertain as to their rights and responsibilities under the current data protection regime and the various laws that apply, potentially leaving themselves exposed to complaints and sanctions.

Here at Lupton Fawcett, our specialist Data Protection Lawyers can help your organisation to navigate this complex aspect of modern business.

How can Lupton Fawcett help your business with Data Protection and Privacy compliance?

Our team of specialist Data and Privacy Lawyers can advise and assist you on various data and privacy legislation, including:

  • The General Data Protection Regulation and Data Protection Act 2018;
  • The Freedom of Information Act;
  • Privacy and Electronic Communications Regulations;
  • Network and Information Systems Regulations.

We can help you address various steps to enable and support your compliance in all aspects of data and privacy laws, including:

Data Processing Audits

Conducting data processing audits to help you identify your data processes, compliance, and policies, and their strengths and weaknesses.

Compliance Reports

Providing guidance reports on recommended actions you can take to improve your compliance with data and privacy laws.

Permitted Use of Personal Data

Advising on permitted uses of personal data, including how you collect, store, market and transfer that information.

Contractual Terms

Negotiating appropriate contractual terms with other data processors and controllers.

Data Breaches

Assisting and advising on appropriate action in the event of a personal data breach.

Privacy Notices, Policies and Forms

Drafting and reviewing relevant documents for your business, including privacy notices, data protection policies, consent forms and data processing agreements.


Advising and representing you in respect of regulatory investigations and court hearings.

Data Subject Access Requests

Assisting and advising you in the event you receive a data subject access request or freedom of information request, including providing a review and redaction service.

Training Courses

Providing flexible and tailored training courses for your staff to help them understand the issues and steps they need to be aware of in ensuring compliance with the likes of GDPR, PECR, NIS and FOIA.

Does the legislation apply to my business?

The different pieces of legislation have different applications, but in general, if you are processing personal data within the UK, you will need to comply with at least one or more of the GDPR, DPA, NIS and PECR.

Data Protection & Privacy Law Training

Our Data Protection and Privacy Solicitors specialising in the Data Protection Act offer a variety of training days to suit your needs.

We host half-day training sessions on:

  • An Introduction to GDPR, PECR and NIS;
  • How to Manage Subject Access Requests and Freedom of Information Requests;
  • An Introduction to Network and Information Systems (NIS); and
  • An Overview of PECR and Cookies.

Please visit our events page for details of our Data Protection and Privacy Law training sessions and upcoming dates. We are also available to host our training sessions in-house so contact our Data Protection and Privacy Law team to discuss further.

How can Lupton Fawcett help you personally?

All living human beings will be classed as a data subject in one way or another. Whether this is in relation to the information your current or prospective employer processes about you, companies that you have bought products from or receive marketing information from, or any number of other professional bodies that process your personal data, the GDPR will still apply.

If you are a data subject, you have certain rights available to you under the GDPR to ensure the transparent processing of your personal data. These rights can include:

  • The right to be informed on what data is being processed;
  • The right to access your personal data, a Data Subject Access Request;
  • The right to rectification if data is inaccurate or incomplete;
  • The right to erasure, also known as the “right to be forgotten” in certain circumstances;
  • The right to restrict processing in certain circumstances;
  • The right to data portability: which allows individuals to move, copy or transfer personal data easily from one IT environment to another in a secure and safe manner;
  • The right to object to processing on grounds relating to your particular situation unless there are compelling legitimate grounds for processing;
  • Rights relating to automated decision making and profiling: the GDPR provides safeguards for individuals against the risk of a decision being taken without human intervention.

Breach of your rights as a data subject under the GDPR can have severe and lasting consequences.

Data breaches, for example, including the accidental loss of your personal information, can have a significant impact on you as a data subject. In certain circumstances, you may be entitled to compensation for financial damage and distress caused in a data breach.

If you would like further information about your rights as a data subject or believe you are the subject of a data breach, please contact a member of our specialist Data Protection and Privacy Law team, who would be happy to provide further advice.

ICO Investigations

If you are facing an ICO investigation or regulatory prosecution regarding data protection and privacy laws, we can provide you with experienced, pragmatic advice and representation to help ensure the best possible outcome for you and your business.

Jeremy Scott and the Regulatory and Corporate Defence team at Lupton Fawcett are available 24/7. Please call us to discuss how we can help.

Contact us for help

We have experienced Data Protection and Privacy Law Solicitors ready to answer your enquiries about any data protection and privacy law issues via email or telephone.

Lupton Fawcett are a leading personal and commercial law firm in Yorkshire with well-established offices of highly experienced solicitors in Leeds, Sheffield and York.

We provide a personalised service, with sector specialists and extensive resources to ensure we are giving you the best solutions to your problems.

Our specialist Data Protection and Privacy Lawyers act regularly for clients across the United Kingdom including Bradford, Birmingham, Hull, Leeds, Liverpool, London, Manchester, Sheffield, York and Nottingham.

We can support your needs wherever you live in England or Wales.

We will always respond promptly, and we will be happy to help.


Frequently Asked Questions

What does GDPR apply to?

GDPR applies to the processing of personal data wholly or in part by “automated means” or forming part of a “filing system”. However, there are some exceptions, including that it doesn’t apply where personal data is processed by a person purely in the course of a personal or household activity.

Personal data means any information relating to an identified or identifiable natural person. This includes provisions that take into account advances in technology; therefore online identifiers, such as an IP address, are also included. ‘Special categories of personal data’ or sensitive data, such as sexual orientation and religious beliefs, are covered by the GDPR and include genetic and biometric data where it is possible to identify an individual as a result of that data being processed.

Who does GDPR affect?

The GDPR affects any individuals located in the EU and also any businesses, charities and other organisations that process personal data and are established or located in the EU, as well as those which are located outside of the EU but still process personal data of individuals located in the EU and/or sell goods to them.

Will I need to register with the Information Commissioner’s Office?

Unless your business is exempt, you are required to register with the Information Commissioner’s Office and pay an annual data protection fee. Your business may be exempt from paying the fee if it only processes personal data for specific purposes, such as staff administration, marketing, or accounts and records. Our team of solicitors can help you determine whether you need to pay a fee.

The amount of the fee varies depending upon the size of your business but currently starts at a cost of £40.00.


Organisations must show how they adhere to the GDPR’s principles by, for example, demonstrating what procedures are in place to protect the data that they hold. Many organisations will currently have in place adequate measures; however, it is likely that others will be required to examine and address their current practices to ensure compliance with the GDPR.

What rights does a data subject have?

Data subjects have several rights under the data protection legislation, including amongst others:

  • a right of access to their personal data, also known as a Subject Access Request or SAR;
  • a right of erasure of their personal data, also known as the ‘right to be forgotten’;
  • a right of rectification of errors.

The timescales can be quite short and so prompt action may be needed. Under the GDPR, a request has to be responded to ‘without undue delay and in any event within one month of receipt of the request’.

If any information held is incorrect, the data subject is entitled to request that it is rectified. Where this information has been disclosed to third parties, the disclosing party is also obliged to ensure that this information is rectified.

Where there is no compelling reason for personal data to be held, a data subject has the right to request that the personal data be deleted. The data subject may also request that any processing of their data ceases. This request must be complied with unless there are compelling and legitimate grounds for processing that personal data.

Do I need to appoint a data protection officer (DPO)?

If you are a public authority or carry out large scale processing of special categories of data or the regular systematic monitoring of data subjects on a large scale, then the data protection legislation states that in most circumstances you will be required to appoint a DPO.

Otherwise, the appointment of a DPO is optional, although larger organisations may find that it is prudent for them to appoint a DPO to ensure compliance with the GDPR. 

Do I have to report all personal data breaches?

Any breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data will be a personal data breach under the GDPR.

Not all breaches have to be reported; the ICO does not need to be notified if the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. Your business will also need to determine whether there has been, or there is likely to be, high risk to the rights and freedoms of individuals. Decisions are then made whether the regulator, other controllers, and/or data subjects need to be informed.

What to do now?

Organisations should consider what policies and procedures they have in place, and whether these are adequate to meet the obligations imposed upon them under the GDPR. Where appropriate, any supply contracts should be considered to ensure that adequate rights are in place, for example relating to reporting of security breaches.

Get In Touch Today!


Please complete this form to make an enquiry and we will get back to you as soon as we can.

Remember you can still call us on 0333 323 5292 or email us at
