Our focus is you

Our lawyers

  • Work with clients to ensure compliance with relevant UK data protection law. The amount of work required depends on a variety of factors such as how data rich a business you are and how compliant you already are with the UK (and, if applicable, European) data protection laws.
  • Support businesses in the event of a data breach or when faced with data breach damages claims from individuals.
  • Help public bodies and businesses when faced with, or wanting to make, an information request, and with the contractual obligations surrounding this.

We provide advice on contentious and non-contentious matters, including:

  • Data audits – helping you understand the flows of data into and out of your organisation, enabling you to focus on areas of highest risk
  • Designing your processes for compliance including drafting of notices and policies, conducting impact assessments and appointing DPOs
  • Reviewing internal and external policies and procedures, including privacy policies, data breach response plans, data retention policies, data protection strategies, and binding corporate rules and helping you update these in line with the data protection legislation
  • Reviewing and updating data protection clauses in your contracts with third parties (including contracts which you have in place with your suppliers and customers, as well as your employment contracts), including compliant data processing provisions and, where necessary, international data transfer agreements / Standard Contractual Clauses, for dealing with international data transfer arrangements
  • Supporting your DPO if you fall within the requirements under the data protection legislation to appoint one
  • Assisting in dealing with data subject access requests, including drafting responses, dealing with data redaction, extraction or provision exercises and communications with the ICO
  • Privacy advice and statements – ensuring your staff, customers, suppliers and other stakeholders understand how you use their data
  • In-house training for your managers and key staff – delivering UK GDPR know-how in an accessible and practical way
  • Data protection consultancy services – ensuring your DPO or others within your organisation can get guidance from our team on areas specifically relevant to them
  • Advice on how to manage data breaches – enabling you to respond quickly and effectively to the ICO when a breach occurs
  • Defending compensation actions brought by individuals claiming they have suffered harm and/or financial loss as a result of your processing of their data

Your key questions answered

Does GDPR/UK GDPR apply to my business?

If you handle personal data (information that relates to a living identified or identifiable individual) then the way you and your employees handle that information is regulated by the data protection legislation.

You’ll be required to comply with UK GDPR for example if you:

  • Keep or use personal data about your stakeholders, whether that is your customers, staff, suppliers or other individuals
  • Have a website that collects personal data (e.g. via cookies, an enquiry form or subscribing to newsletters)
  • Transfer personal data from the UK (or EU, if based there) to countries other than the UK or EU – whether that is other companies within your group, or other customers or suppliers overseas
  • Process personal data on behalf of another company

DMH Stallard assists businesses in the assessment of whether information they hold is personal data under UK GDPR. From a legal perspective, the question is not always clear cut. For example:

  • When assessing whether the information you hold about individual customers or clients is ‘personal’ remember that the data can include factors like IP address – it’s not limited to the more obvious identifiers like names and addresses
  • The information must ‘relate’ to a living individual so we must consider the content of the information, the purpose or purposes for which a business is processing it and the likely impact that processing will have on the individual

UK GDPR applies to data processing carried out by businesses which operate in the UK, as well as to companies outside the UK if they sell goods or provide services to, or otherwise process personal data about, individuals in the UK.

How do I stop data breaches?

You’re required by law to store and process personal data securely and to minimise the threat of personal data breaches. But irrespective of any legal obligation it makes commercial sense to implement data security measures across your organisation. When a breach occurs, there may be reputational damage as well as possible fines. Dealing with the fallout from an avoidable breach can also use up valuable staff resources. Some ways you can reduce the possibility of data breaches include:

  • Staff training on IT security and data protection rules
  • Protocols for data minimisation so that you don’t hold personal information for longer than legally required and reduce risk on the data you do hold
  • Ensuring access to information is carefully controlled so that, for example, certain categories of information are accessible only to staff above a certain seniority level
  • Implementation of clear desk policies so that personal information is not left exposed
  • Having clear rules about how staff handle information when they are working remotely
  • Introducing specific measures for highly sensitive information, including medical information or employment history
  • Practical measures like locking cabinets, ensuring windows and doors are secure and ensuring staff use strong passwords and that adequate firewalls and anti-virus software are in place

Do I always need consent to use personal information?

The data protection legislation is complex and in our experience there are a lot of misconceptions about the rules around UK GDPR compliance. A common misunderstanding is that to use someone’s personal information you always need their consent. This isn’t the case. The legislation sets out what are known as ‘lawful bases’ for processing data. Consent is one of six lawful bases. Other lawful reasons for processing data include where you need to process the information to fulfil a contract with the individual (for example to supply goods or services) or where you need to process the information to comply with a legal obligation.

Consent, however, is very commonly required. For example, you will need an individual’s agreement to use personal information when you want to use it in an intrusive way and for many types of marketing calls and messages. The ICO has issued multi-million pound fines against companies responsible for nuisance calls, texts and emails (that is, ones made without the consent of the recipient) since April 2022.

Do I need to report every breach of personal data?

The ICO describes a personal data breach as a ‘breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. It’s important to note then that not every breach of personal data needs to be reported to the ICO.

When a breach occurs it’s for the business to make an assessment as to whether the breach is reportable or not. At DMH Stallard we assist businesses in this kind of situation, providing proportionate and pragmatic guidance on how to handle the breach.

The key consideration is the likelihood and severity of the risk to people’s rights and freedoms following the breach. If it’s likely there will be a risk, then you must report the breach to the ICO. If there is no likelihood of risk to the individuals’ rights then instead of reporting the matter, internal measures such as logging the breach and strengthening procedures in response may be more appropriate.

Does your business need a data protection policy? What should it cover?

UK GDPR doesn’t oblige companies to have a formal data protection policy but in our experience most businesses appreciate the need to develop a data protection policy that’s comprehensive, easily accessible and regularly reviewed.

It’s important that any policy is tailored to the needs of the particular business. Data protection obligations will always vary from company to company depending on the nature of the business and the kind of information that’s being processed. Common provisions in a data protection policy include:

  • Categorisation of the data processed and controlled by the company
  • Details of the perceived risk to data posed by the company and its activities
  • Identification of staff responsible for data protection and their contact information, including the Data Protection Officer(s) (DPO) and an explanation of roles and responsibilities of those handling data
  • A list of data protection measures that are in place
  • Data storage and back up procedures
  • Details of how the company will lawfully process data (using one of the six bases contained in UK GDPR like consent)

To be clear, a data protection policy is not the same as a Privacy Notice – the latter is mandatory as you must inform data subjects about your use of their personal data.

What happens if your business breaches data protection law?

A lot of the publicity around UK GDPR is about the enormous fines that can be imposed on businesses that breach the rules. But the potential for fines isn’t the only repercussion of a business breaching data protection law. We’ve seen in cases involving internationally renowned brands the reputational damage that can be caused by data breaches of any significance. In addition, individuals affected by the data breach can instigate proceedings against the business and obtain large compensation awards for financial loss as well as for the distress and harm they have suffered.

Tim Ashdown

Recent work

Long-term commercial, IP, IT and data protection advice

We have worked with our client for over 16 years acting as an outsourced in-house legal function for all business and day to day legal matters, supporting on all commercial, employment issues and property matters. Our ongoing legal support helps to minimise risks across the business.

Providing complete data protection service to global brand in the technology market

Advising on data protection matters, data processing agreements, privacy notices and policies and part-processing / data sharing arrangements for controller processing with third party suppliers, including data processing arrangements to potential providers of marketing services in the USA and international data transfer arrangements (including standard contractual clauses).

Advising a communications specialist in the travel sector

Advising in connection with data protection matters and continued compliance issues with GDPRs and revised data protection laws. Advising on data processing agreements, carrying out legitimate interest assessments, privacy policy and updates to notices and other documentation for compliance with GDPRs. Including complex issues relating to data protection transfers outside of the EEA, and implementing group data sharing agreements and US-based data processing contracts with hosting providers.

Supporting in house lawyers on all data protection issues in the finance sector

Advising on the operation and activities connected to the database of the company in administration, advising on data protection implications, data transfer arrangements and processing requirements. Drafting appropriate data processing agreement to cover all aspects of data sharing activities, including complex charging structure and customer journey arrangements to mirror data flows.

Providing streamlined data protection support to innovative technology company

Advising on data protection matters, regulatory compliance and drafting suite of data protection documents including general Privacy Policy, Cookies Policy, Data Handling Policy, Employee Data Protection Policy, Data Protection Impact Assessments, Legitimate Interests Assessments, Subject Access Request Process, intra-company Data Sharing Agreement and Data Retention Policy.

Advising a global business on data flows and risk

Mapped out data flows, including the service provision, data access and sharing points and where data transfers were made. We re-drafted the Data Processing Agreements and incorporated template Standard Contractual Clauses for EU GDPR transfers and UK International Data Transfer Agreement / Addendum, for use within the business, dependent on where client data is sourced from and where it would be shared. DMHS to provide.

Providing data protection advice for a global luxury brand

Advising on data protection matters, regulatory compliance and drafting suite of data protection documents including general Privacy Policy, Cookies Policy, Data Handling Policy, Employee Data Protection Policy, Data Protection Impact Assessments, Legitimate Interests Assessments, Subject Access Request Process and Data Retention Policy.

Intellectual Property

Advising digital costume design company on licensing and other rights

We act for a fast-growing digital design company that provides digital services to major film productions. Recent work for this client includes advising on Non-Fungible Token (NFT) Intellectual Property rights, preparation of standard terms and conditions to deal with data protection and intellectual property. We also advised on privacy notices, website terms and conditions, and data protection policies for the business. We worked closely with the company on the terms of a contract with a Hollywood film production.

IT services contract

Negotiating and finalising an IT managed services contract for a charitable body, including advice on data protection issues.

Web shop terms and data processing

Advising a plumbing fixtures manufacturer on an agreement with an Instagram influencer and their web shop terms, as well as the provision of advice relating to data processing.
