GDPR compliance, data protection, cybersecurity, IT contracts and technology law.
European law firm with technology and data protection expertise
GDPR applies to any organisation that processes personal data of EU residents, regardless of where the organisation is based. A data protection lawyer can advise on compliance.
Fines can reach €20 million or 4% of global annual turnover (whichever is higher). A data protection lawyer can help implement compliant processes to minimise risk.
Browse our verified directory of law firms across the United Kingdom's major cities. All listed firms offer English-language legal services to expats and foreign nationals.
Following Brexit, the UK retained a domestic version of the GDPR (the UK GDPR, incorporated into UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection Act 2018). The Data Protection Act 2018 (DPA 2018) supplements the UK GDPR and applies national exceptions.

The Information Commissioner's Office (ICO) is the supervisory authority. It can impose fines of up to the higher of £17.5 million or 4% of global annual turnover (for Tier 1 violations), or the higher of £8.7 million or 2% (Tier 2). These are the post-Brexit equivalents of the EU GDPR €20m/€10m thresholds, recalculated in sterling.
| Organisation | Fine | Year | Breach Type |
|---|---|---|---|
| British Airways | £20,000,000 | 2020 | Cyberattack; 400,000 customers' data; inadequate security measures |
| Marriott International | £18,400,000 | 2020 | Starwood Hotels acquisition; undetected breach; 339 million guest records |
| TikTok (UK) | £12,700,000 | 2023 | Children's data; 1.4m UK under-13s; unlawful processing without parental consent |
| Clearview AI | £7,500,000 | 2022 | Facial recognition; UK residents' images; no legal basis (ICO enforcement notice + fine) |
| Easylife Group | £1,350,000 | 2022 | Health inferences from purchase data; direct marketing without consent |
| DSG Retail (Currys) | £500,000 | 2020 | Point of sale cyberattack; 14 million customer records |
Fines imposed from January 2021 are under the DPA 2018 / UK GDPR. Earlier decisions were made under the Data Protection Act 1998.
| Area | UK GDPR / DPA 2018 | EU GDPR |
|---|---|---|
| Age of consent for online services | 13 (DPA 2018 s.9; UK GDPR Art. 8) | 16 (Member States may lower to 13) |
| Max fine | £17.5m / 4% global turnover | €20m / 4% global turnover |
| Adequacy decisions | UK makes own adequacy decisions; EU has granted UK adequacy (reviewed periodically) | EU Commission makes decisions |
| SCCs / transfer mechanism | International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs | EU Standard Contractual Clauses (SCCs, 2021) |
| DPO requirement | Same as EU GDPR (public bodies, large-scale processing, special category data) | Same thresholds |
| Recognised Legitimate Interests Assessment (LIA) | Three-part test; no explicit right to object to LI processing via DPA 2018 s.13A | Three-part test; Art. 21 right to object |
Law enforcement processing is governed by DPA 2018 Part 3 (implementing the Law Enforcement Directive 2016/680 into domestic law). Intelligence services processing is governed by DPA 2018 Part 4.

Employment records: DPA 2018 Schedule 2 para 4. Consent is rarely a valid lawful basis for employee data given the power imbalance; legitimate interests or legal obligation is usually more appropriate.

Subject Access Requests (SARs): one calendar month to respond, extendable by a further two months for complex or numerous requests; no fee for the first copy (UK GDPR Art. 15).

Data breach notification: to the ICO within 72 hours of becoming aware (UK GDPR Art. 33); to data subjects without undue delay if the breach is likely to result in a high risk to them (Art. 34).
A UK fashion retailer suffered a ransomware attack in which 450,000 customer email addresses, delivery addresses and hashed passwords were exfiltrated. The ICO investigated under UK GDPR Art. 32 (technical and organisational security measures) and found a failure to apply multi-factor authentication to admin systems, no penetration testing in three years, and no encryption of personal data at rest.

The ICO issued a Provisional Monetary Penalty Notice of £2.1 million. The retailer's DPO and external counsel filed representations, and the final penalty was reduced to £1.35 million, the ICO acknowledging prompt notification, full cooperation with the investigation, and post-incident remediation including ISO 27001 certification. The ICO also issued an enforcement notice requiring a third-party security audit.