Data Protection & Privacy

In an era of behavioural advertising, cloud computing, location monitoring and ever-increasing risk from cyber-threats, businesses and public authorities face new challenges in achieving compliance with a rapidly evolving area of the law.

The EU’s focus for a digital single market led to the long-awaited data protection reform package, which came into force in May 2018. This comprised both the General Data Protection Regulation (GDPR) and a directive dealing with data processing for law enforcement purposes (Law Enforcement Directive), representing a complete overhaul of EU data protection law.

Following the UK’s withdrawal from the European Union, the GDPR applies in Gibraltar in much the same manner as in England & Wales. The Data Protection Act 2004, as amended, now brings in the concept of the “Gibraltar GDPR”, which is essentially means the GDPR as it forms part of Gibraltar law by virtue of section 6 of the European Union (Withdrawal) Act 2019, as read with Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“the 2019 Regulations”).

The revised regime now requires in-depth knowledge of the nuanced differences in how the Gibraltar GDPR and the GDPR regimes apply in individual cases. Our team of lawyers take a holistic approach when assisting our clients with these challenges. We regularly update our clients on the latest developments through in-house presentations, seminars, newsletters and publications.



We advise a wide range of businesses including financial institutions, retailers, insurers, information service providers, technology start-ups, and government on mitigating business and legal risks associated with the aggregation, use, dissemination, transfer and storage of information. The breadth of ISOLAS’s expertise in this area spans across the wide range of data protection issues. Our dedicated team can assist on matters such as:

  • GDPR readiness audits and data mapping
  • Direct marketing
  • Drafting privacy statements and data protection policies
  • International data transfers
  • Data protection provisions in contracts and on general terms and conditions/terms of business

Added Value

When providing such advice, our focus is on adding value to your business, making it resilient to the risks related with data management and breaches of information privacy, as well as minimising the costs associated with compliance. We also provide additional advice across the following areas:

  • Personnel and payroll administration
  • Processing of special categories of data (i.e. “sensitive data”) and processing by automated means
  • Data breaches and notification requirements
  • Data protection impact assessments (DPIAs)
  • Monitoring of employees through new technologies (including video surveillance and the recording of telephone calls)

Data Breach Response Plans

Our experts will team up with the board, in-house counsel, chief technology officers, information officers and data protection officers to create cyber-incident / data breach response plans, carry out internal audits and providing general assistance in navigating the complex regulatory landscape.

More insights View all news and insights