Dr. Loretta Pugh


CMS Cameron McKenna Nabarro Olswang LLP
Cannon Place
78 Cannon Street
United Kingdom
Languages English

Loretta is a specialist data protection and cyber security partner with a background in IT. Her advice ranges from general compliance to highly strategic and business-critical matters, which may be domestic or involve the coordination of international advice. Loretta is known for her strong technical ability, which she applies pragmatically to her clients’ specific business scenarios. Loretta has a particular interest in the exploitation of data and the use of new technologies, including AI and other data analytics solutions. In the cyber sphere, her work includes incident response planning, assessment of cyber solutions, and advising following a data breach. She has been involved in several high-profile ICO investigations.

Loretta has spoken on data protection and cyber and produced a number of articles, including in relation to the GDPR and the NIS Regulations.

Loretta is a member of the United Nations Legal Task Team on Privacy Preserving Techniques, the techUK Data Protection Working Group and the International Association of Privacy Professionals (IAPP). Loretta is recognised as a ‘Next Generation Partner’ and ‘Key Lawyer’ in Legal 500 for data protection, privacy and cyber security.


"Next Generation Partner."

Legal 500

"Loretta Pugh is knowledgeable in the field of new technologies, including AI."

Legal 500

Relevant experience

  • A major technology company on its planned roll-out of mobile-app-based COVID vaccination passes in 24 jurisdictions. Advice was first provided for the UK and coordinated for the other jurisdictions.
  • An insurance company in relation to international data transfers in the context of a reinsurance with a US counterparty. Advice included advising on changes to the international transfers regimes in the EU and UK, performing transfer risk assessments and accommodating future changes to transfer rules.
  • A global health brand on its online marketing operations, including in relation to AdTech and cookies.
  • A real estate company in relation to an ICO investigation on the use of facial recognition technology in public places.
  • A pharmaceutical company in the context of an investigation by the Competition and Markets Authority.
  • A high street fashion chain on data breach planning and approaches to mitigate compliance risks in relation to breach incidents.
  • A global tech company following a cyber-attack impacting 395,000 individuals in 73 jurisdictions. Advice was provided from shortly after the breach had been discovered (including coordinating the various impacted jurisdictions) and covered regulator and data subject notifications and subsequent regulator investigations.
  • A FTSE 100 company on its data protection policies and procedures, and the development of a data governance framework.
  • Numerous companies following the exercise of data subject requests, including data subject access requests in the context of litigation and employee disputes.
  • An energy company in relation to requests under the Freedom of Information Act 2000 and Environmental Information Regulations 2004.

Memberships & Roles

  • United Nations Legal Task Team on Privacy Preserving Techniques
  • techUK Data Protection Working Group
  • International Association of Privacy Professionals (IAPP)


  • Implications of the General Data Protection Regulation (GDPR) for Detecting Infringement of Artificial Intelligence (AI) Patents; EPI Information (Publication of the European Patent Institute); Sep 2018
  • Network and Information Systems Regulations—contractual implications; LexisPSL; Aug 2018
  • GDPR and AI Patents; CIPA Journal (Journal of the Chartered Institute of Patent Attorneys), Volume 47, No. 7-8; Jul 2018
  • GDPR: Implications for Real Estate; Property Law Journal; May 2018
  • Network and Information Systems Regulations and the cloud; LexisPSL; May 2018
  • Data protection under the draft Brexit withdrawal agreement; LexisPSL; Apr 2018
  • The UK Government responds to the NDG and CQC recommendations; Digital Health Legal; Sep 2017
  • International Data Flows and the New EU-US Privacy Shield; National Outsourcing Association Yearbook 2016; Jan 2016


  • Postgraduate Diploma in Intellectual Property Law and Practice, University of Oxford
  • Legal Practice Course (Distinction), BPP Law School
  • Graduate Diploma in Law (Distinction), Anglia Law School
  • Ph.D. (Optoelectronics), University of Cambridge


International transfers of personal data: ICO update on UK Binding Corporate...
In late July 2022, the office of the UK data protection regulator, the Information Commissioner’s Office (ICO), issued new guidance on applying for and receiving approval for UK Binding Corporate Rules...
Data protection and cybersecurity laws in the United Kingdom
Data protection 1. Local data protection laws and scope The Data Protection Act 2018 (“DPA”) covers general processing of personal data in the UK. The DPA supplemented the EU General Data Protection...
ICO consultation on international data transfer guidance and tools
On 11 August, the ICO launched a consultation on international data transfers and published a draft ‘International Transfer Risk Assessment and Tool’, and a draft ‘International Data Transfer Agreement’...
GDPR 3 years on – The greatest hits (and misses)
More than three years have passed since the GDPR applied and a lot has happened in the world of data protection during that time – fines, class actions, court challenges and more. We give our “playlist”...
Data protection update: latest developments on EU and UK transfers
Background On 28 June 2021, the European Commission issued two EU adequacy decisions finally bringing to an end the uncertainty over whether transfers of personal data from the EU to the UK could continue...
New EU Standard Contractual Clauses: 10 things to know and implications...
Last month, the EU Commission published the new standard contractual clauses for the transfer of personal data from the EU (the “New EU SCCs”). The New EU SCCs will replace the previous standard contractual...
Real Estate Rebound: a tech-accelerated recovery
We invite you to join our virtual panel debate on Wednesday 14 July, where we will explore the key themes identified in our ninth annual thought leadership report: Real Estate Rebound: a tech-accelerated...
Managing investigations: planning pressures and pitfalls video series
With more internal reporting of concerns within businesses thanks to improved training and controls, and with complex regulatory, criminal and HR investigations becoming more commonplace, corporates need...
Progress towards adequacy: European Commission publishes draft adequacy...
Background On Friday 19 February, the European Commission announced that it had formally launched the procedure to adopt two adequacy decisions for data transfers to the UK. While the decisions have not...
Life Sciences Quarterly Update - Brexit Implications for the MedTech Sector
We are delighted to invite you to our life sciences quarterly update webinar, ‘in view’. Our CMS team will be evaluating the wide ranging impacts of Brexit for those operating in the MedTech sector...
How will invalidity of the Privacy Shield and new rules for Standard Contractual...
In a recent ruling, the EU Court of Justice struck down the EU-US Privacy Shield and, though it ruled that standard contractual clauses remain valid for transfers of personal data outside the EEA, interpreted...
Data Protection Officers – Avoiding a Conflict of Interest
On 28 April 2020, the Litigation Chamber of the Belgian data protection authority (the “APD”) imposed a €50,000 fine on a Belgian company, for non-compliance with the requirements relating to the...