Home / People / Dr. Loretta Pugh
Loretta Pugh

Dr. Loretta Pugh


CMS Cameron McKenna Nabarro Olswang LLP
Cannon Place
78 Cannon Street
United Kingdom
Languages English

Loretta advises on data protection, cyber security, technology, outsourcing and commercial transactions. She is a specialist in data protection and cyber security and advises across a wide range of industry sectors, including the financial services, life sciences, real estate and TMT sectors. Advice ranges from general compliance to strategic and business critical matters. Loretta is known for her strong technical ability coupled with application to her clients’ specific business scenarios in a pragmatic manner. Loretta has a particular interest in the exploitation of data and the use of new technologies, including AI and other data analytic solutions. In the sphere of cyber, her work includes incident response planning, assessment of cyber solutions, and advising following a data breach.

Loretta has spoken on data protection and cyber and produced a number of articles, including in relation to the GDPR and the NIS Regulations.

Loretta is a member of the Law Society City GDPR Working Group and a speaker and mentor at ‘Cyber 101’, an initiative funded by the Department for Digital, Culture, Media & Sport (DCMS) and held at Digital Catapult to nurture early stage cyber companies in the UK. Loretta is also a member of the International Association of Privacy Professionals (IAPP).

more less


  • Postgraduate Diploma in Intellectual Property Law and Practice, University of Oxford
  • Legal Practice Course (Distinction), BPP Law School
  • Graduate Diploma in Law (Distinction), Anglia Law School
  • Ph.D. (Optoelectronics), University of Cambridge
  • B.Sc. (First Class Honours), Keele University
more less


Law Society City GDPR Working Group
International Association of Privacy Professionals (IAPP)

more less


  • Implications of the General Data Protection Regulation (GDPR) for Detecting Infringement of Artificial Intelligence (AI) Patents; EPI Information (Publication of the European Patent Institute); Sep 2018
  • Network and Information Systems Regulations—contractual implications; LexisPSL; Aug 2018
  • GDPR and AI Patents; CIPA Journal (Journal of the Chartered Institute of Patent Attorneys), Volume 47, No. 7-8; Jul 2018
  • GDPR: Implications for Real Estate; Property Law Journal; May 2018
  • Network and Information Systems Regulations and the cloud; LexisPSL; May 2018
  • Data protection under the draft Brexit withdrawal agreement; LexisPSL; Apr 2018
  • The UK Government responds to the NDG and CQC recommendations; Digital Health Legal; Sep 2017
  • International Data Flows and the New EU-US Privacy Shield; National Outsourcing Association Yearbook 2016; Jan 2016
more less


Show only
21 March 2019
CMS Fin­an­cial In­sti­tu­tions Op­er­a­tion­al Re­si­li­ence Re­port
Risk, Re­si­li­ence & Repu­ta­tion
Watch this (adtech) space – ICO re­port on adtech and real time bid­ding
The UK In­form­a­tion Com­mis­sion­er’s Of­fice (ICO) has is­sued an up­date re­port on adtech and real time bid­ding (RTB). The reg­u­lat­or has iden­ti­fied sev­er­al areas as need­ing im­prove­ment, and sees this as just the start of its en­gage­ment with the adtech sec­tor on.
GDPR: 12 months on, 12 Takeaways
Some com­ment­at­ors were ex­pect­ing the GDPR to be the new Y2K, and oth­ers the dawn­ing of the data apo­ca­lypse. The real­ity has been less dra­mat­ic, but has non­ethe­less brought a range of chal­lenges and les­sons learned.
Re­li­ance on the EU-U.S. Pri­vacy Shield for UK data fol­low­ing Brexit
There has been wel­come cla­ri­fic­a­tion on the scope of the EU-U. S. Pri­vacy Shield on UK data fol­low­ing the UK's ex­pec­ted de­par­ture from the EU. Guid­ance from the U. S. De­part­ment of Com­merce, which ad­min­is­ters the Pri­vacy Shield, con­firms that busi­nesses cur­rently.
Data Pro­tec­tion Act 2018 be­comes law
Less than two days be­fore the Gen­er­al Data Pro­tec­tion Reg­u­la­tion enters in­to force on 25 May 2018, the Data Pro­tec­tion Bill (the “Bill”) has passed in­to law. Since its first read­ing in the House of Lords on 13 Septem­ber 2017, the Bill has been de­bated by both.
Data pro­tec­tion un­der the draft Brexit with­draw­al agree­ment
The European Com­mis­sion pub­lished the first draft of the pro­posed Brexit with­draw­al agree­ment on 28 Feb­ru­ary 2018. It in­cludes pro­vi­sions in re­la­tion to the pro­cessing of per­son­al data dur­ing a ‘trans­ition peri­od’, and in cer­tain cir­cum­stances there­after.
What next for in­ter­na­tion­al data trans­fers?
Sum­mary The Ir­ish High Court has made a pre­lim­in­ary ref­er­ence to the Court of Justice of the European Uni­on (the “CJEU”), ask­ing wheth­er stand­ard data pro­tec­tion clauses (“stand­ard clauses”) are com­pat­ible with the leg­al rights of data sub­jects un­der EU law.