Data protection, privacy and cybersecurity in London
Bird & Bird LLP's dedicated data protection group takes a sector-specific approach to data with notable expertise in the advertising, financial services, pharmaceuticals and health, luxury goods, technology and communications sectors. The practice handles matters at a national and international level; it recently advised Domino's Pizza on its GDPR and European privacy work and assisted Nespresso with its compliance work in over 30 countries. The team also has substantial cybersecurity knowledge, providing advice on all issues from compliance with data security breach requirements to data protection audits. Ruth Boardman and James Mullock jointly lead the department; other key names include Guadalupe Sampedro, who has notable expertise in EU data protection law and financial services and payment matters, and Gabriel Voisin, who has experience in adtech and online advertising privacy issues and cybersecurity mandates. Legal director Elizabeth Upton advises clients in the technology and communications sector.
Ruth Boardman; James Mullock
‘Ruth Boardman is genuinely amazing and a standout practitioner.’
The Football Association
- Assisting Eurostar with its GDPR compliance programme and Brexit planning issues.
- Designing and delivering an international GDPR compliance programme for Tempur Seally.
- Assisting eBay with various data protection issues across the UK, Spain, Luxembourg, Asia Pacific and Latin America including updating, amending and restructuring the company’s binding corporate rules and advising on the data aspects of the launch of its new payments business.
- Handling the drafting, approval and implementation of controller and processor binding corporate rules for Colt Telecom.
2018 saw Bristows LLP build on its already well-established position in the data protection field with the recruitment of the 'outstanding' Marc Dautlich from Pinsent Masons LLP; Dautlich is particularly active in the technology, financial services and fintech sectors. Practice head Mark Watts has notable expertise in advising US-based clients and regularly handles global compliance projects and regulatory litigation; Christopher Millard focuses on the technology and communications sectors; and Robert Bond has experience in compliance work, data incidents, cyber attacks and issues relating to health and children's data. As a whole, the practice excels in high-profile and international work; recent examples include Google's right to be forgotten case and British Airways' data breach. Its notable areas of expertise encompass compliance projects, regulatory litigation and product launches. Clients also single out 'excellent' senior associate Hannah Crowther.
‘Bristows is a go-to firm for privacy and data protection matters. It provides on-time, risk-based legal advice and problem-solving.‘
‘Bristows fields a first-rate privacy and data protection practice, which is knowledgeable, responsive and client focused.‘
‘Marc Dautlich is outstanding and brings a wealth of experience to Bristows’ privacy practice. He is pragmatic, insightful and time and again helps clients solve whatever privacy issue they are facing.‘
‘Marc Dautlich has encyclopedic knowledge, takes the time to really understand the client and delivers commercial and pragmatic advice.‘
Amazon Web Services
Incorporated Society of British Advertisers
- Advising Comcast NBCUniversal Group on all aspects of privacy and data protection compliance including GDPR implementation, internal governance policies, adtech compliance issues and binding corporate rules work.
- Assisting McKinsey Consulting with its global strategy for data protection compliance, particularly decisions relating to binding corporate rules.
- Handling Google’s EU-wide strategy for GDPR complaints and regulatory enforcement.
- Assisting Chelsea Football Club with its preparation and compliance with GDPR as well as adtech and marketing compliance.
- Advising Costco on the implementation of an EU-wide privacy programme alongside other data protection issues including subject rights requests, consumer complaints and the handling of data relating to criminal allegations.
Fieldfisher's privacy, security and information law group handles the full spectrum of data issues at a national and international level, including GDPR readiness programmes, data transfers, binding corporate rules, cyber and data security breaches, incident response readiness, data subject rights requests, freedom of information matters and data disputes. Hazel Grant heads up the practice and regularly acts for health, charity and public sector clients. Other noteworthy practitioners include Phil Lee, who has substantial US experience and has considerable expertise assisting cloud, social media and online advertising clients; Antonis Patrikios, who leads the firm's cybersecurity practice; Leonie Power, who focuses on advertising technologies, cross-border matters and e-marketing; and director Nuria Pastor. Compliance specialist Judy Krieg is also a name to note.
‘The Fieldfisher team provides commercially-minded, practical advice.‘
‘Clients truly appreciate the depth of subject-matter expertise that each member of the Fieldfisher team brings to the discussion. But more important is its ability to apply legal interpretation and guidance to the business circumstance. It maintains current awareness of the laws and regulations that are of interest and has always served as a true subject-matter expert.‘
‘The lawyers at Fieldfisher take the time to understand the client’s business and corresponding nuances that they then apply to the legal guidance they provide. This is extremely helpful and even provides cost efficiencies.‘
Invesco UK Limited
- Assisting Pearson with its GDPR compliance.
- Advising Just Eat on its GDPR compliance programme and ongoing privacy issues.
- Acting for Perkins Coie (Los Angeles) on the EU privacy implications arising from a proposal by an underlying client to engage in B2B marketing on a pan-European basis.
- Assisting Hasbro with its GDPR compliance including advice on employee personal data, advertising to children, connected toys, websites, apps and online games.
- Advising new client 8×8 on its GDPR readiness efforts and wider issues including cybersecurity readiness and disclosure requests.
Eduardo Ustaran heads up the practice at Hogan Lovells International LLP, which acts for a broad range of high-profile clients including technology companies and financial institutions. The team handles the full range of data protection, privacy and cybersecurity issues including compliance programmes, data transfers, data breaches and global privacy mandates; it has substantial expertise in binding corporate rules and international data transfers, and is also a key name for GDPR work. The group also benefitted from the recruitment of Nicola Fulford from Kemp Little LLP; she regularly acts for technology-rich businesses. Counsel Sian Rudgard is noted for her binding corporate rules expertise.
- Assisted Cigna with its GDPR compliance and data transfer strategy.
- Advised Walmart on its GDPR compliance programme.
- Acting for Verizon on securing approval for its set of binding corporate rules.
- Advising Salesforce on its successful controller and processor binding corporate rules applications.
Hunton Andrews Kurth LLP
Bridget Treacy and Aaron Simpson jointly lead the practice at Hunton Andrews Kurth LLP, which leverages its strength in the UK and US to handle a variety of privacy and data protection matters globally. The UK practice is particularly well regarded for its knowledge of compliance issues, cross-border data transfers, cyber incidents and data breaches, enforcement actions, governance issues, Brexit issues and binding corporate rules. Simpson, who splits his time between London and New York, is a key name for GDPR compliance work, large-scale cybersecurity incidents and cross-border data transfers, while Treacy focuses on global data protection compliance for multinational companies. Senior consultant Rosemary Jay is also recommended and has substantial expertise in freedom of information requests. In a recent highlight, Simpson led the advice to Yahoo! following a cybersecurity attack, while Treacy and Jay advised Google on multiple privacy issues.
Aaron Simpson; Bridget Treacy
Other key lawyers:
‘Bridget Treacy is absolutely amazing.‘
Syneos Health Inc. (formerly INC Research, LLC)
Silver Lake Technology Management, L.L.C.
Verisk Analytics, Inc.
Ralph Lauren Corporation
TJX Companies Inc./TK Maxx
- Representing Yahoo! on all aspects of a cybersecurity attack which compromised the data of 3.5 billion users.
- Advising Google on various elements of EU and US privacy law including its cross-border data transfer strategy, right to be forgotten work and the EU-US privacy shield.
- Assisting Syneos Health with its general privacy programme and breach readiness activities.
- Advising a British multinational alcoholic beverages company on compliance issues including the implementation of GDPR.
- Handling Silver Lake Technology Management’s global data protection, privacy and cybersecurity issues.
Under the leadership of Richard Cumbley, Linklaters LLP excels at international work alongside its experience in complex UK-focused matters. The group is also recognised for its knowledge of the fintech, digital health and technology sectors; it counts Bupa, HSBC and Experian as clients. Areas of focus for Cumbley include data security incidents, privacy litigation, regulatory matters and subject access issues. Other key individuals include Julian Cunningham-Day, who has recently been active advising on GDPR projects for global clients; senior privacy counsel Peter Church, who is a noteworthy name for technology issues; and Georgina Kon, whose recent work includes advising on GDPR implications, international data flows and the privacy aspects of big data projects and digitalisation. Managing associate Alaister Johnson is also recommended.
‘The depth of expertise of Linklaters’ UK team and the ability to leverage seasoned experts across Europe makes it stand out. The longevity of the partners in the team means there is continuity for businesses, even when the associates leave. As a large firm it can pull on extra resources when needed, which many other firms are not able to do.‘
‘Richard Cumbley, Georgina Kon and Julian Cunningham-Day are experts of many years and go-to names in the field.‘
The Royal Free London NHS Foundation Trust
Hyatt Hotels Corporation
SoftBank Investment Advisers
J Sainsbury PLC
The Walt Disney Company
Thomson Reuters / Refinitiv
Glencore International AG
Allen & Overy LLP has made substantial investments in its data protection team over recent years and also benefits from the expertise of special adviser David Smith, the former deputy information commissioner at the UK ICO. The practice handles the full spectrum of data issues including compliance work, transactional support and contentious issues. Jane Finlayson-Brown and Nigel Parker jointly lead the team; Finlayson-Brown is experienced in compliance work and Parker focuses on cybersecurity mandates. The group also draws from the wider partner pool for cybersecurity work including litigator Lawson Caisley, employment specialist Sarah Henchoz and IP litigator Mark Ridgeway.
Jane Finlayson-Brown; Nigel Parker
‘Allen & Overy has wall-to-wall competence in all areas of providing advice and practical guidance. It is responsive and practical and has the perspective of the many different multinationals that it advises, and therefore can be very strategic.‘
‘Nigel Parker is a technical expert while also being extremely strategic and forward thinking. The firm also offers strategic privacy update and advisory information services and can provide creative billing solutions to practical problems.‘
Four Seasons Hotels
The Clearing House Association
Raymond James Financial
The Royal Bank of Canada (RBC)
Lloyds Banking Group
Exponent Private Equity
Cheval Property Holdings
GardenCare (Scotts Miracle-Gro International Consumer Business)
- Assisting GlaxoSmithKline with all aspects of its data privacy work and GDPR compliance.
- Handling a GDPR project for Four Seasons Hotels including its remediation programme.
- Advising News Corp UK on the data protection aspects of its joint venture with Telegraph Media Group and Guardian News & Media to offer joint digital ad sales.
- Assisting a US-headquartered bank with its GDPR project including investigations, analysis and risk assessments on all compliance steps.
- Assisting GardenCare with its GDPR audit and readiness assessment projects.
Baker McKenzie's data protection team leverages the firm’s global network to provide international clients with multijurisdictional advice. Recent areas of expertise for the practice include substantial GDPR compliance projects, breaches and incident response assistance including investigations, notifications and regulated sector issues; and advising third-party providers on the practical implementation of data protection compliance programmes. IT and commercial partner Harry Small heads up the department and assists with contentious and non-contentious mandates including major data protection programmes and data security breaches; other key individuals include Julia Wilson , who leads the employment data protection group; David Halliday, who leads on data security breaches; and Ben Allgrove, who regularly acts for digital media clients. Dyann Heward-Mills left to set up her own DPO company.
Covington & Burling LLP
Covington & Burling LLP utilises its cross-departmental expertise to handle the full spectrum of data protection issues across a wide range of sectors including the consumer products, financial services, healthcare, internet services, pharmaceuticals and telecoms industries. The group advises on technology issues, data security, financial privacy, health and employment data and data litigation as well as cybersecurity mandates. Daniel Cooper is the key contact.
Dentons’ data protection and privacy expertise encompasses GDPR implementation mandates, governance issues and global compliance projects including privacy compliance programmes and complex international data transfer projects. The dedicated team acts for a high-profile client roster, which counts John Lewis, Royal Mail, Virgin Atlantic, Aviva and First Data as key examples; it also regularly advises digital media companies on profiling, data analytics, social media, apps and location-based services as well as e-privacy regulations. The group also has experience in cyber risk management and regularly partners with cybersecurity experts to deliver both legal and forensic advice. Newly promoted partner Simon Elliott and Nick Graham jointly lead the department; Elliott has particular expertise in GDPR implementation projects and Graham is also global chair of the firm’s privacy and cybersecurity group. Martin Fanning, Scott Singer and Glasgow-based Ross Nicol are also recommended.
Simon Elliott; Nick Graham
‘Dentons really takes its time to understand the client, its concerns and key focus and strategy.‘
‘The team has fast reaction times to queries and understands the time pressure in-house counsel can be under. It is very commercial and will not just give black letter law advice, but will ensure that it is practical for the circumstances.‘
‘Simon Elliott’s work is great, he is very flexible with his time and always available, and the advice provided is incredibly commercial and operational.‘
‘Nick Graham is a great partner and provides exceptional advice; he is very focused and mindful of the overall operational requirements of the client.‘
‘Martin Fanning and Simon Elliott are always on hand to answer queries and provide practical and user-friendly advice. They also have a good handle of what is happening in the industry.‘
Toronto Dominion Bank (TD Bank)
Worldwide Clinical Trials
Avis Budget Group
- Advising John Lewis on its GDPR implementation project.
- Assisting First Data with its data protection compliance following the approval of its binding corporate rules.
- Handling all data privacy work for Virgin Management including the implementation of its GDPR programme.
- Acting for Royal Mail on its GDPR compliance programme and cybersecurity mandates.
- Assisting Intralinks across EMEA with its data protection issues including its applications for binding corporate rules, cybersecurity issues and EU-US privacy shield strategies.
At DLA Piper, Andrew Dyson and Ross McKean jointly lead the data protection, privacy and security group from Leeds and London respectively; Dyson has notable focus on the financial services, technology and consumer sectors, while McKean handles global data governance and compliance work, breach response issues and global sourcing projects. Alongside the firm’s national network, it also regularly handles international mandates utilising its global offices; in a recent highlight, Dyson acted for Reckitt Benckiser on the roll out of its global data protection compliance programme across Europe, the US and other overseas jurisdictions. Other high-profile clients include 21st Century Fox, Chubb Insurance, Aviva, the London Stock Exchange and Condé Nast International. Senior consultant Simon Persoff is also a key name for financial services clients.
Andrew Dyson; Ross McKean
Other key lawyers:
‘Ross McKean is technically excellent.‘
21st Century Fox
London Stock Exchange
Marriott Vacations Worldwide
Condé Nast International Limited
- Advising Reckitt Benckiser on the roll out of its global data protection compliance programme, initially focusing on GDPR issues and expanding to include the US and other overseas jurisdictions.
- Assisting Tata Steel Europe with the creation and implementation of its GDPR project.
- Acting for Anglo American on the design and implementation of a privacy compliance programme for GDPR.
- Advising Amdocs Development on its GDPR compliance.
- Assisting 21st Century Fox with its GDPR intiatives across the EU and acting as the contact for UK-related data protection matters.
Paula Barrett heads up the privacy and cybersecurity law team at Eversheds Sutherland (International) LLP, which sits as part of the firm’s wider international privacy and information law group. The dedicated practice assists with the full spectrum of data protection work with particularly notable expertise in freedom of information law matters and cybersecurity issues including cyber readiness work and data security breaches. Liz Fitzsimons, who is based in Cambridge, leads the firm’s freedom of information and environmental information regulation group and regularly assists with GDPR and privacy programmes including data audits, breach management issues and access requests. Birmingham-based Gayle McFarlane focuses on the retail, technology, automotive and manufacturing sectors and also handles data transactions and issues involving the interaction between data protection and technology.
‘The practice is very well organised and the level of communication between the different areas is impressive. Cross departments work is very well structured and a lead is well-identified’.
‘Liz Fitzsimons was able to think out of the box in a context of constant evolution, coming up with innovative solutions every time’.
Building Societies Association
Capital One (Europe)
- Acting for Santander on its UK GDPR compliance programme.
- Advising a global manufacturing client on cybersecurity issues following a ransomware attack, which affected its global operations.
- Assisting a post data breach services provider with the assessment of the data protection risks associated with the international roll out of new product ranges, which help protect against inappropriate social media content and provide identity theft protection services for families.
- Advising ITSO, the licence holder for the development of standards for the UK transport industry, on an internet of things project to embed the use of its secure authentication ticketing technology onto mobile devices.
- Handling a GDPR compliance project for a global retailer and retail services provider in the sporting goods sector.
With a traditional focus on non-contentious data protection work, the group at Latham & Watkins has notably expanded its contentious and regulatory investigations expertise through the experience of litigator Ian Felstead. In a notable highlight, the practice advised Facebook, a new client for the group, on its response to a late-2018 data breach including handling the regulatory investigation and defending it against related litigation. Department head Gail Crawford is also global co-chair of the firm’s technology transactions group; she recently led advice to the BT Pension Scheme, the UK’s largest corporate defined benefit pension scheme, on its GDPR compliance programme and local UK data protection law. Ernst & Young, Majestic and William Hill are also noteworthy clients. Fiona Maclean was recently promoted to the partnership; she has substantial expertise in outsourcing issues, technology transformation projects and cloud computing mandates.
Other key lawyers:
Ian Felsetad; Fiona Maclean
‘The team is always available. It has a good understanding of its client’s business and approach and accommodates that in its service. However, it does have strong conviction when providing advice. It works incredibly hard and offers a gold-plated service, and also follows up and provides a high level of documentation and response.‘
‘Gail Crawford has good oversight yet allows the team to develop the client relationship. Danielle van der Merwe is proactive and up to date with guidance and approach. Mihail Krepchev is always helpful and has good knowledge. The team provides a top-notch service, is almost always available on short notice and work around schedules well. It comes prepared and will provide positive challenges to ideas backed with good logic. It is involved and works in partnership on major issues that have arisen. Very reliable and dependable.‘
‘The group has a strong understanding of the global data protection landscape aligned with a pragmatic and reasonable position on compliance guidance.‘
‘Gail Crawford is outstanding in her ability to understand the problem, assess risk and provide appropriate guidance. She always makes herself available and has an unrivalled command of the data-protection landscape.‘
BT Pension Scheme
The Endurance International Group, Inc.
Ernst & Young
William Hill plc.
- Acting as lead global counsel for Facebook following a data breach in September 2018. The team is handling the investigation and regulatory submissions, and the defence of litigation.
- Advising BT Pensions Scheme on its national compliance programme encompassing GDPR and local UK data protection law.
- Assisting The Endurance International Group with its GDPR compliance across its entire business including domain hosting and design, and email marketing products and services.
- Assisting Majestic with multiple data protection issues including marketing, data subject access requests and intragroup documentation.
- Advising a global entertainment company on data protection issues relating to a joint venture.
PwC LLP’s data protection strategy comprises its legal team alongside risk professionals, operational specialists, consultants, strategists and cyber security experts to provide comprehensive data protection advice including compliance issues, breaches and e-privacy work. Clients include British American Tobacco, Capita, Met Office, Sainsbury’s Bank and Visa Europe are also clients. Key practitioners include James Drury-Smith, who heads up the non-contentious side of the practice, and Polly Ralph. Fedelma Good and risk professional Jane Wainwright are also noted.
‘The team’s experience in-house enables it to understand how things work in-house, plus its reach over different industries and companies means clients get more of a rounded view.’
‘The group provides expert knowledge, which is clear, concise and pragmatic, which makes it a pleasure to work with.’
‘Fedelma Good’s knowledge of the sector is unparalleled.’
‘James Drury-Smith and Jane Foord-Kelcey are very good, very personable and provide sensible advice.’
‘The team has expert knowledge, an ability to understand the client’s business and make recommendations which work commercially. James Drury-Smith is a real pleasure to work with and has very impressive knowledge of GDPR.’
Accuro Trust (Jersey) Ltd
Advanced Personnel Management Holding
Anglo American Plc
Ascot Racecourse Limited
Astorg Asset Management
Axon Enterprise, Inc.
Barratt Developments Plc
Blue Marble Holdings Limited
British Gas Trading Limited
British-American Tobacco (Holdings)
Bunnings Group Limited
C. & J. Clark International Limited
C. Hoare & Co.
Cambian Group Plc
Channel Four Television Corporation
Colour Bidco Limited
Computer Patent Annuities Limited
Crown Commercial Service
Csl Behring LLC
Dentsu Aegis Network Ltd.
Department for Digital, Culture, Me
DH Business Services LLC
Domestic & General Services Limited
Dwr Cymru Cyfyngedig (Welsh Water)
eNett International (Jersey) Ltd
Financial Ombudsman Service Limited
First Abu Dhabi Bank
General Electric Company
Go-Ahead Group Plc
Grosvenor Britain & Ireland
Inflexion Partnership Capital Fund
Inflexion Private Equity Partners L
Ins-Sure Services Limited
John Lewis Partnership Plc
Julian Hodge Bank Limited
Klockner & Co SE
London South Bank University
Merlin Entertainments Group Limited
Mimecast UK Limited
Mitchells & Butlers PLC
Moneysupermarket.com Group PLC
Monmouthshire Building Society
Montagu Private Equity LLP
Mövenpick Hotels & Resorts Management
National Australia Bank Limited
OTSUKA PHARMACEUTICAL CO.,LTD.
Party City Holdings Inc.
Prudential Services Limited
Rackspace US, Inc.
Redstone Mortgages Limited
Sage Group Plc
Sainsbury’s Bank Plc
SHARP ELECTRONICS (EUROPE) LIMITED
Six Continents Limited
Smartgames Technologies Ltd
Southern Water Services Limited
TGS NOPEC Geophysical Company ASA
The Catholic National Mutual Limited
The Foundry Topco No.2 Limited
Trend Micro (UK) Limited
Visa Europe Limited
Visa Europe Services LLC
VUE International Bidco Plc
W. R. Berkley Insurance (Europe),
Wates Construction Limited
Wessex Water Limited
- Advising Spotify on the development of its GDPR prgramme and data protection governance structures, including its appointment of a data protection officer and data subject rights.
- Acting for a UK regulatory authority in an ongoing investigation into the use of data analytics for political purposes.
- Representing an online consumer business in an ICO investigation following a personal data breach, which affected up to 5% of its global customer base.
- Assisting a global payments technology company with its GDPR programme.
Taylor Wessing LLP excels in the technology sector and has substantial regulatory and corporate expertise. The practice also leverages the firm’s global network to advise on multijurisdictional projects including international data privacy compliance programmes and enforcement actions. Department head Vinod Bange acts for clients across a range of sectors including the technology, financial services, life sciences and healthcare industries; he recently advised Callidus Software on the data privacy aspects of its $2.4bn acquisition by SAP. Litigator Paul Glass heads up the cybersecurity practice and regularly handles cyber-attacks, crisis management issues and regulatory investigations.
Other key lawyers:
‘The team is practical, pragmatic, responsive and commercial – it thinks outside the box and and is solutions focused. It has a good network of colleagues and friendly firms across the EU for a panoramic view, and is responsive and knows the client well, allowing for it to use the best format in which to deliver advice for each client.’
‘Led by Vinod Bange, the new recruits of Jo Joyce and Sally Annerau form a leading backbone to the team, which has grown in strength (both in terms of numbers and combined experience).’
‘Top quality, responsiveness, extremely knowledgeable on breach response matters for the EU.’
‘Available for queries no matter how small.’
‘Paul Glass is top notch. Knows how to handle time-sensitive breach response situations.’
‘Jean-David Behlow has been great in making something complicated easier to understand and also being around for a quick call.’
Stride Gaming plc
Bank of Jordan
Bank of East Asia
CallidusCloud (now part of SAP)
Emirates Bank Dubai
Kheiron Medical Technologies
Mitel Networks Corporation
- Advising Callidus Software on the European data privacy aspects of its $2.4bn acquisition by SAP.
- Assisting Kheiron Medical Technologies with the contractual, regulatory and data protection elements of its AI-based breast cancer screening software.
- Conducting a full GDPR audit of Mitel Network’s global business units covering customer and HR data.
- Advising Omnicom Group on a range of data protection issues including contractual negotiations and framework agreements with its clients, and the GDPR compliance of its data processors.
- Assisting iRythm with its GDPR compliance programme.
Clifford Chance focuses on cross-border work, acting for a substantial international client base including multiple FTSE 100 and Fortune 500 listed companies. It is noted for its expertise in data ethics and AI issues; recent work includes assisting clients with creating ethical frameworks for the use of data, AI and data science. Jonathan Kewley leads the UK team, which sits as part of the firm’s global practice and also leverages the strength of other departments including the corporate, employment, antitrust and litigation teams. Kewley’s recent mandates include advising a global bank on ethical issues regarding the use of data and technology, and assisting a global financial institution with its global cyber incident response plan. Luke Tolaini is recommended for cross-border crisis management and investigations involving financial crime.
Other key lawyers:
‘The team is proactive, energetic and works closely with the client’s internal teams. It quickly integrates into the client’s activities so it can effectively provide services to the business as a single-aligned legal function.‘
‘Mark Comber has terrific communication skills, is innovative in his advice, and can seamlessly adapt to the needs of his clients.‘
- Advising a global bank on ethical issues regarding the use of data and technology including financial regulatory, data protection, data privacy and antitrust enforcement risks.
- Acting for a global financial institution on its global cyber incident response plan and cyber breach issues.
- Assisting an international sports organising entity with its global GDPR compliance project.
- Advising a large supplier of medical services on its GDPR implementation project.
- Handling the global implementation of GDPR for a FTSE 100 multinational consumer goods company.
Emma Burnett heads the data protection practice at CMS following Elle Todd’s departure to Reed Smith LLP in 2019; Burnett is a partner in the technology team and regularly handles cross-border privacy projects, international binding corporate rules and cyber breaches. The practice also benefits from the firm’s areas of sector strength with a client base encompassing corporates in the financial services, technology, media, consumer products and life sciences sectors, among others; key examples include Honeywell, Unilever and B&CE. The team also works closely with other departments in the wider firm and has a group of experts across the technology and advertising practices, which focus on the adtech market. Litigator Dan Tench is a key name for privacy and data protection claims, Sam De Silva also advises on IT and telecoms projects, Ian Stevens focuses on regulated data-heavy sectors, and Loretta Pugh was promoted to the partnership.
‘The size and spread of the CMS team means it offers a broad commercial perspective, a real value-add to the legal advice provided. Several team members have spent time on secondment in client organisations. This gives them a real understanding of the risks and challenges faced by in-house teams which flows through into pragmatic, risk-based, commercial advice and solutions. Clients particularly value the technological innovation CMS brings to the table to help deliver solutions to often complex, large scale data-protection related requests in a cost-effective way. In particular, partnering with tech suppliers to offer one stop-shop solutions to deal with large scale data subject access requests.‘
‘Emma Burnett is a valued, trusted counsel. Always pragmatic, commercial and calm in her advice, Emma brings a wealth of experience and data protection knowledge to the team. Having spent significant periods of time on secondment in client organisations, Emma also brings a real understanding of in-house legal to her practice.‘
‘The CMS data protection team responds to instructions with commercial considerations paramount. It provides practical solutions to complex problems.‘
The B&CE Group
H Young Group Plc
- Advising Honeywell on its GDPR compliance programme.
- Assisting Unilever with its GDPR compliance efforts including amending its tier one supplier agreements.
- Advising B&CE Group on the data protection implications of its development of an occupational health platform.
- Handling H Young Group’s group-wide GDPR compliance programme.
Harbottle & Lewis LLP has notable expertise in the technology, media and entertainment sectors acting for a client roster, which includes The Pokémon Company International, Comic Relief, the Harry Potter Theatrical Production and Virgin. The team handles contentious and non-contentious mandates and takes a cross-departmental approach utilising the commercial, employment and litigation teams. Sacha Wilson also enhances the firm’s strength in the data privacy aspects of marketing, adtech and digital media. Daniel Tozer leads the technology and data practice and focuses on commercial data protection. Senior partner Gerrard Tyrrell leads the group’s contentious work and John Kelly regularly acts for private individuals.
‘The excellent team provides superb legal support and impresses with its professionalism, technical knowledge and can-do attitude, and works seamlessly with the in-house team. It does an exemplary job both strategically and in the depths of the detail.‘
‘Daniel Tozer provides targeted and robust advice on the risks, practical implications and possible solutions.‘
‘Alex Hardy is technically and tactically great, and handles negotiations in a skillful and targeted manner.‘
Virgin (Virgin Atlantic Airways and Virgin Holidays)
The Pokémon Company International
The Publisher’s Association
Flatshare Limited t/a Spareroom.co.uk
Harry Potter Theatrical Production
- Advising Virgin Atlantic Airways and Virgin Holidays on a full GDPR readiness project.
- Assisting Roots Corporation with its GDPR compliance programme including amending its privacy notice and advising on international personal data transfer methods.
- Advising Comic Relief on the documentation used for filming a portfolio of appeal films for projects funded by the charity including the data protection aspects of filming crowds.
- Advising O’Reilly Media on its GDPR implementation project.
- Assisting Aviva with the digital marketing and adtech aspects of its GDPR compliance programme.
Herbert Smith Freehills LLP fields distinct data protection and cybersecurity practices led by Miriam Everett and Andrew Moir respectively; Everett was promoted to the partnership in 2019. Nick Pantlin is general head of the TMT and data practice and has recently been active advising clients on data protection and cyber security issues related to the use of new sourcing delivery models, data analytics and the commercialisation of big data; and Christine Young heads up the employment-related data protection and data subject rights practice. The data protection group’s expertise includes GDPR compliance advice, data transfers, data subject access requests and binding corporate rules and also benefits from the firm’s global network to assist with cross-border mandates; it recently advised Hays on its data protection practices across Europe including a full review as part of its GDPR compliance project. Marcus Turle is also recommended.
Miriam Everett; Andrew Moir; Christine Young; Nick Pantlin
Other key lawyers:
‘The firm has the ability to quickly take an holistic approach and assemble a team of true subject matter experts to deal with complex data issues.‘
‘It provides very pragmatic and commercial advice, and is efficient, professional and flexible in supporting matters large and small.‘
‘The team combines strengths across disciplines and jurisdictions, blending them seamlessly to create outstanding legal advice on cybersecurity issues.‘
‘HSF provides a bespoke data protection service that looks at the client’s specific needs and tailors its advice accordingly.‘
‘The group is always prepared either to give a view or, as necessary, to take the time to reflect further or dig deeper to understand fully the parameters within which any problems should be considered. Both Marcus Turle and Duc Tran are outstanding.‘
‘Miriam Everett carefully listens to the client’s objectives and challenges, and provides pragmatic advice in a timely manner.‘
‘Miriam Everett combines excellent data protection knowledge with a real pragmatism that is helpful for driving matters forward. She is willing to take a view on complex areas of emerging law, and maintains excellent oversight of work carried out by her team.‘
‘Andrew Moir is an exceptional partner with technical expertise that commands the respect of industry experts and a first-rate legal mind. His advice is commercial and astute. He responds rapidly to queries and is always able to make progress and offer insight even with intractable legal issues. He is absolutely the lawyer you want at your side if you suffer a cyber attack.‘
‘Andrew Moir is always calm and confident when advising on complex privacy issues, ensuring the strategies consider other regulatory frameworks‘.
British American Tobacco
Asian video games developer and publisher
Global investment manager
- Advising Hays on its European data practice including handling a full review of its procedures and documentation as part of its GDPR compliance project.
- Assisting British American Tobacco with privacy compliance issues.
- Advising an Asian video game developer and publisher on its GDPR compliance.
- Handling Line Corporation’s GDPR compliance activities.
- Advising a global investment manager on its acquisition of a UK financial services software provider and related advice on its PaaS customer and supplier relationships and data licensing arrangements.
Marcus Evans leads the group at Norton Rose Fulbright, which regularly assists with export solutions, data audits, data product advice, regulatory issues, data breaches and data subject access requests. Evans and newly promoted partner Lara White are the key contacts for non-contentious matters, while Ffion Flockhart handles contentious data work; IP practice head Mike Knapper also contributes to the practice. The department has notable expertise in the financial services, healthcare, life sciences, telecoms and technology sectors; key clients include PayPal, Deliveroo, BMW and the Bank of Montreal. Recent highlights include Evans, Ball and Flockhart advised AIG on its global data breach response service; and Evans assisting Mitsubishi Electric with multiple global personal data export projects.
‘Every law firm will say they will add value and look at things from the client’s perspective – very few do. With Norton Rose, clients have a partner on their side that can be trusted, and that is a rare thing in business.‘
‘It fields a team of true subject-matter experts, while still being able to take a pragmatic risk-based approach.‘
‘Marcus Evans is phenomenal; a leading expert among leading experts. He truly adds value in the tangible sense, commercially, practically and from a legal perspective; he gets the bigger picture and is great to work with.‘
‘Lara White is simply awesome with excellent expertise, commercial acumen and a practical approach, making her easy to work with.‘
Bank of Montreal
Chicago Metal Exchange
- Advising AIG on its global data breach response service.
- Assisting with a series of global projects for Mitsubishi Electric Corporation relating to the exportation of personal data internationally.
- Establishing a standard form GDPR compliant privacy notice for Lloyds Market Association.
- Reviewing and amending Avoka’s master services agreement and also handling its GDPR compliance project.
- Advising a technology client on the data privacy aspects of a blockchain platform.
Osborne Clarke LLP
Osborne Clarke LLP covers all aspects of contentious and non-contentious data protection work including cybersecurity issues, data breach responses, GDPR advisory work, big data matters and AI-related work. Key areas of expertise include contentious data protection work, e-privacy and cookies law, new technologies and GDPR compliance, and the group has notable knowledge of the technology, digital business, financial services, retail and energy sectors. Mark Taylor heads up the department and, alongside expertise in the financial services and digital business sectors, advises clients on fintech matters, digital payments, encryption and electronic signatures. Other key practitioners include litigators Ashley Hurst and Charlie Wedin, who lead the contentious data practice.
‘Osborne Clarke stands out for the commerciality of the advice it gives. It understands the complex nature of some of the technical aspects and data flows and is able to give easy to understand and commercial advice without too much “law” in it.‘
‘The team has two unique attributes. First, a constant understanding of its clients’ business needs, and not to lose sight of this in responding to legal issues. Secondly, it focuses on the client regardless of size – all clients are important.‘
‘Ashley Hurst is amazing in his desire to service clients – he brings cyber experience with a sensitivity to modern businesses.‘
Western Power Distribution (WPD)
OATH (previously Yahoo! EMEA)
- Advising the divisions of Oath (Yahoo, AOL, HuffPost, TechCrunch) on data protection and privacy issues relating to the use of information and personal data across its platforms.
- Assisting Wirecard Group with a variety of data protection issues relating to its transaction and payment processing delivery models.
- Handling a range of contentious and non-contentious matters for TripAdvisor including GDPR implementation matters and subject access requests.
- Advising Vodafone on its internet of things consumer products offerings including creating and negotiating data sharing agreements with suppliers.
- Advising an international publisher on the interplay between GDPR and ePrivacy Directive as it relates to cookies, online behavioural advertising and legitimate interests.
Paul Hastings LLP’s EMEA privacy and cybersecurity practice is led by Sarah Pearce following her recruitment from Cooley (UK) LLP in 2018; Pearce’s expertise encompasses privacy impact assessments, risk management, international data transfers and privacy notices. The practice is particularly active in the financial services sector; American Express is a key client and Pearce recently advised it on the data protection issues related to certain additional payment services it is looking to offer. The group also regularly handles international compliance issues with a notable focus on GDPR mandates, and works alongside the firm’s global litigation team to manage international investigations and disputes.
‘Led by Sarah Pearce, the team is thoroughly knowledgeable, practical and easy to deal with. Clients are in the hands of experts.‘
‘The privacy and cybersecurity practice of Paul Hastings has proven itself to be driven and efficient. It has a genuine understanding of the client’s core business along with a sense of commercial awareness.‘
‘Sarah Pearce is the stand-out partner – she is a true professional and excellent in all respects. Clients cannot praise her highly enough.‘
‘Sarah Pearce offers outstanding judgment and reasoning along with excellent project management abilities. She is not intimated by the challenges or complex tasks at hand. Her leadership is evidenced with the work product of every member of her team at Paul Hastings, who are also positive and friendly.‘
- Acting for American Express on all its data privacy matters including large-scale projects.
At Pinsent Masons LLP, Claire Edwards, David Barker and Ian Birdsey lead the practice, focusing on advisory work, litigation and cyber issues respectively. On the advisory side, the group is noted for its expertise in the financial services and technology sectors. The firm’s litigation strength also extends to the technology sector with Barker recently acting for Google in the High Court in two right to be forgotten cases and defending the same client in a landmark data protection class action relating to iPhone cookies. The cyber team regularly handles cross-border breaches and has developed separate US and EU/GDPR desks. Cerys Wyn Davies leads the information law practice in Birmingham. Former global practice head Marc Dautlich joined Bristows LLP.
Claire Edwards; David Barker; Ian Birdsey
Other key lawyers:
‘The firm has built up a fantastic team in this new and extremely important area. It demonstrates real knowledge not only of the law but the technical side as well.‘
‘It is an innovative, forward-leaning team that is keenly watching the cyber security market and ensuring that its expertise keeps pace with the developments in cyber. It has a particular expertise in cyber regulation and niche technology. Compared to other firms, it is curious and prepared to take business risks to stay on top of technology. There is much to be admired about this firm – it is really going places.‘
‘Ian Birdsey and David Barker are extremely knowledgeable on both legal and technical matters, and very easy to work with.‘
‘David McIlwaine is a superb cyber security partner. He is user friendly, bright and well informed. He is genuinely committed to understanding the issue and is ferociously hardworking. He is a real pleasure to work with. He always goes out of his way to ensure the client is happy.‘
- Acting for Google in the first two right to be forgotten cases to be heard in the High Court.
- Defending Google in a data protection class action relating to cookie settings on Apple’s iPhone safari browser.
- Advising Hanson on its audit, review and remediation activities to ensure its compliance with new data protection laws.
- Assisting Petras with multiple data protection and privacy issues relating to internet of things and data observatories including the development of data trusts.
- Advising the Edinburgh International Conference Centre on a Freedom of Information (Scotland) Act request to disclose the settlement sum and legal expenses in a settled unfair dismissal case.
Reed Smith LLP
Reed Smith LLP's expertise encompasses data compliance work, regulatory projects, cross-border data transfers, data disputes and issues connecting data and new technologies including social media, data analytics, cloud issues, third party work and cybersecurity matters. The group also leverages the firm's global network to handle matters at a national and international level. Cynthia O’Donoghue leads the team, which also includes Philip Thomas, who advises on global and European data law; Howard Womersley Smith, who focuses on the financial services sector; and newly promoted counsel Katalina Bateman, who has notable compliance expertise.
The practice at RPC is jointly led by Jon Bartley, Nicola Cain and Richard Breavington specialising in non-contentious issues, contentious data and enforcement matters and cyber breach responses respectively. The team handles the full spectrum of data issues for a client roster spanning the technology, media, professional services, retail and food and drink sectors; noteworthy examples include Associated Newspapers, McArthurGlen Group and Shiseido Group. In a recent non-contentious highlight, Oliver Bray advised Paddy Power Betfair on its GDPR project; contentious work included defending the author of the ‘Trump dossier’ in a High Court data protection claim brought by three Russian oligarchs, and acting for Refinitiv in multiple data protection claims relating to the inclusion of individuals in its ‘Know Your Customer’ database. Keith Mathieson is also highly regarded in the space and is active in issues involving privacy and the misuse of personal data.
Jon Bartley; Nicola Cain; Richard Breavington
‘The team has a wide range of experience, many of whom have worked in-house themselves. This means the advice is not only legally correct but the team is an excellent sounding board for offering practical solutions to the business.‘
‘RPC is among the strongest firms in the media space, with unrivalled experience.‘
‘RPC has excellent knowledge of and a top-class profile in the field of data protection and privacy. It is justifiably trusted particularly among defendant publishers facing data protection and privacy claims. Its work is efficient, speedy and high quality.‘
‘Richard Breavington is an excellent leader and communicator with flexibility and a strategic approach.‘
‘Nicola Cain is exceptional at offering clear, commercial and creative legal advice on what can be a technically demanding and ‘grey’ area of law.‘
‘Nicola Cain is a star. She knows the media/data protection area better than anyone.‘
‘Keith Mathieson and Nicola Cain are stand-out individuals within RPC. Keith has decades-long experience in the media field, including data and privacy claims. He exudes calm, has superb strategic judgement and is highly responsive to his clients’ needs. Nicola has almost unrivalled knowledge of data protection law, and was heavily involved in recent consultations on what became the Data Protection Act 2018. Having worked for many years at the BBC, she is well attuned to media publishers’ needs and objectives.‘
Orbis Business Intelligence Limited
Refinitiv Ltd (formerly the financial and risk business of Thomson Reuters)
Associated Newspapers Ltd
Paddy Power Betfair
Michael Page International Recruitment Limited
- Defending a director of Orbis Business Intelligence as the author of the so-called ‘Trump dossier’ in a High Court data protection claim brought by three Russian oligarchs relating to their inclusion in the dossier.
- Acting for Refinitiv in multiple data protection claims relating to the inclusion of individuals in its World-Check ‘Know Your Customer’ database, and advising on related compliance issues.
- Defending Associated Newspapers in data protection proceedings in the Court of Appeal and representing the client in the Court of Justice of the European Union in a case relating to the compatibility of UK data protection legislation with the EU Data Protection Directive.
- Assisting Paddy Power Betfair with its GDPR project.
- Advising Shiseido Group on its GDPR compliance programme including consumer marketing issues.
Simmons & Simmons’ sector-focused approach to data protection spans the financial services, TMT, healthcare and life sciences sectors with HSBC, O2 and Monzo Bank as notable example clients. The cross-departmental group is led by TMT partner Alexander Brown and includes individuals from the ICT, employment and dispute resolution practices; key names include Lawrence Brown, who focuses on data protection compliance for financial institutions; and litigator Robert Allen, who handles contentious subject access requests, right-to-be-forgotten issues, breach responses and data incident notifications. The practice also leverages the firm’s international reach to handle cross-border mandates. George Morris was also recently promoted to the partnership.
‘The team supports clients throughout the GDPR process and provides a business-focused and pragmatic approach.‘
‘Alex Brown provides a high-quality service, is always available and able to provide pragmatic and solution-based advice. The team supporting Alex provides accurate and timely documentation.‘
‘Robert Allen provides practical, concise and clear advice on GDPR issues. He’s also a pleasure to work with.‘
University of Oxford
- Advising DXC Technology on its GDPR implementation.
- Assisting O2 with all aspects of data protection compliance including its GDPR compliance programme. The role also covered compliance advice for giffgaff and Tesco Mobile.
- Acting for HSBC on data protection and digital matters including the data protection elements of new product roll-outs, contractual terms for data processing arrangements and data transfers.
- Assisting Pacific Investment Management Company (PIMCO) on its GDPR implementation and compliance projects.
- Advising Wellington Investment Management on its implementation and ongoing compliance with data protection legislation.
Travers Smith LLP handles a range of complex data protection issues including data protection audit and policy work, data collection and consent issues, e-marketing work, security breaches and international data transfers. The group also has substantial GDPR expertise; it recently advised Caffé Nero, Muzinich & Co, Fortress Investment Group and Office Retail on their GDPR compliance programmes. Group head Dan Reavill regularly assists on data protection, information security and confidentiality issues and Louisa Chambers focuses on the retail, pensions, leisure and financial services sectors. James Longster was promoted to the partnership in 2019; he has significant expertise advising on the data protection aspects of IT and outsourcing transactions, cross-border deals and the exploitation of data obtained by consumer-facing businesses.
‘Travers Smith has in-depth knowledge of data protection law, provides practical and business-friendly advice, and is always able to respond at short notice and attend calls when asked.‘
‘The group is very commercial and pragmatic in its approach, and great at identifying solutions to problems. It also has outstanding GDPR and data protection knowledge.‘
‘The team is a tight knit, experienced, pragmatic team. It supports clients from a variety of sectors, which enables them to offer advice and solutions which have worked for different clients and which might not have been considered in other sectors. Response rate is excellent.‘
‘The team gives very clear, concise advice. The area of law is new and requires interpretation – the team is always able to give its view on how best to apply the law. It is able to draw on experience from other clients in similar sectors to advise on best industry practice.‘
‘Both James Longster and Dan Reavill are very accessible and go out of their way to make themselves available at short notice. They are very dependable and aware of commercial challenges.‘
‘Louisa Chambers combines her specialist expertise with excellent commercial understanding. Her advice is to the point and always adds value.‘
‘Louisa Chambers is a rising star. She is incisive, responsive and pragmatic as well as being a pleasure to work with – she bears all the hallmarks of an excellent and versatile Travers Smith lawyer.‘
‘James Longster is a young partner making his mark. Intelligent, pragmatic and responsive.‘
Unilever Pension Scheme Trustees
- Assisting Caffe Nero with its GDPR compliance and the data protection aspects of several commercial arrangements.
- Advising Office Retail on all of its data compliance matters.
- Assisting Micro Focus with its GDPR compliance programme and multiple data protection matters including the sale of its open-source enterprise software business.
- Handling Prudential’s GDPR compliance work and other data protection issues including the data implications of the separation of a large part of its business.
- Advising Euroclear UK & Ireland on its project to implement a cross-border settlement system for US dollars.
Womble Bond Dickinson (UK) LLP’s national network handles contentious and non-contentious matters for UK high-profile UK clients including Kingfisher, the Post Office, Network Rail and NHS Digital. The practice is also noted for its expertise in the retail, financial services and public sectors, and regularly handles cross-border mandates, leveraging the firm’s global network. Team head Andrew Kimble leads the data, privacy and freedom of information team and assists with outsourcing projects, data transfers and data licensing issues. Other key individuals include litigator Andrew Parsons, who focuses on disputes and investigations; Mark Gleeson, who joined from Browne Jacobson LLP in 2019 and specialises in information law; and legal director Peter Given. Jackie Gray moved in-house.
‘WBD fields a team of knowledgeable solicitors who can offer specialist support to in-house teams across vast legal areas.‘
‘The group has a depth of knowledge borne out of cross-industry insight and experience. This enables it to apply the law in a practical way always ensuring that ranges of options are well informed by associated risks, known incidents and permissible mitigations. Other firms may have similar approaches but lack the depth of “real world” experience.‘
‘Peter Given is extremely helpful and knowledgeable. He is very easy to approach and always willing to provide support. He is never condescending and he understands how to support an in-house team.‘
‘Accessibility and reliability are stand-out qualities of the practice. Clients also highlight the team’s willingness to challenge the corporate status quo making sure to stop and think and think again thereby avoiding risks of anchoring or proximity bias. Peter Given is simply outstanding and Amy Ogborne is also impressive.‘
Kingfisher Plc (including B&Q and Screwfix)
Post Office Limited
NHS Digital (previously known as the Health and Social Care Information Centre)
Ministry of Justice
Quilter (formerly Old Mutual Wealth)
Associated British Ports
London Borough of Lewisham
- Advising Quilter on various aspects of its GDPR compliance programme including its data protection clauses, intra-group data sharing and processing agreements and third-party contracts.
- Assisting a large national retail organisation with adapting personal data agreements for GDPR compliance.
- Advising the Post Office on the negotiation of its data sharing agreements between the UK Government, the Post Office, its primary service providers and a financial institution relating to the Post Office Card Account.
- Assisting the Ministry of Justice with the data compliance aspects of its Criminal Justice System Common Platform project.
With substantial expertise in the life sciences sector, Arnold & Porter’s practice includes specialists from the employment, commercial, IP, technology and regulatory practices. The group also acts for clients in other highly regulated sectors, advising on the interplay between data protection and regulatory frameworks. Richard Dickinson leads the practice and focuses on transactional mandates, Rob Bratby handles regulatory and transactional work in the telecoms, media and technology sectors; and employment partner Henry Clinton-Davis assists employers with data protection issues relating to employees and HR data transfers outside the EEA.
Orange Business Services
The Big Give
Tesla Motors Inc
- Assisting Orange Business Services with its GDPR compliance.
- Advising life sciences clients and pharmaceutical industry bodies on the impact of GDPR on the life sciences sector.
- Advising a client on the practices needed to process personal data produced by a medical device.
- Assisting a technology client with corporate due diligence from an EU privacy perspective.
Bryan Cave Leighton Paisner LLP
Bryan Cave Leighton Paisner LLP’s recent expertise spans GDPR advice and other compliance and due diligence work, data breach issues, Brexit-related work, e-privacy mandates and international data issues; the group benefits from the firm’s recent merger and expanded US presence. The group acts for multiple Fortune 500 and FTSE 100 companies and also counts BlackRock, National Grid and WeBuyAnyCar as key clients. Kate Brimsted leads the practice and focuses on complex data privacy projects; key names for contentious work include Oran Gelb and senior associate Sarah McAtominey.
‘Kate Brimsted understands the complexities that in-house lawyers face, and understands to look at the business as a whole and not confine the advice to only addressing the specific question that has been asked. Kate does not work in the narrow constrained way most private practice lawyers do and gives an holistic view and pragmatic advice, which is a breath of fresh air.‘
Arup Group Limited
Heathrow Airport Limited
ingage IR Ltd
National Grid plc
- Advising an infrastructure client on its response to a complex data subject access request relating to a planning approval process for a major development.
- Assisting a UK retail bank with the replacement of several service providers engaged to provide processing services for ATMs.
- Handling GDPR preparations, updating various customer-facing terms and conditions, and conducting a review of internal data flows for a global business process outsourcer.
- Advising SintoKogio on the data elements of its acquisition of the majority of the issued shares of Omega Foundry Machinery.
- Assisting a furniture retailer with its preparations for the implementation of GDPR and its impact on ePrivacy rules.
DAC Beachcroft LLP’s sector-focused approach primarily focuses on the insurance and health sectors with additional expertise in the cyber and technology spaces. The information law group handles contentious and non-contentious mandates under the leadership of Rhiannon Webster; Webster is noted for her experience in data protection compliance work, cross-border personal data transfers and data breaches and ICO complaints. The firm’s cyber and data risk team is headed up by Hans Allnutt, who primarily acts for insurers in claims involving financial institutions, professionals and technology companies. Newly promoted partner Jade Kowalski, Anne Crofts and Alistair Robertson also contribute to the team.
Rhiannon Webster; Hans Allnutt
Information Commissioner’s Office (ICO)
Lloyds Market Association
Association of British Insurers
North London Partners in Health and Care
Insure The Box
- Advising the ICO on the Google DeepMind arrangement with the Royal Free Hospitals NHS Foundation Trust relating to the launch of the Streams app, which aims to support clinicians to diagnose and support patients with acute kidney injury.
- Assisting the ICO with its information sharing agreements with a range of regulatory and public bodies in the UK, US, Canada and New Zealand.
- Defending Hiscox in a criminal prosecution brought by the ICO relating to an alleged breach of the Data Protection Act 1998 in which Hiscox allegedly required policyholders to make a subject access request in respect of criminal convictions.
- Acting for the Association of British Insurers and Lloyd’s Market Association in discussions with the Government relating to the processing of special categories of personal data.
- Advising North London Partners on its information sharing project including drafting the data sharing agreement and data processing agreement.
Building on the firm’s national strength, Farrer & Co’s international client base has increased thanks to Ian De Freitas’ expertise; he also has notable experience in ICO investigations and data breaches as well as GDPR compliance work. Henry Sainty leads the data protection and freedom of information department, which is active in GDPR and e-privacy matters; other areas of knowledge include information sharing issues, breach management and litigation. The group is also particularly noted for its safeguarding expertise, regularly advising schools, universities, sports governing bodies and religious organisations on information sharing and child data; and also assists public authorities with freedom of information issues, public sector information and environmental information regulations.
Other key lawyers:
Lawn Tennis Association
esure Group plc
J.P. Boden & Co.
PGA European Tour
Associated Board of the Royal Schools of Music (ABRSM)
Various Canadian clients (referred by Cassels Brock)
- Advising the Lawn Tennis Association on an organisation-wide data protection audit for the implementation of GDPR.
- Assisting esure Group with its GDPR preparations.
- Assisting J.P. Boden & Co with its GDPR compliance programme.
- Advising the PGA European Tour on data protection issues relating to how personal data is processed and transferred internationally, which arose following a review of the commercial and data sections of the Members Handbook for the PGA Tour players.
Newly promoted partner Anita Bapat leads the practice at Kemp Little LLP following Nicola Fulford’s departure to Hogan Lovells International LLP; Bapat is particularly noted for her data protection compliance expertise and also handles employee and customer data issues, marketing work, data breaches and ecommerce mandates. The group’s client base encompasses clients from the advertising, financial services, fashion and property sectors; key examples include Knight Frank, Lloyd’s of London and Dentsu Aegis Network. The team also utilises other departments in the firm including commercial technology partners and the employment group.
‘The key difference Kemp Little brings to the table is a firmly pragmatic and solution-focused view and a young vibrant outlook. Kemp Little lawyers are typically more approachable than their contemporaries, and more engaging, which really helps when sticking them in front of key business stakeholders.‘
‘Anita Bapat has a very approachable and engaging manner. She has an extensive knowledge of data protection issues and is able to bring that to bear in providing thoroughly pragmatic, practical advice. Clients go to Anita when they have a problem no one else can fix. Her knowledge of wider areas of law is excellent, as is her ability to tailor her advice to the client’s risk appetite.‘
Dentsu Aegis Network
Lloyd’s of London
- Advising Dentsu on privacy and data-related matters including GDPR and e-privacy law compliance, data processor obligations and data-transfer strategies.
- Assisting Knight Frank LLP with a variety of data protection matters including drafting and updating privacy notices, a GDPR project plan and readiness assessment, and data processing agreements.
- Acting for Farfetch on its global data protection compliance.
- Advising Lloyd’s of London on multiple complex data subject access requests.
- Assisting Princess Yachts with its GDPR compliance project.
Lewis Silkin LLP’s specialist areas of expertise include the data aspects of employment law, consumer and commercial law, defamation issues and advertising regulations. The group also has particular sector focuses including advertising, technology, sports, media, professional services, retail and hospitality sectors; clients include Viacom, Lush, Fulham Football Club, Cineworld Cinemas and Omnicom Group. Practice head Ellen Temperton is also a member of the employment group; other practitioners include Nathalie Moreno, who has experience in global data protection audits and compliance implementation programmes, and employment specialist Alexander Milner-Smith. Former practice head Nick Walker departed and Simon Morrisey joined Eversheds Sutherland (International) LLP.
‘The Lewis Silkin team is brilliant in putting forward well-informed, thought-through and practical solutions to GDPR-related technical questions. Clients rate it very highly with respect to its knowledge of the law, the practicality of its advice and attention to client needs.‘
‘Ellen Temperton is deeply knowledgeable and a huge pleasure to work with. She brings experience and enormous aptitude to everything she does.‘
‘Alexander Milner-Smith is uniquely positioned to advise on the privacy compliance aspects of GDPR projects while also being aware of the employment law sensitivities such as the need to inform and consult with works councils and trade unions about the new notices. The ability to advise on GDPR compliance and employment law matters means Milner-Smith’s advice is particularly commercial and practical.‘
‘In this niche area, the firm has significant experience and a highly capable team. One of the leading firms in data protection and its interface with partnership and professional firms.‘
Millennium Copthorne PLC
Fulham Football Club
PPHE Hotel Group
Centaur Media Plc
Clear Channel International
Cineworld Cinemas Ltd
Arts Alliance Media Ltd
- Advising a multinational software company on the implementation of its GDPR compliance programme.
- Assisting a multinational technology company with its GDPR implementation.
- Acting for Viacom on its data protection audit across EMEA focusing on workplace data protection issues.
- Conducting a global data protection audit for the Omnicom Group.
- Advising a premiership football club on its GDPR compliance programme including workplace and spectator privacy notices, marketing and cookies advice and other compliance issues.
Mishcon de Reya LLP counts both private individuals and corporates as clients and regularly handles GDPR compliance work, litigation and data transfers and other transactional matters. For private clients it has noteworthy expertise in subject access requests and also regularly acts for individuals in litigation; in a recent highlight the team represented Richard Lloyd as the representative claimant in a data protection claim against Google relating to the alleged secret tracking and collation of the personal data of iPhone users. Adam Rose heads the department, which also fields non-lawyer cyber security specialists. The department was also recently bolstered by the arrival of data protection advisor Jon Baines; he was previously at National Rail and is also the chair of the National Association of Data Protection and Information Law Officers.
Other key lawyers:
‘The go-to team for individuals facing difficult privacy and data protection challenges.‘
‘Adam Rose is a genuine expert in data protection matters, with an excellent feel for the practicalities and human aspects of cases too.‘
‘Jon Baines is an amazing asset, with some of the best expertise and insight in the sector.‘
‘Adam Rose is an excellent technical lawyer and a delight to work with.‘
Richard Lloyd (Class Representative)
Human Rights at Sea
Siilo Holdings B.V.
- Acting for Richard Lloyd as the representative claimant in a high-value claim against Google for alleged breaches of the Data Protection Act 1998 relating to its secret tracking and collation of the personal data of iPhone users.
- Advising a global recruitment company on its global data protection strategy.
- Advising a fund manager on a substantial data project following a hostile move against certain board members of a listed company.
- Conducting data audits for a variety of clients from a range of sectors in preparation for GDPR.
- Assisting Human Rights at Sea with the application of data protection and privacy laws and its interaction with international maritime laws.
The practice at Orrick, Herrington & Sutcliffe (Europe) LLP stands out for its technology sector focus and high-profile technology clients; key clients include Microsoft, Fujifilm and Go Pro. The group also has a track record in high-profile investigations including advising on privacy investigations by the ICO, the UK Federal Trade Commission and the French CNIL. Keily Blair and James Lloyd joined as partners from PwC LLP in early 2020 to launch a cyber and data privacy litigation & regulatory enforcement practice in London; managing associate Colin Hinds also has experience in online profiling issues, cookies and marketing work, and international data transfers.
‘The Orrick team has a deep knowledge, depth of experience and practical solutions to address all the intertwined factors that need to be considered in cybersecurity and privacy solutions.’
‘The Orrick team not only offers top-notch legal expertise, it also brings a practical business perspective to the table. In addition, its network of third-party service providers is an invaluable asset to help navigate a variety of issues.’
‘The group is very responsive, diligent and knowledgeable. It thinks outside the box and provides sound and business-friendly advice.’
W.W. Grainger Inc.
Carnival Corporation & PLC
- Advising Zoosk on the data issues relating to its operations and users in the EU including GDPR compliance.
Pritchetts Law is a specialist data protection firm, founded byStephanie Pritchett in 2009. She advises clients including FTSE 100 and FTSE 250 businesses on issues including GDPR, freedom of information and data privacy, working alongside partner Ben Wootton, who draws on in-house experience at Heathrow Airport and Air New Zealand. The firm, which operates across Bristol and London, has recently advised a range of clients in the financial services, education, tech and travel sectors on GDPR compliance and privacy policies.
Stephanie Pritchett; Ben Wootton
UPP Group Limited and numerous UPP group companies
Northumbrian Water Limited
DFS Furniture Limited
Westfield Europe Limited
The University of Melbourne
PDP Companies Limited
Newcastle Building Society
Link Maker Systems Limited
Top 100 law firm
NAMCO UK Limited
LaunchPad Recruits Limited
Newcastle Strategic Solutions Limited
Newcastle Systems Management Limited
- Advised UPP on GDPR compliance and contract arrangements
- Advised Unison on issues of GDPR compliance, in particular around communication to members
- Advised The University of Melbourne on risks related to compliance with the GDPR and the proposed E-Privacy Regulation.
- Provided strategic advice to Newcastle Building Society in relation to GDPR compliance.
Ropes & Gray LLP focuses its efforts on US-related data protection mandates with expertise advising clients in the private equity, asset management, education, healthcare and life sciences sectors. The team has been particularly active in compliance and advisory work and also handles data breaches, crisis response work and regulatory investigations, regularly working with the firm’s risk, investigations and regulatory enforcement partners. The firm’s US strength also makes it well placed to advise on the California Consumer Privacy Act and international data transfers. Rohan Massey heads up the practice and advises on data protection, data security, brand protection, e-commerce and IT matters. Counsel Clare Sellars is also a key name to note.
Other key lawyers:
With substantial expertise in the media and entertainment sectors, Sheridans' data team regularly acts for technology-focused businesses including cybersecurity firms, digital agencies and adtech companies, and assists with issues surrounding facial recognition and biometric data, location-based services, game development, digital marketing, profiling and adtech. Philip James and Eitan Jankelewitz jointly lead the practice; James regularly handles regulatory issues and Jankelewitz focuses on the online advertising and adtech industries. Key clients include Cifas and Sport England; the group advised the latter on its GDPR transformation project including privacy impact assessments, data strategies and facial recognition issues.
Philip James; Eitan Jankelewitz
‘The team is approachable, articulate and has impeccable commercial awareness. For a comparatively small team, it has a diverse and extensive range of expertise.‘
‘Sheridans’ service is exceptional. By being both incredibly knowledgeable in the legal fields that are relevant to clients and informed on the industry itself, it always manages to provide advice that is legally accurate whilst also remaining commercially relevant. It exceeds clients’ expectations of receiving sound regulatory advice with elements of strategic and commercial value. What truly stands out is its experience in data privacy.‘
‘The individuals are willing to discuss how to prioritise and manage legal issues with a genuine intent on helping you build your business rather than helping themselves rack up fees.‘
‘Eitan Jankelewitz is an excellent lawyer. He understands the client’s business and technologies (and business and technology in general) to an extent where he is able to provide advice without requiring much further context on what it is clients aim to achieve. He breaks down complex legal issues into simple terms and can deliver this to all levels of an organisation with the exact amount of information needed in any instance. He has a way of communicating that is accurate and credible without being too detailed and overly complicated.‘
Awin AG and all subsidiaries
Sumo Group Plc
Rank Group Plc
- Advising Sport England on its GDPR transformation project.
- Assisting the Internet Advertising Bureau with its codes of practice.
- Advising Awin and its subsidiaries on all elements of its privacy and digital marketing work including new product features, regulatory advice and GDPR compliance.
- Assisting Cifas with its GDPR transformation and handling privacy impact assessments.
- Advising Rank Group’s data protection officer on the company’s GDPR compliance.
Jonathan Kirsop leads the data protection and information team at Stephenson Harwood, which handles the full spectrum of data protection issues including GDPR compliance, data breaches, subject access requests and international data transfers. The team advises a client roster spanning the financial services, retail, life sciences, shipping, charity, aviation, rail and professional services sectors; notable examples include BTG, The Movember Foundation and Deloitte. Barclays Bank is also a key client, which Kirsop recently advised on its GDPR compliance. Litigator Ben Sigler is the main contact for contentious data protection issues, particularly subject access requests.
Other key lawyers:
‘Stephenson Harwood is very professional, practical, commercial and willing to assist (with a sense of humour).‘
‘The team’s advice is very commercially pragmatic and it genuinely tries to understand the client’s risk appetite so the advice is fit for purpose and practical.‘
‘Jonathan Kirsop is an understatedly solid expert in the area of data protection law – consistently delivering practical and commercial advice, at pace.‘
‘Jonathan Kirsop has a vast wealth of knowledge and experience. He is professional and really willing to get to know the client’s business in great detail in order to provide thoughtful and practical advice.‘
‘Jonathan Kirsop and Katie Hewson are extremely amenable, professional, expert in their subject and a great aid in meeting deadlines.‘
Barclays Bank PLC
Smith & Williamson
The Movember Foundation
Mizuho Bank Limited
- Advising Barclays Bank on its GDPR project including advice on privacy notices.
- Assisting Smith & Williamson with its GDPR compliance.
- Assisting the Movember Foundation with its GDPR compliance project and other data issues including direct marketing practices and third-party contracts.
- Advising Mizuho Bank on its GDPR compliance project and advising on other international data protection issues.
White & Case LLP’s data, privacy and cybersecurity group handles a variety of data protection advisory work, corporate and transactional support issues, and litigation. The team leverages the firm’s global network to assist with international data matters; it represents Facebook in any disputes outside the US and advised Nestlé on global compliance issues. Deutsche Bank, Boeing and Oasis Fashion Holdings are also clients. Tim Hickman heads up the London practice and advises on all aspects of UK and EU privacy and data protection law; counsel Deborah Lincoln is also recommended for data issues arising from corporate transactions.
Other key lawyers:
‘Tim Hickman’s data protection team has excellent legal skills and knowledge. Tim is always available to assist with queries, and understands the need for a quick turnaround.‘
‘The data protection team is outstanding in terms of speed and expertise.‘
‘Tim Hickman’s knowledge of data protection law is second to none. He is also personable and easy to work with.‘
‘Tim Hickman always provides outstanding support that is value-added and timely. Clients appreciate the examples he provides, making the advice more tangible.‘
Deutsche Bank AG (London Branch)
Oasis Fashion Holdings
The Association of Executive Search and Leadership Consultants (the “AESC”)
- Acting for Facebook in any disputes outside the US relating to social network activities.
- Advising Nestlé on its compliance with data protection legislation.
- Assisting Deutsche Bank with its GDPR compliance, including contractual issues.
- Advised Oasis and Warehouse on its data protection legislation compliance.
- Handling various data compliance projects for Boeing.
Wiggin LLP acts for a high-profile client roster of media and technology clients, with notable examples including Netflix, HBO, Disney, Marvel and Virgin Media. The group has recently been active advising on personal data matters; it assisted Netflix and HBO with the processing of cast and crew data and GDPR issues. Other areas of expertise for the practice include contentious data protection work, cybersecurity breaches, regulatory investigations and cross-border projects. David Naylor and Alexander Ross jointly lead the department; Naylor focuses on transactional and advisory work and Ross has notable expertise in digital rights. Caroline Kean is the key contact for contentious matters.
David Naylor; Alexander Ross
Other key lawyers:
‘There is strong depth and breadth of expertise in the team, and it is used efficiently and effectively. Clients appreciate that the main contacts talk to them in their own language and take the time to understand their unique business.‘
‘David Naylor continues to provide exceptional support. He ensures that clients have timely access to expert advice as needed. He always provides a clear and considered response to queries and provides the necessary guidance through challenging situations. David sets realistic expectations and manages the right level of communication.‘
‘Patrick O’Connell is thorough and his depth of knowledge is outstanding. He is really approachable and a delight to work with.‘
National Online Self-Exclusion Scheme / GAMSTOP
DataCore Software Corporation
Audience Trading Platform
- Advising Netflix on the data protection implications of processing the personal data of cast and crew and other GDPR issues.
- Assisting HBO with its GDPR compliance including updating its suite of production agreements and policies, and advice on the processing of cast and crew data.
- Advising Lionsgate on its processing of personal data including drafting policies for staff on data subject rights requests and reporting data breaches.
- Assisting the National Online Self-Exclusion Scheme with its data protection compliance.
- Advising bet365 on data subject rights and the changes to existing rights brought in by GDPR.