Data Protection (Mishcon Private)

GDPR and Data Protection

The landscape of data protection is increasingly important, to businesses and to individuals. Barely a week goes by without a data or privacy story leading the news. The General Data Protection Regulation (GDPR) is now in place, and both EU and non-EU entities must understand its implications and be ready to comply with the rules.

GDPR reaffirms and enhances, sometimes significantly, the rights of citizens and consumers to access their data electronically, to have it corrected or deleted and to scrutinise data processing. The potential penalties for non-compliance have also risen sharply, requiring proper judgement and design to be applied to data collection, and rapid notification if data is lost. But data is also a strategic issue – choosing what data to collect, how to use it, and how to protect it can bring great benefits; the value of a business can be greatly increased by good data practice.

We advise our clients on how best to achieve their strategic objectives whilst complying with an evolving regulatory regime. We can highlight gaps in compliance and explain how to implement the policies and procedures needed, as well as dealing with any incidents that may occur.

Our group comprises data protection experts as well as non-lawyer cyber security specialists, allowing us to give the full spectrum of advice. The GDPR regime means both process and technology changes, and we can guide our clients through them, from initial data audit and ongoing compliance to industry-standard benchmarking techniques. We also offer a Virtual DPO service for organisations that are required to appoint a Data Protection Officer but may not have the capability in-house.

Our approach

Each data protection strategy will be unique to the given business or personal situation. The first step is a conversation with our team who will map out the best solution. Depending on the outcome of this assessment and the maturity of existing measures, we will recommend a combination of the following:

A process to explore and document the flow of personal data through the organisation, capturing how, where and why data flows from team to team and system to system.

A series of document reviews and interviews with key staff will be undertaken so that we can detail any operational, cyber or legal gaps in GDPR compliance with respect to policies, procedures and day-to-day operations.

Based on what is learned from the Data Mapping and Analysis activities, a review is undertaken to identify and document gaps in compliance. Gaps are reviewed to identify any trends or commonalities with regard to remediation, and remedial actions are selected so that they fit into the organisational structure of the business.



  • Advising on GDPR compliance, including:
    • Policy review, gap analysis and data protection strategy
    • Preparing Data Protection Impact Assessments (DPIAs) and Privacy Impact Assessments (PIAs), data protection policies and data processing agreements
    • Review of cyber security processes and controls to protect data
    • Data breach procedures
    • Subject access request procedures and handling requests, responses, complaints and enforcement
    • Data portability procedures
    • Advising on direct marketing and compliance with privacy regulation
  • Multi-disciplinary approach to cyber security and data breaches
  • Managing claims before the Courts in relation to data protection, data theft and privacy issues, and investigations by the Information Commissioner's Office
  • Advising on issues of data protection and privacy in relation to reputation management


  • Advising a major property developer on data protection aspects of loyalty cards and mobile tracing techniques
  • Advising a leading charity in relation to an Information Commissioner investigation into charity practices concerned with cold calling and data list selling
  • Representing a major online gaming business on its multijurisdictional data protection compliance obligations and its handling of personal data in the context of the Data Protection Act, gambling regulation and historic player terms, and under GDPR, as well as on its direct marketing practices and plans
  • Acting for a medical publisher on its ability to use sensitive personal data and anonymised and aggregated data under licence from a public sector data provider
  • Advising a provider of a communications platform in a regulated sector on its GDPR compliance, and that of its market competitors
  • Advising clients on European data protection and electronic marketing strategies, working with a network of lawyers in other countries to provide EU-wide advice
  • Assisting clients in their dealings with the Information Commissioner's Office in connection with potential enforcement action, and in handling subject access requests and refusals to supply personal data, by or to our clients
  • Acting for individuals in bringing court proceedings against governmental bodies, banks and other organisations
  • Representing businesses and not-for-profits on handling subject requests

