Privacy & Cookies


Berrymans Lace Mawer LLP (also known as ‘BLM’) is a Data Controller who processes personal data and special categories of data, which we will refer to as personal information.

At BLM we understand the importance of data protection compliance, we know that excellent data protection practice is not only necessary to meet our legal obligations but it’s also essential to meet our obligations to the individuals whose personal information we process and the clients we serve. 

We have built a strong data protection programme supported by robust information security standards to ensure we use personal information lawfully and responsibly and that we afford it the necessary safeguards at all times whilst it’s in our possession. Our data protection programme enables us to provide the highest assurances to the individuals whose information we process and to our clients when processing personal information as part of our services we provide.

BLM always respects privacy of the individuals whose personal information we process, we will always ensure that it is only used for specified and lawful purposes as provided for under the General Data Protection Regulation (GDPR) and any other UK legislation subsequently enacted that may relate to, replace or supersede GDPR.

Key terms

  • We, us, our - Berrymans Lace Mawer LLP also known as BLM
  • Personal data - any information relating to an identified or identifiable individual
  • Special categories - personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, genetic and biometric data, data concerning health, sex life or sexual orientation
  • Processing - any action or operation including collecting, recording, viewing, accessing, analysing, assessing, sharing, disclosing, retaining and disposing of personal data
  • Data Controller - the person or organisation who determines the purpose and means of processing personal data
  • Data Processor - the person or organisation who processes personal data on behalf of a Data Controller
  • Data Subject - the person to whom the personal data relates

What we use personal information for

Legal Services

BLM is an insurance risk and commercial law firm with both a domestic and international focus. We work with large number of customers, across a wide range of sectors, throughout the UK and Ireland as well as across the world. The legal services we provide help our customers to reduce the time and money spent on managing risk and resolving disputes, whilst offering a practical, commercial and solutions driven approach to non-contentious business law.

The legal services we provide to our customers require that we process of variety of personal information where necessary for:

  • the purpose of, or in connection with, any legal proceedings (including prospective proceedings)
  • the purpose of obtaining legal advice, or
  • the purposes of establishing, exercising or defending legal rights.

The types and volumes of personal information and the manner in which we process it varies between the different sectors that we operate – more information on the sectors we operate in can be seen on the SECTORS page of our website. 

Our approach is to only process the minimum personal information necessary in a responsible and proportionate manner in order to preserve the rights of data subjects and achieve the best outcome for our customers.

Compliance with legal obligations

We may need to process personal information where necessary to comply with professional, legal and regulatory obligations that apply to our business, for example, those under health and safety regulations or rules issued by the Solicitors Regulation Authority (SRA) and the Information Commissioners Office (ICO). That processing may include gathering and providing personal information as required by or relating to audits, enquiries or investigations by regulatory bodies.

Marketing and promotion

We may process personal information to carry out a range of marketing and promotional activities about the services we offer to current, former and prospective clients and customers, to provide legal updates and to send invitations to events we are holding or involved in.

Our marketing activities include:

  • sending promotional materials by email and post regarding the legal services BLM offer and about news, articles and other publications that relate to the work we do
  • hosting and participating in events that relate to the services BLM offer

We will always ensure any personal information we hold for marketing purposes is stored securely and is not shared with any other person without the individuals awareness and permission – for attending events we may need to share some personal information with carefully selected third parties in order to manage attendance, in which case we ensure that individuals are informed in advance and that those third parties keep the information secure and use it for these purposes only.

We will only hold personal information for marketing purposes for as long the individual wishes to receive marketing from us. We offer individuals the opportunity to unsubscribe and opt out from marketing at any point and will remove their details from our marketing lists where they wish for us to do so.

If you are currently receiving marketing from BLM and no longer wish to do so you can let us know by contacting:

Data and Digital, BLM
Go To Market Team
King's House
42 King Street West
M3 2NU


You can learn more about what marketing activities we carry out on the INSIGHTS page of our website. 

Prevention and detection of fraud

We may also process personal information where it is necessary for the prevention and detection of fraud, including fraudulent insurance claims and we may share information with other agencies for such purposes.

Other business functions

We also process personal information in order to effectively manage our business activities including statistical analysis to support our practices in relation to financial performance, client base, work type or other efficiency measures and to maintain our accounts and records. As an employer we also process personal information about our partners and staff to help us support, develop and manage them.

What personal information we collect?

We always aim to use the minimum personal information necessary to support the business activities and functions we carry out. Where those activities and functions require the processing of personal information it may include:

  • Individual details - name, address (including proof of address), other contact details (e.g. email and telephone numbers), gender, marital status, date and place of birth, nationality, employer, job title and employment history, and in some instances family details, including their relationship to you
  • Identification details - identification numbers issued by government bodies or agencies, including your national insurance number, passport number, tax identification number and driving licence number
  • Financial information - bank account or payment card details, income, expenditure, tax records, credit history, credit score and other financial information
  • Anti-fraud data – sanctions, penalties, judgments, criminal offences and other information received from various anti-fraud databases
  • Previous and current claims - information about previous and current claims, which may include data relating to your health, criminal convictions, or other special categories of personal data and in some cases, surveillance reports
  • Special categories of personal data - certain categories of personal data which have additional protection under the GDPR including data relating to health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric, or data concerning sex life or sexual orientation

Who we might share personal information with

We sometimes need to share the personal information we process with third parties outside of BLM. Below is a description of the types of third party organisations we may need to share the personal information we process with for one or more purposes:

  • claimants and their family, associates, representatives
  • clients
  • current, past or prospective employers
  • educators and examining bodies
  • healthcare professionals
  • business associates
  • trade associations and professional bodies
  • suppliers and service providers
  • social and welfare organisations
  • employment and recruitment agencies
  • ombudsman and regulatory authorities
  • financial organisation  
  • credit reference agencies
  • private investigators  
  • debt collection and tracing agencies
  • courts and tribunals
  • central government

Whenever we share personal information we take great care to ensure it is done through the most secure and appropriate means possible so that it is afforded the necessary safeguards to prevent it from accidental loss or unauthorised access.

How long we will keep your information

We implement a proactive approach to retention and disposal of personal information whereby it is retained for the minimum period necessary and only where there is a legitimate reason or lawful basis to do so. We have Records Management and Data Cleansing policies that set out the processes we follow to manage retention and disposal of personal information and the define the periods for which personal information is retained. The retention periods we apply have been determined based on a combination of legal obligations and legitimate business activities and the criteria we use to determine retention periods include:

  • for as long as is necessary to support our legitimate business activities
  • for as long as is necessary to deal with enquiries you may make to us
  • for as long as is necessary to defend legal claims that may be brought against BLM or our clients
  • for as long as is necessary to ensure we meet our legal and regulatory obligations

Lawful basis for processing

We will only ever process personal information where we have a genuine need and lawful basis to do so. The lawful processing conditions we generally rely on to process personal information are set out below

For personal data:

  • the data subject has given explicit consent to the processing of his or her personal data for one or more specific purposes
  • the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • the processing is necessary for compliance with a legal obligation
  • the processing is necessary for the purposes of BLM’s legitimate interests or those of our clients (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child)

For special categories of data:

  • the data subject has given explicit consent to the processing of his or her personal data for one or more specific purposes
  • the processing relates to personal data which are manifestly made public by the data subject
  • processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity

There may be circumstances where we rely on different lawful processing conditions to those set out above, where this is the case and where required to do so we will inform you of this in any privacy notices we provide.

How we protect personal information

We recognise and respect the importance and sensitivity of personal information and so we take great care to make sure we use and handle it responsibly and we afford it the necessary safeguards whilst it’s in our possession. To achieve this we have implemented a range of organisational and technical measures to protect and safeguard personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to make sure we meet our obligations.

Organisational measures we implement include, but are not limited to: Data Protection; Information Security; Access Control; Acceptable Use; Information Classification and Data Handling; Information Exchange and Clear Desk and Clear Screen policies and procedures. These set the requirements and standards to be adhered to and implemented by all partners and staff with regards to access, use, handling and exchange of personal data. We also provide regular information security and data protection training and awareness for all our partners and staff and undertake system monitoring, audits, risk assessments and inspections.

Technical measures we implement to ensure the security of personal data include but are not limited to: ISO27001:2013 certification; secure data exchange methods; user access controls; secure electronic data storage facilities; secure document storage and disposal; firewalls; antivirus software and regular system vulnerability and penetration testing.

International transfers

BLM’s offices are located within the UK and Ireland and the personal information we process is held in those offices or within data centres that are located within the UK.

From time to time however and in certain sectors we operate there are instances where transfer of personal information outside of the European Economic Area (EEA) is necessary. Where the need for an international transfer of personal information arises, we ensure it is done so using secure methods that offer sufficient assurances and guarantees that the information is afforded the necessary safeguards to prevent it from accidental or unlawful loss, disclosure, access, alteration or destruction. We will also ensure that where necessary our clients and the data subjects whose information is to be transferred are notified in advance and informed of the safeguards we will take to ensure the security of their information.

The transfer process itself will include establishing and ensuring that there is a legal basis for the transfer to take place and that the receiving party and country within which they reside offers an adequate level of protection for the rights and freedoms of data subjects through methods including:

  • obtaining the informed and explicit consent of the data subject for the transfer to take place
  • where the transfer is necessary for the establishment, exercise or defence of legal claims
  • using the services of third parties based within counties that have been approved by the European Commission as providing adequate safeguards, or, companies based within the US whom subscribe to the EU-US Privacy Shield scheme;
  • conducting our own adequacy assessments against the receiving party to ensure they can offer sufficient assurances, protections and legal mechanism to uphold the rights and freedoms of data subjects;
  • implementing contracts with the receiving party, within which will be defined terms and conditions (based on the model clauses), which impose upon the party obligations and responsibilities with regards to processinmg of the personal information

Your right and how to contact us

Under data protection laws individuals have a number of rights that enable them to control when and how their personal information is used, and, to allow them to hold an organisations accountable for use of their information.

If you believe BLM processes your personal information and you wish to exercise any of your rights under GDPR, such as gaining access to the information we hold about you, where you believe the information may be incorrect, inaccurate or incomplete, where you wish to restrict or object to processing, or, if you are dissatisfied with the way in which BLM has used your information in any way you can report the matter to our Data Protection Officer using the following contact details:

Data Protection Officer, BLM
Risk and Compliance Team
King's House
42 King Street West
M3 2NU


You also have the right to refer any concerns you may have regarding BLM’s use of your information to the Information Commissioners Office (ICO) - more information can be found by visiting the ICO’s website at:
Summary of data protection rights:

  • Right to be informed: this provides individuals with the right to be told about when and how their personal data is used now and in the future.
  • Right of access: this enables individuals to gain access to and be given a copy of the personal information that we hold about them. You can request access to information that may be held about you by BLM at any time, there will be no charge for this but we may need to see proof of your identification before we can provide you with access. To make a request for your personal information you can contact us using the details provided above. You may not be entitled to see all the information held about you if an exemption applies. Examples of exemptions include information that: is about another person; may prejudice our regulatory work; is subject to legal privilege. If an exemption applies we will explain the reason for it will tell you if we have removed any information from what we send you.
  • Right to erasure (aka right to be forgotten): this enables individuals to request that we erase the personal information we hold about them. We implement a proactive approach to retention and disposal of personal information whereby it is retained for the minimum period necessary and only where there is a lawful basis to do so. However, you may request that we erase any personal information we hold about you at any time, to do so you can contact us using the details provided above.
  • Right to rectification: this enables individuals to have any incorrect, inaccurate or incomplete personal information corrected, or, ‘rectified’. Our quality assurance processes aim to ensure the personal information we hold is as accurate and up to date as possible, however if you believe that any information we hold about you is incorrect or incomplete then please let us know using the contact details above and we will make every effort to rectify it.
  • Right to restrict: this enables individuals to restrict an organisation from processing their personal information for certain purposes and in certain ways. Should you have any concerns over how BLM may be using your personal information then please let us know using the contact details above. Where we are required to restrict our use of personal information as prescribed by Article 18 of GDPR we will do so at the very earliest opportunity and we’ll also inform any third parties we may have shared information with to do so too.
  • Right to object: this enables individuals to object to their personal information being processed in certain ways and in certain circumstances where the conditions set out in the regulation apply. Where we receive an objection, any processing based on the conditions shall cease unless a relevant exception applies, most relevantly where processing is necessary for the establishment, exercise or defence of legal claims.
  • Right to portability: this gives individuals a right to have their personal information transferred or ‘ported’ to another organisation in a reusable electronic format. The conditions in which the right to data portability applies as prescribed in the GDPR generally do not apply to the processing undertaken by BLM. However, where we have the functionality and capability to provide personal information in an electronic, structured and commonly used machine readable format we will endeavour to do so in the event that we receive such a request.
  • Rights related to automated decision making: we currently do not operate any practices or processes that constitute automated decision making as defined within the GDPR. Should we develop any automated decision making capabilities in the future we will ensure that they comply with the requirements of the regulation and that we implement suitable safeguards to protect the rights and freedoms of data subjects.


Measuring website usage and cookies


We use Google Analytics software to collect information about how our visitors browse and visit our site. We use the information to compile reports and to help us to improve our service. The Google Analytics cookies collect information anonymously, including the number of visitors to our site, where visitors originated from and the links they click within the site. No personal information is collected or stored (for example your name or address) so this information can’t be used to identify who you are. Click here [] for an overview of privacy from Google.

Name Purpose Expiration time
_ga Used to distinguish users, incl. number of visitors and if you’ve visited before. 2 years
_gid Used to distinguish users, incl. number of visitors and if you’ve visited before. 24 hours
_gat Used to manage the rate at which page view requests are sent to the analytics server. 10 minutes


You may see a pop-up cookies message when you first visit A cookie is used to log that you have seen this message, so that it doesn’t show again.

Name Purpose Expiration time
cookieNotification This cookie is used to hide the cookies information banner when you have seen it. No expiry set


We and our advertising partners use cookies and similar technologies on this site and around the web to select and deliver measurable personalised advertising from this site and other advertisers in NextRoll's network.

Google sets the following cookies:

Name Purpose Expiration time
gwcc Allows Google Website Call Conversions - This registers if the visitor has clicked on call within the "contact us" sub-page. This information is used for statistics and marketing purposes. 3 months
IDE Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user. 1 year
Rc::c To distinguish between bots and humans Session
Collect and r/collect Sent to Google Analytics. Tracks visitors across multiple sites based on visitor and device behaviour. Session
Test_cookie to check if the user's browser supports cookies 1 day

Facebook sets the following cookies:

Name Purpose Expiration time
_fbp Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers. 180 days

LinkedIn sets the following cookies:

Name Purpose Expiration Time
lang Identifies language and when you are on LinkedIn Session
bcookie Tracks embedded services 2 years
bscookie Tracks embedded services 2 years
Lidc Tracks embedded services 1 day
UserMatchHistory Re-targets adverts when you are on other websites 29 days


AdRoll sets the following cookies:

Name Purpose Expiration Time
Consent/hod Registers visits to multiple site to measure advisement efficiency of the adverts sent Session



BLM uses a web chat software from Olark Live Chat on our ‘Join us’ page to allow visitors to ask us questions about working at BLM.  Olark Live Chat sets the following cookies:

Name Purpose Expiration time
hblid Identifies a unique visitor between visits 2 years
olfsk Maintains message history across pages 2 years
These are session only cookies used for security purposes, session tracking, software state information and to improve the caching of the software. Session


Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit or

To opt out of being tracked by Google Analytics across all websites visit


If you have any comments about using this site, then please e-mail

Changes to this privacy statement

Technology and data privacy best practice are continuously developing. We therefore reserve the right to revise this Privacy Statement at any time. If this Privacy Statement changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it and under what circumstances we may share it with other parties.