GDPR & Data Privacy


The General Data Protection Regulation (GDPR) came into effect on 25th May 2018, impacting every European resident as well as nearly every company and private sector entity in the UK and Europe. Due to the extraterritorial reach of the GDPR, non-EU based companies processing personal data of EU residents may also need to comply with this regulatory change.

We are data privacy experts, with years of experience providing support in a broad range of industries. Our Data Privacy team support our core industries of Life Sciences, Energy, Financial Services, Central Government, Telecommunications, Media and Technology.

We additionally specialise in the following sectors:

“At the centre of the GDPR is the concept of broader and deeper accountability for an organisation’s handling of personal data. The GDPR brings into UK law a trend that we’ve seen in other parts of the world – a demand that organisations understand, and mitigate – the risks that they create for others in exchange for using a person’s data. It’s about a framework that should be used to build a culture of privacy that pervades an entire organisation. It goes back to that idea of doing more than being a technician, and seeing the broader responsibility and impact of your work in your organisation on society.”

Elizabeth Denham, Information Commissioner

Our Advisory Services:

  • Avoid the expense of hiring a full-time DPO, by outsourcing this role to a specialist team. With decades of experience, our team can adapt to the needs of every scale of business, to help you manage the risk of non-compliance, and provide advice on the best strategy to protect the personal data of your customers, partners and employees.

DPO Counselling

  • Your business has appointed a DPO as required by Article 37, but sometimes your DPO needs support. It might be a tricky DPIA, or the interpretation of an Article 9 derogation, or even a challenging SAR which you want to deny. Our counselling service offers professional DPOs the support they need to ensure they remain confident in their decisions and recommendations.
  • Our standard service offers off-shore businesses the legal representation they need under Article 27, including liaison with supervisory authorities and assisting communication with data subjects. Our service is especially valuable when handling complaints and ICO investigations.

Data Mapping

  • Businesses who have not completed their Article 30 data mapping can benefit from this service, which supports your business analysis teams in understanding the required elements for a data map, including decisions on lawful basis, retention and deletion, rights availability and much more.

Merger & Acquisition Privacy Due Diligence

  • One of Chaucer's unique services involves advising businesses who are considering a merger or acquisition, and who require insight into how to best blend the data lakes owned by each merger candidate with the acquiring business. We especially focus on data protection due diligence, producing a gap analysis that can identify risks to the business arising from poor data protection practices.

Our Audit Services:

  • Multiple countries have now released official standards for auditing compliance with GDPR. Chaucer has prepared its own audit outlines that will thoroughly test your privacy management operational controls and mitigation activities. The audit will consider processes, procedures, personnel, policies and management within the context of an Information Privacy Management System (IPMS).

Business Resilience

  • Businesses need to ensure that they have resilience built-in to their critical processes. With GDPR comes the obligation to ensure resilience of data protection, through privacy by design and privacy by default, as well as robust processes to support Business As Usual that can cope with every type of privacy challenge. Our Resilience team will evaluate the weak points in your privacy management and operations, and make specific recommendations to strengthen your posture to maximize your ability to manage privacy risks.

Our Cyber Services:

NIS Readiness

  • The Network & Information Security Directive is soon to be enforced in the U.K. as well as across the whole of the E.U., and sets new standards for managing cyber threats, coordinating CSIRT activities, and strengthening reporting and cyber risk management for critical infrastructure that is recognized both nationally and across the E.U. Our team of cyber experts will help to manage change projects that ensure NIS compliance is built in to your business at every level.

ISO27001 Preparation & Gap Analysis

  • We help customers who wish to improve their cyber security robustness through implementation of an Information Security Management System conforming to ISO27001 and related standards. While we do not conduct audits for this standard, we assist with making all the necessary preparations so you can get yourself ready for an audit. Even for small companies, this preparation can take from six months to a year, so start soon to realize the benefits.

PCI/DSS Advisory

  • While not a required standard, PCI/DSS does offer guidelines to businesses processing card payments on the minimum set of controls and policies they need to properly handle PAN data. Our team of specialists can help your business to prepare for a full PCI/DSS assessment.

Our Risk Services:

GDPR Emergency Response

  • One of our most popular services, the Emergency Response gives you a place to turn when your GDPR preparations fall short, and you have to deal with your first significant data breach, customer SAR-related complaint or supervisory authority investigation. We provide a high-touch fast turnaround response to deal with your data protection crisis. Our team is experienced with handling privacy investigations, and can help to mitigate the most serious enforcement actions, if you follow our advice in a timely manner.

Risk Advisory

  • Our specialist risk team can help you with all manner of privacy risk management, including a general gap analysis, privacy impact assessments, and full-scale Data Protection Impact Assessments (DPIAs). Once risks are known, we can help you to plan mitigation and response protocols to minimize the impact and probability of the most critical risks to your business with a focus on data protection and privacy.

Our Training Services:

DPO Training

  • Data Protection is a complex area, and the work of a DPO is unrelenting, with new interpretations of the relevant laws, new regulations and directives (such as ePR) and legal precedents and advice emerging from the EU Data Protection Board (EDPB) which has replaced the Article 29 Working Party. Our specialized training is intended to help even experienced DPOs to learn about the latest measures and techniques in the industry, and to ensure they are ready to meet emerging threats in the privacy landscape. This training is usually one-to-one and highly intensive, and can be customized to focus on specialized areas, such as management and deployment of encryption, use of pseudonymization, privacy by design and much more.

General Privacy Training

  • Second level training is available for larger audiences of employees who are not privacy specialists, but who need a foundation in understanding the important aspects of data protection and privacy.

ePR & other new laws

  • Keep up with the latest changes with our regular briefings on emerging changes to the privacy and data protection landscape.

How do I get in touch to discuss this?

If you have any questions about Data Privacy, the GDPR or to arrange an initial conversation about how we can help you on your journey to compliance, please contact us on +44 203 934 1099, or email
