
Rocio de la Cruz


Rocio de la Cruz is a highly experienced, passionate, and creative dual-qualified UK and Spanish data protection lawyer with broad experience in Data Protection, e-Commerce, and Information Law. After successfully running a boutique law firm and working in-house for Birmingham City Council, she led the privacy team at Gowling WLG UK, advising clients on global data protection projects, complex ad-hoc queries, and M&A.


More about Rocio

She has been admitted to the panel of experts supporting the Council of Europe Data Protection Unit, and to the pool of experts that will support the European Data Protection Board's investigatory actions.

She advises central and local government bodies, associations, institutions, SMEs, start-ups, and international groups from diverse sectors (tech, healthcare, financial, automotive, retail, media, and education, amongst others) on the full range of information and data protection matters.


Rocio is an excellent and inspirational speaker who develops lectures and trains officers’ teams and Boards of Directors on data protection and information law matters. She regularly publishes articles on platforms such as Business Reporter, PDP, and Data Guidance, and in 2019 published an academic chapter of a post-doctoral nature on privacy applied to Blockchain, which is still considered globally by academics.

Recent Work

  • International transfers of data: carrying out Transfer Risk Assessments and putting in place mechanisms for the data to be transferred to third countries such as India, UAE, Singapore, US, or Saudi Arabia.

  • Cookies: carrying out cookie audits and advising on the use of cookies such as Google Analytics.

  • Reuse of data: auditing the reuse of personal data for secondary purposes, including in the context of the UK healthcare National Data Opt-Out scheme.

  • Data breaches, complaints, and claims: advising on claims for compensation and complaints to the ICO or EU Data Protection Authorities. Carrying out international breach notification procedures.

  • M&A: producing audit due diligence reports, negotiating warranties and indemnities, and advising in relation to transitional services.

  • Global compliance: implementing effective and easy-to-follow global privacy plans and procedures for businesses operating globally.

  • Cyber insurance: advising on cybersecurity and data protection insurance certificates.

  • FOIA: implementing Freedom of Information and Environmental Information Regulations procedures.
