Plain English on transactions, drafting, and the structural choices that decide who wins.
A cease and desist is a precursor to litigation, not a substitute for it. The point of the letter is to put the recipient on notice, clearly, professionally, and on the record,
The GDPR is more demanding in practice than most organisations expect when they first read it. The starter kit is the structured response: the documents that together form the foundation of a
Website terms (terms of use) govern the relationship between the operator of a site and its visitors. They are different from terms of sale (which govern transactions) and from the privacy policy
The website legal pack is the basic regulatory furniture every commercial site needs: privacy policy, cookie policy, terms of use, and (for selling sites) terms of sale. The drafting work is in
The website legal pack (privacy policy, cookie policy, terms of use, terms of sale, where relevant) sits in plain view on every site and is often the first place a regulator or
Article 30 of the UK GDPR requires most controllers and processors to maintain a Record of Processing Activities (ROPA). It is an internal document. The ICO can request to see it, but
The privacy policy is the public-facing transparency document that explains how the business processes personal data. The legal requirement is set by Articles 13 and 14 of the UK GDPR, and the
Know-your-customer and anti-money-laundering obligations apply to a defined set of regulated sectors. Financial services, legal services, accountancy, estate agency, and others. The framework is built on the Money Laundering Regulations 2017 (as
International transfers of personal data out of the UK require a transfer mechanism: an adequacy decision (which covers transfers to the EEA and a small number of other jurisdictions), the International Data
Employees are data subjects, and employers process substantial amounts of their personal data, often more than they realise. The employee privacy notice is the transparency obligation under Articles 13 and 14 of
Data subject access requests are time-bound (within 1 month of receipt, extendable in some cases) and broadly scoped (covering all personal data relating to the individual). Most organisations have not searched their
Data sharing between controllers, rather than between a controller and a processor, is a different legal exercise from a data processing agreement (DPA). Each party is making its own decisions about purpose