Heather Catchpole
Heather is an associate in Bird & Bird’s London-based Privacy & Data Protection team and advises on a broad range of data protection and ePrivacy questions faced by businesses.
Heather advises on marketing rules, cookies, DPIAs, and the implementation of innovative technologies, and has experience drafting data protection provisions in commercial contracts and advising on data protection risks in an M&A context. Heather has worked with businesses in a range of sectors including sport, media & entertainment, video gaming, and retail & consumer.
Heather has a particular interest in Adtech, children’s privacy, and the intersection between UI design and data protection law. She also enjoys advising on the interaction between data protection and the new digital legislation we are seeing in the EU and UK such as the DMA, DSA, and Online Safety Bill.
Prior to joining Bird & Bird Heather spent four years in the IP/IT and data privacy team of a Magic Circle law firm.
Practice Area
Panel
- Contributing Author
Qualified Year
- 2019
Experience
- Slaughter and May (2017 - 2021)
Qualifications
- LPC (2017)
- GDL (2016)
- BA (Classics) (2015)
Education
- BPP University (2015-2017)
- University of Oxford (2011-2015)
2 Contributions by Heather Catchpole
PRACTICE NOTES
Anonymisation and pseudonymisation under the EU GDPR: legal tests, case law, WP29 three risks, techniques, PETs and Schrems II supplementary measures
FORTHCOMING CHANGE:
This Practice Note sets out the law as it presently stands, though some aspects will be affected by the Digital Omnibus proposals issued on 19 November 2025 under the EU Commission’s ‘simplification’ programme. For more detail, see Practice Note: EU Digital Omnibus—tracker. It explores legal and practical issues around anonymisation, pseudonymisation and privacy enhancing technologies (PETs). It outlines what is required for robust anonymisation and pseudonymisation and summarises core techniques available. It further introduces the family of tools referred to as PETs. The analysis is framed by the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), alongside relevant guidance.
Anonymisation and pseudonymisation
Under the EU GDPR, duties apply to the processing of ‘personal data’, meaning information about a living person who is identified or can be identified. While the EU GDPR provides no explicit definition of ‘anonymous data’, by inference it is data that is no longer personal because it no longer relates to an identified or identifiable person. Effective anonymisation therefore removes data from the scope of the EU GDPR...
EU Law
PRACTICE NOTES
UK GDPR and DPA 2018: Anonymisation, Pseudonymisation and Privacy‑Enhancing Technologies—Legal Tests, ICO Guidance and Practical Techniques
This Practice Note examines the law and practice in relation to anonymisation, pseudonymisation and privacy enhancing technologies (or PETs).
It specifically outlines what constitutes robust anonymisation and pseudonymisation and sets out core methods that can be applied. It further introduces the suite of tools referred to as PETs. It assesses the framework under the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), alongside the UK Data Protection Act 2018 (DPA 2018). Where pertinent to the UK GDPR, EU case law and guidance are taken into account. For information on the position under the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), see Practice Note: in the EU. On this topic, key differences exist between the UK GDPR regime and the EU GDPR. That said, at a high level the UK GDPR and EU GDPR remain closely aligned. For background on the UK GDPR and how it relates to the EU GDPR, see Practice Note: The UK General Data Protection Regulation (UK GDPR)—Summary of key legislation...
Information Law
If you expected to see yourself on this page, click here.
