Caroline Egan has been specialising in data protection and privacy for nearly 20 years, advising on all aspects of data protection law and compliance. Caroline has advised, and continues to advise, a number of clients, both UK and multinational, on full General Data Protection Regulation (GDPR)/Data Protection Act 2018 (DPA) compliance programmes, as well as on discrete compliance elements for many more. She has strong experience in successfully handling significant and complex cyber and other data breaches for clients, as well as extensive experience in dealing with significant sensitive subject access requests. She has particular depth of experience in drafting and negotiating agreements involving complex transfers of data, both within and outside the EU.

    Her clients come from across the business spectrum, including logistics, hospitality and leisure, manufacturing, service industries, financial services, consumer products and retail. She has particular experience and expertise in the pensions field.

    • Developing and delivering GDPR compliance programmes for a wide range of clients, including UK and international consumer product providers, retailers, financial services providers, logistics and transport organisations, and hospitality and leisure groups. Work has included data mapping documentation, contracts with third party processors and controllers, and data sharing agreements involving transfers outside the EEA; privacy notices for employees and customers; advice on and drafting consents; drafting a range of policies and other documents, including privacy policies, data breach response plan, and data protection impact assessments; and providing training to key personnel on GDPR compliance.
    • Advising clients in the fields of hospitality and leisure, consumer products, logistics and pensions on all aspects of handling data breaches – both from cybersecurity breaches and other causes, and under the GDPR/DPA 2018, as well as under the Data Protection Act 1998, including liaising with forensic investigators, insurers and PR consultants; advising on and drafting notifications to the Information Commissioner's Office (ICO) and other regulators, along with successfully handling follow-up investigations by the ICO; advising on and drafting notifications to affected individuals; and working with litigation colleagues in advising on actions to be taken where a breach is caused by third party contractors.
    • Working with pensions colleagues to develop an innovative and cost-effective set of template documents for use by pensions trustees in achieving GDPR compliance.
    • Advising trustees of substantial pensions schemes on all aspects of their GDPR compliance programmes; including advising on terms of agreements proposed by third party service providers, both processors and controllers, and negotiating agreements to completion; and drafting and negotiating data sharing agreements with principal employers.
    • Advising a broad range of clients in responding to complex and sensitive data subject access requests, and successfully advising on complaints made to the ICO.
    • Advising multinational clients in fields including retail, e-commerce, transport and logistics on data sharing arrangements, within and outside the EEA, and both intra-group and third parties, including advising on the most appropriate adequacy mechanism, drafting and negotiating data sharing agreements, and advice on the potential implications of Brexit.
    • Advising a variety of businesses on monitoring and interception of communications.
    • Advising a major financial services provider group on its data protection status (controller or processor) in relation to the wide-ranging products and services it provides, and in drafting GDPR compliant contracts with consumers, corporate customers, insurers, advisers and introducers.
    • Advising clients involved in B2B and B2C transactions on the options available as regards marketing, and providing relevant documentation and training materials.
    • Advising a broad range of clients on complex issues arising out of the GDPR and DPA.
    • Providing tailored GDPR compliance training to financial services organisations, pensions trustees and others.


    • College of Law, London, Law Society Finals, 1980
    • University of Oxford, M.A., 1979


    • England and Wales, 1982
    • Recommended in the 2012 edition of The Legal 500 UK
