• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

GDPR and the role of the Data Protection Officer

The GDPR, which is due to come into effect on 25 May 2018, will make it mandatory for certain organisations to designate a data protection officer (‘DPO’)[1]. These are controllers and processors of personal data that are –

  • public authorities and bodies (except certain courts);
  • organisations whose core activities consist of regular and systematic monitoring of data subjects on a large scale; and
  • organisations whose core activities consist of processing special categories of data on a large scale.           

Aside from these mandatory categories laid down in the GDPR, a Member State’s law can designate DPOs in other cases, and controllers and processors outside of these categories can also appoint a DPO voluntarily. 

DPOs will play a key role in compliance with the General Data Protection Regulation (‘GDPR’) for many organisations[2] and the Article 29 Working Party has published ‘Guidelines on Data Protection Officers’[3] (‘Guidelines’) and a set of FAQs[4] that set out useful information on the professional qualities, position and tasks expected of DPOs, which we have summarised below -

The DPO must be selected on the basis of professional qualities and, in particular, expertise in national and European data protection law and practices and an in-depth understanding of the GDPR.  A higher level of expertise is required the more sensitive, complex and greater the amount of data that the organisation processes. Knowledge of the business sector and of the controller’s organisation is useful also so that the DPO understands the processing operations, information systems, data security and data protection needs. 

The DPO is expected to have certain personal qualities and knowledge - such as integrity and high professional ethics - to enable them to fulfil their tasks, and to play a key role in fostering a data protection culture within the organisation and helping to implement essential elements of the GDPR. 

The DPO’s contact details must be published and communicated to the relevant supervisory authorities so that data subjects and the supervisory authorities can contact the DPO easily, directly and confidentially. A group of undertakings can designate a single DPO so long as they are easily accessible from each establishment and are a contact point for data subjects, the supervisory authorities and within the organisation, including in the language(s) of the supervisory authorities or data subjects concerned.  As an alternative to appointing a DPO internally, an organisation could enter into a service contract with an external individual or organisation that fulfils the function of the DPO. 

The controller and processor must ensure that the DPO is involved, from the earliest stage possible, in all issues which relate to data protection. The organisation should ensure that the DPO is invited to participate regularly in meetings of senior and middle management, the DPO should be present where decisions with data protection implications are taken, and all relevant information must be given to the DPO in a timely manner in order to allow the DPO to provide adequate advice. The DPO’s opinion must always be given due weight and if an organisation disagrees with the DPO’s opinion, the reasons for not following the DPO’s advice must be documented. The controller must seek the DPO’s advice when carrying out a data protection impact assessment. 

The DPO must be given active support by senior management, the necessary resources (e.g. time, budget, infrastructure and staff) to carry out their tasks, access to personal data, processing operations and other functions within the organisation, and continuous training to stay up to date with developments in data protection. 

The DPO must also have a sufficient degree of autonomy within their organisation.  DPOs must not receive any instructions regarding the exercise of their tasks and they must be able to perform their duties and tasks in an independent manner. DPOs should not be dismissed or penalised (e.g. denied or delayed promotion, prevented from career advancement or denied benefits that other employees receive) by the controller or processor for performing their duties as a DPO. 

If the DPO has other tasks and duties, they must not cause a conflict of interests.  In particular, the DPO cannot also hold a position in the organisation in which they determine the purposes and the means of the processing of personal data (e.g. the role Head of Marketing or Head of IT would be incompatible with the role of DPO).  The structure of the organisation should be considered in each case. 

Failure to appoint a DPO in the 3 mandatory situations listed above is grounds for a fine of the greater of up to €10 million or up to 2% of total worldwide annual turnover[5].  In relation to these and other fines, the regulator will take into account any action taken by the controller or processor to mitigate the damage suffered by data subjects – this could well include being able to show that you have appointed a DPO either mandatorily or voluntarily[6]


[1] Article 37 GDPR. 

[2] See Articles 37 to 39 of the GDPR for the designation, position and tasks of a DPO. 

[3] Article 29 Data Protection Working Party Guidelines on Data Protection Officers (‘DPOs’), adopted on 13 December 2016 http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf

[5] Article 83(4)(a) GDPR. 

[6] Article 83(2) GDPR.  

Contact our experts for further advice

Nicola Fulford