Data protection and data privacy

We work with clients from a broad range of sectors advising them on all aspects of their data protection compliance. We regularly advise clients on the creation and roll-out of compliance programmes (including audits, the development of policies and documentation and the delivery of training). We regularly advise on the creation of privacy notices, cookie policies, data protection impact assessments and records of processing. We also advise clients on the complexities of international data transfer issues (including intra-group and with service providers).

Our deep experience and expertise in digital and technology feeds into our privacy and data protection work. We frequently advise on cutting-edge privacy and data protection issues involving areas such as AI, immersive technology, digital marketing, adtech and programmatic advertising. We also have particular expertise in advising large entertainment, retail and other consumer facing businesses and global brands on the data privacy implications of their digital transformations.

We work closely with our clients to help them to lawfully collect and process data whilst managing the careful balance between compliance risk and commercial opportunities. We also work closely with our extensive network of independent law firms in other jurisdictions allowing us to support not only clients’ UK but also pan-European and global transactions and operations.

Our data protection advice also includes supporting a large number of clients on the data protection aspects of commercial and corporate transactions, including drafting and negotiating data processing agreements, and supporting with data protection related due diligence for mergers, acquisitions and investments.

Cyber-attacks and data loss are unfortunately common place and a risk to all businesses. We help clients with legal advice in the event of a data breach. We are uniquely placed to do so, combining our data privacy expertise with our extensive experience in the field of reputation management. We advise clients on complying with regulatory obligations including breach notification requirements, communicating with key stakeholders and clients, and dealing with related reputational issues.

We also help clients faced with a wide range of contentious data protection issues, including complaints to the Information Commissioners Office, litigation in the High Court and dealing with contentious data subject access requests. Responding to a subject access request, whether from a customer, ex-employee or potential litigant can be a time-consuming and complex undertaking and we help clients navigate the legal landscape.

Creating the right core team to deal with a data crisis is key, and we are very familiar with working alongside a client’s own in-house legal team, and other advisors such as forensic IT experts, marketing and crisis communications teams. We can also help introduce clients to experts in those fields if required.

Please see our Data litigation, data breaches and cybersecurity page for more details.

• Compliance Week coverage on British Airways data breach class action
• EU adopts UK adequacy decisions allowing free flow of data
• Harbottle & Lewis advises NASDAQ quoted client Take-Two Interactive on its acquisition of Nordeus
• Data & Privacy eBulletin: Spring 2021
• Further safeguards are put in place to protect patients’ confidential information
• Sacha Wilson quoted on BA/Marriott GDPR fines
• Data & Privacy eBulletin: Autumn 2020
• Data & Privacy eBulletin: Schrems does it again
• Coverage: Dan Tozer on UK-US data sharing
• ICO report: mobile phone data extraction by police must improve
• ICO reshapes priorities in light of pandemic
• People Management coverage for Yvonne Gallagher
• Supreme Court to decide on key features of Class Action Data Compensation Claim against Google
• US eBulletin: Winter 2020
• Data & Privacy eBulletin: ad industry in the spotlight, Schrems II and Brexit developments
• H&L advises Sargent-Disc on sale to Cast & Crew
• January start for California data privacy law
• Data & Privacy eBulletin: (Still) preparing for Brexit
• Court of Appeal allows class action against Google

• New EU standard contractual clauses for international data transfers published
• GDPR Article 27 Representatives not liable for data protection breaches by controllers
• GDPR-style AI regulation proposed by the European Commission
• EDPB opinions see the UK take one step closer to an adequacy decision
• British Airways fined £20m by the ICO for data breach
• Are you ready for the P2B Regulation? Coming into force on 12 July 2020
• Implementation of revisions to Audiovisual Media Services Directive in the UK
• COVID-19: Ofcom decisions on fake news
• COVID-19: The debate about contact tracing apps and privacy safeguards rumbles on
• COVID-19: ICO issues guidance on its approach during the coronavirus public health emergency
• COVID-19: Contact tracing apps and the privacy challenges that need to be overcome
• Supreme Court finds Morissons not liable for data breach
• COVID-19: ICO publishes guidance on data protection compliance
• Court of Appeal rules (again) on beneficiaries’ subject access request for trust documents
• ICO publishes Age Appropriate Design Code
• Status update on cryptoassets, smart contracts and private keys
• Facial recognition technology: the way of the future?
• Protecting private medical information