Legal Practice Notes

This Practice Note presents the comprehensive Data Protection Negotiation Guide (the Guide), which addresses the negotiation of clauses in contracts and agreements between controllers and processors that fall under the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR). It should be noted that the UK GDPR is closely aligned and broadly comparable with the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), and this Practice Note concentrates on the UK GDPR position. For background on the UK GDPR and how it relates to the EU GDPR, see Practice Note: The UK General Data Protection Regulation ( UK GDPR)— Summary of key legislation. For additional detail on the EU GDPR, see Practice Note: The EU’s General Data Protection Regulation ( EU GDPR). The Guide is comprehensive and already presumes readers have some...

This Practice Note connects to a collection bringing together an in-depth Data Protection Negotiation Guide (the Guide) covering the negotiation of clauses in contracts between controllers and processors governed by the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR). It further provides a range of ancillary resources. Be aware there are notable similarities between the UK GDPR......

Data protection by design and default ( DPb DD) Organisations often pay insufficient attention to data protection by design and default ( DPb DD) when assessing their UK GDPR obligations. This is understandable, as DPb DD is an intangible, pervasive concept that can be hard to turn into specific measures, especially when compared with other discrete duties under the UK GDPR. Nonetheless, the UK GDPR contains a dedicated provision on DPb DD ( Article 25) and the Information Commissioner’s Office provides extensive guidance: ICO, UK GDPR guidance and resources, Data protection by design and default. In essence, DPb DD requires you to consider privacy and data protection from the outset in everything you do, embedding it into your processing and business practices from initial design through the entire lifecycle. Taking a DPb DD approach from the beginning, rather than retrofitting at the end: helps you...

The impact of the UK GDPR on M& A transactions EU GDPR and UK GDPR Regulation ( EU) 2016/679, the EU’s General Data Protection Regulation ( EU GDPR), has applied directly and been fully enforceable across every EU Member State since 25 May 2018. It overhauled EU data protection rules and, in the UK, superseded the Data Protection Act 1998 ( DPA 1998) together with Directive 95/46/ EC (the Data Protection Directive). On 31 January 2020 the UK left EU membership and moved into an implementation period, during which EU law continued to govern. The EU GDPR framework continued to operate under UK law up to the close of that period (11 pm UK time on 31 December 2020) and still applies within the EEA. From the end of the implementation period, the UK General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), has had...

The Data Protection Act 2018 ( DPA 2018) The DPA 2018 sets out a number of data protection frameworks within UK data protection law, covering the following: general processing of personal data subject to the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR) processing of personal data by competent authorities for law enforcement purposes processing of personal data by the intelligence services This Practice Note concentrates on those provisions of the DPA 2018 that relate to general processing in connection with the UK GDPR. It therefore addresses general processing in connection with the UK GDPR. It highlights matters most pertinent to commercial organisations and, for example, does not cover rules applying to manual, unstructured processing by certain public sector bodies, or processing connected with immigration, defence or national security. Accordingly, its scope excludes those special-case...

This Practice Note examines the law and practice in relation to anonymisation, pseudonymisation and privacy enhancing technologies (or PETs). It specifically outlines what constitutes robust anonymisation and pseudonymisation and sets out core methods that can be applied. It further introduces the suite of tools referred to as PETs. It assesses the framework under the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), alongside the UK Data Protection Act 2018 ( DPA 2018). Where pertinent to the UK GDPR, EU case law and guidance are taken into account. For information on the position under the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), see Practice Note: in the EU. On this topic, key differences exist between the UK GDPR regime and the EU GDPR. That said, at a high level the UK GDPR and EU GDPR...

This Practice Note responds to frequently asked questions faced by pensions lawyers about the United Kingdom Regulation ( EU) 2016/679 ( UK GDPR), the Data Protection Act 2018 (which sits alongside the UK GDPR) and associated matters. For more on the UK GDPR and Data Protection Act 2018 ( DPA 2018), see these Practice Notes: Data Protection for pensions lawyers Introduction to the EU GDPR and UK GDPR The UK General Data Protection Regulation ( UK GDPR) The Data Protection Act 2018 What was the impact of Brexit? From 25 May 2018 until IP completion day (11 pm on 31 December 2020, when the UK exited the European Union), the UK followed the data protection framework established by the General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR). Prior to this, the UK’s data protection regime was found in the Data...

This Practice Note monitors the current position of adequacy regulations governing the export of personal data beyond the UK or to international organisations under the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 (the UK GDPR). For an all-round primer on the UK GDPR bringing together core practical guidance, see Practice Note: The UK General Data Protection Regulation ( UK GDPR)— Summary of key legislation, and the UK data protection law collection. Background Article 44 of Chapter V of the UK GDPR bars sending personal data to a third country outside the UK, or to an ‘international organisation’ (a restricted international transfer). Nonetheless, such a transfer may proceed where it is: founded on an adequacy regulation under Article 45 of the UK GDPR and connected provisions in the Data Protection Act 2018 ( DPA 2018) covered by...

The general anti-abuse rule (the GAAR): neutralises—by making adjustments, on a just and reasonable basis, undertaken either by HMRC or by the taxpayer—for the purposes of counteraction any tax advantages that, leaving the GAAR out of account, would otherwise arise from abusive tax arrangements, and has operated since 17 July 2013 (being the date of Royal Assent to the Finance Act 2013 ( FA 2013)), except that, for National Insurance contributions ( NICs), it has applied only from 13 March 2014 This Practice Note explains: that the GAAR can be applied by taxpayers or by HMRC as appropriate in the circumstances how to determine which adjustments should be made to counteract abusive tax advantages in practice the procedure for counteraction by HMRC, including: the different kinds of notices that HMRC may give to a...

The general anti-abuse rule (the GAAR): neutralises, through just and reasonable adjustments made by HMRC or by the taxpayer, as appropriate any tax benefits that, absent the GAAR, would stem from abusive tax arrangements and schemes has been in force from 17 July 2013 ( Royal Assent to the Finance Act 2013 ( FA 2013)), save that, for National Insurance contributions ( NICs), it has only taken effect from 13 March 2014 This Practice Note discusses in detail: the nature and composition of the GAAR advisory panel and why it exists institutionally how the GAAR panel links with the GAAR guidance, together with the function, scope and authority of that guidance the effect of the GAAR panel’s opinions when applying the GAAR not just to the arrangements actually referred, but also to comparable...

Scope of this Practice Note This Practice Note outlines information on the regulated activities of entering, as provider, into funeral plan contracts and performing funeral plan contracts as provider under article 59 of the Financial Services and Markets Act 2000 ( Regulated Activities) Order 2001, SI 2001/544 ( RAO), as amended from time to time. It also highlights the Financial Conduct Authority’s ( FCA) regulatory framework as it applies to those undertaking these regulated funeral plan activities. Entering into funeral plan contracts Under RAO, SI 2001/544, art 59(1), entering into a funeral plan contract in the capacity of provider is a regulated activity. The FCA defines a ‘provider’ as the person who receives the pre-payments and undertakes to provide, or to arrange the provision of, the funeral at a future point. This could be the funeral director or a third party that arranges for someone else to...

STOP PRESS/ FORTHCOMING CHANGES : The UK intends to transpose the OECD’s Cryptoasset Reporting Framework ( CARF) into domestic law from 1 January 2026. This will be delivered via the Reporting Cryptoasset Service Providers ( Due Diligence and Reporting Requirements) Regulations 2025 ( SI 2025/744), laid before the House of Commons on 25 June 2025. On the same day, HMRC issued tax impact and information notes ( TIIN) for the measure, and also released guidance covering CARF reporting. At the same time, the government has brought forward amendments to the domestic implementation of the OECD’s Common Reporting Standard ( CRS) and to the UK’s obligations under the Intergovernmental Agreement with the US for the US Foreign Account Tax Compliance Act ( FATCA). The principal framework remains the International Tax Compliance Regulations 2015 ( SI 2015/878), with changes introduced by the...

ARCHIVED: This Practice Note, now archived, contains a link to a historical Market Standards Trend Report concerning investor voting at the AGMs of FTSE 350 companies in 2022. It is no longer maintained and is provided for background purposes only. What does the Market Standards trend report cover? Download a PDF copy of the Trend Report here. Market Standards conducted a detailed in-depth assessment of AGM voting and formats across the 2022 season. Using insights drawn from the Market Standards database, the report examines last year’s shareholder voting behaviour, highlighting patterns in failed resolutions, notable no votes, and areas of shareholder dissent......

ARCHIVED: Originally published in 2019, this content is not currently maintained. This Market Standards Trend Report reviews the latest market practice and trends emerging from the FTSE 350 annual general meeting ( AGM) season 2019......

This FLASHCARD helps you take in or remember the key issues around the financial services ‘regulatory perimeter’ set out in Part II of the Financial Services and Markets Act 2000 ( FSMA 2000). What is the financial services regulatory perimeter? The financial services regulatory perimeter consists of two central prohibitions that underpin it: the general prohibition the financial promotion restriction Breaching either prohibition is a criminal offence, and agreements entered into as a result of such breaches may not be enforceable. It is also an offence for a person who is neither authorised nor exempt to hold themselves out (in any terms) as authorised or exempt in relation to a regulated activity. What is the general prohibition? Set out in FSMA 2000, s 19, the general prohibition bars any person from carrying on a regulated activity in the UK, or claiming to do so, unless...

The Financial Services Act 2012 ( FSA 2012) introduced a fresh regulatory framework in the UK, shifting the Financial Services Authority’s functions to the Financial Conduct Authority ( FCA) and the Prudential Regulation Authority ( PRA), encompassing duties within the Financial Services and Markets Act 2000 ( FSMA 2000) controllers regime. The pertinent provisions took effect on 1 April 2013. This Practice Note offers an overview of how FSA 2012 amended the controllers regime, outlining the key adjustments and their scope. For further reading on the FSMA 2000 controllers regime as revised by FSA 2012, see Practice Notes: FSMA 2000 controllers regime—key concepts Obligations of controllers—acquiring and increasing control Obligations of controllers—reducing or ceasing control FSMA 2000 controllers regime—obligations for firms FSMA 2000 controllers regime—fund managers Enforcement of the FSMA 2000 controllers regime For practical steps that...

Where and how does the general prohibition apply? At the core of the UK regulatory framework sits a basic restriction: no individual or firm may perform a regulated activity in the UK, or hold themselves out as doing so, unless they are authorised or fall within an exemption. This is the “general prohibition” set out in section 19 of the Financial Services and Markets Act 2000 ( FSMA 2000). In strict terms, the general prohibition only bites when a person carries on, or claims to carry on, a regulated activity in the UK. Yet FSMA 2000 does not exhaustively define the circumstances in which an activity is regarded as being undertaken in the UK, meaning the question of whether an activity is regulated is ultimately determined by the general law. This Practice Note considers the territorial scope of the general...

This Practice Note outlines the role and functioning of the Financial Services Compensation Scheme ( FSCS), and explains how deposits protected by it are ranked within the waterfall of payments to creditors should a relevant firm become insolvent. For further information on the FSCS, see the following Practice Notes: The Financial Services Compensation Scheme Financial Services Compensation Scheme ( FSCS)—the qualifying conditions for compensation Financial Services Compensation Scheme ( FSCS)—automatic assignment or subrogation of rights Financial Services Compensation Scheme ( FSCS)—payment or rejection of compensation Financial Services Compensation Scheme ( FSCS)—funding Role and operation of the FSCS What is the FSCS? The FSCS was created by the Financial Services and Markets Act 2000 ( FSMA 2000) as an independent body that safeguards customers when a financial institution or financial services firm is unable, or likely to be unable, to meet claims...

This Practice Note examines the Financial Services Compensation Scheme ( FSCS) in a pensions setting. For more background on the FSCS generally, consult the following Practice Notes: The Financial Services Compensation Scheme The payment or rejection of compensation under the Financial Services Compensation Scheme ( FSCS) Financial Services Compensation Scheme ( FSCS)—the qualifying conditions for compensation Financial Services Compensation Scheme ( FSCS)—funding Financial Services Compensation Scheme ( FSCS)—automatic assignment or subrogation of rights Financial Services Compensation Scheme ( FSCS)—payment or rejection of compensation What is the FSCS? The FSCS is the UK’s statutory compensation fund for customers of most financial services firms authorised under the Financial Services and Markets Act 2000 ( FSMA 2000). It took effect on 1 December 2001. In strict terms, the FSCS is the set of rules that establish it (the Rules). The Rules were originally made by the Financial Services Authority ( FSA) and, from 1 April 2013, have...

Financial services contracts regime ( FSCR) This Practice Note reviews the financial services contracts regime ( FSCR), which took effect at the close of the implementation period following the UK’s withdrawal from the EU. The FSCR applies by default to EEA passporting firms with pre-existing UK contracts that require permission to service, where those firms did not notify the Financial Conduct Authority ( FCA) or the Prudential Regulation Authority ( PRA) of their wish to enter the temporary permissions regime ( TPR), or where they leave the TPR without obtaining full UK authorisation. The regime permits those firms to go on servicing UK contracts concluded before the end of the implementation period, or before exiting the TPR, for a limited time, provided they satisfy the FSCR’s conditions. The European Union ( Withdrawal) Act 2018, as amended by the European Union (...