As specialist legal advisers, our clients rely on our expertise to ensure that their businesses are (and remain) compliant under data protection legislation. At a European level, the most well-known piece of legislation is the General Data Protection Regulation. However, further international and national legislation applies and completes the data protection tapestry. National data protection authorities, created under GDPR, also have the authority to publish guidelines on their interpretation of the legislation – this matters, as they are partially responsible for enforcing compliance with legislation within their jurisdiction.

This article sets out the data protection trends we have identified over the last 12 months which we consider are set to continue to challenge our clients.

Compliant Data Protection Policies and Procedures

Under GDPR, businesses are required to provide individuals with certain information when they collect their data. This information should be set out in publically available policies and procedures. We assist businesses of all sizes, with all manner of data-handling practices, in establishing compliant and robust policies and procedures to establish the framework within which they control and process person data. Compliance is an ongoing obligation, and policies should be reviewed regularly and whenever practices evolve.

These documents also provide users with an insight into your business’s ethos and attitude towards data protection. User-friendly, compliant policies are another way of setting yourself apart from the competition.

Examples of key policies which businesses should be considering are privacy and data retention policies, data protection impact assessments and breach and escalation procedures.


The Information Commissioner’s Office delivered a surprise blow in the summer of 2019 by advising that website landing pages should only have ‘necessary’ cookies in operation. If you run ‘analytical’ or any ‘non-essential’ cookies, they must be deactivated unless and until the user provides positive consent, via a mechanism that the data subject controls. Furthermore, it is not sufficient to flag that you use cookies within your privacy policy, additional details need to be provided in respect of their function, duration, etc.

We can assist you by advising on cookie policies  and privacy by design concerns.


Human error is among the primary causes of data breaches. Whilst the risk is inevitable, it can be mitigated by training. With fines of up to €20million or 4% of annual worldwide turnover at risk, we advise all businesses to invest in adequately training their staff.

We are able to help you respond to the shifting regulatory landscape by providing training solutions, such as courses via Nubright, as well as advising on service-specific concerns.

Subject Access Requests (SAR)

Data subjects have extensive rights in respect of their personal data, for example the rights to rectification of the data a business holds about them, erasure of the data, and even to object to the processing of their personal data. However, the most mediatised and time consuming is the data subject’s right to access the details you hold about them – this is called a Subject Access Request.

The request can be written or oral and does not have to be in any particular form as long as it is clear that the individual is requesting their personal data. However, data protection legislation does dictate how you should respond to a SAR and this is where we can add value to your operations by facilitating and advising on this process.

Children’s Data

If your business is likely to process Children’s personal data (for example if you operate after-school services or an app that engages with children), it is essential that you incorporate data protection into your practices. Children have the same rights over their data as adults, but are considered as requiring particular protection when you collect or process their personal data.

The ICO has released its “Age Appropriate Design Code” setting out 15 standards for those designing, developing or providing online services with the intention of protecting the privacy of children. It has not yet been approved by parliament, but the recommendation appears to be that the providers of online services should start reviewing their practices. This is one to watch and to plan for.

We work with many family-focused businesses to help them to understand the nature and extent of their obligations when processing children’s personal data.