John Timmons

Associate, London



John advises on all aspects of UK and EU privacy, data protection and cybersecurity law.  Key elements of his role include advising clients on general data protection compliance and providing specific advice on international data transfer solutions, compliance with local privacy and cyber security laws, information governance, e-privacy and direct marketing issues and online behavioural / targeted advertising strategies. John has a detailed knowledge of the EU's General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 and associated privacy and cyber security legislation.

As a key member of the Firm's Global Data, Privacy and Cybersecurity practice, John focuses on providing practical and commercially attractive solutions for clients, taking account of the wider business and commercial context. He outlines risk positions and risk profiles to assist clients when making key decisions.

John has significant experience working with a wide range of clients in the EU, the US and Asia. He has spent time on secondment with a national media company and has presented to a leading cyber security forum and financial institutions on data protection and privacy matters.

Bars and Courts
Postgraduate Diploma in Legal Practice
University of Glasgow and Strathclyde
University of Glasgow


Advised a number of international organisations on data protection compliance matters globally, including in relation to the EU General Data Protection Regulation.

Advised numerous clients on the likely impact of the EU General Data Protection Regulation (including the fines of up to the greater of €20 million, or 4% of worldwide turnover).

Conducted data protection assessment for numerous clients to identify non-compliance risk areas. These assessments involved issuing bespoke questions to the business and meeting with the key personnel. The output being a risk report containing specific advice and recommendations.

Advised an international events company on compliance with data protection and privacy laws across multiple jurisdictions, including drafting intra-group data transfer agreements.

Advised an international media company on the privacy and data protection implications of its social media and online marketing strategy.

Advised an international financial services organisation in connection with its Binding Corporate Rules application.

Advised numerous clients on issues relating to legacy marketing databases in light of the requirements of the EU General Data Protection Regulation and the e-Privacy Regulations.

Advised a major US-based financial services organisation on the applicable compliance obligations arising under EU data protection law, including international data transfers from its operations in the EU to its headquarters in the US.

Advised an international data analytics organisation on data protection compliance across its global operations.

Assisted a middle eastern-based financial institution with its data protection compliance programme, including drafting a suite of policies and supporting the creation of a data map.

Awards and Recognition

Awarded Legal Skills Prize for Advocacy (2010) (University of Glasgow and Strathclyde)