Katie Hewson

Head of data protection

Katie leads the firm’s data protection practice. She has significant experience advising clients across a variety of sectors, including retail, transport, financial services, analytics and life sciences. She holds AI Governance Professional (AIGP), Fellow of Information Privacy (FIP), Certified Information Privacy Professional Europe (CIPP/E) and Certified Information Privacy Manager (CIPM) accreditations from the IAPP.

Recently awarded "Privacy Leader of the Year: Legal" (PICASSO Privacy Awards 2022), Katie is recognised as a Next Generation Partner for data protection, privacy and cyber security by The Legal 500 UK 2022, in which she is described as “outstanding” and it is noted that her "legal advice is always incredibly commercially minded and her understanding of the technical aspects of privacy is unparalleled" (The Legal 500 UK 2022).

Katie has extensive experience leading international GDPR compliance projects and also advises on data protection contracts, transparency issues, international personal data transfers, data sharing, cyber security and personal data breaches. She also advises a variety of clients on direct marketing, ad tech, social media and cookies issues under the e-privacy regime.

Katie has also acted for clients facing ICO enforcement action on potential data protection and freedom of information law breaches, winning successful outcomes for her clients in relation to subject access requests, breach reporting and FOIA requests. She has helped clients with the data protection impacts of Brexit and coronavirus and has also advised on the complex legal issues in facial recognition, AI and profiling.

Katie is a member of the International Network of Privacy Law Professionals, a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters.

  • Advised Exscientia, an AI drug discovery company, on a wide-ranging data protection review.
  • Advised S&P Global on a wide variety of data protection issues, notably the significant data protection impacts of its merger with financial information services provider, IHS Markit.
  • Advised S&P's Platts division, which provides energy and commodities information and a source of benchmark price assessments in the physical commodity markets, on a wide-ranging data protection compliance project.
  • Advised Mizuho Bank on updating its internal data transfer agreement between its various entities and branches on a global scale to take the new SCCs and the new UK Addendum into account.
  • Advised Neuberger Berman on all aspects of its UK data protection compliance, including its data protection terms, policies and procedures, such as new requirements for international transfers of personal data from the UK and usage of cookies.
  • Advised transport company Abellio on its group-wide data protection project in which new policies and procedures are being drafted and implemented by all Abellio's operating companies. This involved drafting a full suite of bespoke policies and procedures.
  • Advised Swire Shipping on the sharing of data within its international group.
  • Advised an international bank on its GDPR compliance programme, providing a full suite of services including close involvement in the bank's data mapping exercise and gap analysis. Continues to advise as the programme matures.
  • Advised a leading wellbeing chain in response to an ICO investigation into its direct marketing practices.
  • Advised a financial institution on a data breach that resulted in hackers gaining unauthorised access to extremely sensitive personal data, which resulted in a third party being exposed to a significant financial loss. This included advising on all aspects of incident response including making relevant notifications to affected data subjects, the ICO, insurers, and the police, and potential disputes with third parties.
  • Provided data privacy advice and drafted terms for a leading pharma company's healthcare apps.
  • Advised in relation to two substantial representative actions against major technology companies arising from potential systemic breaches of data protection legislation, including in relation to children's data.
  • Helped an airline handle a high-profile data subject access request that was subject to extensive publicity.
  • Advised a leading high street retailer on GDPR compliance and documentation for employee and customer personal data.
  • Advised an international transport company on its approach to direct marketing campaigns.
  • Advised a life sciences company on data protection issues relating to clinical trials, market research, ad tech and social media disease awareness campaigns.

Katie Hewson acts as an extended member of our in-house legal team. I know the advice I receive from Katie will take into account the risks and concerns of our particular business. Katie knows there is no one size fits all, and she takes time to understand the business and our risk appetite. She is an invaluable resource.

The Legal 500 UK 2023
