
Data protection and privacy

We advise small, medium and large private and public bodies on all aspects of data protection compliance, GDPR and information governance.

If you handle personal information about individuals, you have a number of legal obligations to protect that information under the Data Protection Act 2018. 

"... through the training, coaching and mentoring  I have found a passion for privacy and data protection."

Annie Bromwich-Alexandra, Governance Support Manager, Isos Housing


The GDPR applies to any organisation that has control over personal data as well as those that process personal data on behalf of another organisation.

It is critical that every business is aware of the personal data it holds and has a plan to deal with it. The costs of not complying with the GDPR are high.

It’s important your organisation looks ahead to GDPR and lays the foundations to ensure compliance. 

We can help you with all aspects of GDPR, from initial GDPR audits, contract reviews and the steps to take to comply with privacy, through to GDPR training and incident response support. Find out more here.

Audits and compliance

We advise on:

  • GDPR, the General Data Protection Regulation
  • compliance with the Data Protection Act 2018 including DPA audits
  • information and records management
  • policies for the collection and processing of personal data
  • information access requests: subject access requests, freedom of information
  • data security including handling breaches of the Data Protection Act 2018
  • liaising with the Information Commissioner in relation to complaints made by individuals
  • the information governance and data protection implications of outsourcing and commercial contracts
  • data protection impact assessments
  • data processing agreements
  • marketing privacy including direct marketing, telemarketing and sharing data with third parties
  • online privacy including cloud computing, cookie compliance, social media and mobile devices
  • employment and data protection  

"... very helpful and informative workshop on GDPR. Your workshop brought it all to life and gave a much deeper insight into the obligations and cultural changes needed to take place in our business"

Trica Pearson, Webmoco

Data protection

What is data protection?

If you handle personal information about individuals, you have a number of legal obligations to protect that information under the Data Protection Act 2018. 

What is meant by 'personal data'?

According to the ICO, personal data means data which relates to natural persons who can be:

  • identified or identifiable directly from that information; or
  • indirectly identified from that information in combination with other information.

Personal data includes names, addresses and telephone numbers.

Subject access requests

What is a subject access request?

The Data Protection Act 2018 gives individuals certain rights, one of which is the right to request a copy of their personal data which the data controller holds. This is called a Subject Access Request (SAR).

There are various reasons why individuals submit SARs: for example, a disgruntled member of staff wanting to be a nuisance, an employee considering issuing Employment Tribunal proceedings, or someone who believes that derogatory comments have been made about them. It could even be because a customer has not received good service or a good experience, or because they believe you have shared or received information about them which is causing them some distress or damage.

The concept is simple enough; however, the effect on the organisation can be profound.

Depending on how long ago the data controller obtained the data, how they have processed it, and how long it has been retained, there could be thousands of documents for you to trawl through. This significantly impacts your normal day-to-day job and therefore causes an expense to the organisation. Data controllers forget to account for the resources needed to collate, assess, redact, copy and release the data.

Our experience 

We have undertaken a number of SARs on behalf of our clients; some have been very small and others have contained many thousands of documents. We have supported the housing, health, education, equine and legal sectors in carrying out their disclosure obligations.

How we can help

  • advise you on how to comply with a SAR;
  • assist with the document review exercise;
  • and draft relevant response letters on your behalf.

How can we help?
01926 732512