Data Protection & GDPR

We advise a multi-jurisdictional client base on UK, EU and US data governance and privacy laws including:

  • The EU and UK General Data Protection Regulation (“GDPR”)
  • e-Privacy Directive, Privacy and Electronic Communications Regulations (“PECR”)
  • Children’s Online Privacy Protection Act (“COPPA”)
  • Network and Information Systems Directive (“NIS Directive”)
  • Family Educational Rights and Privacy Act (“FERPA”)
  • California Consumer Privacy Act (CCPA)
  • The Health Insurance Portability and Accountability Act (“HIPPA”) 

Please click on the titles below to find out more about the data protection and privacy services we provide. 

Data Protection and GDPR


We provide a complete compliance support service to help organisations adapt to the GDPR:

  • Data protection framework
  • Policies and procedures 
  • Data flow audit
  • Gap analysis
  • Data protection impact assessments (DPIAs)
  • Bespoke transition services
Data privacy in M&A transactions

Whether acting as buyer or seller, companies should be aware of the sheer volume of personal data handled throughout an M&A transaction and the relevant data protection issues at each stage. Whether you are the buyer or seller, you are accountable for the data you share and receive during a transaction. We can assist you navigate the following stages:

  • Initial scoping of transaction
  • Data room considerations
  • Due diligence queries
  • NDA negotiations 
  • Releasing employee data 
  • Data transfers and notice on completion 
  • Post completion data protection matters
Cookie notices and collection

As a high-level reminder, EU law mandates that non-essential cookies are not to be dropped by a website operator until and unless a user consents to those cookies – meaning that having a banner merely informing visitors that they “agree to the use of cookies” is in violation of the law. Such was the case with Amazon’s banner, despite its use of tracking cookies (i.e., non-essential) cookies.

Moreover, transparency is required as to the use of cookies, and in both cases, the French DPA CNIL found violations as to transparency (or lack thereof) in addition to improper consent mechanisms and implementation

The ability to simply visit websites and observe a company’s practices is a low-cost and rapid way for authorities to select entities against which to launch full-scale investigations.

We can assist you review their website your cookie practices with care, ensuring that no non-essential or functional cookies are dropped prior to user consent, and that adequate information notices are provided in the form of banners and more detailed policies.

Although a proposal to update the ePrivacy Directive is in the pipeline, these CNIL decisions signal that control and sanction under the current ePrivacy Directive remain a real risk for organisations. Unburdened by the GDPR’s “one-stop-shop” mechanism, the ePrivacy Directive can provide greater territorial reach for national authorities that are willing to take on independent investigations and sanctions.

We can assist you audit and capture consent for cookies, tracking technologies, and marketing communications on web forms and mobile apps. Be transparent about online tracking and provide preference management for consumers to update consent over time.

The transition period for cookie compliance across European DPA has now come to an end.

EU–US GDPR Data Transfer Assessment and Action Plan

This service will help you remain compliant with the GDPR (General Data Protection Regulation) when transferring personal data outside of the European Union, following the Schrems II privacy ruling.

The penalty for non-compliance with Schrems II is immediate termination of access to data, not fines. 

  1. Do you or your suppliers transfer data between the EU and the US?
  2. Do you or your suppliers use services built by US-owned companies such as Microsoft, Salesforce or Facebook?
  3. Do you need help to make sure your data transfers are lawful?

Establish your level of compliance related to the location and lawfulness of your data processing.

Receive a practical, step-by-step action plan setting out what you need to do when transferring EU residents’ data to the US.

What the service includes

  • Our data privacy experts will conduct a detailed review of your records of processing, process maps and data flow maps to identify the processes that need to be addressed.
  • A customised set of questionnaires, relevant to your business will be sent to your suppliers to review their data processing arrangements.
  • The responses provided by your suppliers will be reviewed and assessed.
  • A gap analysis will be undertaken to identify any missing information.
  • We will review your suppliers’ privacy notices and other supporting information.

What you can expect

  • A clear, actionable report on the key findings and recommendations for EU–US data transfers, presented during a one-hour meeting.
  • Clear information about remaining GDPR compliant in relation to EU–US data transfers.
  • A practical action plan that sets out the steps to take to improve your level of compliance.
  • Optional support to implement your action plan. 
GDPR Contract and Legal services

Our specialist legal and privacy team will help you draft, review and update privacy notices, data protection policies, supplier contracts and international data transfer agreements.

  • Reviewing and updating data protection documentation and commercial agreements to align with the GDPR can be significant, time consuming and legally complex. 
  • Lead on queries and negotiations on data protection contract clauses with customers and suppliers.
  • Translate and merge multi-jurisdictional data processing requirements.

You may need to:

  • Increase the amount of information you need to include in your privacy notices. The notices must also be clear, concise, and intelligible.
  • Review and update your privacy, data retention and information security policies. In some cases, you may need to create new policies.
  • Update or include new data protection clauses in your contracts with suppliers, customers, and employees; and
  • Ensure where you transfer personal data outside the EEA, the appropriate legal provisions are in place, such as model contract clauses.
Privacy Product Counsel

The guidance of product counsel is critical for businesses bringing new technology products to market. Product counsel advice blends commercial contract, regulatory, privacy, intellectual property, and consumer protection practice areas. We work to understand your company’s products, priorities, plans, and process.

Through strategic advice we can review external communications about a product, help represent your company both externally and during regulatory engagements.

Common issues for product counsel often surround privacy regulation, contracts, intellectual property, and mergers and acquisitions. Here at illume we have a strong team with expertise in all these areas.

“Business as Usual” Privacy Advice

We can work with your company’s legal counsel, management, individual departments, and committees including providing advice on: 

  • Whistleblowing programmes
  • HR advice
  • New marketing initiatives
  • Legitimate re-purposing of current data sets
  • Conflict of interest policies
  • Diversity and inclusion programmes
  • Analysing the privacy landscape of new countries
  • Manage timely, appropriate, and professional responses to data subject rights requests and complaints.
  • Ensuring appropriate privacy/confidentiality consent, authorisation forms, privacy notices etc are maintained.
Online Consultancy

For those needing short, sharp bursts of expert consultancy support on specific issues. 

Bridge the skills gap

Our online consultancy service enables you to purchase consultancy support by the hour. Enabling you to receive the consultancy support you need quickly and cost-effectively.

Data Protection Impact Assessment (DPIA)

DPIAs (data protection impact assessments) under the GDPR (General Data Protection Regulation) are mandatory for any new personal data processing operations that are likely to result in a high risk to the rights and freedoms of individuals. Every time you embark on a new project that processes high risk & high volume personal data, you need to complete a full DPIA. They can be difficult and time consuming,

Our DPIA service provides a remote assessment of the data protection risks associated with a new or existing single data processing operation within your organisation and recommendations on the appropriate controls to mitigate these risks.

The DPIA service

Contract our DPIA service and we will conduct a remote assessment of the data protection risks present for a new or existing single data processing operation within your organisation.

The DPIA report will detail the data protection risks identified and prioritise them according to severity, include a statement of the likely impact on the rights of individuals should those risks occur, and recommend appropriate controls to mitigate the risks and reduce them to an acceptable level.

The report will be delivered within ten working days of completing the data-gathering phase of the DPIA.

GDPR DPO support service

A flexible, pay-as-you-go service for DPOs (data protection officers) needing complementary DPO support. Ideal for those who don’t want to commit to a monthly contract – simply prepay for the support hours you need. illume’ s DPO support service (GDPR) is ideal for existing DPOs who need additional support, resources or expertise. It offers a flexible and cost-effective service that draws upon our DPO expertise.

Support and expertise for DPOs

Many DPOs find it challenging to successfully meet their DPO responsibilities, particularly if fulfilling the role part-time or for a group of organisations.

We will:

  • Review and advise on policies, procedures and documentation relating to processing personal data – Article 39(1)(a).
  • Advise on the establishment and maintenance of the personal data processing register (the ‘Article 30 Record’) – Article 39(1)(a).
  • Provide guidance on data breach monitoring, management, and reporting – Article 39(1)(a).
  • Provide advice and guidance on responding to privacy rights requests from individuals (information, access, rectification, objection, erasure, right to data portability) – Article 38(4). The process management of privacy rights requests is not within the scope of the DPO service.
  • Advise on contacting data protection authorities for all data protection issues – Article 39(1)(d) and (e); and
  • Advise on monitoring compliance with the GDPR – Article 39(1)(b). Assist clients with information collection to identify personal data processing activities, verify GDPR compliance of the processing activities, and provide advice and guidance on compliance best practice.
GDPR Data Privacy Manager Service

A flexible data protection service for organisations that are not required to appoint a DPO (data protection officer) but want GDPR (General Data Protection Regulation) advisory support without committing to a monthly contract. Simply prepay for the support hours you need.

Data protection support with the GDPR

Compliance managers may find meeting their GDPR compliance responsibilities challenging, particularly if fulfilling the role part-time or working for a group of organisations.

The Data Privacy Manager Service (GDPR) is for GDPR compliance managers who want support or need extra data protection expertise. It is a flexible and cost-effective virtual service that allows you to draw upon our DPO expertise. Simply prepay a set number of hours and we’ll be available when you need us.

Prepaid support hours

The prepaid GDPR advisory support hours are available to purchase in blocks or as an annual subscription and are valid for 12 months.

We will be on hand to:

  • Review and advise on policies, procedures and documentation relating to the processing of personal data – Article 39(1)(a).
  • Advise on the establishment and maintenance of the personal data processing register (the “Article 30 Record”) – Article 39(1)(a).
  • Provide guidance on data breach monitoring, management and reporting – Article 39(1)(a);
  • Provide advice and guidance on responses to privacy rights requests from individuals (information, access, rectification, objection, erasure, right to data portability) – Article 38(4).
  • The process management of privacy rights requests is not within the scope of the DPO service.
  • Advise on contacting data protection authorities for all data protection issues – Article 39(1)(d) and (e); and
  • Advise on monitoring compliance with the GDPR – Article 39(1)(b). Assist clients with information collection to identify personal data processing activities; verify GDPR compliance of the processing activities; provide advice and guidance on compliance best practice.
GDPR data flow audit

Meet GDPR requirements by taking this essential first step in the compliance process.

Receive a thorough audit of your organisation’s personal data and a data flow map that will help you identify where data resides. This will enable you to implement measures to reduce your risk of an information security breach.

By conducting a data flow audit, you will be able to:

  • Gain visibility of your data flows.
  • Have better insights for developing effective strategies to protect personal data.
  • Improve efficiencies related to processes, systems, and controls.
  • Improve data lifecycle management.
  • Better classify your data.
  • Identify areas for contractual updates with third-party providers.
  • Reduce privacy-related risks and associated data breaches.

A data flow audit delivers the following:

  • A data inventory and data flow map of your company’s personal data, which will plot data in all of its forms, origins, paths, exit points and storage locations.
  • An indication of where personal data exists in your network infrastructure and devices, servers, endpoints and protocols, and all data exit points (including firewalls, printers, and endpoints where sensitive information can be copied to portable media).
GDPR Gap Analysis

Get a quick, professional assessment of what is required to achieve General Data Protection Regulation (GDPR) compliance with this in-person review of your privacy management and information security arrangements against the requirements of the Regulation. We will interview key managers and perform an analysis of your existing data protection and privacy arrangements and documentation.

Following this, you will receive a gap analysis report of the findings. The report outlines the areas of compliance and improvement, providing further recommendations for the proposed GDPR compliance project.

Understand your GDPR compliance requirements

Our data protection consultant will assess your organisation’s privacy management and data protection practices in  the following areas:

  1. Data protection governance – the extent to which data protection accountability, responsibility, policies and procedures, performance measurement controls, and reporting mechanisms to monitor compliance are in place and operating throughout your organisation.
  2. Risk management – your organisation’s arrangements for privacy risk management, the extent to which information-specific risks are incorporated into corporate risk management, and the extent to which risks to the rights and freedoms of data subjects are addressed.
  3. GDPR project resourcing – the extent to which your organisation has implemented and appropriately staffed, funded, and supported GDPR compliance programme.
  4. DPO (data protection officer) – whether your organisation is required to appoint a DPO, whether one has been appointed and, if so, whether they meet the Regulation’s requirements.
  5. Roles and responsibilities – the extent to which your organisation has defined and established appropriate roles and responsibilities and delivered appropriate training and awareness.
  6. Scope of compliance – whether your organisation has clearly defined the scope of its GDPR compliance, taking account of all data processing in which, it has a part, whether as data controller or processor, as well as any data sharing.
  7. Personal data processes – the extent to which each of the GDPR’s data processing principles are established for each process that involves personal data, whether a lawful basis for processing has been identified and documented for each, and whether a DPIA (data protection impact assessment) is mandatory under the Regulation.
  8. PIMS (personal information management system) – whether your organisation has implemented a PIMS that documents its GDPR compliance, and addresses staff training and awareness.
  9. ISMS (information security management system) – whether your organisation has implemented an ISMS to meet the GDPR’s requirements for “appropriate technical and organisational measures” in order to ensure the security of the personal data it processes.
  10. Rights of data subjects – the processes your organisation has implemented to facilitate and respond to data subjects exercising their rights under the GDPR.
GDPR Article 32 Technical and Organisational Measures Audit

Get independent, professional assurance that your data processing activities comply with Article 32 of the GDPR (General Data Protection Regulation) with this audit service, which provides an overview of your compliance levels against the required technical and organisational controls.

What you can expect

We will assess your organisation’s data protection practices focusing on the following:

  • Technical measures being applied.
  • Policies, processes, and procedures.
  • Staff training programme.
  • The application of privacy by design.

What the service includes

You will receive a detailed audit report providing an assurance rating for each area, in addition to an executive summary that can be provided to your board.

The report will explain areas of weakness and greatest risk and identify areas of good practice.

Prioritised recommendations will be highlighted to help you develop an action plan to address weaknesses and risk

Benefits of the GDPR Article 32 audit service

  • Meet your obligations to review and evaluate the effectiveness of your data processing activities.
  • Demonstrate accountability for the personal data you process.
  • Ensures your technical and organisational measures are fit for purpose.
  • Obtain an independent view of your systems and processes.
  • Build your defensive position in light of regulatory challenges.
Website & App Privacy Solutions

Global privacy laws like the CCPA and GDPR have created many challenges for organisations trying to manage privacy policies and disclosures throughout their digital channels. The complexity of managing policies across the range of regulations, geographical regions, languages, and digital platforms has become inefficient, unscalable for businesses of all sizes.

We can assist you your organisation identify web forms, policies and disclosures that exist across their digital properties and update and publish them within specific time periods to adhere to the range of global privacy regulations.   

Data Access Requests

Responding to privacy rights requests is a time-consuming process full of manual tasks, making it a challenge to respond to regulatory requirements and the need to detect exactly where personal data exists, in order to access, port, redact, delete it, or comply with CCPA opt-outs (if your business processes data belonging to Californian residents). 

As data models become more complex and individuals continue to exercise their data privacy rights, fulfilling these tasks manually is no longer a scalable solution for any organisation.

Regulatory authorities have come down hard on organisations that fail to fulfil data subjects’ rights, imposing nearly €16 million in related fines

Privacy Awareness Training

Build a privacy-first culture and comply with privacy law by training your employees across role-based training modules. Customised Privacy Training includes details of your company’s data privacy policies and requirements for teams who regularly handle data.