Data Protection and Privacy
This is a complex area of regulation that has potential traps for organisations of all kinds. We help our clients to avoid them, and the very serious penalties that can come with them.
Almost every organisation holds personal data collected from its customers, service users, or other people that it works with in some way. The law requires those organisations to use that data in a way that is fair, lawful, proportionate and accountable – and in a digital world, protecting it can be a big challenge. Adequate operational procedures must be in place at all times. The penalties for failure can be severe: fines in the tens of millions of pounds have been levied. (See ‘Penalties for non-compliance’ below for more details on this.)
The UK’s data protection requirements are set out in the Data Protection Act 2018, the UK GDPR and the Data (Use and Access) Act 2025. Add in The Privacy and Electronic Communications (EC Directive) Regulations 2003 and the UK has a complex landscape of regulation to navigate. We help our clients through this maze.
Whether you need help with GDPR and other privacy regulatory compliance, data breaches, data transfers and data sharing, data subject access requests (DSARs), online tracking or the intersection with Artificial Intelligence, our team can advise.
We also advise on Freedom of Information, helping both our private and public sector clients with requests for information and applying associated exemptions as well as referrals to the Scottish and UK Information Commissioners.
As well as UK data protection and privacy regulation, we advise clients on the regulation of data protection in the EU through our Irish-qualified lawyers with a Dublin base. This can be very useful for clients operating internationally, especially as EU and UK regulation increasingly diverge.
One of the least appreciated requirements of data protection law is the need to have local representatives. Most UK-based organisations that control or process data, and that offer goods or services to citizens in the European Economic Area, need to have an EU Representative in place, whose main role is to communicate with the European supervisory authorities. (There are some exceptions, for example for public bodies.) Similarly, most non-UK-based organisations that offer goods or services to people in the UK need to have a UK Representative.
We offer both services at a fixed fee.
Our expertise includes:
- Advising on personal data collection, use and deletion, including policies and procedures
- Data sharing and international transfer advice
- Digital marketing compliance advice
- Supporting clients on responding to subject access requests and other exercises of individuals’ rights
- Advising on responding to complaints and claims under data protection legislation
- Responding to data breaches and cyber security incidents that clients suffer
- Supporting clients facing investigations and sanctions by regulatory authorities including the UK Information Commissioner (for data protection and freedom of information) and the Scottish Information Commissioner
- EU and UK Representative service
Penalties for non-compliance
The UK’s data protection regime is enforced by the Information Commissioner’s Office (ICO). It takes a ‘risk-based approach’ to this: it focuses on cases involving reckless or deliberate harms, and tries to balance the need to protect people’s data with the need for businesses to operate efficiently.
Fines are one of the responses available to it, and they fall into two tiers.
The higher tier is used for the most serious breaches of data protection principles, when an organisation has failed to uphold an individual’s rights or when it has transferred data to other countries. The maximum fine in this tier is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
The lower tier is used with less serious infringements – of the legislation’s administrative requirements, for example. It has a maximum fine of £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
The ICO can also issue warnings, ban an organisation from processing data (temporarily or permanently), order breaches to be rectified or data to be erased, and more. It will consider mitigating factors – if an organisation has made a genuine attempt to comply with the regulations, for example – before it decides what action to take and the amount of any fine. Once a fine has been ordered, the subject of it can make representations to the ICO, after which the amount may be reduced.
Very large fines levied by the ICO include £20 million on British Airways (nearly £190 million was originally imposed but this was reduced after BA made representations), £18.4 million on Marriott International Hotels (down from an initial £99 million), and £12.7 million on TikTok. Digital marketing is an area of particular focus for the ICO. Fines for breaches of digital marketing legislation were previously capped at £500,000; however, since the implementation of the Data (Use and Access) Act in June 2025 these fines can be up to £17.5 million or 4% of global annual turnover, whichever is higher.
Meet our key contacts
Joanna Boag-Thomson
Partner