Back to United Kingdom - Solicitors

Data protection, privacy and cybersecurity in London

Bird & Bird LLP

Bird & Bird LLP provides a broad data protection practice, in which 'everyone, from partners to junior associates know their stuff and are very practical in their approach.' Ruth Boardman co-leads the practice and advises on the data protection elements involved in new products and services; she also works on personal data breaches. Fellow co-head James Mullock assists clients with cyber risk mandates, data privacy matters and freedom of information issues; he also handles GDPR compliance and data breach incidents. Gabriel Voisin is an 'excellent' practitioner, who is able to advise under both UK and French law, and possesses expertise in adtech matters and issues relating to online advertising privacy. Legal director Elizabeth Upton is active in the financial services, retail and technology sectors.

Practice head(s):

Ruth Boardman; James Mullock

Other key lawyers:

Gabriel Voisin; Elizabeth Upton


‘We use the services of Bird & Bird Privacy Solutions (external DPO) across Europe. The advice they provide is very consistent in all EU markets which is very attractive to us. We have a relationship partner who helps us comply with the various legal requirements in each market where we operate. This saves us time. We feel safe getting Bird & Bird’s advice.’

‘We appreciate the pragmatic, hands-on approach. There are a lot of good firms but we’ve found that sometimes the quality is uneven, whilst here everyone, from partners to junior associates, not only know their stuff, but are very practical in their approach.’

‘Experts in commercial and technology matters who deliver clear, digestible legal advice and act as an extension of the in-house legal team. Consistently technically able and commercially minded, and able to deliver within expectations.’

‘Our relationship partner is Gabriel Voisin. In addition to being an excellent data privacy practitioner (he can advise under UK and French law and has a great knowledge of data privacy in other EU markets), he is also commercially minded and understands our sector. It is extremely refreshing to work with a solicitor who is able to have conversations with our tech team and speak their language.’

‘James Mullock – impressive data protection expertise, always up-to-date with the fast changing landscape, able to translate complex issues into simple terms.’

Key clients

Mozilla Foundation

Daily Mail Group

Just Eat


The Football Association

The British Horseracing Authority

Colt Telecom

Work highlights

  • Provided support to Mozilla Foundation on all legal aspects relevant to running a convention on the future of the internet, including privacy matters.
  • Advising Colt Telecom on the drafting, approval and implementation of controller and processor BCRs.
  • Assisted WeWork’s US and EMEA legal teams with law enforcement requests, individuals’ access and right to be forgotten requests, privacy by design guidelines and cloud computing issues.

Bristows LLP

Bristows LLP's practice advises on an array of matters in the data protection space including regulatory issues, data breaches, compliance projects and product launches. Mark Watts is the head of team and 'is at the top of the sector' for regulatory and technology matters. He is supported by a strong bench of practitioners, which includes Marc Dautlich, who is active in financial technology matters and the relating data protection issues, and Robert Bond, who is noted for his extensive experience in information security regulatory matters; Bond has also advised on data incidents and cyber attacks in relation to special categories of data. Associate Hannah Crowther has acted on complex issues relating to  biometrics, connected devices and healthtech, and Alex Keenlyside is known for his data protection litigation expertise.

Practice head(s):

Mark Watts


‘Very capable and knowledgeable team with excellent leadership. Due to size managing case load may be challenging at times but this has never been an issue because the quality of the deliverables has consistently been very high. Good at maintaining position as a trusted adviser. I enjoy working with Bristows.’

‘Unparalleled breadth and quality of expertise in the field with an ability to address both data protection compliance issues and contentious privacy litigation.’

‘Bristows’ data protection practice is the best data privacy practice out there — bar none. They are extremely experienced, thoughtful, pragmatic and measured. They have deep professional relationships with a wide swath of organisations in every industry as well as with regulators.’

‘Mark Watts is at the top of the sector for regulatory data protection and tech work.’

‘Marc Dautlich – Marc is always approachable, at the top of his game technically and tailors advice and level of detail so that it can speak directly to the business. We’ve worked with Marc for a number of years now and simply can’t fault the advice and guidance he has provided during that time.’

‘Hannah Crowther is wonderful.’

‘Alex Keenlyside is a new partner and has a stellar reputation for contentious privacy and data protection work. He is at the forefront of the new generation of privacy lawyers and has experience way beyond his years qualification. He is immensely well-liked and trusted by clients, is fully across the relevant law and offers tactically and commercially astute advice.’

Key clients

British Airways




Ascott Hotels




Work highlights

  • Defending British Airways against an enforcement action by the ICO, as a result of a widely reported cyber-hack of its system network.
  • Acting for Google in its appeal to the French Council of State in respect of the CNIL’s fine of €50m.
  • Assisting Twitter with an EU enforcement action brought by the Irish Data Protection Commissioner.


Dentons fields a 'very proactive, thoughtful' team, which is 'sensitive to business needs.' Team head Nick Graham is recognised for his expertise in adtech matters, data protection issues resulting from Brexit. and rights requests and the related litigation. Simon Elliott has advised on international data transfers and contentious data privacy matters. The practice recently gained Antonis Patrikios from Fieldfisher in late 2019; his expertise lies in cybersecurity breaches, contentious data subject requests and adtech mandates. Patrikios has also advised clients on regulatory investigations. Martin Fanning, who is a key contact for privacy law, assists global companies with their data requirements.

Practice head(s):

Nick Graham


‘Good, pragmatic business focus, good knowledge of our business.’

‘Very proactive, thoughtful. Advice is sensitive to business needs as well as legal requirements.’

‘All are very knowledgeable and very well connected to the privacy community.’

‘Nick Graham has been a trusted adviser to us for years. He knows our business well and he and his team always give us reliable, risk-based, pragmatic advice.’

Key clients

John Lewis Partnership

Avis Budget Group

Virgin Management


Essential Living


Worldwide Clinical Trials


Virgin Atlantic

Work highlights

  • Advised John Lewis on strategic data privacy projects and supported its operationalised implementation of GDPR.
  • Acted for Avis Budget Group as a one-stop-shop for all data privacy issues on a global basis including GDPR, CCPA and matters in Australia and other emerging privacy laws.
  • Acted as GDPR adviser for a number of companies within the Virgin family, including Virgin Management (the Virgin TopCo), Virgin Atlantic, Virgin Voyages, Virgin Galactic and Virgin Hotels.


Fieldfisher's team advises multinationals, start-ups, companies and government departments on a broad array of data protection and privacy matters. Hazel Grant leads the team and advises clients in the health and charities sectors; she has also advised the UK government. Grant's practice encompasses handling data compliance work, international data transfers and data retention matters. Phil Lee focuses on data privacy issues and disruptive technologies, assisting clients with data transfer and information governance mandates. Also of note is associate Nuria Pastor, who has experience acting on data breach management issues and advising on GDPR compliance. Cyber security expert Antonis Patrikios left the firm for Dentons in mid-2019.

Practice head(s):

Hazel Grant; Phil Lee

Other key lawyers:

Nuria Pastor; Rehman Noormohamed


‘Rem Noormohamed is a recognised industry leader, and brings his deep understand and prior experience of consultancy delivery together with legal services.’

Key clients


The Publishers Association

Align Technology

IAB Europe




Trend Micro


Hasbro Inc/WOTC

Work highlights

  • Advised Hasbro Inc (and its subsidiaries, including Wizards of the Coast) on GDPR compliance issues and also acting as external, outsourced DPO.
  • Advising dunnhumby on its EU privacy needs, most notably in the area of international transfers, international registrations, product privacy impact assessments, data protection impact assessments and ad tech issues.
  • Advising Upfield on privacy issues following its €7bn separation from Unilever.

Hunton Andrews Kurth LLP

Hunton Andrews Kurth LLP acts on a variety of issues in the data protection, privacy and cybersecurity space including advising on the compatibility of AI and data analytics with data protection laws as well as cybersecurity incidents. The team is jointly led by Bridget Treacy and Aaron Simpson. Treacy is noted for her expertise in advising on cross-border data transfer matters, especially for US clients, while Simpson has advised on GDPR compliance matters and has experience in both the US and EU. Also of note is Rosemary Jay, who assists her clients with privacy issues and matters of confidentiality.

Practice head(s):

Bridget Treacy; Aaron Simpson

Other key lawyers:

Rosemary Jay

Key clients


Google Inc.


TJX Companies, Inc./ TK Maxx

Masergy Communications, Inc.




Work highlights

  • Advised Yahoo! Inc. on all aspects of a cybersecurity attack that compromised approximately 3.5 billion user accounts, including liaising with the ICO.
  • Advised Google Inc. on numerous aspects of EU and U.S. privacy law including matters relating to cutting-edge technologies and associated privacy issues, such as compliance with new and existing EU rulings, corporate restructurings, monitoring work and mobile issues.
  • Advised Verisk Analytics Inc. on its compliance with the GDPR, certification to the EU-U.S. Privacy Shield, registration with various data protection authorities, and other privacy and data security matters, including with respect to data localisation laws, data transfer restrictions and data security requirements as well as breach response efforts.

Linklaters LLP

Linklaters LLP provides a wide range of advice in its practice spanning adtech and AI matters, data investigations, litigation and cyber breaches. Richard Cumbley heads up the team and has acted in data security incidents, privacy litigation and subject access requests. Georgina Kon and Alaister Johnson are also recommended.

Practice head(s):

Richard Cumbley

Other key lawyers:

Georgina Kon; Alaister Johnson


‘The data protection and privacy team is excellent; they’re big enough to deal with major matters and still pitch team members at the right level. As you would expect, they are able to draw upon wider expertise within the firm.’

‘Team members are knowledgeable experts but also down-to-earth and practical. We enjoy working with them a lot.’

‘Georgie Kon and the team are responsive, expert and proactive. I know that I can rely on them to provide expert advice and support, with a pragmatic perspective. I have had excellent recommendations for partner firms as well.’

‘Ben Hagyard and Olivia Grimshaw are very able associates and provide an excellent level of support.’

‘Richard Cumbley is an excellent partner and has given us loads of personal attention (as the work has demanded); he gives calm reassurance at plc board meetings and helps keep on top of things in daily stand-ups between internal and externals when we’ve need to run them for short periods. Richard is flexible and pragmatic and keen to challenge counsel too.’

‘Georgie Kon and Tanguy van Overstraeten are experts in their field who are able to apply their knowledge to different circumstances and help navigate the increasingly complex area of evolving privacy laws and requirements. I feel in safe hands with Georgie and Tanguy, and can rely on their advice and experience to help navigate complex and challenging issues.’

Allen & Overy LLP

Allen & Overy LLP's practice is led by Jane Finlayson-Brown and Nigel Parker, who are both well regarded in the data protection and privacy space. Finlayson-Brown is 'an expert in data privacy law', while Parker is able to combine 'outstanding technical knowledge with great commercial and common sense.' The team advises clients on a wide range of key issues including data protection compliance matters, data ethics, big data work and adtech mandates. The firm is notably active in the retail, hospitality, financial services and life sciences sectors.


‘The team is very knowledgeable about data privacy matters. The advice provided is very practical and business friendly.’

‘The team have strength in depth, and are responsive to queries and requests to instruct. They have worked with us for many years so have in depth understanding of our operations, which is enormously helpful.’

‘I work a lot with Jane Finlayson-Brown. Jane is an expert in data privacy law and I really appreciate her guidance. She is extremely service oriented.’

‘Nigel Parker combines outstanding technical knowledge with great commercial and common sense. He provides pragmatic and commercial advice and is always available when you need him.’

‘We work particularly closely with Jane Finlayson Brown. Jane is helpful and responsive and understands our business.’

Key clients

Co-operative Group

Four Seasons Hotels


News UK




Bank of Ireland

Royal Mail

Axis Bank

Bank of America

Work highlights

  • Advising a global pharma company on all aspects of data privacy.
  • Advising Four Seasons Hotels on a range of data privacy matters globally, including on aspects of its remediation programme to comply with the General Data Protection Regulation, updates to its cookies policy, updates to policies, procedures and contract templates, and adtech advice.

Baker McKenzie

Baker McKenzie acts on cybersecurity issues, GDPR compliance work, new tech matters and data protection mandates. Harry Small is praised for his work advising clients on the multijurisdictional analyses of data protection responsibilities. He is active on the contentious and non-contentious side of data protection issues, and assists clients with the fallout of data security breaches. Julia Wilson is of note for data protection issues arising out of employment matters. In October 2020, Paul Glass joined from Taylor Wessing LLP  to head up the firm's London data protection and cyber practice.

Practice head(s):

Harry Small

Other key lawyers:

Julia Wilson

Covington & Burling LLP

Covington & Burling LLP's team undertakes work across multiple data protection and privacy issues including financial and health security mandates, data transactions and EU data matters. Industry expertise spans the life sciences, media and financial services sectors. Daniel Cooper is a key practitioner, advising clients on e-commerce and technology regulatory issues.

Practice head(s):

Daniel Cooper

DLA Piper

DLA Piper's data protection, privacy and cybersecurity practice is headed up by the 'technically brilliant' Ross McKean and Andrew Dyson. The team provides a domestic and international offering, working with multinational companies on global compliance matters. McKean has broad expertise encompassing security breaches, data governance issues and information security matters; contentious data work is also part of his practice. Dyson, alongside his work on data privacy issues, acts on cybersecurity and e-commerce projects for major international clients.

Practice head(s):

Ross McKean; Andrew Dyson


‘Ross McKean is technically brilliant and understands the value of privacy as a business enabler.’

Key clients

Reckitt Benckiser

Intercontinental Hotels Group






Work highlights

  • Advising Incyte on a global basis on a range of data protection issues, including the implementation of a global whistleblowing hotline and data protection compliance in the context of clinical trials conducted across Europe and Asia.
  • Supported Reckitt Benckiser on the roll out of its global data protection compliance programme, initially focusing on GDPR compliance in the EU, and expanding the programme to cover the US and other overseas jurisdictions.
  • Advising Intercontinental Hotels Group on all aspects of its data protection and e-privacy compliance, including processes and contractual arrangements for engaging vendors, management of personal data breaches, management of data subject rights requests, international data transfers, data protection impact assessments, and strategies for compliance with rules relating to online marketing.

Eversheds Sutherland (International) LLP

The team at Eversheds Sutherland (International) LLP has a 'very good knowledge of what’s going on in industry' and is led by the 'extremely knowledgeable' Paula Barrett, who advises clients domestically and internationally on cybersecurity, record retention and privacy matters. Barrett is supported by Liz Fitzsimons, who goes the 'extra mile for clients' and assists with the contentious and non-contentious aspects of the data arena including providing information regulation and freedom of information advice.

Practice head(s):

Paula Barrett

Other key lawyers:

Liz Fitzsimons


‘In addition to exceptional subject matter expertise, the team has taken the time to develop an excellent in-depth knowledge of our structure. I would also highlight their pragmatic problem solving approach, this translates in the high standard of their work. The team also has very good knowledge of what’s going on in industry, which is really helpful.’

‘I worked mainly with Liz Fitzsimons. She is very professional but also very approachable. She invests the time to understand our queries and make sure that we have all the details surrounding the queries, which is key for data protection matters. She has a pragmatic approach and provides solutions in light of the specific circumstances of the queries. She will absolutely go the extra mile for their clients.’

‘Paula Barrett is extremely knowledgeable and has good connections with the regulators. She provides a very balanced and measured view of any challenge, and stays firm when required regardless of the level of pressure exerted. She’s a brilliant support to have in one’s corner.’

Key clients




Thames Water

Shelby Finance


DWR Cymru Welsh Water


Lineage Logistics



Capital One (Europe)

Kering Group


National Grid

Work highlights

  • Advised one of the world’s largest technology and consumer sector businesses on undertaking a survey of international regulations impacting the client’s operations to enable a better understanding of the risks and remediation that may be required.
  • Supporting Thames Water as its sole data protection and EIR adviser.
  • Assisted Specsavers with its GDPR compliance and have continued to advise on GDPR and e-privacy compliance, including in relation to customer onboarding processes and providing strategic advice on direct marketing.

Hogan Lovells International LLP

Hogan Lovells International LLP acts on a broad range of matters in the data space including handling AI, data breach and online behavioural advertising mandates. Eduardo Ustaran is at the helm of the practice and has been active in the life sciences, retail and financial services sectors. Further expertise for the group lies in advising on global compliance programs and issues relating to connected cars. Nicola Fulford assists clients with international data transfers.

Practice head(s):

Eduardo Ustaran

Other key lawyers:

Nicola Fulford

Latham & Watkins

Latham & Watkins advises its roster of international clients on GDPR compliance, data security and adtech matters. Gail Crawford heads up the team and has notable expertise in cross-border data compliance issues as well as data breaches. She is supported by Fiona Maclean, who acts on GDPR compliance matters and handles cloud migration deals. On the contentious side, Ian Felstead has experience in data protection and privacy actions, acting for both defendants and claimants.

Practice head(s):

Gail Crawford

Other key lawyers:

Fiona Maclean; Ian Felstead

Key clients

Facebook, Inc.

BT Pension Scheme

Ernst & Young

Naked Wines

Daiichi Sankyo


Cain International

Work highlights

  • Representing Facebook globally in a number of regulatory investigations and inquiries into alleged data breaches and alleged instances of non-compliance with relevant data protection laws, and associated civil litigation.
  • Advising BTPS in relation to its national compliance program with the GDPR and local UK data protection law.
  • Advising EY Global Services on global data privacy issues.


PwC LLP's practice acts on a wide range of data protection and privacy matters. Fedelma Good handles a range of matters including regulation and data management work as well as governance issues. As co-head of the non contentious practice, Polly Ralph acts on the full range of matters and heads up the firm's presence in Europe, the Middle East and East Asia. Jane Wainwright is also noted for her depth of experience, advising major clients on data protection and cybersecurity matters.

Taylor Wessing LLP

Taylor Wessing LLP fields 'experts in the field' and is active in the technology, pharmaceuticals, healthcare and financial services sectors. The practice group provides advice on GDPR compliance programs, cyber breach responses and regulatory investigations. Vinod Bange co-leads the team and acts on cyber security strategies and has advised on the data protection and privacy implications of Brexit. Graham Hann also leads the group alongside Chris Jeffery, who is noted for assisting US clients with EU data obligations.


‘They are experts in their field and any question asked is regarded professionally. No problem is too small.’

Key clients

River Island

Babylon Healthcare Services

iRhythm Technologies Inc

Davita International limited

Emirates National Bank of Dubai


Burger King UK Limited


The Office Group


Work highlights

  • Advised River Island on the data protection and marketing-related aspects of the launch of its new brand, Harpenne.
  • Advising Babylon Health on the data protection aspects of its $550m investment.
  • Advised iRhythm Technologies Inc on preparing and submitting its Privacy Shield certification application to the US Department of Commerce.

Clifford Chance LLP

Clifford Chance LLP's practice is led by Jonathan Kewley, who has a specialism in acting for businesses with a focus on the technology, data and IP sectors; Kewley has also advised companies and governmental organisations on data protection and cybersecurity issues. Samantha Ward acts on the contentious side handling regulatory investigations, enforcement matters and cyber incident response programs; her clients include corporations and financial institutions. Kate Scott is noted for advising on data scraping issues, AI exposures and facial recognition technology.

Practice head(s):

Jonathan Kewley

Other key lawyers:

Samantha Ward; Kate Scott

Key clients

News Group Newspapers


Work highlights

  • Acting for News Group Newspapers (NGN) in civil litigation defending hundreds of claims for misuse of private information (largely personal data) relating to voicemail interception and other unlawful information gathering at the News of the World and The Sun.
  • Advising a major airline on claims, quantum and strategy relating to the unauthorised data-scraping of its website by certain online travel agents located in England and Europe.
  • Advising a multinational venture capital firm on its global data framework and implementation programme.


CMS has a 'deep understanding of all relevant data protection laws' and provides advice regarding ICO investigations, compliance work and breach responses. Emma Burnett and Stephen Tester jointly head up the practice; Burnett has the 'ability to make complex concepts clear' and assists with data protection, cyber and adtech issues, while Tester's primarily focuses on cybersecurity matters, acting across multiple jurisdictions on system failures and undertaking breach responses for major clients.

Practice head(s):

Emma Burnett; Stephen Tester


‘They know their law, they know the market, they have the ability to provide solutions not just give advice.’

‘Having been one of the early firms to create a global incident response service, that service is now one of the best we use. It operates seamlessly to provide global advice in short time frames and without incurring massive costs. The team has built up masses of experience and is excellent at using that experience to develop new talent; much needed in this growth space.’

‘The Data Privacy team at CMS has a deep understanding of all relevant Data Protection laws and are able to find commercially appropriate advice for all situations.’

‘Emma Burnett – real ability to make complex concepts clear and patience to ensure you understand and can apply the law accurately and develop internal policies and procedures confidently.’

Key clients

The British Computer Society

Work highlights

  • Advised The British Computer Society (BCS) on the GDPR issues related to the assessors who undertake certification of BCS members.

Harbottle & Lewis LLP

Harbottle & Lewis LLP advises clients in the entertainment and consumer sectors, assists with adtech matters and handles contentious data subject access requests. Gerrard Tyrrell advises domestic and international clients on the protection, exploitation and security of information, while John Kelly acts for clients in the entertainment and sports sectors on data removal matters.

Other key lawyers:

Gerrard Tyrrell; John Kelly

Key clients

Virgin (Virgin Atlantic Airways and Virgin Holidays)

The Pokémon Company International

Diageo Plc

Comic Relief

O’Reilly Media

The Publishers Association

De Beers Group



Harry Potter Theatrical Production

The Ozone Project

Work highlights

  • Advise the Ozone Project, a digital advertising platform owned by major news publishers including the Guardian, News UK and the Telegraph, on data privacy matters and vendor contracts.
  • Advising O’Reilly on the full range of its GDPR compliance obligations.
  • Advising Havas on data privacy issues for its portfolio of UK agencies (including CAKE, Havas London, Havas Media, Arena Media, Havas Helia, Field Day, Superhero and Targetmedia).

Herbert Smith Freehills LLP

Herbert Smith Freehills LLP fields a 'superb practice' which offers 'fantastic attention to detail and substantive legal know-how.' Miriam Everett co-leads the team and works with domestic and international clients in the automotive and media sectors, advising on a variety of issues including global compliance work, disaster recovery efforts, data retention issues and data breaches. Andrew Moir acts as head of cybersecurity and has a background in electronics and software engineering; he assists with all aspects of data security mandates. Nick Pantlin heads up the firm's TMT and data group, and Christine Young works on cross-border data protection issues.


‘Great depth of knowledge in data privacy matters, particularly in relation to data subject access requests arising in the context of employment disputes. Superb joined-up thinking between employment and data protection/cybersecurity experts.’

‘Fantastic attention to detail and substantive legal know-how. A superb practice.’

‘Andrew Moir – amazing IT technical knowledge that complements his legal practice.’

Key clients

Hays plc


Bank Hapoalim


Royal Mail

The Big Exchange




ITOCHU (Kwik-Fit)

Work highlights

  • Advised ClearBank on the data protection arrangements arising out of its partnership with Tide, a digital challenger bank to develop a banking services platform aimed at the SME market.
  • Advised Block.One in Hong Kong on the data, cyber and privacy implications of its newly launched EOSIO Testnet, a next generation, open source blockchain protocol.
  • Advising The Big Exchange on data compliance and exploitation issues arising out of the establishment of a high-profile customer-facing platform which included a blockchain-based ethical investment function.

Norton Rose Fulbright

Norton Rose Fulbright fields a broad practice, which handles data breaches, data subject requests, export solutions and data storage mandates. Marcus Evans heads up the team and displays expertise in cross-border data matters including compliance and regulatory issues. In addition, he advises on software licensing and e-commerce work. Evans is supported in the practice by Lara White, who acts on media and retail-related data protection and privacy matters. The team gained data protection specialist Janine Regan from Bristows LLP in late 2019 .

Practice head(s):

Marcus Evans

Other key lawyers:

Lara White; Janine Regan

Key clients


Bank of Montreal


Cathay Pacific

Chicago Metal Exchange

CNA Hardy


Guy Carpenter




Legal Utopia

Lucozade Ribena Suntory

Marsh McLennan

Mitsubishi Electric





Qantas Airways


T Rowe Price


Work highlights

  • Advised Carlsberg UK on the ePrivacy and direct marketing law implications of Carlsberg UK’s high-profile 2019 advertising campaign.
  • Provided multijurisdictional advice on Newegg’s global expansion project.
  • Advising Mitsubishi Electric Corporation (MELCO) and Mitsubishi Electric Europe (MEU) on global exports of personal data within various EEA jurisdictions.

Orrick, Herrington & Sutcliffe (UK) LLP

Orrick, Herrington & Sutcliffe (UK) LLP has an 'outstanding' practice which 'can always be relied on to provide timely, pragmatic and commercial advice' across contentious and non-contentious data protection mandates. Keily Blair heads up the team and handles litigation matters, with expertise in pre and post-data breach investigations conducted by the ICO. The 'exceptional' James Lloyd acts on cybersecurity issues, privacy investigations and enforcement work.

Practice head(s):

Keily Blair

Other key lawyers:

James Lloyd


‘I am aware of them because James Lloyd. He is a very respected and able data protection lawyer and I understand he is building a dedicated team at Orrick.’

‘The Data Protection, Privacy & Cybersecurity team at Orrick are outstanding. The team are extremely knowledgeable and can always be relied on to provide timely, pragmatic and commercial advice. They act as strategic business partners supporting our Legal, Privacy and Executive teams on a regular basis, working collaboratively to resolve problems in a way which minimises risk whilst also supporting the business to grow sustainably in an ever increasingly complex world.’

‘Subject matter expertise and ability to understand and interact with companies’ culture and capabilities, recognising a one size fits all approach doesn’t work.’

‘We work most closely with Keily Blair and James Lloyd and find both advisers to be exceptional. They work well together, each providing their own perspective and individual skills to the work they do for us. Under Keily’s leadership they have built an excellent practice at Orrick and we look forward to continuing to work with them both in future years.’

Key clients

Microsoft Corporation

W.W. Grainger Inc.



Juniper Networks

NVIDIA Corporation

Superawesome Limited


Go Pro

Fidel Limited

Work highlights

  • Advised underwriters Morgan Stanley & Co. LLC, J.P. Morgan Securities LLC, RBC Capital Markets LLC, Allen & Co. LLC, KeyBanc Capital Markets Inc., Piper Jaffray & Cos., William Blair & Co. LLC and BTIG LLC, on the initial public offering of unicorn PagerDuty, a San Francisco-based developer of an incident management platform designed to manage digital operations for businesses.
  • Advised Michelin on its acquisition of the Masternaut Group from majority owners Summit Partners and Fleetcor Technologies.
  • Advised Fidel, a UK based company which makes transactional data accessible through a single access point so businesses can create web and mobile applications using real-time payment data, on its $18m Series A financing.

Osborne Clarke LLP

Osborne Clarke LLP handles matters involving cyber incident responses, the data aspects of marketing activities and GDPR advisory work. The firm also possesses a cross-border capability and primarily advises technology, manufacturing and energy sector clients. Mark Taylor leads the team and provides expertise in data breach matters as well as cybersecurity issues. Litigator Ashley Hurst has contentious data privacy and cybersecurity experience.

Practice head(s):

Mark Taylor

Other key lawyers:

Ashley Hurst

Key clients




Western Power Distribution (WPD)


OATH (previously Yahoo! EMEA)



Wirecard Group

Virgin Experience Days

UK Power Networks

Beiersdorf (Nivea)


Automattic (WordPress)


Work highlights

  • Advising the divisions of Oath (Yahoo, AOL, HuffPost, TechCrunch) on cutting edge data protection and privacy issues relating to the use of information and personal data across a number of platforms, including support regarding engagement with regulatory authorities.
  • Advising Wirecard Group, which provides mobile payment technologies to a variety of household-name mobile phone networks in the UK, across Europe and across Asia, on a variety of complex data protection issues relating to its transaction and payment processing delivery models.
  • Advising TripAdvisor on a range of contentious and non-contentious data privacy work, including in relation to its GDPR implementation, contentious subject access requests and discrete issues.

Paul Hastings LLP

Paul Hastings LLP has 'vast experience in the field and acts with great determination and conviction'. The practice is led by the 'impressive' Sarah Pearce, who advises start-ups and public sector organisations on a variety of data protection and cyber security issues. Recent highlights include handling data breaches and compliance issues and advising on the risks related to data collection and use.

Practice head(s):

Sarah Pearce


‘The Paul Hastings team is the equal of any data protection, privacy and cybersecurity practice I have seen.’

‘Sarah Pearce’s team appears to hold vast experience in the field and acts with great determination and conviction, and always with the client’s business in focus.’

‘Sarah Pearce is a true expert within the field. Like her team, she acts fast, effectively and is a great communicator to the benefit of both clients and cooperation partners. Her experience as well as her business acumen make her stand out.’

‘Sarah Pearce in particular is very impressive, responsive and easy to deal with.’

Key clients

American Express

Work highlights

  • Assisting a large US multinational financial services corporation with all data protection matters, including large scale projects and ad hoc queries.
  • Advising Jacobs Engineering Group on data protection issues relating to its acquisition of Wood Group’s Nuclear business in the UK, Europe, and the Far East for £250m.
  • Assisting Intel Corporation with data protection matters, notably compliance exercises in the context of acquisitions involving data-rich technology companies globally.

Pinsent Masons LLP

Pinsent Masons LLP is 'widely recognised in the industry' for its full-service data protection practice. Key partners include TMT disputes head David Barker, who has expertise in cybersecurity and data protection litigation including data breach issues and right to be forgotten litigation. Clients include major technology companies, retailers and automotive companies. Claire Edwards is global head of information law for the firm and has 20 years experience in the area.

Practice head(s):

Claire Edwards; David Barker

Other key lawyers:

Jonathan Kirsop


‘Highly experienced and knowledgeable. Good technical understanding of the sector.’

‘Hugely respected and experienced team with probably the most contentious data privacy experience of any firm around due to their work in a series of leading cases for Google. Their experience stands them is great stead and means that they are across the key legal developments in a rapidly evolving area of law.’

‘Pinsents are now widely recognised in the industry as having a leading risk advisory data protection, privacy and cybersecurity practice. David Barker has few peers for his expertise, insight and tactical acumen. You don’t get clients like his without being at the very top of your game. And he is very ably supported by an outstanding team. Indeed, the overall strength of the team is without parallel.’

‘David Barker is a well-known privacy specialist, who has deep knowledge of the area and is acting in probably the highest-profile DP case of 2019.’

‘David Barker – partner, outstanding. One of the best solicitors I have ever worked with. Always adds value.’

Key clients

Google LLC

Tesco Stores Ltd


Honda Motor Europe Ltd

Dixons Carphone plc

Open Data Institute


Liberty Mutual

Visa Europe

Post Office

Tesco Bank

JD Sports


LK Bennett

The Jockey Club

AO Limited


Work highlights

  • Advised Dixons Carphone plc. on its 2018 data security incident and various related matters including a regulatory investigation and ongoing appeal of the ICO’s Monetary Penalty Notice.
  • Acting for Google LLC in Lloyd v Google, a landmark £3bn+ case in the field of data privacy class actions.
  • Advising Honda on data protection and electronic privacy issues relating to its connected car services.

Reed Smith LLP

Reed Smith LLP's team has the 'required expertise and guidance, along with timely support' to provide 'solution-focused approach coupled with a clear commitment' to its data protection clients. The firm is present in multiple sectors including the life sciences, transport and financial services industries. The team is headed up by Cynthia O’Donoghue, who acts on the full range of data protection matters. Elle Todd is also of note, and regularly advises on data compliance and breach management issues.

Practice head(s):

Cynthia O’Donoghue

Other key lawyers:

Elle Todd


‘The Reed Smith team have become an essential part of our operation, providing a level of required expertise and guidance, along with timely support that has greatly assisted the commercial growth of our business. They understand our market, they understand our business and crucially they also understand the operations of our clients and as such can provide a practical resolutions for all issues.’

‘We have been able to develop a close working relationship with all the members of the Reed Smith team. I have been hugely impressed how they provide support for each other, which has also ensured consistency in communication with our clients. At an individual level it is clear that they are committed to the success of our business, providing practical hands on support and leading critical conversations. Their solution focused approach coupled with a clear commitment to what we do has meant the timely conclusion to important commercial discussions.’


RPC has 'excellent industry contacts' and advises on a broad range of data protection matters, fielding specialist partners across the data arena. Jon Bartley leads the data protection advisory team, advising on e-commerce regulation and consumer law. Richard Breavington manages the firm's cyber insurance and breach response team; clients claim he is 'excellent at litigation strategy'.


‘Broad team that specialise in all elements of risk management that arise from high-scale cybersecurity breaches. Excellent industry contacts with PR teams, technical IT consultants. Key capabilities include assisting with ICO investigations. Knowledgeable in matters of risk and compliance specifically cyber security issues and always on hand to assist in addressing both straightforward and complex queries – happy to accommodate client requests for meetings on short notice and readily available to chat over the telephone to discuss complex matters as well as via written communication. Aware of the client’s goal, providing sound legal advice and expertise and work with professionalism and firm approach to achieve these desired client outcome.’

‘Jon Bartley has provided assistance with all of our major data protection queries over the last few years and provides his advice in a way that sees him fit seamlessly with our in-house legal and wider commercial teams.’

‘We work with are Richard Brevington. Richard is excellent in litigation strategy.’

Key clients

McArthurGlen Group

Board Intelligence

Marketing VF Limited

Associated Newspapers Limited

News UK & Ireland Limited

Paddy Power Betfair

Work highlights

  • Advising a social media company on complex global data protection issues including negotiating high-value deals with third-party processors, drafting contract amendments in preparation for Brexit and advising on the impact of incoming ePrivacy regulation.
  • Advising a high-profile beauty retailer on various matters including the processing of sensitive customer health data to deal with adverse reactions, parental consents, collection of in-store marketing consents, intra-group data sharing and other issues.
  • Supporting a technology company in response to a ransomware data breach.

Simmons & Simmons

Simmons & Simmons is praised for its advice to major clients in the UK and internationally on a broad array of data protection matters. Team head Alexander Brown is a member of the firm's information, communications and technology team; he regularly advises on data protection matters concerning the deployment of digital technology. Lawrence Brown is also active in the team, working on cross-border data compliance matters.

Practice head(s):

Alexander Brown

Other key lawyers:

Lawrence Brown

Key clients


Telefonica UK (O2) / giffgaff





DXC Technology

Pacific Investment Management Company, LLC (PIMCO)

Roland Europe Group Limited

Check Point Software Technologies Ltd

Work highlights

  • Advising O2 on data protection compliance matters.
  • Advising Huawei’s operations in China on data protection compliance and data / cyber security requirements.
  • Assisting HSBC with establishing its global data sharing framework across approximately 70 countries including drafting its group data sharing agreement and the specific data sharing schedules which sit within that agreement.

Travers Smith LLP

Travers Smith LLP 'excels at keeping up to date with developments' and Dan Reavill focuses on data protection and cyber security issues, which includes matters relating to information security and confidentiality. Louisa Chambers is also notable in the practice, working on data protection, privacy and marketing issues, while James Longster is an expert in IP and data protection work including mandates involving cross-border data transfers.

Practice head(s):

Dan Reavill

Other key lawyers:

Louisa Chambers; James Longster


‘Up to date on latest trends and developments, pro-active, coupling deep understanding of legal side with understanding of business needs.’

‘While data privacy is a constantly moving landscape, the Travers team excel at keeping up to date with developments and market approach and delivering practical, and usable, advice to clients.’

‘Great team with agile and pragmatic lawyers that are ready to find practical and business friendly solutions. The advice is succinct and to the point, no unnecessary fluff. Good industry knowledge and incredibly responsive. They will jump on a call on very short notice and provide spot on advice.’

‘James Longster: Approachable, intellectually curious, always a fast response, genuinely interested in the business, industry and always eager to learn.’

‘Dan Reavill is our relationship partner and he stays on top of the account, not just managing the relationship but making sure he stays in the front line. Amazing response times and very aware of business needs of clients as well as the practical implementation of legal matters.’

‘Louisa Chambers – calm considerate advice given, great understanding of commercial needs of clients.’

Key clients


Micro Focus



Love Holidays

Brewin Dolphin


STA Travel

M&G Prudential

Reed & Mackay Travel Limited

Ambassador Theatre Group


Work highlights

  • Advised Love Holidays on the data protection implications of a high-value dispute with a third party data supplier.
  • Advising Selfridges on how to ensure that all aspects of its digital marketing practices remain compliant with data protection law.
  • Advising SportTech start-up Sportlight, a sports analytics business, on its GDPR compliance.

Womble Bond Dickinson (UK) LLP

Womble Bond Dickinson (UK) LLP acts for public sector clients including various London boroughs, financial services companies and retailers. The group's expertise extends to regulatory and contentious matters at a domestic and international level, including cross-border work. Andrew Kimble leads the team, serving as a key contact for several of the practice's high-profile clients; he works on data outsourcings, security breaches and international data transfer matters. Mark Gleeson is active in data privacy matters for private and public sector clients.

Practice head(s):

Andrew Kimble

Other key lawyers:

Mark Gleeson; Peter Given


‘Great data protection knowledge and expertise. I would recommend Pete Given and Andy Kimble.’

Key clients


NHS Digital

B&Q/Kingfisher plc

Work highlights

  • Instructed by a client to remediate approximately 660 agreements which concern the processing of personal data, in order to achieve compliance with the requirements of the GDPR.
  • Instructed by a global provider of digital services to advise on a number of issues relating to compliance with the Network and Information Systems Regulations 2018.
  • Advising AIG in relation to data protection advisory work.

Acuity Law

Acuity Law acts on a broad array of data protection, cyber security and freedom of information matters. Associate Lowri Morgan-Macdonald is recommended for her work on subject access requests, GDPR adherence and data protection advice related to corporate transactions.

Other key lawyers:

Lowri Morgan-Macdonald

Key clients

Progressive Technology Solutions Limited

Creditsafe Business Solutions Limited

University of Bath

Jurassic Fibre Limited

Trinity Brands UK Limited

Work highlights

  • Advising Creditsafe on its cross-border data protection compliance, particularly in relation to transferring personal data from and to the UK after Brexit.
  • Providing regular advice to Jurassic Fibre Limited in connection with its multi-million pound ultrafast full fibre-optic broadband network across Devon, Somerset and Dorset including assisting with data protection compliance.
  • Providing ongoing support and day-to-day advice on all matters relating to the business operations of Trinity including advising on data protection compliance, data sharing agreements, employee privacy statements, data protection policies, IT policies, subject access request policies and transfers of personal data outside of the UK/EEA.


Ashurst advises high-profile energy, rail and automotive clients across the UK. David Futter heads up the team and assists with data protection and technology transactions, while Hiroyuki Iwamura focuses on advising Japanese clients on their data protection and privacy needs, including cross-border data transfer issues. Counsel Gita Shivarattan is highlighted for her work on GDPR compliance programs, data breach reporting issues and data subject rights requests.

Practice head(s):

David Futter

Key clients

Virgin Trains

McLaren Automotive

Thomas Cook (in administration), KPMG and Alix Partners, Insolvency Service (as special managers to the administration)

JPI Media (Johnston Press)

General Atlantic

Commonwealth Bank of Australia


Intermediate Capital Group plc

SVS Securities plc

Oak Hill Capital Management

Conrad Energy

Asto Digital

Keolis Amey

Work highlights

  • Advised the Official Receiver and both Alix Partners and KPMG, which acted as Special Managers, in relation to a full remit of data protection advice relating to the compulsory liquidation of 26 Thomas Cook UK entities.
  • Advised Asto Digital on its white labelled partnership agreement with eBay UK, design of customer on-boarding flow for mobile app registration, advice in respect of data protection impact assessments regarding the use of biometric data and guidance on legitimate interest assessments for social media use and direct marketing.
  • Advised West Coast Trains Ltd in respect of the transfer of the franchise and operating data to the incoming provider franchisee.

Bates Wells

Bates Wells possesses an 'excellent understanding of data protection and security that it is able to translate in to practical and proportionate advice'. The team is led by Victoria Hordern, who represents public and private sector clients in the UK and globally on a host of data protection and privacy matters, with a particular focus on the charities sector. Melanie Carter is also recommended, with experience advising clients on data requests and GDPR compliance.

Practice head(s):

Victoria Hordern

Other key lawyers:

Melanie Carter


‘Victoria Hordern and her team fully understand the context in which professional regulatory and public sector bodies operate. The team are quick to respond to queries and are excellent at providing advice on short notice, when required. From a management perspective they stick to estimates in terms of costs and times and consistently meet deadlines. As a client you feel that they are very much alongside you in the handling of a matter, not just an external adviser.’

‘The BW team have an excellent understanding of data protection and security that they are able to translate in to practical and proportionate advice. Very reliable and down to earth.’

‘Data privacy laws are extensive and complex, this team is extremely well informed and willing to remain practical about the applicability of the law while ensuring that the policies are appropriately adjusted for the organisation with which they are working.’

‘They have excellent knowledge of FoIA and its application, completing a detailed analysis of an organisational structure to identify whether FoIA applied to us.’

‘Victoria Hordern, Partner, is an exceptional data protection and privacy lawyer, who consistently provides solution focused, pragmatic advice which is nuanced to the specific circumstances of the client. She is responsive, helpful, professional – a true trusted adviser and a pleasure to work with.’

‘Victorian Hordern is extremely knowledgeable of the GDPR requirements and how each measure should be applied within an global company.’

Key clients


Cruelty Free International

Stroke Association

Royal College of Veterinary Surgeons

In Kind Direct

London & Partners


Times Newspapers

National Audit Office

Medecins Sans Frontieres (MSF)

Work highlights

  • Advised Royal College of Veterinary Surgeons on its powers to make information requests which are vital to its regulatory role, and the legal basis for doing so.
  • Advised the Stroke Association on the privacy implications of communications with stroke survivors, its key stakeholder/beneficiary group.
  • Advised CiLEX on the data privacy implications of its internal group relationships, in particular in relation to current and future operations.

BCL Solicitors LLP

BCL Solicitors LLP is a 'hardworking and lateral-thinking firm' which advises on law enforcement data requests, cyber attacks and GDPR compliance. Michael Drury leads the team; his role as former Legal Director of GCHQ has given him a unique insight into the field of investigatory powers, cyber security and data protection. The 'competent, clever' Julian Hayes is also recommended for his work on data regulation matters and cross-border data transfers.

Practice head(s):

Michael Drury

Other key lawyers:

Julian Hayes


‘BCL is one of the very few firms that is able to properly advise clients in the area where data protection issues overlap with the criminal law. Most data protection specialists don’t know anything about the criminal law and most criminal lawyers don’t know anything about data protection – what they offer is therefore unique.’

‘BCL is a hardworking and lateral-thinking firm which makes good use of its contacts in other countries to provide the best possible advice to its clients with cross-border criminal / regulatory issues. Because of BCL’s connections with US law firms who act for large social media companies in the US, they have exposure to some really cutting edge data protection/GDPR work in this area.’

‘I have primarily dealt with Julian Hayes. Julian has his finger on the pulse when it comes to data law developments and is very well placed to advise in the growing area of where data law issues overlap with criminal matters. He is gentle but fiercely intelligent. I have also worked with Michael Drury. Michael is the doyenne of national security law and provides a unique angle from which to advise on data protection matters given this background.’

‘In the first place, I work with Julian Hayes, who is very competent, clever and also very nice to work with, because he is very reliable and always friendly. He has a keen interest in the area of data regulation and privacy. BCL have published quite a lot of articles about regulatory developments in this field.’

Bryan Cave Leighton Paisner LLP

Bryan Cave Leighton Paisner LLP provides 'excellent all-round coverage from practical, well-rounded individuals' including team head Kate Brimsted whose 'advice is always professional and clear' concerning contentious data privacy matters and cybersecurity issues; she also sits on various panels for data. Oran Gelb's focus is on data litigation and regulatory investigations.

Practice head(s):

Kate Brimsted

Other key lawyers:

Oran Gelb


‘Excellent all-round coverage from practical, well-rounded individuals.’

‘We primarily work with Kate Brimsted. Kate is always quick to response which we value very much specifically when we deal with sensitive issues surrounding privacy, data and clients claims which in a lot of cases require us to provide a response in very short intervals. Kate’s advice is always professional and clear. The communication is great and the advice we receive is always appreciated both in the way delivered to us as well as in substance. It is apparent that Kate is able to combine her legal knowledge with the understanding of our business.’

‘First-rate minds matched to a down to earth approach.’

Key clients

Apto Payments

Arup Group

British Association for Screen Entertainment Limited (operators of Find Any



Heathrow Airport

Ingage IR Limited

London Stock Exchange


Royal College of Midwives

Royal Mail plc

Royal United Services Institute

Singapore Press Holdings Ltd

Stifel Financial

World Gold Council (UK)


Work highlights

  • Advised Panavision, Inc on a revamp of its business and consumer-facing websites, including in relation to GDPR, ePrivacy and California Consumer Protection Act.
  • Advised a global logistics group on the legal considerations arising in the context of the design and implementation of a cybersecurity improvement programme.
  • Advised an online foreign exchange sector organisation in the online forex sector on the data privacy implications of the launch of a new service in the UK, partnering with certain brands in order to provide VAT refund services for consumers.

DAC Beachcroft LLP

DAC BEACHCROFT LLP 'provides down-to-earth, pragmatic and commercial data protection legal advice' with notable strength in the insurance and financial services sectors. The team also advises on cyber incidents and data breaches. Rhiannon Webster heads up the practice's information law group, and is 'extremely knowledgeable' on cross-border transfers of personal data and general compliance work. Hans Allnutt heads up the cyber risk and data risk group, responding to data breach incidents. Jade Kowalski advises on data sharing arrangements and big data initiatives.


At the same time as being extremely knowledgeable in their subject matter area, the team provides down-to-earth, pragmatic and commercial data protection legal advice. They are able to identify key issues quickly and explain them effectively both to hard pressed members of in-house legal departments and business stakeholders. The team understands the challenges of the in-house environment and the challenges of the in-house lawyers that they support.’

‘DAC is a diverse and technically very able City based practice.  I have engaged with two areas of their practice and both have demonstrated the same ethos, client focus and flexibility to meet client requirements. DAC is particularly strong in data protection; they are experts who can explain difficult concepts in a way that is understandable to non legal minds. Above all, they are available and committed.’

‘Excellent data protection law knowledge, detailed knowledge of particular sectors (insurance and health), pragmatic and commercial advice, very responsive and friendly.’

‘Rhiannon Webster, the lead partner in the team, is extremely knowledgeable, but keeps her advice digestible and risk-based. Very approachable, personable and effective. Other key members of the team, Jade Kowalski.’

‘Rhiannon Webster and Jade Kowalski have been hugely pivotal in support given to our organisation over the past few years. They both provide practical, real world advice and ensure that the advice they provide covers questions we haven’t yet asked.’

Key clients

Information Commissioners Office





NHS England

BMI Healthcare

Cumbria, Northumberland, Tyne and Wear NHS Foundation Trust


NHS Professionals (NHSP)

Work highlights

  • Assisting the ICO with The Sandbox project, which is currently in its beta phase, and has been running since May 2019 and involves the ICO supporting 10 organisations which are proposing to introduce innovative solutions which often involve high risk processing of personal data, whilst delivering a public benefit.
  • Advising an enforcement and collections service to UK government bodies in relation to reviewing and assisting with a major outsourcing contract with HMCTS, in particular, the complex data protection related clauses in the framework agreement.
  • Provided various ad hoc data protection advice to ICAEW including in relation to international transfers, subject access requests, data sharing clauses, privacy policies, lawful bases for processing and the application of exemptions.

Deloitte Legal

Deloitte Legal's team includes 'true specialists in the field', who work with startups, SMEs and charities on various issues including emerging technologies, compliance and cybersecurity matters. The team is jointly led by Anita Bapat and Emma Wright; Bapat acts on employee and customer data issues involving the management of employee data as well consumer data protection requests, while Wright handles cybersecurity issues arising in the transport and infrastructure sector. Marta Dunphy-Moriel is noted for her expertise in helping UK-based and international clients achieve compliance with GDPR. Please note that client names cited may refer to work undertaken by lawyers prior to the team joining Deloitte.

Practice head(s):

Anita Bapat; Emma Wright

Other key lawyers:

Marta Dunphy-Moriel


‘True specialists in the field. Regulatory knowledge coupled with practical guidance to steer a path through the differing issues. Depth of bench and nuanced expertise means every angle is covered.’

‘We are a digital business; this team have a really informed view of what we need to take into account to remain compliant. They always give examples and provide suggestions which helps us, and our clients, to make informed choices.’

‘Emma Wright – shows keenness to understand our business and how to tailor her advice to us. Has bucketloads of experience and pragmatism to get things done.’

Key clients

Dentsu Aegis Network

Knight Frank






Princess Yachts


Daily Mail

Work highlights

  • Advised DAN (Dentsu Aegis Network) on a variety of data protection issues.
  • Supported Knight Frank on Privacy and Data Protection mandates.
  • Appointed by the Department for Digital, Culture, Media & Sport (DCMS) to deliver the London Office for Rapid Cybersecurity Advancement (LORCA), a three-year innovation programme aimed at scaling the cybersecurity solutions needed most by industry.


DWF has been building its data protection credentials in recent months with the additions of the well-regarded Stewart Room, who joined as global head of data protection and cyber security in February 2020, and James Drury-Smith, who followed his former PwC LLP colleague to the firm in April to take up the post of UK national leader of privacy and cyber security. The London-based duo work with a Manchester team led by JP Buckley .

Practice head(s):

Stewart Room; JP Buckley

Other key lawyers:

James Drury-Smith; Andrew Harris

Key clients

Roofoods Ltd (Deliveroo)

Touchstone (Leeds-based charity)

Colony Capital Investment Advisors LLC

Northway Mushrooms

WM Morrison Supermarkets Plc

British Airways Plc

Work highlights

  • Assisted Deliveroo’s privacy team with matters including data subject rights requests, regulatory requests and advisory work on innovative projects.
  • Supported Touchstone with its privacy and data protection compliance programme, undertaking an adequacy audit, providing remediation advice and advising on multi-agency data sharing arrangements, and arranging for practical and engaging training to staff.
  • Assisted Colony Capital Investment Advisors by undertaking a contract remediation project which involved a GDPR update of all relevant contracts and negotiations.

Farrer & Co

Farrer & Co is singled out for its ability to 'consistently provide exceptionally high levels of service'. Henry Sainty leads the team and acts on data protection and freedom of information matters for clients in the retail, sports and education sectors. He is supported by Ian De Freitas, who possesses a 'depth of knowledge and confidence' in ICO investigations and data breach work. Senior associate Owen O’Rorke is 'unequivocally recommended' for his expertise in contentious and non-contentious data protection work including ICO investigations and subject access requests.

Practice head(s):

Henry Sainty

Other key lawyers:

Ian De Freitas; Owen O’Rorke


‘Farrer & Co consistently provide exceptionally high levels of service and account management at all times. All members of the team that we work with are knowledgeable, efficient and provide consistently high quality work. The firm also provides opportunities to hear about the latest developments in the sector through high quality events and bulletins.’

‘We tend to engage Farrer & Co when we hit something new: no case law; no definition; no regularly guidance, looking for a practical steer as to how to meet our obligations and practically move forward.’

‘Owen O’Rorke. The epitome of a knowledgeable, approachable, and diplomatic associate. He has supplied reliable and workable advice to the private schools sector since the inception of GDPR. Unequivocally recommended.’

‘Ian De Freitas – has the depth of knowledge and confidence to convince your senior management that GDPR is not the devil and compliance is both achievable and beneficial; no mean feat.’

Key clients

Telegraph Media Group

Japan House

Professional services providers including Vistra Group and Logicalis

J.P. Boden & Co. Limited

Lawn Tennis Association

Lonely Planet

Rhodes Trust / Schmidt Science Fellows

esure Group plc

Eton College

Mayor of London

Work highlights

  • Worked with the Telegraph Media Group on GDPR compliance issues such as programmatic advertising and the use of cookies and special category data, strategic marketing partnerships, as well as customer rights (transparency, right to be forgotten, subject access) and employment data issues.
  • Advising the Lawn Tennis Association on numerous data protection matters arising from its relationships with clubs, counties, coaches and players, in particular in an information sharing and safeguarding referral context, as well as on data protection policy matters (including cross-organisation data sharing agreements) and direct marketing compliance.
  • Advising the esure Group on its no-deal Brexit preparations in the context of GDPR and its network of suppliers in the European Union.

Lewis Silkin LLP

Lewis Silkin LLP acts across the UK and internationally, advising clients across the advertising and marketing, technology and retail sectors on a wide variety of data protection issues, including data breaches, regulatory investigations and the adoption of global privacy strategies. The team is co-led by Alexander Milner-Smith - who has particular experience of data regulatory issues in the EU and UK, data breaches and the management of data subject requests - and Bryony Long, who focuses on work in the marketing and advertising sectors, including the collection and commercial exploitation of user data.

Key clients

Omnicom Group





Harvey Nichols



Work highlights

  • Advised Deliveroo on a large-scale review of its privacy compliance and implementing a data governance framework.
  • Advising TWBA within the Omnicom Group on the re-negotiation of its DPA with one of its clients and implementing a complex intra-group data sharing arrangement across the DAS network.
  • Advised Cineworld on various data protection issues including on its intra-group data sharing arrangement, the structuring of its membership service offering to ensure compliance with direct marketing regulation and advising on profiling data subjects for marketing purposes.

Mishcon de Reya LLP

Mishcon de Reya LLP fields an 'extremely strong' practice with a 'deep talent pool in the area.' Adam Rose heads up the data protection team and acts in the gaming, technology and publishing sectors in contentious data protection matters. He is aided by 'excellent' associate Jon Baines, who specialises in data protection and FOI mandates, including making and responding to freedom of information requests. Joe Hancock is also recognised for his cybersecurity expertise, handling cyber breaches and data losses.

Practice head(s):

Adam Rose

Other key lawyers:

Jon Baines


‘Extremely strong, one of the teams with the deepest talent pool in the area, with expert non-legal assistance.’

‘Jon Baines has an unparalleled level of knowledge.’

‘Adam Rose is a sector leading partner. Jon Baines is a nationally recognised expert adviser, and was an excellent hire.’

Key clients

Jenny, The Accidental American

Project Provenance Limited

Abu Dhabi Digital Authority (ADDA)

Golfbreaks Limited




Gamesys Group plc

Work highlights

  • Acting for the claimant, a former executive director of the consumer organisation, Which?, in a representative action brought against US technology giant Google seeking damages on behalf of 4.3 million UK Apple iPhone users to compensate them for Google unlawfully collecting their internet search history so as to target them with advertising.
  • Advised Project Provenance Limited on the licensing of various types of data and wording to be inserted into the software agreement which outlined each party’s obligations in respect of different types of data and any intellectual property rights in such data.
  • Advised Golfbreaks on the data sharing arrangements of valuable customer data between the parties and the documentation that Golfbreaks Limited needed to put in place to ensure that data is collected transparently and in compliance with data protection legislation.

Pillsbury Winthrop Shaw Pittman LLP

Pillsbury Winthrop Shaw Pittman LLP acts as the 'go-to for all data protection activity' for many clients in the technology sector. Rafi Azim-Khan heads up the practice and is noted for his 'superb' data protection and privacy advice; he works on a range of matters including global compliance issues as well as cybersecurity incidents. He is supported by Steven Farmer, who is active in the financial services, technology and manufacturing sectors, advising on multijurisdictional data processing matters.

Practice head(s):

Rafi Azim-Khan

Other key lawyers:

Steven Farmer


‘Quick, expert – our go to for all data protection activity.’

‘Rafi is extraordinarily well-connected to the decision makers and policy writers concerning data privacy.’

‘Steven Farmer has steered our firm expertly through the changes brought on by GPDR and our move into bringing digital products to market which have required a complete overhaul in our approach to data protection and information security.’

‘Rafi understands the need for actionable advice that even small, in-house departments can implement. Its rare to find a partner at a large firm that can see your team and customise their guidance based on that.’

‘Rafi is superb for technology and data privacy advice. He has worked with the business for a number of years, in particular advising on a range of cybersecurity, data subject response, data privacy and e-commerce matters. He brings rare depth of experience in data, e-commerce, web platforms, marketing etc. to his advice.’

Key clients

Victaulic Company

Sinclair Broadcast

CSC (Corporation Service Company)

Upland Software, Inc.



Decision Logic

State Street Corporation

HM Electronics, Inc.

SpyCloud, Inc

Work highlights

  • Advised on Victaulic’s global data protection compliance project, working with Victaulic’s legal team and data protection specialists globally to roll out global policies and processes.
  • Advising on Sinclair’s entire GDPR compliance effort.
  • Advising CSC on a wide range of important data protection and cybersecurity issues.

Pritchetts Law

Pritchetts Law's specialist legal practice carries out work in the data protection and privacy area, advising global multinationals, micro-businesses and SMEs, charities and not-for-profit bodies. Stephanie Pritchett and Ben Wootton jointly lead the team; the 'excellent' Pritchett advises clients on freedom of information and privacy matters, while Wootton provides advice on cloud services, data-processing arrangements and data protection compliance audits.


‘Stephanie and her team bring genuine expertise to this extremely important and highly complex area of business operations that helps us perform successfully. They explain issues in a straightforward way, and provide clear solutions.’

‘Pritchetts Law LLP has always been incredibly reactive, professional and very helpful. Interactions have consistently been extremely well handled, professional, measured and on point. The service provided has always helped us solve issues we were having and they thoroughly answer any question we bring to them. When dealing with Pritchetts Law LLP we get a very personalised service with great professionalism.’

‘Stephanie Pritchett – Stephanie’s legal knowledge regarding data protection is as good as it comes amongst solicitors. She is excellent at quickly identifying the commercial issues for the client, focusing her legal skills on achieving the best outcome, and avoiding distractions.’

Key clients

The UPP group of companies

DFS Trading Limited

Unison (trade union)

The Ceuta group of companies

RAC Motoring Services Limited

Northumbrian Water Limited

Link Maker Systems Limited

Audacious Mobile Limited

The National Foundation for Educational Research

Newcastle Building Society

Rimilia Holdings Limited

Work highlights

  • Advising UPP on a substantial GDPR compliance programme across its complex corporate group structure.
  • Advising one of the UK’s largest trade unions on ensuring GDPR compliance across the organisation.
  • Advising a leading global, consumer brand services business on its contractual arrangements with numerous business partners as well as in relation to data protection compliance across its entire group of companies.

Ropes & Gray LLP

Ropes & Gray LLP acts on the full gamut of data protection work including the compliance, advisory, enforcement and litigation aspects of data collection, storage and processing. The team is led by Rohan Massey, who advises on cybersecurity issues, the international transfer of data and global compliance programs; his clients are in the retail, life sciences and sports sectors. Clare Sellars stands out for her work on outsourcing and technology service agreements.

Practice head(s):

Rohan Massey

Other key lawyers:

Clare Sellars

Key clients

The Carlyle Group L.P.

Work highlights

  • Crafted a Global Privacy Program for The Carlyle Group, which included developing Carlyle’s GDPR and CCPA compliance programs.


Sheridans' practice has an 'impressive understanding of the law but also an in-depth understanding of the technical aspects of modern technology'. The team is headed up by Eitan Jankelewitz, who advises on data protection, direct marketing, cookies and electronic communications issues for adtech clients; he also acts for technology and publishing companies. Philip James is 'good at thinking beyond the problem in front of him' and is recognised for his cybersecurity expertise.

Practice head(s):

Eitan Jankelewitz

Other key lawyers:

Philip James


‘Teams include lawyers with previous experience as IT professionals, this enables the team to demonstrate not only an impressive understanding of the law but also an in-depth understanding of the technical aspects of modern technology.’

‘Friendly and easy to work with.’

‘Phil James is especially good at thinking beyond the problem in front of him. He makes sure all aspects of a case are considered.’

Key clients

Sport England

Internet Advertising Bureau (IAB)

Awin AG


The Economist Group

SUMO Group Plc

Intel Sports

10x Psychology Limited

Rugby Football League

Cognism Limited

Work highlights

  • Provided strategic legal and regulatory data advice to The Economist in-house legal department on the lawful monetisation of its large subscriber database.
  • Provided Intel Sports with a detailed legal and regulatory analysis on the use of volumetric data relating to the creation of 360° replays derived from a ‘point cloud’ data set, which is being implemented at the City of Manchester Stadium (Manchester City FC) and the Camp Nou (FC Barcelona).
  • Acting as adviser to the IAB, and drafting the IABs codes of practice on commission by the IAB, liaising with stakeholders from the online advertising industry, in order to support industry best practice for the benefit of consumers and industry participants.

Stephenson Harwood

Stephenson Harwood's data protection and privacy practice fields 'real market experts' and advises on subject access requests, GDPR compliance issues and data breaches. Team head Naomi Leach assists clients in the life sciences sector with the interaction between GDPR and compliance with the Clinical Trials Regulations. Ben Sigler is recognised for his data protection litigation experience, and associate Katie Hewson is noted for her 'practical, commercial and tailored legal advice' to a client roster spanning retailers and life sciences companies.

Practice head(s):

Naomi Leach; Ben Sigler

Other key lawyers:

Katie Hewson


‘The SH team is very commercially pragmatic in their approach and advice. Their focus on the real/practical risks in a matter makes their advice particularly useful for in-house counsel.’

‘Stephenson Harwood’s data protection team are real market experts – always offering shrewd and practical advice for those operating in the financial services sector. The responsiveness of the team is unparalleled and most importantly, they are a friendly bunch who have an excellent ability to translate the unglamorous world of data protection into something enjoyable.’

‘We have found SH’s privacy advice to be prompt, practical, clear and commercial. Cannot ask for more.’

‘Katie Hewson is a stand-out senior associate. Katie offers practical, commercial and tailored legal advice each and every time I reach out to her. It feels like she has really tuned into the nature of my business and it’s risk appetite. Katie demonstrates all the qualities of an excellent gifted lawyer and is a real star within the SH team.’

‘The assistant standard is very high, Katie Hewson takes pains to build a great working relationship, is always available to help and gives great commercial and legal advice.’

‘We have worked most closely with senior associate Katie Hewson, who is most amenable and both direct and clear in her thinking and explanations of a fluid subject.’

Key clients

Barclays Bank PLC

Mizuho Bank Limited

Deloitte LLP

The Movember Foundation

S&P Global Inc.

Neuberger Berman Europe Limited

Moet Hennessy Europe

DNB Bank

Trenitalia c2c

Secret Escapes

Work highlights

  • Advised Deloitte LLP on the data privacy implications of Brexit including reviewing and updating standard terms to take account of the UK leaving the EEA.
  • Advised Mizuho Bank Ltd (London branch) on issues including the territorial scope of the GDPR in relation to the bank’s Tokyo headquarters and on the effect of Japan’s adequacy decision on the bank’s international data transfers.
  • Advised Gilead Sciences Europe Ltd on data protection in connection with the development of a healthcare app, in particular around compliance, notices and contractual provisions.

White & Case LLP

White & Case LLP has 'an excellent team of data privacy experts especially with regards to new technologies such as AI or blockchain.' The team is led by the highly regarded Tim Hickman, who has 'great expertise' in the field of data protection and acts on the full range of matters; he is also dual qualified in England and Wales and the Republic of Ireland.

Practice head(s):

Tim Hickman


‘Tim Hickman’s excellent knowledge, fantastic for a global business.’

‘White & Case LLP London has proven to be an excellent team of data privacy experts especially with regards to new technologies such as AI or blockchain. They deliver first-class work in a timely fashion.’

‘White & Case is always responsive to any question we have during the time we are preparing the data protection training for our colleagues, they keep us informed, understand what we need and deliver us a great data protection training!’

‘Tim Hickman: great expertise but pragmatic, able to give guidance which is feasible and practicable.’

‘Tim Hickman of White & Case is always responsive to any question we have during the time we are preparing the data protection training for our colleagues, he keeps us informed, understands what we need and delivers great data protection training.’

Key clients



Deutsche Bank AG (London Branch)

Oasis and Warehouse



Argus Media


The Association of Executive Search and Leadership Consultants

Centerbridge Partners

LINE Corporation

Piper Jaffray

Softbank Vision Fund

Inflexion Private Equity


Work highlights

  • Representing Facebook in international litigation matters and class actions regarding privacy and data protection matters.
  • Advising Nestlé on a global scale, including on specific GDPR compliance, e-Privacy compliance, and related regulatory matters and in direct interactions with EU Data Protection Authorities.
  • Providing Deutsche Bank AG (London Branch) with legal support to ensure that data protection compliance priorities can be addressed with minimal business disruption.

Wiggin LLP

Wiggin LLP's data protection and privacy practice provides 'quick and commercial advice'. David Naylor leads the team and acts on media and technology matters in relation to transactional and regulatory data protection issues for European and US clients. Alexander Ross is active in the online and mobile sectors on issues relating to digital rights; he also acts on data compliance issues for clients in the publishing industry. Caroline Kean is recognised for her contentious data expertise.

Practice head(s):

David Naylor

Other key lawyers:

Alexander Ross; Caroline Kean


‘Quick and commercial advice anchored in the context of the client’s specific business.’

Key clients



Disney / Marvel

The Motion Picture Association

Virgin Media

William Hill

Halma plc

Endemol Shine


National Online Self-Exclusion Scheme / GAMSTOP

Racing UK



DataCore Software Corporation

Milky Tea




Work highlights

  • Providing HBO with data protection advice across all aspects of its content production businesses and activities.
  • Providing William Hill with advice across all aspects of its UK and international GDPR and other data protection compliance activities.
  • Providing the full range of data protection advisory, regulatory and transactional services to GAMSTOP.