bto solicitors - Corporate & Commercial Business Lawyers Glasgow Edinburgh Scotland

  • "really fights your corner..."
    "really fights your corner..." Chambers UK
  • "Consistently high-quality work and client-friendly approach."
    "Consistently high-quality work and client-friendly approach." Chambers UK

Data Protection


For the latest on Data Protection visit our Blog


"They are really useful, helpful and responsive. They always understand our position in order to give advice to our organisation. I'm delighted with them."
 (Chambers UK)

The handling of personal information in accordance with the Data Protection Act 1998 (DPA) is a minefield. In May 2018 the General Data Protection Regulation (GDPR) comes into direct effect throughout the EU and, Brexit or not, any organisation processing the personal data of an EU citizen will have to comply with stricter conditions set out there.

Edward Snowden and his whistleblowing revelations that the US Stat Authorities are carrying out mass surveillance on non-EU citizens has increased privacy concerns resulting in the demise of the Safe Harbour agreement and concerns about the legality of sending personal data safely to the US and elsewhere.

Any person information held in digital or paper format is protected by the DPA and if it is lost, misused or shared inappropriately it is likely that the DPA has been breached and since April 2010 the Information Commissioners Office (ICO) has had the power to issue substantial fines to organisations who do not process data in compliance with the DPA. The ICO has used its powers to impose significant fines of up to £500,000 on public bodies, non-profit making organisations, individuals and private companies. In 2018 it will have the power to impose substantially higher fines of up to 20,000,000 euros.

In addition, it has become easier for individuals to claim compensation under the DPA if personal data is lost, misused or shared inappropriately resulting in pecuniary loss or distress.

BTO’s Data Protection Team is the only team of lawyers in the UK who have experience of successfully challenging a fine imposed by the ICO for a breach of the DPA. Therefore, its lawyers speak with authority on how best to handle a data breach, how best to handle the ICO and how best to handle all forms of personal data.

The team also provides compliance advice and training in relation to the DPA; the eight processing principles and how to avoid coming into contact with the ICO. In Scotland, BTO’s team is unique and at the forefront of providing DPA advice.

The team provides strategic advice in relation to information requests from data subjects, the police and other regulators and under freedom of information legislation; in particular, handling the tricky situations where this legislation overlaps.

Paul Motion, winner of the Corporate Livewire - Global Awards 2015 in the category of Data Protection UK

What we do:

  • Strategic advice and options to management when a potential data protection issue emerges
  • Drafting and redrafting of DP policies and procedures
  • DPA Compliance Training
  • Advice on data sharing, data retention and subject access requests, including the new Privacy Shield
  • Keeping your marketing within the law
  • CCTV and surveillance compliance
  • How to handle ICO investigations and appeals to the Information Tribunal
  • How to handle information requests
  • Making Subject Access Requests (Individuals)
  • Managing Subject Access Requests (Organisations)


Motion __paul _crop

Paul Motion, Partner and Solicitor Advocate, was already specialising in technology law several years before the Data Protection Act 1998 or Freedom of Information Acts came into force. He chaired the Law Society of Scotland’s Technology Committee for sixteen years from May 2000, pre-dating (and observing and commenting upon) the introduction of virtually all modern E-commerce and privacy related legislation such as the DPA and FOI. Paul is also “on his feet” in court regularly since he is a highly experienced civil Solicitor Advocate.

A recognised expert in Data Protection and contentious IT/IP law, Paul has run many ground breaking cases, notably [with BTO Partner, Laura Irvine] the only successful appeal to date anywhere in the UK against a DPA penalty imposed following a DPA breach. Paul and Laura were acting on behalf of Scottish Borders Council, against a £250,000 Data Protection Monetary Penalty.  In 2012 following a case involving fake online reviews Paul set up the BTO Online Reputation Team which has attracted referral work from other solicitors. Paul also drafts and advises on the content of data protection and privacy policies

Laura _irvine _croppedLaura Irvine is a Solicitor Advocate and along with BTO Partner Paul Motion represented Scottish Borders Council at the successful appeal against the civil monetary penalty of £250,000 imposed following a DPA breach. As a criminal lawyer, Laura’s view is that these substantial fines should in fact be seen as criminal in nature and has written on this subject – Data Protection Monetary Penalties: Absolutely Criminal? Laura has continued to advise clients in relation to data breaches and also has experience of advising public and private bodies in relation to subject access requests, freedom of information requests and general data protection issues.

To discuss your data control/protection issues, please contact Paul Motion or Laura Irvine on T: 0131 222 2939 E:


  • Subject Access Requests

Dealing with complex SAR from ex-employee who asked for a huge amount of detailed information through the use of a forensic IT consultant and significant redaction of documentation. 

  • ICO Notification

Providing advice to a client about how to notify the ICO about a data incident, successfully avoiding enforcement action from the ICO, twice. 

  • Housing Associations

Advising housing association about how to manage their employees being recorded covertly by service users’ families.

  • Named Person in schools and Data Protection Act 1998

Providing compliance advice on the provision of the Named Person in schools and the Data Protection Act 1998. 

  • CCTV and surveillance compliance

Assisting with the review of data protection policies and procedures.

  • Data Protection Training

Providing training for: Audit Scotland; Fife Council; SHARE; South Lanarkshire Council; Aberdeenshire Council; Grampian Health Board and George Watson's College.



  • "We could not have asked for better legal advisers."

    BTO Client
  • "They are really useful, helpful and responsive. They always understand our position in order to give advice to our organisation. I'm delighted with them."

    BTO Client


The Data Protection Team regularly provides training in relation to data protection, the new Regulation and information law. This is always tailored to the audience we are talking to and to the sector that our audience comes from. Training is fundamental to compliance with the Data Protection Act 1998. See our Compliance Training page for further info or speak to a member of the team on about how we can assist you to comply.

Recent feedback:

A number of the delegates who have attended BTO’s courses have commented specifically on the team's knowledge of DP, the manner in which they put it across (in a non-lawyer fashion) and their friendly and outgoing personality. What became apparent following the courses was that delegates were reciting examples BTO had delivered at the training, giving us confirmation that they not only understood the training, but were able to remember and demonstrate what they had learned.

Contact: T: 0131 222 2939 E:

“The level of service has always been excellent, with properly experienced solicitors dealing with appropriate cases" Legal 500

Contact BTO


  • 48 St. Vincent Street
  • Glasgow
  • G2 5HS
  • T:+44 (0)141 221 8012
  • F:+44 (0)141 221 7803


  • One Edinburgh Quay
  • Edinburgh
  • EH3 9QG
  • T:+44 (0)131 222 2939
  • F:+44 (0)131 222 2949