GDPR Lawyers

It is vitally important that companies do all they can to work towards GDPR compliance.  You should be thinking continuously about the ways in which your business processes personal data and adapting as your processes change over time.

We understand how daunting and time consuming this can be, and we are here to help.  The experienced GDPR Lawyers on the Data Protection and Privacy Law team at Lupton Fawcett will work with you to ensure you know what your rights and responsibilities are, prepare all the necessary documentation and advise you in the event of investigations.

No matter what stage your business is at with GDPR compliance, or what size and type your business is, our experienced data protection team will provide tailored, jargon free advice to get you where you need to be.

The General Data Protection Regulations

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), have been in force for a number of years now, and the provisions for the post-Brexit GDPR implementation have been set out, which effectively mean that the UK will maintain the standards set by the GDPR.

The GDPR applies to “controllers and processors”. The controller is the person who determines the purpose, and the manner in which personal data is processed. The processor acts on the controller’s behalf.

The GDPR applies to “personal data” but the definition is more expansive to reflect changes in technology and how information on people is collected.

Personal data such as HR records, customer lists or contact details are all covered by the GDPR. The GDPR applies to both automated personal data and certain manual filing systems.

The risks of not complying can potentially be quite serious – a breach of the GDPR could carry a fine of up to €20 million or 4% of your company’s annual worldwide group turnover, and may also be a criminal offence under the DPA. The regulator in the UK is the Information Commissioner’s Office (ICO).

It is therefore imperative that businesses do all they can in order to work towards GDPR compliance.

Here at Lupton Fawcett our team of specialist Data and Privacy lawyers have a wealth of experience and can help you in any way you need, including:

Data Processing Audits

Conducting data processing audits to help you identify your data processes, compliance, and policies, and their strengths and weaknesses, with specific focus on HR and Employee data.

GDPR Compliance

Providing guidance reports on recommended actions you can take to improve your compliance with the GDPR.

Privacy Notices, Forms and Policies

Drafting and reviewing relevant documents for your business, including privacy notices, data protection policies, consent forms and data processing agreements.

Permitted Use of Personal Data

Advising on permitted uses of personal data, including how you collect, store, market and transfer that information.

Contractual Terms

Negotiating appropriate contractual terms with other data processors and controllers.

Personal Data Breaches

Assisting and advising on appropriate action in the event of a personal data breach.


Advising and representing you in respect of regulatory investigations and court hearings.

Data Subject Access Requests

Assisting and advising you in the event you receive a data subject access request including providing a review and redaction service

Training Courses

Providing flexible and tailored training courses for your staff to help them understand the issues and steps they need to be aware of in ensuring compliance with the likes of GDPR, PECR, NIS and FOIA.

Am I processing personal data?

A key question, and one which can often be underestimated, is to ask whether your business is processing personal data. Personal data means any information that relates to a living person and can be used to identify that person, either directly or indirectly. This can therefore include obvious things like a name and email address, but could also include more subtle pieces of information such as an IP address which, when combined with other available information could be used to identify a person.

The idea of processing is also one which can be misunderstood, and it is a very broad concept. In effect, processing means any action performed on personal data. This can include obvious actions where personal data are actively analysed by a business, but it also includes other much more incidental actions. For example, storing personal data on your systems, collecting data on behalf of another party, or transmitting data to another party will all count as processing.

There are some exceptions, but generally, if you can identify personal data within your business, the likelihood is that your business is processing personal data. The more detailed the data and the more complex or large-scale your processing, the greater your obligations will be. These obligations also apply even if you are processing data on behalf of another organisation.

What do I need to do?

Whilst compliance can seem daunting, there are some key principles that underpin the GDPR and the rest of the data protection legislation, and it can be helpful to keep these in mind when running your business.

One of the main aims of the GDPR is to ensure that people are more informed about how their personal data are being processed and that they have the opportunity to control what happens with their data. Processing should be lawful, fair, transparent, and for legitimate purposes. This does not always require consent if there is another necessary and legitimate reason. In addition, personal data should be kept secure. Your business should only process personal data when it needs to and should do so with these principles in mind.

In practice, what this means is that you should clearly inform individuals about how, why, and when your business will process their personal data, as well as what they are entitled to do about it. A good way to do this is with a carefully constructed privacy notice. If necessary, you should seek consent. It is important for you to continuously think about the ways in which your business processes personal data as an ongoing consideration, especially if your processes change. It is important to be aware of how and when to conduct data protection impact assessments as a useful (and sometimes required) tool in demonstrating these considerations.

You may also consider appointing a data protection officer to manage your compliance obligations on a day-to-day basis. Some businesses will be required to do this by law.

If you are unsure what personal data your business is processing, or whether it is doing so in ways which are compliant with the GDPR and the DPA, you may wish to conduct a data processing audit to help highlight areas that may need addressing and get a clearer picture about your rights and responsibilities.

Data Subject Rights

Data subjects have several rights under the data protection legislation, including amongst others:

  • a right of access to their personal data (also known as a Subject Access Request or SAR);
  • a right of erasure of their personal data (also known as the “right to be forgotten”); and
  • a right of rectification of errors.

Your business may receive a request from a data subject asking you to provide, delete, or correct their personal data that you hold. These requests can be confusingly and clumsily made, and may not always be easy to respond to. The timescales can be quite short and so prompt action may be needed. Under the GDPR, a request has to be responded to “without undue delay and in any event within one month of receipt of the request”. Our experienced lawyers can help you to identify what information you can and should provide, and will advise you on what actions you can take in response to these requests.

You may also receive a request for information under the Freedom of Information Act if you are working in or for the public sector. This is a separate regime and process to a SAR and different rules apply as to what can and cannot be disclosed. Our solicitors can advise you on the appropriate action if you receive a request for information under FOIA.

GDPR Compiance Training

Our team of specialist GDPR lawyers offer a variety of training days to suit your needs. We host half day training sessions on:

  • Introduction to GDPR, PECR and NIS;
  • How to Manage Subject Access Requests and Freedom of Information Requests;
  • An Introduction to Network and Information Systems (NIS); and
  • An Overview of PECR and Cookies.

Please visit our events page for details of our training sessions and upcoming dates. We are also available to host our training sessions in-house for groups of your employees at a venue that suits you. Please contact any member of the Data and Privacy Law team to discuss further.

Contact us for help

We have experienced Data Protection Solicitors ready to answer your enquiries about any data protection law issues via email or telephone.

Lupton Fawcett are a leading personal and commercial law firm in Yorkshire with well-established offices of highly experienced solicitors in Leeds, Sheffield and York.

We provide a personalised service, with sector specialists and extensive resources to ensure we are giving you the best solutions to your problems.

Within every area of law, we put your interests first.

Our specialist GDPR Lawyers work regularly with clients across the United Kingdom including Bradford, Birmingham, Hull, Leeds, Liverpool, London, Manchester, Sheffield, York and Nottingham.

We can support your needs wherever you live in England, Wales, Northern Ireland and Ireland.

We will always respond promptly, and we will be happy to help.



Related Blog Posts

Data Law

Morrisons not responsible for data breach

The Supreme Court has today ruled that the grocery retailer was not liable for a substantial data breach committed by a disgruntled employee.

Pencil iconBy Alex Evans on 2nd April 2020

ICO provides clarification on Data Protection principles in light of Covid-19

ICO provides clarification on Data Protection principles in light of Covid-19

As is the case with many organisations across the globe, the Information Commissioner’s Office (ICO) has released responses to some frequently asked questions they

Pencil iconBy Ellie Leatherday on 27th March 2020

Keep calm and don't forget the GDPR! 1

Keep calm and don’t forget the GDPR!

The nation and world at large are currently gripped by a Covid-19 induced panic.

Pencil iconBy Ellie Leatherday on 16th March 2020

Data Law

UK law does not meet EU conditions for data adequacy

On 12 February 2020 the European Parliament stated in a resolution that it does not consider the UK data protection framework to be adequate. What impact could

Pencil iconBy David Baines on 19th February 2020

Data Law

Cavalier attitude to data protection leads ICO to levy its first fine under the GDPR

The long awaited and much anticipated first UK fine issued by the Information Commissioner’s Office (ICO) under the General Data Protection Regulation (GDPR) has

Pencil iconBy Ellie Leatherday on 3rd January 2020

Data Law

Important update for UK Digital Service Providers post Brexit

With Brexit on the horizon, deal or no deal, the Department for Digital Culture, Media and Sport has drafted updated compliance information for the Network

Pencil iconBy Joan Pettingill on 28th October 2019

Data Law

Immigration control & the GDPR

To what extent do employers need to comply with the GDPR when processing immigration data?

Pencil iconBy Ellie Leatherday on 22nd October 2019

Data protection – new changes which will shock employers

A patient’s right to access their data need not be a headache for GPs

A look at what effect the GDPR has had on a patient’s rights to access their data from their GP Practice and what steps

Pencil iconBy Joan Pettingill on 17th April 2019

Data protection – new changes which will shock employers

Damages for Breach of Confidence

The Court of Appeal has upheld an award of “Wrotham Park damages” in a business sale for breach of confidentiality, non-compete and non-solicitation covenants.

Pencil iconBy Simon Lockley on 9th January 2019

Data protection – new changes which will shock employers

Subject Access Requests under the GDPR – how are you coping?

Changes introduced by the GDPR and the Data Protection Act 2018 have increased the time pressure on organisations that have to respond to Subject Access Requests (“

Pencil iconBy Louise Connacher on 7th August 2018

Data protection – new changes which will shock employers

Data Protection Act 1998 vs the GDPR – which applies?

In the aftermath of the furore on the 25 May 2018, the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues, has

Pencil iconBy Ellie Leatherday on 6th August 2018

Data protection – new changes which will shock employers

Data protection doesn’t apply to agricultural businesses – does it?

Recent changes to legislation mean that data protection law is something that agricultural businesses have to take seriously.

Pencil iconBy Louise Connacher on 4th January 2018

Why Choose Lupton Fawcett?

Having advised and supported many local families, individuals and businesses, we are proud to offer clients a dedicated service from specialist solicitors who are experts in their field:

We're Award Winning

We were awarded the Legal 500 HR/Employment Law team of the year in 2017

We're Connected

We're connected to the people, businesses and infrastructure throughout Yorkshire

We Put You First

You can be sure to expect superb client service from us. Our clients are our priority

We're accredited

Recognised by leading Legal Directories Chambers & Partners and the Legal 500

Frequently Asked Questions

What does GDPR apply to?

GDPR applies to the processing of personal data wholly or in part by “automated means” or forming part of a “filing system”. However, there are some exceptions, including that it doesn’t apply where personal data is processed by a person purely in the course of a personal or household activity.

Personal data means any information relating to an identified or identifiable natural person. This includes provisions which take into account advances in technology; therefore online identifiers, such as an IP address, are also included.  ‘Special categories of personal data’ or sensitive data, such as sexual orientation and religious beliefs, are covered by the GDPR and includes genetic and biometric data where it is possible to identify an individual as a result of that data being processed.

Who does GDPR affect?

The GDPR affects any individuals located in the EU and also any businesses, charities and other organisations that process personal data and are established or located in the EU, as well as those which are located outside of the EU but still process personal data of individuals located in the EU and/or sell goods to them.

Will I need to register with the Information Commissioner’s Office?

Unless your business is exempt, you are required to register with the Information Commissioner’s Office and pay an annual data protection fee. Your business may be exempt from paying the fee if it only processes personal data for specific purposes, such as staff administration, marketing, or accounts and records. Our team of solicitors can help you determine whether you need to pay a fee.

The amount of the fee varies depending upon the size of your business, but currently starts at a cost of £40.


Organisations must show how they adhere to the GDPR’s principles by, for example, demonstrating what procedures are in place to protect the data that they hold. Many organisations will currently have in place adequate measures; however, it is likely that others will be required to examine and address their current practices to ensure compliance with the GDPR.

What rights does a data subject have?

Data subjects have several rights under the data protection legislation, including amongst others:

  • a right of access to their personal data (also known as a Subject Access Request or SAR);
  • a right of erasure of their personal data (also known as the “right to be forgotten”); and
  • a right of rectification of errors.

The timescales can be quite short and so prompt action may be needed. Under the GDPR, a request has to be responded to “without undue delay and in any event within one month of receipt of the request”.

If any information held is incorrect, the data subject is entitled to request that it is rectified. Where this information has been disclosed to third parties, the disclosing party is also obliged to ensure that this information is rectified.

Where there is no compelling reason for personal data to be held, a data subject has the right to request that the personal data be deleted. The data subject may also request that any processing of their data ceases. This request must be complied with unless there are compelling and legitimate grounds for processing that personal data.

Do I need to appoint a data protection officer (DPO)?

If you are a public authority or carry out large scale processing of special categories of data or the regular systematic monitoring of data subject on a large scale, then the data protection legislation states that in most circumstances you will be required to appoint a DPO.

Otherwise, appointment of a DPO is optional, although larger organisations may find that it is prudent for them to appoint a DPO to ensure compliance with the GDPR. 

Do I have to report all personal data breaches?

Any breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data will be a personal data breach under the GDPR.

Not all breaches have to be reported; the ICO does not need to be notified if the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. Your business will also need to determine whether there has been, or there is likely to be, a high risk to the rights and freedoms of individuals. Decisions are then made whether the regulator, other controllers, and/or data subjects need to be informed.

What to do now?

Organisations should consider what policies and procedures they have in place, and whether these are adequate to meet the obligations imposed upon them under the GDPR. Where appropriate, any supply contracts should be considered to ensure that adequate rights are in place, for example relating to reporting of security breaches.

Get In Touch Today!

Get In Touch Today!

Please complete this form to make an enquiry and we will get back to you as soon as we can.

Remember you can still call us on 0333 323 5292 or email us at

  • This field is for validation purposes and should be left unchanged.