Data Protection & Privacy

With data being an increasingly crucial asset of organisations, the management of risk in relation to personal data is a critical operational function for many businesses as well as non-profit organisations and schools.

The strength and depth of this team’s specialist knowledge in the field of data protection and privacy issues is of note outside London, with particular expertise in how this topic affects clients in the information technology sector, the financial technology market and also the independent education and healthcare sectors. In respect of this ever-changing legal topic, Shulmans’ support includes conducting risk assessment audits, advising on data breach management and reporting, compiling and implementing bespoke training programmes and drafting compliance documentation to reflect the latest legal and regulatory requirements.

A monumental shift has taken place in the rules governing the use of personal data and how all organisations handle information relating to individuals, whether it relates to customers, personnel, marketing contacts, contractors or suppliers. Whilst the new General Data Protection Regulation (GDPR) is now in effect, there is still plenty to do in order to meet the new requirements on an ongoing basis.

A growing proportion of the team’s work, together with the background experience of Emma Roe in dealing with international clients and work enquiries, means this team also has specific expertise in handling issues of international data transfers and work with a global dimension.  Instructions include work for international clients regarding the compliance of their intra-group data transfers and their registration with the Privacy Shield programme.  The team’s international expertise also extends the firm’s scope to handle global data transfers, outsourcing of information handling services and to coordinate client or customer-facing documentation.  It is important to ensure that all new data sharing or data processing arrangements meet the new GDPR standards and appropriate contracts are put in place.

Key developments in the use of subject access requests in parallel with employment claims have required specialist knowledge, working alongside employment colleagues, to ensure this type of data protection issue is handled in a strategic manner on behalf of clients as the case law continues to develop in this area.

Please click on the link to view a copy of our General Data Protection Regulation (GDPR) ‘Getting it right’ brochure.

Specific recent case study examples of the team’s data protection expertise include:

  • Advising on a complex subject access request from a former employee made in relation to employment proceedings. This involved liaising with employment colleagues to formulate a joined-up strategy to align the subject access process with the ongoing litigation and settlement discussions. We prepared an initial response to be provided at the same time as disclosure bundles, gave advice on the risks of delaying the complete response until a settlement meeting had taken place, and provided advice on data protection wording for inclusion in the settlement agreement. This type of subject access request alongside an employment claim is something we are increasingly seeing and is also an area of developing case law, so it can prove a difficult area for clients to navigate. As a result, it requires the advice of experienced lawyers able to advise tactically and in a practical context.
  • Advising on an MBO of a leading national direct sales and marketing business which sells household, personal care and gardening products via multiple channels, online and through its own magazines and inserts in national publications. Mark Lumley led the advice on complex due diligence on information management and data protection issues across approx. 10 brand titles and data sets. Advice involved addressing the gathering, storing, cleansing and management of data lists, personal information and PCI DSS information, as well as onward data and database management and the use of data within the business and with third parties. Our data protection expertise was key to our client because of the unusual level of complex streams of data (physical and digital), multiple sales channels and range of use of data.
  • Advising a payday lender owned by a US company on its compliance obligations relating to the transfer of data to the parent company’s systems in the US under Privacy Shield and in relation to its GDPR preparations. This included an initial data mapping and audit stage to help the client understand what data it holds and where, and was followed by policy drafting and implementation work. As a consumer-facing business handling significant amounts of personal data, much of which is sensitive or financial in nature, this global client recognises the importance of ensuring it takes data protection advice on changes to its activities and handling of that data. This area poses a major brand and reputational damage risk if not approached in a compliant yet pragmatic manner.
  • Advising an IT provider acting as a data processor on a data breach affecting multiple clients.  Whilst our client was not required to make a notification itself to the ICO, it was necessary for the client to gather a significant amount of information and liaise proactively with its customers in order to assist with their decision as to whether to notify.  We assisted our client with the wording and timing of general communications to its customer base and with more detailed discussions with specific clients.

Mark Lumley, a partner in the team, won ‘Data Protection Lawyer of the Year (UK)’ at the Finance Monthly FinTech Awards in 2017 and is also included in the 2018 winners’ edition.

You can read various articles published in the general and specialist media on the subject of data protection and privacy. 

Our team

Emma Roe


Commercial, IP & Regulatory

Direct Line +44 (0)113 288 2817

Mark Lumley


Commercial, IP & Regulatory

Direct Line +44 (0)113 297 7727

Helen Goldthorpe


Commercial, IP & Regulatory

Direct Line +44 (0)113 288 2829

Sarah Briscall


Commercial, IP & Regulatory

Direct Line +44 (0)113 831 3954