John Timmons

Partner, London



John advises on all aspects of UK and EU privacy, data protection and cybersecurity law. Key elements of his role include advising clients on general data protection compliance and providing specific advice on international data transfer solutions, compliance with local privacy and cyber security laws, information governance, e-privacy and direct marketing issues and online behavioural / targeted advertising strategies. John has a detailed knowledge of the EU's General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 and associated privacy and cyber security legislation.

As a key member of the Firm's Global Data, Privacy and Cybersecurity practice, John focuses on providing practical and commercially attractive solutions for clients, taking account of the wider business and commercial context. He outlines risk positions and risk profiles to assist clients when making key decisions.

John has significant experience working with a wide range of clients in the EU, the US and Asia. John has experience of advising businesses from within, having been seconded to a national media company and a leading global technology business. John has presented to a leading cyber security forum and financial institutions on data protection and privacy matters.

Bars and Courts
Postgraduate Diploma in Legal Practice
University of Glasgow and Strathclyde
University of Glasgow


Advised a number of international organisations on data protection compliance matters globally, including in relation to the EU General Data Protection Regulation.

Advised a leading global technology business on the application of, and compliance with, the European directive on security of network and information systems and the UK Network and Information Systems Regulations 2018.

Advised numerous clients on the likely impact of the EU General Data Protection Regulation (including the fines of up to the greater of €20 million, or 4% of worldwide turnover).

Conducted data protection assessment for numerous clients to identify non-compliance risk areas. These assessments involved issuing bespoke questions to the business and meeting with the key personnel. The output being a risk report containing specific advice and recommendations.

Advised an international events company on compliance with data protection and privacy laws across multiple jurisdictions, including drafting intra-group data transfer agreements.

Advised a leading global technology business on strategic approach to global compliance with applicable cybersecurity laws.

Advised a leading global technology business on regulatory engagement following a cybersecurity incident and the subsequent regulatory inquiry.

Advised an international media company on the privacy and data protection implications of its social media and online marketing strategy.

Advised an international financial services organisation in connection with its Binding Corporate Rules application.

Advised numerous clients on issues relating to legacy marketing databases in light of the requirements of the EU General Data Protection Regulation and the e-Privacy Regulations.

Advised a leading global technology business on its response to a regulatory inquiry into an alleged personal data breach.

Advised a major US-based financial services organisation on the applicable compliance obligations arising under EU data protection law, including international data transfers from its operations in the EU to its headquarters in the US.

Advised an international data analytics organisation on data protection compliance across its global operations. 
Advised and supported a global non-profit through a CEO fraud incident, including engagement of technical experts and communications to personnel.

Assisted a middle eastern-based financial institution with its data protection compliance programme, including drafting a suite of policies and supporting the creation of a data map.

Advised an international organisation on the creation of a data protection manual for use by personnel handling personal data.

Advised numerous clients on responding to the data subject rights under the EU General Data Protection Regulation and historic data protection laws.

Supported clients in transactional context to identify cybersecurity issues and worked with technical experts to identify and implement mitigations.

Advised numerous clients on the data protection implications of IT outsourcing including the use of cloud-based data hosting and data analytics services.

Advised numerous organisations on responding to data breaches affecting personal data, including liaising with regulators and communicating with affected individuals.

Advised a financial services business on the implementation of a holistic breach response procedure (and policy), including the process for engaging technical and forensic experts and outside counsel support.

Provided advice to an international events company regarding the use of 'internet of things' devices worn by participants at sporting events and the risks associated with sharing the data collected and profiling individuals based on the data captured.

Provided guidance on the impact of significant recent data protection cases, including the CJEU decisions in Costeja v Google Spain, Weltimmo v Nemzeti, and Schrems v Facebook.

Advised numerous clients on the compliance requirements arising in relation to employee monitoring, network scanning, and the use of CCTV, in a range of European jurisdictions.

Supported a leading global technology business on undertaking an effectiveness assessment of technical and organisational security measures to ensure compliance with applicable cybersecurity and data protection laws.

Negotiated a number of agreements between retailers and payment services providers.

Assisted a major retailer with a data protection project including the establishment of a privacy function in the business and the creation of associated operating procedures and policies.

Advised a number of clients on the requirement to appoint a data protection officer ('DPO') under the EU General Data Protection Regulation and the remit of the office of the DPO.

Advised DPOs on their responsibilities under the EU General Data Protection Regulation and assisted DPOs in the exercise of their role.

Advised an international organisation on the data protection implications of processing personal data collected through an app available in multiple jurisdictions. Also advising on the use of apps to collect and process personal data of children.

Advised an international events company on the data protection and privacy implications arising from recording sporting events and the responses of audience members to on-field action.

Provided guidance on the risks associated with the collection and further processing of personal data in the context of employment and recruitment.

Advised a broad range of clients on the use of data protection warranties and disclosures in M&A transactions.

Assisted numerous clients in conducting legitimate interest assessments in order to identify and explain the legitimate interests relied on as a basis for processing personal data.

Assisted a wide range of clients with the preparation of data retention policies, covering all forms of personal data.

Drafted a position paper for an international logistics company in response to European Commission's proposal for a Regulation on Privacy and Electronic Communications.

Drafted website privacy policies and 'cookie' notices to comply with the requirements of the EU General Data Protection Regulation.

Awards and Recognition

Awarded Legal Skills Prize for Advocacy (2010) (University of Glasgow and Strathclyde)