Ethical data protection practices are essential for business, both for maintenance of customer goodwill and for legal risk management.

With the potential for substantial fines for non-compliance, data protection is no longer an issue only for IT, sales and marketing departments, but is on the agenda for every board of directors.

We have substantial experience of advising a range of clients on data protection, privacy and cyber issues including innovative fintech and adtech companies, financial and professional services firms including UK and US law firms, and multinational businesses in the UK, as well as international organisations.

We provide clear, commercial pragmatic advice on compliance with the General Data Protection Regulation (GDPR) and with a rapidly evolving data privacy regulatory regime. We highlight where compliance steps are required, prepare policies and contractual arrangements and support our clients in dealing with data subject requests and complaints. We also provide risk management advice and support in the event of any incident occurring.

Data protection & privacy expertise

Data protection & privacy FAQs

Data controllers are generally required to register with the ICO in the UK, subject to a handful of limited exemptions. As most businesses will be acting as a data controller to one degree or another, the requirement to register applies to most businesses. There are three separate registration tiers (with different fees applicable in relation to each of these) which apply, depending on the number of employees and turnover of the controller. If you would like our assistance registering your company with the ICO, please contact us using the details provided above.

From a legal perspective, there are notification requirements set out under the GDPR which apply to certain types of breaches. You are required to notify the ICO within 72 hours of having become aware of a data breach, unless it is “unlikely to result in a risk” to the rights and freedoms of the individuals concerned. For higher risk breaches, the data subjects affected may also need to be notified “without undue delay”. We are experienced in advising when data breaches occur and are able to assist if a data breach takes place in your business.

The GDPR generally prohibits the transfer of personal data outside of the UK / EEA unless an appropriate transfer mechanism is in place. In terms of transferring data from a UK company to its US parent, unless the US company has signed up to the UK-US Privacy Shield, the most appropriate mechanism will likely be for the parties to enter into a data transfer agreement incorporating standard contractual clauses. If you would like our assistance drafting such a data transfer agreement, please let us know.

The provider of the SaaS solution will be acting as your data processor. As a result, you will need to ensure that the subscription agreement relating to the service contains certain mandatory data processing provisions as set out under the GDPR. These terms will impose clear conditions on what the provider is permitted to do with the data it processes on your behalf. We regularly draft and review data processing provisions and would be happy to provide you with tailored advice if required.

"Fox Williams has a broad team which is very knowledgeable and pragmatic in its approach."

Chambers UK 2024

"The team at Fox Williams are professional, friendly, and exceptionally knowledgeable. They collaborate well and offer a fantastic level of service to clients."

Legal 500 2024



Portfolio Close
Portfolio list
Title CV Email

Remove All