We advise small, medium and large private and public bodies and advise on all aspects of data protection compliance and information governance.


The GDPR applies to any organisation that has control over personal data as well as those that process personal data on behalf of another organisation.

It is critical to any business that they are aware of, and have a plan to deal with personal data. The costs of not complying with the GDPR are high. 

It’s important your organisation looks ahead to GDPR and lays the foundations to ensure compliance. 

We can help you with all aspects of GPDR, from offering initial GDPR audits, reviewing contracts, and the steps to take to comply with privacy through to GDPR training and incident response support. Find out more here.

Audits and compliance

We advise on:

  • GDPR -the General Data Protection Regulation
  • compliance with the Data Protection Act 2018 including DPA audits
  • information and records management
  • policies for the collection and processing of personal data
  • information access requests: subject access requests, freedom of information
  • data security including handling breaches of the Data Protection Act 2018
  • liaising with the Information Commissioner in relation to complaints made by individuals
  • the information governance and data protection implications of outsourcing and commercial contracts
  • data protection impact assessments
  • data processing agreements
  • marketing privacy including direct marketing, telemarketing and sharing data with third parties
  • online privacy including cloud computing, cookie compliance, social media and mobile devices
  • employment and data protection  

Data protection

What is data protection?

If you handle personal information about individuals, you have a number of legal obligations to protect that information under the Data Protection Act 2018. 

What is meant by 'personal data'?

According to the ICO, personal data means data which relates natural persons who can be:

  • identified or are identifiable directly from that information, or;
  • indirectly identified from that information in combination with other information. 
  • personal data includes names, addresses and telephone numbers.

Subject access requests

What is a subject access request?

The Data Protection Act 2018 gives individuals certain rights and one of which is the right to request a copy of their personal data which the data controller holds.This is called a Subject Access Request (SAR).

There are various reasons why individuals submit SARs, for example, a disgruntled member of staff wanting to be a nuisance, an employee considering issuing Employment Tribunal proceedings, or someone with the belief that derogatory comments have been made about them. It could even be because a customer has not received a good service or experience, or they believe you had shared or received information about them which is causing them some distress or damage. 

The concept is simple enough, however the effect on the organisation can be profound. 

Depending on how long ago the data controller obtained their data, how they have processed it, and how long it has been retained for, there could be thousands of documents for you to trawl through.  This significantly impacts on your normal day-to-day job and therefore causes an expense to the organisation. Data Controllers forget to account for the resources needed to collate, assess, redact, copy and release the data. 

Our experience 

We have undertaken a number of SARs on behalf of our clients; some have been very small and others have contained many thousands of documents. We have supported the housing, health, education, equine and legal sector carry out the disclosure obligations. 

How we can help

  • advise you on how to comply with a SAR;
  • assist with the document review exercise;
  • and draft relevant response letters on your behalf.