Trethowans’ data protection team is working on a series of data protection Q&A articles which will cover the main concepts of data protection law and issues of interest to businesses. Here you will find the articles published so far.
Our data protection specialists
Louise Thompson has many years of experience in supporting clients from a wide range of industries in relation to their commercial and technology contracts and also advises on data protection law with particular focus on the data protection aspects of commercial agreements.
Sarah Wheadon is a regulatory solicitor and experienced advocate who helps clients navigate the regulatory law that impacts on business life including data protection, health and safety, trading standards and environmental law compliance.
Megan Richards is a paralegal in our Commercial/Tech and IP team with a strong background in supporting legal and operational teams within complex international environments.
Data Protection Guide for Organisations
- What is data protection law, why do we have it and why do we have to comply with it?
- What is personal data?
- What is special category/sensitive personal data?
- What is criminal offence personal data?
- What does “processing” of personal data mean?
- Does my organisation need a Data Protection Officer (DPO)?
- Does my organisation need to register with the ICO?
- Is my organisation a controller or a processor under data protection law?
- What does it mean if my organisation is a joint controller of personal data?
- Jargon explained: encryption, anonymisation and pseudonymisation
- For what purposes can my organisation collect, use and process personal data?
- On what basis can we process employee criminal conviction data?
- On what basis can we process special category personal data?
- What if we are processing personal data about children?
- What do we need to do a data protection impact assessment (DPIA)?
- What do we need to do a legitimate interests assessment (LIA)?
- What is a privacy notice and what should it include?
- Do we need to update our 2018 GDPR privacy notice?
- Should we have more than one privacy notice?
- What data protection considerations apply to our website?
- What are the Data Protection Principles and why do they matter?
- What rights does an individual have under data protection law?
- New complaints process required by the Data (Use and Access) Act
- Do I have to delete the personal data my organisation holds about an individual if they ask me to do so?
Subject Access Request (SAR) series
- What is a subject access request (SAR)?
- How long do we have to respond to a SAR?
- Can we clarify a SAR?
- What steps must we take to respond to a SAR?
- Do we have to provide all information requested in a SAR?
- Recent case on SARs: issues for organisations to consider
- When can we refuse a SAR?
- Can we ignore a SAR?
- Subject access request Q&A
- A Wake-Up Call for SAR Compliance
- When is a data subject access request abusive?
Cyber
- 2026 – the year to focus on supply chain cyber risk?
- Cyber threats continue to rise: why UK businesses must prioritise cyber resilience
- Help – there has been a cyber attack!
Enforcement
- ICO issue fine of £1.2m for UK GDPR failings
- Lessons from the ICO’s Capita enforcement action – what can we learn?


