Legal Guidance and Research / Experts / Anna Rawlinson
Anna Rawlinson#9825
LinkedIn

Anna Rawlinson

Fieldfisher
Anna is a Senior Associate in Fieldfisher's Privacy, Outsourcing and Technology team. She advises on a wide range of data protection issues in various commercial context, including comprehensive data protection compliance, data processing and data sharing arrangements, cross-border data transfers, DPIAs, data breaches, data protection issues in corporate transactions, as well as data audits, information rights and e-marketing. She is a member and contributor of the International Association of Privacy Professionals and holds CIPP/E and CIPM certifications.
 
Anna has a broader corporate background, including roles as a corporate associate at a top tier City law firm and an in-house secondee at a major U.S. energy company. Before qualifying as a solicitor in the UK, Anna worked as a legal adviser in Poland and holds PhD in civil law.

Practice Area

Panel

  • Contributing Author

Experience

  • Fieldfisher (Nov 2021 - Present)

Qualifications

  • CIPP/M (2020)
  • CIPP/E (2018)

4 Contributions by Anna Rawlinson

Age assurance for online services: UK GDPR and Online Safety Act compliance, methods and certification, advertising and AVMS rules, enforcement, with EEA and global context
PRACTICE NOTES
Age assurance for online services: UK GDPR and Online Safety Act compliance, methods and certification, advertising and AVMS rules, enforcement, with EEA and global context
STOP PRESS: On 19 June 2025, the Data (Use and Access) Bill secured Royal Assent, transforming into the Data (Use and Access) Act 2025 (DUAA 2025), with certain elements taking effect that same day. Provisions of DUAA 2025 addressing, among other things, replies to data subject access requests and the delegation of powers to make further regulations, commenced immediately on 19 June 2025. Other measures, covering notices issued by the Information Commissioner and particular facets of law enforcement processing, began on 19 August 2025 (two months after the date of Royal Assent). The greater part of DUAA 2025’s measures still await implementing regulations, in the form of statutory instruments, before they commence. Further commencement dates will hinge on those instruments being made first. Parts 5 and 6 of DUAA 2025 revise portions of UK data protection and ePrivacy law, including the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426...
Information Law
EU Data Governance Act and Data Act: scope, obligations and practical implications on data re-use, intermediation, altruism, IoT access, cloud switching, interoperability, international transfers and enforcement
PRACTICE NOTES
EU Data Governance Act and Data Act: scope, obligations and practical implications on data re-use, intermediation, altruism, IoT access, cloud switching, interoperability, international transfers and enforcement
STOP PRESS : This Practice Note reflects the law as it currently stands; however, be aware that some elements will be affected by the Digital Omnibus proposals released on 19 November 2025 under the Commission’s ‘simplification’ agenda. For more detail, see Practice Note: EU Digital Omnibus—tracker. The European Strategy for Data seeks to build a single European data market by enabling responsible access, wider sharing and re-use of personal and non-personal data, in line with EU values and existing legislation, notably on personal data protection, consumer protection and competition rules. Regulation (EU) 2022/868, the Data Governance Act (DGA), reinforces governance within the single European market and creates a framework to enable both general and sector-specific data sharing, while Regulation (EU) 2023/2854, the Data Act (DA), concerns the substantive rights to access and use data. It is estimated that data generated by public bodies, businesses and individuals will have grown by 500% between 2018 and 2025, and both acts aim to ensure that more data becomes available for use across the EU, whilst safeguarding the rights of the companies and individuals who generate it...
EU Law
EU GDPR Binding Corporate Rules: controller and processor BCRs, Schrems II, EDPB guidance, and practical steps for cross-border transfers, approval, liability and enforcement
PRACTICE NOTES
EU GDPR Binding Corporate Rules: controller and processor BCRs, Schrems II, EDPB guidance, and practical steps for cross-border transfers, approval, liability and enforcement
FORTHCOMING CHANGE: On 15 January 2026, the European Data Protection Board put out for public consultation its Recommendations 1/2026 on applications for approval and on the core elements and principles to be included in Processor Binding Corporate Rules (Article 47 GDPR). These Recommendations annul and supersede—while substantively building on—in particular Working Party Guidance WP 257 rev.01 (Working Document on BCRs for processors) and Working Party Guidance WP 265 (Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data). The consultation runs until 2 March 2026, with the text taking effect upon publication of the final version following the public consultation process. For further details, see Practice Note: EU GDPR—EDPB supranational level guidance tracker. This Practice Note addresses Binding Corporate Rules (BCRs) as one of the mechanisms that permits the transfer of personal data outside the EEA in line with Chapter V of the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR). In brief, BCRs allow corporate groups to evidence suitable safeguards when making intra-group international personal data transfers. As outlined further in Practice Note: EU GDPR—transfers of personal...
EU Law
Practical guide to the EU GDPR 2021 Standard Contractual Clauses for international transfers: modules, scope, Schrems II transfer impact assessments, onward transfers, incorporation, governing law and liability
PRACTICE NOTES
Practical guide to the EU GDPR 2021 Standard Contractual Clauses for international transfers: modules, scope, Schrems II transfer impact assessments, onward transfers, incorporation, governing law and liability
This Practice Note offers detailed guidance on the European Commission’s June 2021 set of the standard contractual clauses (SCCs) for cross-border international transfers of personal data (the 2021 EU SCCs). It delivers a deeper examination of international transfers under the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), than the introductory Practice Note: EU GDPR—transfers of personal data internationally and to international organisations, and proceeds on the basis that readers already understand core concepts within the EU GDPR framework and its international transfer rules. If this area is new to you, you may prefer to consult those Practice Notes first. For basic orientation and context on the EU GDPR more generally, see Practice Note: The EU’s General Data Protection Regulation (EU GDPR). In brief Within the EEA, data protection law aims to ensure information about living people (ie falling within the meaning of ‘personal data’) is handled fairly and with accountability. To secure this, the EU GDPR places extensive duties on those who undertake or determine the ‘processing’ of personal data. In essence, ‘processing’ covers doing almost anything with personal data, such as storing, sharing, deleting, using or transferring it. A principal safeguard under the EU GDPR is...
EU Law
Expert page AD
If you expected to see yourself on this page, click here.