Curtis McCluskey is Counsel in Goodwin’s Technology and Life Sciences group. Curtis has extensive experience advising businesses on all aspects of privacy and cybersecurity. Building on the broad experience of his previous roles, and with almost a decade of experience, Curtis has substantial expertise in all matters related to privacy and cybersecurity in the UK and Europe. In particular, Curtis counsels clients across all industry sectors, from emerging to global companies, including businesses with a focus on technology, life sciences, FinTech, corporate and funds.
Curtis manages and guides companies on their global privacy and cybersecurity strategies. In addition, Curtis works with private equity and corporate investors and acquirers and advises on privacy and cybersecurity related issues in the context of investments, mergers and acquisitions. Curtis has also managed and guided companies on their responses to security breaches (from minor to global incidents), including providing guidance and practical support to businesses on their handling of such incidents as well as managing any notifications to authorities and affected individuals.
Given Curtis’ previous in-house role at the Financial Ombudsman Service and a secondment at a global pharmaceutical company, Curtis has developed a unique, in-depth understanding of the financial and life sciences industries, with a particular focus on clients whose core business is in these areas. Curtis’ broad and unique experience enables him to provide practical support and guidance to businesses of all sizes. He provides them with the advice and support required to implement appropriate privacy measures which are tailored to their specific requirements. In particular, Curtis’ in-house experience means he has a pragmatic approach to solving his clients’ problems.
In addition, Curtis has published articles on privacy and cybersecurity for key industry publications such as PDP Journals and Lexology which are widely recognised in this field. Curtis has been a speaker for PDP training sessions on data breach and cybersecurity management. Curtis also leads privacy and cybersecurity discussions on webinars hosted by Goodwin.
Experience
- Guiding a global medical device manufacturer (supporting weight loss), and its connected health and fitness tracker App, on its strategy to ensure privacy compliance on a global scale. Preparing and managing a full privacy compliance programme, including preparing the App privacy policy, advising on solutions for App integrations (specifically for sharing data with clinics), cross-border data transfers to manage the company’s fast expanding business, advising on privacy by design methods, documenting security and impact assessments to identify risk gaps, and providing inhouse privacy training to high-risk business areas.
- Advising US-based clinical trial sponsors on the launch of their clinical trials in the EU, the UK and other jurisdictions globally, including drafting privacy language in patient consent forms (including navigating and guiding companies with addressing local member state requirements), leading contract negotiations with clinical research organisations, clinical sites, laboratories and other third parties with whom personal data is shared, and regularly providing internal training on privacy and cybersecurity related issues.
- Providing support and guidance to financial sector business on all aspects of its privacy compliance in connection with its platform and web application, including conducting a GDPR audit, managing the privacy compliance programme to address its GDPR obligations, drafting and preparing a website privacy statement to cover its global operations, preparing template data sharing agreements with its customers, and advising on practical solutions to manage transfers of personal data from the UK, EU and Switzerland to the United States, particularly in response to EU court rulings (Schrems II) which highlight the high-risk nature of transfers to the United States.
- Advising and guiding US-based medical research company on privacy compliance in connection with its collaborations with third party institutions (based in Germany, France, Italy, UK, Netherlands and Poland) on the sharing of personal data subject to EU and UK privacy laws. In particular, counselling companies on notice requirements, conditions for processing health data, as well as appropriate techniques for pseudonymising and anonymising datasets.
- Supporting global brand development provider with supplier reviews for GDPR compliance, including preparing supplier due diligence questionnaires, guiding business on incorporating data processing terms in agreements with suppliers and negotiating contract terms.
- Coordinating data protection due diligence review in connection with the purchase of a multi-million pound portfolio company. Assessing and advising on compliance measures in connection with cross-border transfers of personal data between seller and buyer, preparing data protection and liability provisions for purchase agreements.
- Advising and supporting company on acquisition of global AdTech business (“target company”). Conducting a full strategic review of compliance position in the AdTech space; analysing consent management controls and transparency with respect to the IAB framework. Providing company with strategic advice on target company’s compliance with evolving UK and EU guidance and providing overall risk rating.
- Advising FinTech company on the collection of personal data concerning employees who could be exposed to Material Nonpublic Information. Preparing a data protection impact assessment, legitimate interests assessment and appropriate privacy notices as well as negotiating contracts with third party agents and coordinating the cross-jurisdictional privacy review.
- Advising international company on ransomware attack and requirements to notify supervisory authorities in the EU and UK. Following advice on cyber attack, preparing notifications and managing ongoing dialogue with supervisory authorities.
- Acting for a UK health and beauty retailer in connection with security incident involving access to personal data, including advising on notifications to supervisory authority and individuals affected. Also preparing pre-action responses to subsequent proposed claims brought by individuals.
- Advising worldwide financial services company on its data protection obligations in carrying out marketing activities across 15 jurisdictions, including preparing overview of local law requirements.
Professional Activities
Curtis is an active member of the International Association of Privacy Professionals and is CIPP/E certified. He is also a member of the Society for Computers and Law.
Professional Experience
Curtis has gained significant experience working in-house. He practiced at the Financial Ombudsman Service for a number of years, advising on the service’s information law obligations (in connection with data protection laws and freedom of information), procurement law and defending the service against challenges to jurisdiction decisions and final determinations in all areas of business; he has also defended civil claims and responded to freedom of information appeals to Tribunal.
Credentials
Education
QLTT
BPP Professional Education
London
Bar Vocational Course
BPP Law School
Admissions
Bars
- England and Wales
Recognition & Awards
In testimonials published in the Legal 500 2022, clients stated that:
- “Curtis McCluskey is very client oriented and provides clear input and advice”
- “I have had the pleasure of working with Curtis McCluskey over the past 18 months as my primary GDPR and data privacy advisor. I have come to rely upon his counsel and partnership for all data privacy matters.”
- “Curtis McCluskey is personable, friendly and helpful. I value his opinion and also really enjoy interacting with him as there is mutual respect and an openness to learn and adapt.”
Publications
- PDP Journals: “GDPR series: Fining powers of the supervisory authority,” March 2017
- PDP Journals: “How will the GDPR affect FOI law?” January 2018
- Lexology: “One year of GDPR – lessons learned by the ICO,” June 2019
- Lexology: “UK High Court says no, administrators are not controllers,” May 2019
- Lexology: “Council of Europe issues recommendation on processing health-related data,” April 2019
- Lexology: “ENISA tackles AI head on,” April 2019
- Lexology: “FCA and ICO strengthen cooperation in renewed memorandum of understanding,” March 2019