
Data Protection & Freedom of Information


The EU data protection landscape is shifting with a radical new regulatory framework on the horizon. Our 'extensive team' has the data protection expertise to handle the very largest and most complex local and multi-jurisdictional matters.

Our team is composed of experts in data protection and security, data loss and information management and can draw on our extensive experience in order to provide practical solutions for your business. We also advise clients on the risks and opportunities presented by freedom of information legislation and the strategic use of subject access requests.

What sets us apart is our specialist data protection sector expertise, particularly in highly regulated sectors like technology, media and communications, energy and utilities, healthcare and financial services.  

We are at the forefront of thought leadership and policy change in relation to GDPR. We have advised clients extensively on its implementation and have supported them in their lobbying activities in Europe and the US, responded to the Ministry of Justice call for evidence and provided guides, updates and training on the proposals every step of the way.

Our team provides counsel across a wide range of areas including data protection registration and policy development, data security and mobile device encryption, data transfer procedures using model clauses and binding corporate rules, freedom of information requests, data subject access requests and resolving data protection issues arising from outsourcing projects. 

We also advise various insurers and insureds in relation to cyber-attacks, systems failures and security breaches, through the CMS Cyber Network, covering over 40 countries.

The core data protection team is able to draw on the expertise of other practice areas across CMS such as employment, financial services and litigation.

Law-Now: Data Protection & Freedom of Information
Visit Law-Now for legal know-how and commentary


GDPR Enforcement Tracker Report

When the GDPR was already in force, but not yet applicable (and not a single fine had been imposed yet), much attention was paid to the formidable fine framework. For many company officers, this caused fear: if I violate the GDPR, I have one foot in jail (or at least my organisation has to pay EUR 20 million or 4% of its global annual turnover, calculated for the whole group, if the company is part of one).

We believe that facts are better than fear.

The continuously updated list of publicly known GDPR fines in the GDPR Enforcement Tracker is our 24/7 remedy against fear, while the annual Enforcement Tracker Report is our deep dive and permits more insights into the world of GDPR fines. We are pleased that our analysis for this second edition of the ET Report is based on a larger overall data set of more than 570 fine cases, 526 of which made it into the editorial team's worksheet.

More international
We are even more pleased that more international colleagues supported us this time and provided detailed input on enforcement practice, in particular for EU member states in the new member state interviews (Editor's note: the United Kingdom remains part of the Enforcement Tracker Report and the Enforcement Tracker as the UK General Data Protection Regulation ensures regulatory consistency regardless of Brexit).

Local law and practice matter
After almost three years of GDPR application, we are not the only ones to have learned one thing: despite the GDPR's full harmonisation approach, hardly any other area is shaped more by national laws and official practice than GDPR fines. This may be a reason why Spain still tops the list of countries with the most fines this year.

Executive Summary
As we are aware that privacy professionals are unlikely to have a peaceful job in these challenging times, the second edition kicks off with an executive summary for the quick reader (including overall takeaways, in addition to sector-specific observations). Having intentionally opted for an online-only publication, the ET Report's ExecSum is the only part that you can conveniently download (or even print out for bedtime reading without a digital device).

Numbers & figures and sector approach
We have put together an overall summary of the existing fines in the "Numbers and Figures" section, followed by tried-and-tested analysis for the following business sectors: Finance, insurance and consulting; Accommodation and hospitality; Health care; Industry and commerce; Real estate; Media, telecoms and broadcasting; Public sector and education; Transportation and energy; Individuals and private associations; plus the overarching category Employment.

Your takeaways
This in-depth analysis permits first conclusions to be drawn as to which business sectors attracted particularly hefty fines. We also analysed the DPAs' reasonings for the fines. These aspects together allow us to provide you with key takeaways for each business sector. Apart from the lawfulness of each data processing operation, bolstering data security should remain in the spotlight for every organisation. There are already relevant indications in terms of data protection litigation – in particular, data subjects' claims for material or immaterial damages under Art. 82 of the GDPR are on the rise. This trend is unlikely to stop, being in particular supported by collective redress mechanisms and legal tech offerings that are already increasing the risks of and resources needed for data protection claims management.

Methodology
We do not resort to witchcraft nor do we have preferential access to GDPR fine information (at least in most cases, but we are still working on that…) when working in the Enforcement Tracker engine room and preparing the Enforcement Tracker Report. In addition to our necessary focus on publicly available fines, there are some other inherent limits to the data behind this whole exercise. For the "small print", please see our more detailed remarks on methodology. On a more general level, although we have done our best to break down a complex topic into neat pieces, we have resisted the temptation to follow SEO recommendations for the whole content package and would ask you to consider it a "long read" format if you decide to read it in full.

What's next?
The Enforcement Tracker Report and the Enforcement Tracker are a work in progress. We highly appreciate any form of feedback (preferably constructive…) and would like to thank everybody who has reached out over the last year. We received interesting ideas, information about forgotten fines (hidden deeply in remote corners of a supposedly completely captured world) and recommendations for additional features (our bucket list is growing steadily), as well as relevant contributions from stakeholders outside the EU – demonstrating that the data protection landscape is evolving rapidly on a global scale and interfaces between national/regional concepts are developing even in the absence of a global data protection law. We have engaged with peers from the legal profession, privacy professionals with a more advanced tech background as well as researchers from various disciplines. We strongly encourage you to continue engaging with us. And we apologise in advance if our feedback may take some time; the data protection world is not a quiet one right now.

Stay safe – and keep on fighting, Christian Runte, Michael Kamps, editors and the enforcement tracking and reporting team

HR data protection issues - keeping on top of compliance
This session looks at key data protection issues that businesses need to consider in relation to their employees and wider workforce. In the last year health and safety has taken priority as workplaces...
Universal, humanistic: adtech
During a speech at this year’s virtual Computers, Privacy and Data Protection (CPDP) Conference in Brussels, Tim Cook (CEO of Apple) urged online attendees to “… send a universal, humanistic response...
The data security perils of working from home (video)
Whilst some businesses are now in the process of re-opening offices and premises to staff and customers, for many of us there is still likely to be an extended period of working from home. As they adjust...
Data protection and cybersecurity laws in the United Kingdom
Data protection 1. Local data protection laws and scope The Data Protection Act 2018 (“DPA”) covers general processing of personal data in the UK. The DPA supplemented the EU General Data Protection...
Privilege: What you need to know
The last couple of years have seen some important developments in English case law in the area of legal professional privilege, from the Court of Appeal overturning a restrictive interpretation of litigation...
The data security perils of home working
Whilst some businesses are now in the process of re-opening offices and premises to staff and customers, for many of us there is still likely to be an extended period of working from home. As they adjust...
Risk Essentials Breakfast: What do you want from me? Understanding risks...
Directors don’t always receive formal training on their legal duties, yet the risks of getting it wrong are considerable. Directors may find themselves responsible for aspects of a company’s operations...
Risk Essentials Breakfast: U Turn Ahead? Subject to Contract, Heads of...
Contractual certainty is fundamental to avoiding disputes down the line and disposing of them quickly and cost effectively when they do arise – but although it’s a basic requirement, it’s not as...
Risk Essentials Breakfast: Don’t be the weakest link: Managing data and...
With the average UK business suffering some form of online attack every two minutes, this session will assess the scope of the risk, its legal implications and how you can protect your business. We will...
GDPR: Are you ready?
Data protection is now taking centre stage, as the coming into force of the General Data Protection Regulation (GDPR) across the EU from May next year fast approaches. The GDPR will have a significant...
Spotlight Series: Subject access requests in the employment context (Aberdeen)
The rules on Subject Access Requests are changing, and the penalties for getting it wrong will increase significantly. This is against a trend of increasing use of the request procedure. In this session...