
Why in-house legal teams need access to data protection lawyers


Most in-house lawyers have a broad remit of responsibilities. That results in the demanding challenge of having to deal with a plethora of seemingly ever-increasing legislative and regulatory changes while performing broad legal functions. In practice this means they don’t have time to dig deep into specialist areas of law and all its implications – they can’t (and usually don’t want to) ‘do it all’. 

Data protection is a growing challenge 

In 2018, the coming into effect of the General Data Protection Regulation was one of the most significant legislative and regulatory changes to have been introduced in the UK for many years. Having the time (and perhaps the inclination) to get to grips with the GDPR in order to fully understand and appreciate its impact was a serious challenge for every in-house lawyer.

That challenge has become greater – as a result of Brexit there are now two GDPRs: 

  • The GDPR that exists at the moment will continue to apply to the EU Member States. This will be known – in the UK – as the “EU GDPR”.
  • In the UK, a new “UK GDPR” will come into force, which will effectively mirror the EU GDPR in almost all respects, except for some minor tweaks to make it UK specific. 

This means that: 

  1. UK-based businesses will need to comply with the UK GDPR
  2. UK-based businesses that offer goods or services to, or monitor the behaviour of, individuals in the EEA will, in addition, need to comply with the EU GDPR
  3. EEA-based businesses will need to comply with the EU GDPR
  4. EEA-based businesses that offer goods or services to individuals in the UK or that monitor those individuals’ behaviour will, in addition, need to comply with the UK GDPR
  5. All businesses that are not UK or EEA based, that offer goods or services to, or monitor the behaviour of, individuals in the UK and EEA will need to comply with both the UK GDPR and the EU GDPR

In addition to the GDPRs, there are of course other data protection laws, in particular the ePrivacy Directive (in the UK the Privacy and Electronic Communications Regulations (PECR)). These laws will continue post-Brexit, but at some point the EU will introduce a new law – the ePrivacy Regulation. When that eventually arrives (it has been much delayed), it will not apply to the UK. This means that, as and when that happens, there are likely to be significant differences between the UK and the EU in their respective ‘cookie laws’ and in the rules on email marketing.

Can you meet that challenge? 

Every organisation needs to ask if its in-house lawyers: 

  1. Are able to keep fully up to date with changes to UK data protection law?
  2. Have the time to work out whether the UK or EU GDPR applies in any given situation?
  3. Can monitor developments in the EU re the ePrivacy Regulation?

How norm. supports in-house legal teams 

Our specialist data protection team, led by a UK qualified solicitor, fulfils the vital role of supporting in-house lawyers in navigating the ever-changing and increasingly complex data protection landscape. 

We begin by carrying out an analysis of your current data-processing activities with a view to introducing, if required, a privacy accountability framework, to help ensure that your business fully complies with data protection legislation – and demonstrate your compliance. 

That’s because the ICO, your business partners and your customers need to see that you are managing personal data risks, so that you can secure their trust and confidence. This can enhance your reputation and give you a competitive edge, helping your business to thrive and grow. 

We also carry out a ‘horizon scanning’ exercise, relating to possible further data protection-related legal and regulatory developments, to help your in-house lawyers identify emerging issues and support business decision-making. 

Leadership and oversight 

One of the principles of data protection is accountability and a fundamental building block of accountability is strong leadership and oversight. This is something we can help with, usually by being appointed as your DPO. 

Data protection as a solution, not a problem  

Often, within a business, seeking support or approval from the legal team is viewed as a hurdle to be overcome. We understand that there is a balance to be struck and that legal input has to be positive, creative and enabling. In practice this means helping you to understand how you should use the GDPR to your advantage. 

For example, if your business is considering developing a new product or service, the early involvement of data protection specialists is vital. This will enable you to design a product or service from the outset with data protection and privacy considerations in mind, and to meet the requirements of the GDPR. 

A solution that’s tried and tested 

What’s clear is that the advice of data protection specialists who are pragmatic, business-minded and able to cope with legal uncertainty IS worth it.

But don’t take our word for it – we already provide this service to an international confectionery maker and a London-based wealth management firm, both of which have in-house lawyers. Our service enables them to focus on what they are best at – building trusted relationships with their customers and growing the business in a sustainable way.

Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber, Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.

Appointing NormCyber as our virtual DPO has given Ferrero the best of both worlds – access to data protection experts who understand what we stand for as a business, without the hefty overheads usually associated with appointing an in-house DPO.

Harpreet Thandi
Regional Counsel, UK & Ireland, Ferrero

We were looking for a virtual DPO service that offered all of the benefits of a fully qualified data protection lawyer, without the overheads of an in-house hire. The DPaaS solution from norm. has been invaluable in helping us to ensure we respect the integrity of our customers’ personal information, while using it to continue to deliver differentiated products and services which support our growing customer base.

Mike Whitfield, Compliance Manager

CSaaS allows me to step away from multi-vendor management as the Security Operations Centre coordinates all of the technology for me.

David Vincent, CTO

We were in the market for an independent Data Protection Officer service that was well versed with both UK and EU regulators. We’re thrilled to have acquired this service knowing that an expert is available 24/7.

Suzanne McCabe, Head of Project Management
James Hambro & Partners

Norm’s penetration testing layer, along with the suite of CSaaS modules has enabled MA to exceed all its audit requirements for its major clients.

Rob Elisha, ICT and CRM Manager
Montreal Associates

The speed of your Data Protection Officer’s response was very impressive – it was far quicker than I would have expected even from an in-house DPO.

Will Blake, Director of Technology and Analytics
CRU Group