What’s included?


Data Audit

  • Guidance on how to carry out a data audit
  • Provision of the documentation necessary for GDPR compliance
  • Assistance to identify what personal data you hold, where you hold it and why
  • Review of existing data protection processes and procedures
  • Reviewing and updating your consent mechanisms and the language used for the purposes of obtaining consent from data subjects

£650 plus VAT


Website Privacy Policy

  • A bespoke customer-facing website privacy notice that complies with the GDPR, notifying website visitors about how you collect, use and store personal data through the use of your website and to provide goods and/or services

£400 plus VAT

Privacy Policy (Internal; for employees, workers and contractors)

  • A tailored privacy notice for your employees, workers and contractors that complies with GDPR
  • To be used to notify employees, workers and contractors about the personal data that you hold, how they can expect their personal data to be used and for what purposes

£400 plus VAT

GDPR Third Party Questionnaire


  • Drafting of questionnaire to be completed before any contractors (i.e. ‘data controllers’) undertake work for your business (during which they will be involved in handling or processing of personal or commercially sensitive information on your behalf)
  • The purpose of the questionnaire is to allow your business to carry out a risk assessment to ensure that the processing does not constitute a potential breach of Article 28 of the GDPR

£500 plus VAT


GDPR Candidate Privacy Notice

  • A notice that complies with GDPR, for use with individuals applying for jobs or assignments with your business
  • It notifies prospective employees, workers and contractors about the personal data that the employer proposes to hold relating to them, how they can expect their personal data to be used and for what purposes

£400 plus VAT

Data Protection Policy

  • Drafting of a policy setting out the principles and legal conditions that organisations must satisfy when obtaining, handling, processing, transporting or storing personal data in the course of their operations and activities, including customer, supplier and employee data
  • This document not only demonstrates how the organisation processes personal data but also makes workers and contractors aware of their data protection obligations
  • Tailored to comply with GDPR

£500 plus VAT

Subject Access Request Procedure

  • Drafting of an internal facing document setting out the procedures when responding to requests from data subjects in respect of the rights that data subjects have under GDPR e.g. the right to access their personal data, have it erased, rectified etc.

£400 plus VAT

Website Terms of Use

  • Drafting of terms regarding access to and use of a website under English law, designed for publication on your website and containing provisions dealing with access to, and use of, your website(s)
  • Contains rules about how information may be used and about unacceptable user behaviour such as hacking, introducing viruses and uploading illegal or defamatory content
  • Suitable for use in conjunction with the cookies, website acceptable use and website privacy policies

£400 plus VAT

Website Acceptable Use Policy

  • A policy for publication on a website, stating the terms on which visitors are permitted to use the features of the site

£400 plus VAT


What is included in the price:

  • Initial telephone conversation
  • Email and telephone correspondence throughout the service
  • Expert review of existing policies and procedures
  • New GDPR compliant policies

What is excluded from the price:

Legal advice outside of the service requested


None anticipated

How long will it take?

We aim to have the relevant service completed within 48-72 hours of formal instruction. We will endeavour to meet any deadlines you have, and we ask that you inform us of any relevant timescales at the outset of our instruction so that we can endeavour to meet them.

What changes does GDPR bring about and why should I be concerned? 

The introduction of GDPR will change the dynamic of the data protection landscape, with the most important changes being:- 

  • Enhanced right of erasure: Data subjects will be able to request that their personal data is deleted where it is no longer necessary, the employer has no other ground for processing, the data subject objects to processing, or there are no compelling grounds that override their interest. However, in certain circumstances data subjects can be denied this right. In short, data controllers can deny requests if the data being processed is exercising the right of freedom of expression and information, or to comply with a legal obligation for the performance of a public interest task. At present, a data subject's right ‘to be forgotten’ can only be exercised where the personal data in question is causing unwarranted and substantial damage or distress. Under the GDPR, this threshold is not present. Data subjects also have a right of rectification.
  • Increased notice obligations: Data processors (e.g. employers) will need to review and update privacy notices so as to ensure that they meet the GDPR’s expanded definition of personal data, set out the personal data they hold relating to data subjects and explain how data subjects can expect their personal data to be used and for what purposes. Furthermore, the notice should explain to the data subject the lawful basis for collecting personal data, the period of time they intend to hold the data and provide details of the data subject’s right to complain to the Information Commissioner's Office (ICO) if they believe their data is being processed illegitimately.
  • Consent: GDPR revises the general consent definition to require a "freely given, specific, informed and unambiguous" indication of the data subject's wishes. Consent must be documented and therefore records kept so as to demonstrate when and how a data subject provided their consent. Data subjects will also be given continuous choice and control over how their data is used. Consent can no longer be assumed or obtained via pre-ticked boxes. Importantly, data subjects must be able to withdraw their consent as straightforwardly and conveniently as it was to give it, at any time. For that reason, organisations will need to review the way in which they have acquired consent. If existing consent has been established illegitimately and lacks the GDPR standard then organisations will need to refresh consent, for example by sending an email to active data subjects explaining that if they still wish to receive emails from the organisation they will need to give their consent again, with that email setting out specifically the purposes for which personal data will be used. Organisations would wish to avoid the tactics employed by both Honda and Flybe, who used historical data to distribute service messages to active and inactive users asking them to opt in. They were fined £83k in total by the ICO and serve as a useful reminder that organisations can still fall foul of data protection laws even where, as here, an attempt to act in accordance with data protection law ultimately resulted in them breaking it.
  • Subject Access Requests: The current fee of £10 will no longer be chargeable, and the current 40-day turnaround time is removed and replaced with an obligation to comply “without undue delay” and at the latest within one month of the request.
  • Data Breaches: Organisations must ensure they have the right procedure in place in regard to any data breach, whether potential or substantial, and the steps to take in order to remain compliant with GDPR. Under GDPR data breaches must be reported to the ICO within 72 hours of the breach. At present there is no express obligation to report breaches.
  • Giving more control to individuals: Organisations need to ensure all procedures are in agreement with those rights. For example, data subjects will have the right to obtain confirmation from the controller (organisation) as to whether or not personal data concerning them is being processed and for what purpose.
  • Increased non-compliance risk: All organisations who process personal data must comply with the GDPR before its introduction in May. Organisations who fail to make the requisite transition could face fines from regulators of up to €20m (£17.7m) or 4% of their global turnover for the most negligent of offenders. The current limit under the Data Protection Act 1998 is £500k. This increased risk can most clearly be seen by reference to a recent case involving TalkTalk. In 2016, TalkTalk received a record £400k fine for security failings which led to the theft of personal data of almost 157,000 customers. Under the GDPR this fine would have been an astonishing £72m, an 18,000% increase. Such stark figures serve as just one example of the need for businesses to get GDPR compliant sooner rather than later. A further point worth considering is the fact that the ICO is not government funded. As such, some commentators have suggested that as a result it has a greater incentive to fine the higher amounts where applicable, and ICO fines can be expected to become more regular from May 2018 onwards.

How do I comply with GDPR?

First and foremost, organisations need to identify the personal data they’re holding, where it came from and who they’re sharing it with. Organisations are required to maintain records of all processing activities and therefore it may be necessary to conduct an information audit. Furthermore, they will need to produce a data register to establish the names and contact details of every data controller and data subject.

Equally important, organisations must identify their lawful basis for processing the data. This should be done before the processing begins and must be documented. There are six lawful bases for processing data which include: consent, contract, legal obligation, vital interests, public task and legitimate interests. 

How can Attwells help?

Our GDPR expert Lloyd Clarke is experienced in advising businesses on data protection issues and has drafted many articles and delivered talks on both data protection generally and the implications of GDPR compliance. By May 2018 your organisation must be GDPR compliant and we can work with you to deliver the following:-

  • A compliance plan covering key steps, milestones, project plans, personnel and budgets.
  • A data audit of all the personal data your organisation currently holds so as to establish:-
    1. What data you have and what should be deleted
    2. Where you store it
    3. Why you have it
    4. How it is processed
    5. Who has access to it
    6. Ways to identify and report any breach
  • New GDPR compliant policies covering data breaches, privacy notices, response procedures for subject access requests, privacy standards and data protection. 
  • Other necessary GDPR documentation including data protection impact assessments, records of processing activities, job descriptions for Data Protection Officers, GDPR accountability questionnaires for senior management and GDPR checklists for employers. 
  • Assisting with responding to and managing subject access requests, requests for rectification of personal data held and the identification and reporting of data breaches to the ICO and responding to any enforcement action taken thereafter. 
  • Reviewing and updating your consent mechanisms and the language used for the purposes of obtaining consent from both data subjects and your employees, for instance by amending standard data processing consents given in existing contracts of employment.
  • Delivery of in-house training to all your staff so as to ensure that they are fully abreast of their obligations in ensuring your organisation meets the necessary GDPR requirements.

How much will I pay?

Attwells Solicitors will ask you for money on account in advance of work on each service beginning.

How to instruct Attwells Solicitors?

Instructing us is simple. You can either click on the instruct button below to register your interest or you can call your local office. We have offices in Ipswich, Colchester and London. When instructing us please inform us of the office you would like to use.
