
Charlotte Clayson

Charlotte is a Partner in Trowers & Hamlins' Dispute Resolution and Litigation team, focusing on complex and high value commercial and public law disputes. Charlotte is also a specialist in Information Law, focusing on contentious data issues, cyber attacks and Freedom of Information issues.
 
Charlotte's commercial litigation experience includes the full range of contractual and commercial disputes and urgent injunctive relief, shareholder disputes, warranty and indemnity claims and sensitive investigatory work.
 
Charlotte has significant experience dealing with disputes in the public sector, including judicial review, planning appeals, contentious procurement, and claims for breach of statutory duties such as the Equality Act 2010 and the Care Act 2014.
 
Charlotte's expertise in Information Law includes preparing for data privacy breaches and cyber attacks, advising on crisis response, risk mitigation and breach investigation, notifications to and liaison with regulators, customers and stakeholders, and subsequent litigation. Charlotte also regularly advises clients on a range of complex Freedom of Information and Environmental Information issues, including making representations to the regulator and providing representation at Tribunal stage.
 

Panels

  • Case Analysis Panel
  • Contributing Author

Qualified Year

  • 2009

Membership

  • Commercial Litigation Association
  • London Solicitors Litigation Association
  • Procurement Lawyers Association
  • Administrative Law Bar Association

Education

  • University of Manchester (LLB Hons, English Law and French Law)

2 Contributions by Charlotte Clayson

EU cybersecurity duties and breach notification: key regimes (GDPR, NIS 2, CER, ePrivacy, EECC, PSD2, DORA, CRA, AI Act)—scope, reporting deadlines, sanctions and practical response guidance
PRACTICE NOTES
STOP PRESS: This Practice Note sets out the law as it currently stands in legislative terms, but note that certain elements will be materially affected by the Digital Omnibus proposals issued on 19 November 2025 under the Commission’s ‘simplification’ programme. For further information and updates, see Practice Note: EU Digital Omnibus—tracker.

It offers, by way of summary, a concise, high-level survey of EU cybersecurity legislation and regulation at EU level, with particular emphasis on:

  • Regulation (EU) 2016/679, the EU General Data Protection Regulation (EU GDPR)
  • Directive (EU) 2022/2555, the EU’s second Network and Information Systems Directive (NIS 2 Directive), which superseded and replaced Directive (EU) 2016/1148, the NIS Directive
  • Directive (EU) 2022/2557, the EU Critical Entities Resilience Directive (CER Directive)
  • Directive 2002/58/EC, the EU ePrivacy Directive
  • Directive (EU) 2018/1972, the European Electronic Communications Code (EECC)
  • Financial legislation, including Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA), and Directive (EU) 2015/2366, the second EU Payment Services Directive (PSD2)
  • Regulation (EU) 2024/2847, the EU Cyber Resilience Act (CRA)
  • Regulation (EU) 2024/1689, the EU AI Act

These measures are explored in the context of: the entities that are required to comply with such rules within the EU...
EU Law
UK cybersecurity: security obligations, breach reporting and enforcement under UK GDPR, NIS, PECR, FSMA and PSTIA, with practical incident response guidance and forthcoming reforms
PRACTICE NOTES
FORTHCOMING CHANGE: On 12 November 2025, the Cyber Security and Resilience (Network and Information Systems) Bill (CSRB) was laid before the House of Commons. The CSRB provides for amendments to the Network and Information Systems Regulations 2018 (SI 2018/506), notably widening their scope to cover data centres, managed service providers and large load controllers, and allowing regulators to identify ‘critical suppliers’. It overhauls incident reporting by creating a two‑stage process—an initial alert within 24 hours followed by a comprehensive report within 72 hours—and enlarges the definition of reportable incidents to capture a wider set of security compromises. The Secretary of State is also granted powers to make regulations concerning the security and resilience of network and information systems, to set a statement of strategic priorities for regulatory authorities, and to publish a code of practice. In addition, the CSRB confers powers to issue directions to regulated persons and regulatory authorities where threats present a risk to national security. To monitor the CSRB’s legislative progress, see Practice Note: The UK NIS Regulations—timeline. This Practice Note outlines the legal framework for cybersecurity—considering the entities that must adhere to those rules, their...
Information Law