Legal Guidance and Research / Experts / Lorna Louise Cropper
Lorna Louise Cropper#1076
LinkedIn

Lorna Louise Cropper

Fieldfisher
Lorna advises on data protection compliance and strategy across a range of sectors including technology, gaming, social media, cloud computing, retail and healthcare. She has in depth experience of working on extensive GDPR compliance projects including accountability, an area of particular expertise. As the topic of regulating children's data and children's activity online grows exponentially and with the ICO's Age Appropriate Design Code now in force, Lorna has become a go to expert in children's data.

She has an in depth knowledge of working on complicated, large scale data subject access requests (DSAR) including contentious employee DSAR as well as dealing with complaints made by data subjects to the regulator and managing subsequent regulatory investigations.

During 2019 – 2020 Lorna undertook a secondment to the Information Commissioner's Office. A keen supporter of Fieldfisher's pro bono work, Lorna is also a regular contributor to Fieldfisher's Privacy Blog. She has written the UK and EU chapter for the IAPP's book on Children's Data and holds a LLM in data protection and technology.

Practice Area

Panel

  • Contributing Author

2 Contributions by Lorna Louise Cropper

Age assurance for online services: UK GDPR and Online Safety Act compliance, methods and certification, advertising and AVMS rules, enforcement, with EEA and global context
PRACTICE NOTES
Age assurance for online services: UK GDPR and Online Safety Act compliance, methods and certification, advertising and AVMS rules, enforcement, with EEA and global context
STOP PRESS: On 19 June 2025, the Data (Use and Access) Bill secured Royal Assent, transforming into the Data (Use and Access) Act 2025 (DUAA 2025), with certain elements taking effect that same day. Provisions of DUAA 2025 addressing, among other things, replies to data subject access requests and the delegation of powers to make further regulations, commenced immediately on 19 June 2025. Other measures, covering notices issued by the Information Commissioner and particular facets of law enforcement processing, began on 19 August 2025 (two months after the date of Royal Assent). The greater part of DUAA 2025’s measures still await implementing regulations, in the form of statutory instruments, before they commence. Further commencement dates will hinge on those instruments being made first. Parts 5 and 6 of DUAA 2025 revise portions of UK data protection and ePrivacy law, including the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426...
Information Law
Practical guide to the EU GDPR 2021 Standard Contractual Clauses for international transfers: modules, scope, Schrems II transfer impact assessments, onward transfers, incorporation, governing law and liability
PRACTICE NOTES
Practical guide to the EU GDPR 2021 Standard Contractual Clauses for international transfers: modules, scope, Schrems II transfer impact assessments, onward transfers, incorporation, governing law and liability
This Practice Note offers detailed guidance on the European Commission’s June 2021 set of the standard contractual clauses (SCCs) for cross-border international transfers of personal data (the 2021 EU SCCs). It delivers a deeper examination of international transfers under the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), than the introductory Practice Note: EU GDPR—transfers of personal data internationally and to international organisations, and proceeds on the basis that readers already understand core concepts within the EU GDPR framework and its international transfer rules. If this area is new to you, you may prefer to consult those Practice Notes first. For basic orientation and context on the EU GDPR more generally, see Practice Note: The EU’s General Data Protection Regulation (EU GDPR). In brief Within the EEA, data protection law aims to ensure information about living people (ie falling within the meaning of ‘personal data’) is handled fairly and with accountability. To secure this, the EU GDPR places extensive duties on those who undertake or determine the ‘processing’ of personal data. In essence, ‘processing’ covers doing almost anything with personal data, such as storing, sharing, deleting, using or transferring it. A principal safeguard under the EU GDPR is...
EU Law
Expert page AD
If you expected to see yourself on this page, click here.