data protection &
exploitation

What does every organisation in the world have in common? They all hold data. For some organisations, if they could not use their data, they would have no business. For many others, they are walking away from millions of pounds worth of opportunity merely because they are not alive to the possibilities of making data work for them.

At law:matix, we have substantial experience of data protection compliance, avoiding and managing data breaches and dealings with regulators.  We also have unparalleled experience of making data make money for our clients - from global brands to small start-ups. Whether your business is big or small, new or established, local or international – we would like to open your eyes to the data exploitation opportunities that you have not yet considered

Our data services include:

• UK GDPR, Data Protection Act 2018, PECR and Data (Use and Access) Act 2025. Compliance and advice on data protection legislation. learn more
  

• compliance audits to identify the areas that comply with new requirements and those that need change
  

• privacy notices / privacy policies. Preparing and advising on privacy notices and privacy policies and their incorporation

• consent and consent requests.  Advising on and drafting notices that comply with the latest legislation

• cookies.  Providing support for your cookie initiatives including drafting cookie notices and banners and advising on the use of cookies that do not require consent

• subject access advice and support, the application of exemptions and how to deal with subject access rights in disputes

• other data subject rights.  Advising on all other rights afforded to data subjects including data portability and the ‘right to be forgotten’ and how to comply

• privacy by design.  Providing guidance for the development of new systems and changes to existing systems

• children.  Advising on collection and handling of children's data, advising on age appropriate design of systems and use of tools such as parental gating

• data security and breach management and compliance with the reporting obligations

• data processors. Advising on effective provider selection and due diligence to comply with the law and commercial needs, the responsibilities imposed directly on chosen processors and preparing data processing agreements

• data transfers outside the UK. Advising on the adequacy requirement for data transfers and preparing suitable transfer documents

• data migration, data cleansing and enrichment arrangements

• commercial exploitation of data, devising and implementing strategies to facilitate multichannel cross-selling, up-selling and targeted marketing and to maximise cross group and international opportunities.

• policies and templates. Drafting / revising staff policies and templates to ensure consistent and compliant application of the law 

• Information Commissioner investigations. Advising on assessments, investigations and enforcement actions by the Information Commissioner

• data protection officer service.  Fulfilling your need for a data protection officer without the overhead of an in-house privacy resource

 
The UK GDPR, the Data Protection Act 2018 the Privacy and Electronic Communications Regulations (PECR) and the UK approved Standard Contractual Clauses are in full force and effect. The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and will have a phased implementation. 

The UK GDPR and Data Protection Act 2018 include reporting obligations, rules on transferring data outside of the UK / EEA, obligations to notify data breaches, tight consent requirements and, in some cases, a legal duty to appoint a data protection officer. We also have extensive rights for data subjects, direct obligations on data processors and penalties for breach of up to 4% of annual worldwide turnover and potential criminal liability for senior personnel.

The Privacy and Electronic Communications Regulations (PECR) set ta number of rules that supplement UK GDPR and the 2018 Act including for the use of cookies and direct marketing using electronic channels.

Over its implementation phases, the new Data (Use and Access) Act 2025 will amend some of the existing data protection legislation with a range of new measures which should make life a little easier for organisations.  The changes include: enabling some cookies to be placed without needing user consent; adding a new lawful basis for certain 'recognised' legitimate interests; giving statutory effect to some ICO guidance such as requiring organisations to carry out only 'reasonable and proportionate' searches when administering subject access requests; clarifying how personal data can be used for research purposes; and removing some restrictions on automated decision making

See also our training page for details of our data protection workshops, tuition, elearning and public speaking services.