Personal Data Protection

Any organisation that processes personal data is expected to remain accountable for how it uses and safeguards that data. Clear and proportionate data protection practices are increasingly required by customers, partners and regulators, particularly in data‑driven and technology‑enabled transactions.

How I can help you

I advise businesses and organisations on compliance with personal data protection laws, with a focus on practical, proportionate implementation that supports operations rather than obstructing them. My work covers both day‑to‑day GDPR compliance and more complex data‑driven activities, including technology‑enabled and cross‑border processing.

GDPR compliance frameworks and accountability

I assist clients in establishing and maintaining GDPR‑compliant data protection frameworks, including:

  • explaining and applying the core data protection principles in a business‑relevant way;
  • designing appropriate internal processes and governance measures;
  • supporting ongoing compliance and regulatory preparedness.

My aim is to help organisations demonstrate accountability while keeping compliance manageable and aligned with their size and risk profile.

Privacy documentation and transparency

Clear and accurate documentation is a cornerstone of data protection compliance. I assist with:

  • drafting and reviewing privacy notices and cookie policies;
  • ensuring transparency around processing purposes, legal bases and individuals’ rights;
  • aligning external privacy information with internal data practices.

This work is particularly relevant for businesses operating online or providing digital and technology‑enabled services.

Data mapping, records and impact assessments

Understanding how personal data flows through an organisation is critical for compliance and risk management. I advise on:

  • records of processing activities (ROPA) as structured data‑mapping exercises;
  • data protection impact assessments (DPIAs) where processing is likely to pose higher risks to individuals’ rights and freedoms;
  • maintaining these documents as living tools rather than one‑off formalities.

These exercises are often closely linked to broader technology, AI and process‑design decisions.

International data transfers and cross‑border processing

International transfers of personal data remain a complex and evolving area of GDPR compliance. I assist clients with:

  • assessing whether and when data transfers occur;
  • selecting and implementing appropriate transfer mechanisms, depending on destination and risk profile;
  • integrating transfer safeguards into contractual and operational frameworks.

This is particularly relevant for cloud‑based services, international groups and technology providers.

External Data Protection Officer and EU Representative services

Where required or commercially desirable, I provide regulated support services, including:

  • acting as an external Data Protection Officer (DPO), advising on and monitoring GDPR compliance and liaising with supervisory authorities;
  • acting as an EU representative for non‑EU organisations processing personal data of individuals in the EU.

External appointments can offer flexibility and expertise without the burden of internal resourcing.


Recent experience:

Advised an international software and technology business on personal data protection compliance in connection with data‑driven digital services, with a particular focus on the protection of children’s personal data. The work involved analysing heightened GDPR obligations, designing appropriate safeguards and transparency measures, and addressing complex risk and accountability considerations arising from the processing of minors’ data within scalable technology platforms.

Advised a UK‑based data and advertising‑technology company on GDPR compliance in the context of complex data‑sharing and data‑supply arrangements, including structuring contractual safeguards, assessing data protection risk and aligning data‑processing practices with the commercial use of proprietary datasets.

Act as external data protection officer for a provider of an online platform offering tools to streamline client onboarding processes, regularly assisting with the preparation, review and maintenance of privacy documentation, internal policies and governance measures to ensure ongoing compliance with applicable data protection rules.

Participated in advising an international internet governance organisation on GDPR compliance and the anonymisation of publicly accessible records, including assessment of technical and organisational measures to mitigate privacy risks.

Let's work together and make something big