Follow us


After months (and even years) of trepidation over the looming GDPR compliance deadline, the time has finally come.

The GDPR comes into force today and brings with it additional rights for individuals and additional obligations for organisations. It also extends its reach beyond European borders and applies not just to companies within the EEA but also to some organisations outside the EEA.

With the legislation now in force, all eyes will turn towards the regulators to see how this piece of legislation will be enforced. We have already heard from the Information Commissioner in the UK that high fines can and will be levied on those that persistently, deliberately or negligently flout the law. And the ICO's specified areas of focus are reportedly cyber security, artificial intelligence and device tracking. But how this will all play out in practice remains to be seen.

For those of you still on the compliance journey, there is a wealth of information out there to assist you. In the run up to GDPR-Day, we launched our GDPR campaign to help our clients navigate the GDPR minefield. This campaign centres around our GDPR hub, accessible here, and has included a series of briefings and webinars that take a deeper dive into some of the key considerations in any compliance programme. Copies of the briefings are accessible by clicking on the links below:

If you haven't done so already, now is the time to assess your organisation's level of GDPR compliance and act accordingly. Consider your suite of privacy documentation, including privacy policies, data protection impact assessments, and other internal documentation. Put in place appropriate technical and organisational security measures to protect the data you hold and be prepared to act quickly in the event of a data breach. Know and understand the rights that individuals have with respect to the data you hold about them; and be able to respond to those rights should they be exercised. And importantly, make sure everyone within your organisation is aware of the data protection rules and how they impact employees on a day-to-day basis.

Additionally, the GDPR requires organisations to amend their commercial contracts to include GDPR standard contractual clauses, often involving a large task of amending and negotiating third party contracts (known as "re-papering"). Herbert Smith Freehills is uniquely placed to design and implement highly time-efficient, value for money GDPR re-papering projects due to our innovative and market-leading Alternative Legal Services (ALT) capability. You can explore our practical re-papering offering here.

No matter what stage your organisation is currently at in implementing its GDPR strategy, our cross-disciplinary Data Protection, Privacy and Cyber Security practice is able to offer pragmatic, market-leading, cost-efficient solutions to tackle data issues as and when they arise.

The GDPR hub

Key contacts

Miriam Everett photo

Miriam Everett

Partner, London

Miriam Everett
Nick Pantlin photo

Nick Pantlin

Partner, Head of TMT & Digital UK & Europe, London

Nick Pantlin
Christine Young photo

Christine Young

Partner, London

Christine Young
Andrew Moir photo

Andrew Moir

Partner, Intellectual Property and Global Head of Cyber & Data Security, London

Andrew Moir