Data Protection and Information

We specialise in data protection and information law. Typically, we work with clients to design and implement GDPR compliance policies and privacy measures, together with documentation and training on these; design data protection impact assessment procedures; write compliant and clear privacy notices and policies; respond to data breaches (liaising with cyber security specialists); notify and engage with the ICO; prepare communications to data subjects; and handle media interest.

We represent data controllers who are facing monetary penalty notices and other sanctions by the ICO, and on appeals to the First-tier Tribunal.

We also advise and represent clients on all aspects of FOIA; Environmental Information Regulations; HRA; confidentiality; official secrets; Investigatory Powers Act; Computer Misuse Act and the Network and Information Systems (NIS) Directive.

Clients include central government departments and agencies; healthcare providers (primary and secondary); local authorities; financial services providers; security and defence sector; law firms, architects and accountancy practices; charities; utilities and passenger transport operators.

Our approach, always informed by a deep understanding of the law, is pragmatic, risk-based, and commercially astute.

We focus on:

  • Training companies on preventing data breaches
  • Minimising the risks of those breaches
  • Representing data controllers and reducing the penalties and sanctions


We advise on:

  • Designing and implementing privacy policies and measures
  • Data breaches and engaging with the ICO
  • Penalty notices and sanctions faced by data controllers

Key Contacts

Tim Heywood
Rebecca Kelly
Carl Atkinson
Nick Hawkins
Natalie Griffiths
Sarah Purcell
Carol Copland
