Josephine Jay

Josephine Jay is an associate in Goodwin’s Technology and Life Sciences group. Based in the London office, her practice focuses on privacy, data protection, and cybersecurity. She has considerable experience advising on a wide range of privacy compliance and cybersecurity matters for clients at all stages of their development and across numerous sectors, including technology, gaming, AI, life sciences, media and entertainment, funds and financial services.

Josephine advises on all aspects of European data protection law, including international data transfers, online advertising strategies, cookies, use of sensitive and vulnerable data subject data, data sharing arrangements, internal and external policy creation and oversight, training and education programs and privacy-related certifications. Josephine also advises clients on their obligations under new UK and EU data regulation and cybersecurity legislation, including NIS 2 and the Cyber Resilience Act. She also has extensive experience guiding clients through security incidents.

• Advising a US financial services firm on the application of the EU’s Cyber Resilience Act to its products
• Advising iRobot Corporation in its proposed acquisition by Amazon.com, Inc. for approximately $1.7 billion
• Advising an online identity verification company on its use of biometric data, including for machine learning
• Guiding a global client through a security incident, including notifying regulators and advising on a subsequent investigation by the company’s lead authority.
• Advising a US clinical trials sponsor in connection with EU and UK clinical trials, including advising on the differing legal bases for each jurisdiction, drafting patient consent forms and notices, negotiating contracts with medical device suppliers, and negotiating contract terms with participating sites* 
• Advising the US provider of a health app on GDPR compliance, including the legal basis for processing special category data, drafting privacy policies, and advising on compliant contracting*
• Leading the GDPR compliance project for an Asian tech company, including: conducting data mapping across all products, establishing an internal privacy management and reporting structure, offering internal training, preparing customer facing privacy policies and advising on changes to user interfaces, and drafting internal policies and establishing internal processes to establish ongoing compliance*
• Leading the GDPR compliance project for a European mobile gaming company*
• Advising the provider of online services targeting the EU and US markets on its use of children’s data, including advising on the use of ad tech, creating a privacy by design checklist, putting in place DPIAs and implementing privacy policy and user interface changes*
• Advising a social media company on a multi-jurisdictional privacy investigation, including drafting and aligning regulatory responses*
• Advising a global financial services company on privacy and wider cyber-security implications of web scraping as part of its acquisition of a US based intelligence company*
• Advising a provider of risk management products on employee/employer data protection considerations, including data subject requests, background checks and employee monitoring*
• Advising a US based pharma company on its implementation of a whistleblowing hotline in the UK and Europe, and coordinated a review for its launch in APAC*

*Denotes experience prior to joining Goodwin.

Josephine has extensive in-house experience. Most recently, she served as a European data protection officer at a web and mobile gaming company, where she implemented and managed its GDPR compliance program and advised on other privacy matters, including data protection considerations around strategic acquisitions. Previously, Josephine worked at a China-based technology company in Hong Kong, advising the organization primarily on privacy-related matters, including GDPR compliance, as well as broader tech legal issues and licensing in the cloud and fintech sectors.

Aside from her in-house roles, Josephine developed her privacy practice at the London offices of two other US law firms.

Josephine is an active member of the International Association of Privacy Professionals (the IAPP), and was Co-Chair of the London IAPP KnowledgeNet chapter from 2020 to 2022.

Josephine is a regular contributor to Goodwin’s Data, Privacy and Cybersecurity Insights series.

In addition, Josephine has co-authored: 

• “The ICO’s consultation on generative AI: Key take-aways,” Privacy Laws & Business, January 2025
• “An Update on Compensation Claims Under the EU GDPR,” Privacy laws & Business, December 2022
• “Calif. And UK Laws Reflect Global Focus On Kids' Privacy”, Law 360, November 2022

Speaking Engagements

• Panelist, “AI Governance and Privacy: Balancing Opportunity with Responsibility”, SCL Data Protection Conference, February 5, 2025 
• Chair “The Age Appropriate Design Code Crosses the Pond – Keeping Pace with Kids’ Data Regulation”, Who’s Watching Me? - Privacy Laws & Business 36th International Conference, July 3-5, 2023
• Chair “Working with European privacy laws: Views from Tencent, owner of WeChat and many more,” Winds of Chage - Privacy Laws & Business 35th International Conference, July 4-6, 2023