Business Data Protection & GDPR Legal Advice

What is GDPR?

The GDPR (General Data Protection Regulation), which came into force in May 2018, creates new and higher standards of compliance than applied previously for organisations collecting and using customer data.

Whenever you collect and use identifiable personal data about customers (like name, email, address and preferences) you need to stay compliant with the law.

If you don’t comply, you can be fined by the regulator (the ICO)  – up to 20 million Euros, or 4% of your turnover. Or, even more worryingly, the ICO can issue a ‘Stop Now’ order, which prevents you from collecting or using personal data at all, either permanently or until you have complied with their requirements.

Data protection legal advice – How our lawyers can help

We understand that GDPR compliance can seem overwhelming – with all those new rules and ongoing processes to comply with. Every business is unique so a one-size approach doesn’t work for everybody. We will work with you speedily and affordably to understand what your business needs, provide data protection legal advice and agree on a pathway to compliance.

Our expert service includes:

  • Data protection advice on what GDPR means operationally for your organisation
  • A GDPR legal health audit for your business showing you what changes you need to make and giving you an action plan
  • Identifying whether you are a ‘Data Controller’ (who is in charge of deciding what data is to be collected, how it is to be collected, and the purposes for which it is to be used) or whether you are a ‘Data Processor’ (who analyses and processes the data on behalf of a Controller). Different obligations apply to each role
  • Helping you set up contracts between Data Processors and Data Controllers
  • Reviewing and drafting employment contracts and providing HR advice related to GDPR and data protection
  • Helping you prepare the policies you need for GDPR compliance (eg Data Protection Policy, Privacy Policy, Cookie Policy, Security Policy (designed to minimise breaches) and Retention Policy (designed to define for how long you retain data))
  • Data protection advice on handling Data Subject Access Requests (where individuals exercise their legal right to know or change the data you hold about them)
  • Advice on dealing with suspected breaches of GDPR by your organisation in a compliant way (you can make things much worse if you get this bit wrong)
  • Advice on how to gain compliant consent from customers to collect and use their data for purposes which are compliant with GDPR

Send us your enquiry and receive a free no-obligation 15 minute legal phone consultation with one of our expert GDPR lawyers.

LawBite's webinar: "GDPR One Year On: Continuing Compliance"

During the first nine months that the GDPR was in effect, the total penalties imposed under the statute added up to €55,955,871, according to a report published in late February by the European Data Protection Board. The ICO, the UK regulator, is applying far stricter enforcement when data protection breaches take place. Fines have already mounted to over £4.2m. Businesses must continue to actively remain GDPR compliant by reforming and improving their processes and policies if they want to protect themselves from investigation and enforcement action by the ICO. It's more important than ever to follow best practices around this issue to ensure you can avoid costly fines and bad publicity.
In this new webinar, our expert GDPR/Data Protection lawyer, Rachel Robinson, provides you with details on ongoing processing obligations under GDPR including:
    • A quick refresher background to the GDPR and the Data Protection Principles
    • What your organisation should be doing now and your ongoing obligations (i.e. data protection policy, data security policy, staff privacy notice, to name a few)
    • The tools you need to use to self-audit your practices
    • The recent ICO enforcement activity to keep you up-to-date and what to watch out for
    • What you need to do if a data breach has occurred

GDPR and Data Protection FAQs

Does GDPR apply to company data?

The GDPR applies to all organisations (which includes sole traders, charities, partnerships and limited companies) that have a branch in an EU member state. If the organisation is based outside the EU, it applies if that organisation either “processes” personal data in the European Union or has customers, employees, users etc. based in the EU. “Processing” covers data in transit, in storage, or otherwise.

What are the GDPR requirements?

GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.

The GDPR requires organisations who process personal information (known as “personal data”) relating to others to keep that data safe, and to only process the data if they have lawful grounds to do so.

Companies that collect data on citizens in European Union (EU) countries need to comply with strict rules around protecting customer data. The General Data Protection Regulation (GDPR) sets a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to maintain compliance.

In summary, the GDPR obliges organisations that process personal data to protect that personal data and only process it if they have lawful grounds to do so. This includes being transparent about what data is held, why, and what is done with it; only processing the data for the purpose for which it was collected; only processing (collecting) the minimal amount of data needed for the lawful processing; and making sure that the organisation has appropriate technical and organisational measures in place to protect it.

Is GDPR part of the Data Protection Act 2018?

The GDPR is an EU wide piece of legislation that (once passed by the EU institutions) directly applies and is enforceable at national level.  This means that the nation state (for example the UK) doesn’t need to introduce national legislation to bring the GDPR into force. This means that the rights protecting individuals which are set out in the GDPR (for example on subject access).

However, the UK (and other member states) have passed supplementary national legislation (such as the Data Protection Act 2018) to deal with national issues such as additional powers for the state or the regulator (ICO in the UK), as well as setting out the powers and responsibilities of the national regulator (such as the power to levy registration fees).

So the GDPR and the DPA 2018 effectively sit alongside each other.

How many individual rights are provided under GDPR?

GDPR provides 8 main rights for individuals and strengthens those that already exist under the current Data Protection Act.

Individuals have the right to know what organisations are doing with their personal information, who that information is shared with, how long it is stored for etc.  

They also have various rights of access to that information including:

  • Information
  • Access
  • Rectification
  • Erasure (‘Right to be Forgotten’)
  • Restriction of processing
  • Portability (in a format to enable transfer)
  • Object to processing
  • Automated decision making, including profiling.

How do I become GDPR compliant?

There is no “one-size fits all” answer, and each organisation has to not only process personal data lawfully etc but must also be accountable for the way that it processes data (for example by keeping records of actions and decisions taken etc). Organisations can demonstrate that they are compliant by complying with the 6 GDPR Principles, by being “transparent” with individuals (the data subjects) and being accountable for that compliance.

The GDPR imposes many different obligations on organisations, which include having to demonstrate compliance with the GDPR’s requirements, including:

  • establishing and maintaining a comprehensive data protection compliance program;
  • appointing individuals responsible for overall data protection matters (for example a Data Protection Officer);
  • rolling out policies and operations;
  • providing staff training on GDPR;
  • implementing appropriate technical and organisational measures (“TOMS”), for example carrying out Privacy Impact Assessments;
  • determining and documenting a lawful basis for each instance of processing personal data (including satisfying any additional requirements if processing Sensitive or Special Personal Data);
  • keeping records of data processing activities;
  • being transparent with Data Subjects by providing them with information about the processing that is taking place with their Personal Data (including Privacy Notices);
  • making sure that the rights of individuals are protected, for example by dealing with Subject Access Requests within the timescales set;
  • making sure that arrangements with joint controllers, data processors and international transfers of data comply with the minimum standards set out in the GDPR.

Supplementary legislation made alongside the GDPR (The Data Protection (Charges and Information) Regulations 2018) requires every organisation that processes personal information to pay a fee to the ICO (unless exempt). This fee is between £35 and £2,900 per year (depending on size and turnover). Details of organisations are published on a public register (see  Failure to do so may result in a fixed penalty, and the ICO has started to issue fines for non-payment of the fee to organisations across a range of sectors including business services, construction, finance, health and childcare.

What is the purpose of GDPR?

The purpose of the GDPR is to provide a set of standardised data protection laws across all the EU member countries. 

GDPR is trying to achieve protection for individuals’ personal information. It is also trying to achieve minimum standards of protection for that information across the European Union.  

This should make it easier for EU citizens to understand how their data is being used, and also to raise any complaints, even if they are not in the country where it is located.

What are the 6 Principles of GDPR?

The six principles governing the processing of personal data under Article 5(1) of the GDPR are:

1. Lawfulness, fairness, and transparency, which means that:

  • there must be a lawful basis to process personal data and 
  • that, among other things, organisations must be open with individuals about the data held by them and what processing is carried out.

2. Purpose limitation, which means that:

  • an organization should only collect personal data for specified, explicit, and legitimate purposes; and
  • should not process the personal data in a manner that is incompatible with those purposes, except under limited circumstances.

3. Data minimization, which means that personal data should be:

  • adequate;
  • relevant; and
  • limited to what is necessary for the purpose of processing.

4. Accuracy, which means that personal data must be:

  • accurate and kept up-to-date; and
  • corrected or deleted without delay when inaccurate.

5. Storage limitation, which requires that the organization keep personal data in identifiable form only for as long as necessary to fulfill the purposes the organization collected it for, subject to limited exceptions.

6. Integrity and confidentiality, which requires that the organization secure personal data by appropriate technical and organizational measures against unauthorized or unlawful processing, and against accidental loss, destruction, or damage.

Article 5 of the GDPR requires a data controller to both:

  • Comply with the six principles when processing personal data (Article 5(1), GDPR); and
  • Demonstrate compliance with all six of the principles (Article 5(2), GDPR).

How long can personal data be stored under GDPR?

Personal information should be kept for no longer than it is needed. Organisations will need to be able to justify why (and how) they hold personal data and for how long.

Ideally organisations will implement a Data Retention Policy which sets out standard retention periods where possible. If data can be anonymised, it might be acceptable to keep that data for longer than usually appropriate, but organisations should have carried out a data privacy impact assessment (a risk assessment) to assist them in reaching the decision to retain data for the relevant period and to document how the organisation reached that decision.

What is GDPR replacing?

In the UK, the GDPR replaced the Data Protection Act 1998.

Do I have to be GDPR compliant?

Yes.  All organisations (which includes sole traders, charities, partnerships and limited companies) who process personal data must comply. 

If processing personal data is not a “core” part of the business (integral to the business) and the activities do not create any risks for individuals’ personal data, then an organisation might be exempt from some of the GDPR obligations; this must be viewed on a case-by-case basis.

Need data protection and GDPR help?

Our friendly customer support team are here to help. Call us on 020 3808 8314 or submit your enquiry.

Free GDPR Checklist

How to remain GDPR compliant? The LawBite GDPR Checklist can help you identify if your business is GDPR ready, protect your clients' data, and avoid costly fines for non-compliance. Our free online GDPR checklist can help you secure your organisation, protect your customers’ data and avoid fines for non-compliance. You can also request a non-obligation free 15-minute consultation with our expert lawyers to evaluate your results and next steps.

Stay GDPR Compliant and download your free legal documents today

Find and create the documents for all your legal needs:

  • Terms and Conditions for Website Use
  • Privacy Policy for Website
  • Acceptable Use Policy for Website
  • Website Cookie Policy
  • GDPR Checklist

Try our Access Plan for free. You will benefit from all the features of our Access Plan for one week. It includes reduced rates for business legal advice, free lawyer consultations, full access to document management tools and 3 free business document template downloads of your choice. Start free trial now.


Why use LawBite for Data Protection Legal Advice?

We're GDPR experts - regulated and experienced UK Lawyers

LawBite’s regulated law firm working in conjunction with our platform

  • Rachel Robinson
  • Adrien Herbert
  • Andrew Smith
  • Lucy Du-Jones
  • Barbara Robinson
  • Elspeth Lowe


A very smooth and efficient process. Will definitely use your services again.

Sharon Dixon

"A wide range of expertise with advice provided in an easy to understand and efficient manner – a great business model which is invaluable to our Company. The GDPR service was brilliant."

Julie Bailey
IMG Artists

"I made the amendments that Louise suggested and I'm very happy with the changes. Your service is great and I will definitely be using you in the future."

Adelle Doughty

For some further reading from a selection of our GDPR articles

From Our Blog

GDPR: We are ready, are you?

Confused about GDPR? Wondering if it even applies to your business? What will the future of the ICO be? 

Read our latest blog posts on GDPR and Data Protection, featuring all the latest legal news, analysis and opinion from our expert lawyers. Learn more about what GDPR is and read practical tips on how you can protect your business.

Disclaimer: The content in these blog posts does not constitute legal advice.

If you need data protection legal advice, do not hesitate to contact us!

They are watching you; ICO sends data warning to small businesses…

One year on…Why GDPR non-compliance could cost you your business

Data Protection – What Have We Learned From 2018?

Brexit and GDPR – ICO Fines and Data Breaches

GDPR Compliance | How to Handle Your Customers’ Data

GDPR And Digital Marketing | Cyber Week 2018
