Data and Privacy | Fieldfisher
Data and Privacy

With a growing number of organisations handling ever-increasing volumes of data, privacy issues have never been more critical for business. Regulators are alive to the risks of data breaches, cyber-attacks and privacy infringements, while commercial operators realise the opportunities that securely managed data offers.

Our Data and Privacy team aligns itself across three broad practice pillars

We are experts in data governance, accountability and advisory work. 

We advise our clients on policies, procedures and practices to ensure their operational processes adhere to the data protection requirements outlined in the UK and EU GDPR. Taking into account regulatory guidance and fines together with any case law, we will provide you with a practical approach through which you can demonstrate your compliance to clients, customers, employees and regulators alike. With our extensive breadth and depth of knowledge across a multitude of sectors, we can offer examples of what is considered the benchmark level of compliance with best practice.

We offer a roadmap for your ongoing compliance journey, including: a selection of packages for data protection officer services; advice on international data transfers (including Standard Contractual Clauses, Transfer Impact Assessments and Binding Corporate Rules); and data record keeping requirements. We explain how best to manage the most difficult data protection issues your organisation faces.

Today, data is integral to every organisation, whether it be the collection and sharing of data, its use in activities like analytics, research or profiling, or how and where it is processed. Each of these exercises is underpinned by a commercial contract and/or data protection practice (such as DPIAs or data protection by design and by default). Working with some of the largest and most sophisticated technology companies in the world, our Data and Privacy team handles an enormous volume of work in this area.

This ranges from commercial contracts with customers and vendors through to reviewing new products, sales and marketing advice across all channels (e-mail, text, phone and post), as well as profiling and online advertising in the rapidly changing sphere of adtech. We have outstanding experience in helping businesses achieve their commercial and product-oriented goals in a way that provides effective protection for individuals’ data.

When an organisation suffers a personal data breach, the decision to notify or not is often finely balanced. Determining whether an incident merits notification often requires experienced input to consider the potential consequences of reporting and where to report, which may be across a multitude of jurisdictions. This is a process we are adept at handling and can assist you with. Furthermore, organisations sometimes grapple with parallel notification requirements under GDPR, NIS and the ePrivacy Directive, and we can support you in navigating the applicable regimes.

In addition, many organisations face increasing challenges through the so-called “weaponisation” of data subject rights, where individuals submit enormously time-consuming and expensive requests easily, and without cost. Our team has significant experience in advising organisations on both preparing for these risks and mitigating them before or as and when they arise.

Employee data subject access requests can be extremely complex and time and cost intensive. We can advise in relation to conducting appropriate searches and the use of appropriate technology, which, together with a culture of data minimisation, can help make the process more seamless. We have extensive experience in managing regulatory investigations within the UK and more widely: our links with regulators and understanding of their priorities help us advise our clients on the key issues in any investigation.

Notable deals and highlights

  • We successfully counselled multiple organisations through the process of multiple binding corporate rules applications - both pre- and post-GDPR, and across multiple different Member States as lead authority. 
  • Our team advised clients on post-GDPR regulatory investigations across a number of European Member States.
  • We managed large volume subject access requests (SARs or DSARs) for clients in the public and private sectors. 
  • We provided commercial contracting support to a wide range of leading, household brand clients in the run-up to GDPR, ensuring that their customer and vendor contracting templates were GDPR-compliant, and helping to push those contracts out and negotiate them through to completion successfully. This work was completed both within our team and also using our Condor solution for high volumes.
  • The team managed a large cyber security incident for a multinational business, which resulted in extensive review of potentially compromised data. We supported the client through its communications to the regulator, staff and affected data subjects.
  • We advised on privacy issues in the Internet of Things (IoT) for multiple clients including connected toys, vehicles and homes.
  • Our team provided data protection officer services for clients in the tech, pharma, retail and leisure industries.
  • We advised a media business on the compliant collection and monetisation of viewing information.
  • We advised various ad tech businesses on their compliance with e-privacy and GDPR consent requirements, and in connection with regulatory enquiries into online advertising practices.

AI Regulatory Guidebook - December 2023

In this guidebook, we provide an overview of the current positions of the national data protection authorities in the EU member states, Norway, Switzerland and the United Kingdom with respect to how personal data may be processed in the context of AI systems.

Fieldfisher Data Breach Manager

Fieldfisher's 24/7 Data Breach Manager service helps organisations manage their data breach compliance obligations by ensuring they have greater capacity to meet the 72-hour window mandated by the relevant supervisory authorities for the initial data breach assessment and reporting to regulators.
