Home / People / Dr. Loretta Pugh
Loretta Pugh

Dr. Loretta Pugh


CMS Cameron McKenna Nabarro Olswang LLP
Cannon Place
78 Cannon Street
United Kingdom
Languages English

Loretta advises on data protection, cyber security, technology, outsourcing and commercial transactions. She is a specialist in data protection and cyber security and advises across a wide range of industry sectors, including the financial services, life sciences, real estate and TMT sectors. Advice ranges from general compliance to strategic and business critical matters. Loretta is known for her strong technical ability coupled with application to her clients’ specific business scenarios in a pragmatic manner. Loretta has a particular interest in the exploitation of data and the use of new technologies, including AI and other data analytic solutions. In the sphere of cyber, her work includes incident response planning, assessment of cyber solutions, and advising following a data breach.

Loretta has spoken on data protection and cyber and produced a number of articles, including in relation to the GDPR and the NIS Regulations.

Loretta is a member of the Law Society City GDPR Working Group and a speaker and mentor at ‘Cyber 101’, an initiative funded by the Department for Digital, Culture, Media & Sport (DCMS) and held at Digital Catapult to nurture early stage cyber companies in the UK. Loretta is also a member of the International Association of Privacy Professionals (IAPP).

more less


  • Postgraduate Diploma in Intellectual Property Law and Practice, University of Oxford
  • Legal Practice Course (Distinction), BPP Law School
  • Graduate Diploma in Law (Distinction), Anglia Law School
  • Ph.D. (Optoelectronics), University of Cambridge
  • B.Sc. (First Class Honours), Keele University
more less


  • Law Society City GDPR Working Group
  • International Association of Privacy Professionals (IAPP)
more less


  • Implications of the General Data Protection Regulation (GDPR) for Detecting Infringement of Artificial Intelligence (AI) Patents; EPI Information (Publication of the European Patent Institute); Sep 2018
  • Network and Information Systems Regulations—contractual implications; LexisPSL; Aug 2018
  • GDPR and AI Patents; CIPA Journal (Journal of the Chartered Institute of Patent Attorneys), Volume 47, No. 7-8; Jul 2018
  • GDPR: Implications for Real Estate; Property Law Journal; May 2018
  • Network and Information Systems Regulations and the cloud; LexisPSL; May 2018
  • Data protection under the draft Brexit withdrawal agreement; LexisPSL; Apr 2018
  • The UK Government responds to the NDG and CQC recommendations; Digital Health Legal; Sep 2017
  • International Data Flows and the New EU-US Privacy Shield; National Outsourcing Association Yearbook 2016; Jan 2016
more less


Show only
18 September 2020
How will in­valid­ity of the Pri­vacy Shield and new rules for Stand­ard Con­trac­tu­al...
In a re­cent rul­ing, the EU Court of Justice struck down the EU-US Pri­vacy Shield and, though it ruled that stand­ard con­trac­tu­al clauses re­main val­id for trans­fers of per­son­al data out­side the EEA, in­ter­preted...
27 July 2020
Data Pro­tec­tion Of­ficers – Avoid­ing a Con­flict of In­terest
On 28 April 2020, the Lit­ig­a­tion Cham­ber of the Bel­gian data pro­tec­tion au­thor­ity (the “APD”) im­posed a €50,000 fine on a Bel­gian com­pany, for non-com­pli­ance with the re­quire­ments re­lat­ing to the...
23 June 2020
Coronavir­us (COV­ID-19) and Pri­vacy
In the last few months, we have seen or­gan­isa­tions across Europe im­pos­ing vari­ous ob­lig­a­tions on their em­ploy­ees, vis­it­ors and cus­tom­ers to fight the spread of the COV­ID-19 vir­us. The un­der­ly­ing meas­ures...
17 February 2020
Opin­ion on stand­ard con­trac­tu­al clauses: more a com­pli­ance head­ache than...
A re­cent non-bind­ing Opin­ion of the Ad­voc­ate Gen­er­al has sig­nalled that the stand­ard con­trac­tu­al clauses can con­tin­ue to be used as a safe­guard for trans­fer­ring per­son­al data out­side the EEA. However...
15 November 2019
Brexit and data pro­tec­tion: what to do next (when you don’t know what’s...
Whilst the threat of a no-deal Brexit has been aver­ted for now, the fu­ture is by no means cer­tain. We have high­lighted some of the key is­sues for UK-based or­gan­isa­tions, and the EEA or­gan­isa­tions that...
10 July 2019
Watch this (adtech) space – ICO re­port on adtech and real time bid­ding
The UK In­form­a­tion Com­mis­sion­er’s Of­fice (ICO) has is­sued an up­date re­port on adtech and real time bid­ding (RTB). The reg­u­lat­or has iden­ti­fied sev­er­al areas as need­ing im­prove­ment, and sees this as...
06 June 2019
GDPR: 12 months on, 12 Takeaways
Some com­ment­at­ors were ex­pect­ing the GDPR to be the new Y2K, and oth­ers the dawn­ing of the data apo­ca­lypse. The real­ity has been less dra­mat­ic, but has non­ethe­less brought a range of chal­lenges and les­sons...
26 April 2019
Re­li­ance on the EU-U.S. Pri­vacy Shield for UK data fol­low­ing Brexit
There has been wel­come cla­ri­fic­a­tion on the scope of the EU-U.S. Pri­vacy Shield on UK data fol­low­ing the UK's ex­pec­ted de­par­ture from the EU. Guid­ance from the U.S. De­part­ment of Com­merce, which ad­min­is­ters...
21 March 2019
CMS Fin­an­cial In­sti­tu­tions Op­er­a­tion­al Re­si­li­ence Re­port
In Ju­ly 2018, the Bank of Eng­land, the FCA and the PRA re­leased a Dis­cus­sion Pa­per (DP 18/4): “Build­ing the UK fin­an­cial sec­tor’s op­er­a­tion­al re­si­li­ence” re­quest­ing feed­back by 5 Oc­to­ber 2018...
06 March 2019
Data Pro­tec­tion Risks and In­vest­ig­a­tions
With reg­u­lat­ors and in­di­vidu­als pay­ing in­creas­ing at­ten­tion to data pro­tec­tion and cy­ber­se­cur­ity, we un­der­stand in­ter­na­tion­al busi­nesses need an ef­fect­ive and trans­par­ent re­sponse to data com­pli­ance.CMS’...
27 November 2018
GDPR: the af­ter­math
Please join us for a half-day sem­in­ar on the af­ter­math of GDPR. Six months after the im­ple­ment­a­tion of the most chal­len­ging EU reg­u­la­tion busi­nesses have seen in years, it is time to take a step back...
29 October 2018
CMS ad­vises on Mo­tors.co.uk sale to eBay
CMS has ad­vised glob­al auto­mot­ive ser­vices pro­vider, Cox Auto­mot­ive UK, on the sale of its con­sumer-fa­cing car search busi­ness, Mo­tors.co.uk, to eBay. The com­ple­tion is sub­ject to com­pet­i­tion clear­ance...