As the anniversary of the General Data Protection Regulation (GDPR) passed on 25 May 2019, it is opportune to reflect.  The aim of a Regulation, as opposed to a Directive, is to ensure greater harmony across the European Union, but one has to ask whether that has been achieved.  There are many areas where derogations are permitted at member state level, and this has given rise to wide variations across Europe.

Examples include special categories of personal data, with Spain requiring more than consent alone to process certain types of personal data, and a lower threshold for compulsory appointment of a Data Protection Officer in Germany.  Legislation is still awaited in some states.  There have also been wide variations in levels of data breach reporting with 442 in Belgium up to January 2019, compared with 21,000 in the Netherlands in 2018.

The recent case of Rudd v Bridle & Another [2019] EWHC 893 (QB) gave consideration to various issues in relation to a Subject Access Request under the Data Protection Act 1998, which may be equally applicable under GDPR, including an unsuccessful claim of legal professional privilege and what constitutes ‘personal data’.

In Dawson-Damer v Taylor Wessing [2019] EWHC 1258 (Ch), the latest decision in a case which has already been to the Court of Appeal, the High Court determined that solicitors must search 35 paper files on which the clients were trustees and disclose personal data to the beneficiaries.

The decision in Wm Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339, in which the supermarket employer was held vicariously liable for a data breach by a rogue employee which affected 100,000 other employees, is being appealed to the Supreme Court.

Firms with the Law Society’s Lexcel accreditation are now required to review their data protection compliance with specific attention to the appointment (or not) of a Data Protection Officer, record keeping and procedures for compliance.  We can assist with these.

As many have observed, a hard Brexit would force firms with European offices to review the basis upon which they transfer personal data from those offices to the UK.  On the face of it, this would not be a huge challenge, given that many such firms already have to address the point when transferring data to offices outside the EU.  A large proportion of these firms rely on the European Commission’s Standard Contractual Clauses.  However, as will have been seen by readers of our November 2018 issue, it is important to note that this is not a mere paper exercise: the £500,000 fine on Equifax was based in part on a failure to audit for compliance and inadequate safeguards and security requirements.

We have advised dozens of US law firms and many UK firms on data protection.  Links to many data protection resources can be found on

‹ Back to Publications