Guadalupe Sampedro

Guadalupe heads the cyber/data/privacy practice in Cooley’s London office. She is a noted subject matter authority in all things related to privacy, cybersecurity and data. She has a particular focus on the fintech, payments, financial services, technology, life sciences and healthcare, media and communications, retail, and consumer industries – and she has deep experience advising global leaders in those sectors. Guadalupe has experience in everything from high-profile data breaches to establishing compliance processes and programs to developing data governance frameworks. She also supports her clients on all matters related to artificial intelligence (AI) and navigating the new digital regulatory framework in the UK and the European Union.

Guadalupe has significant insight into international data protection from private practice and in-house perspectives, having previously served as PayPal’s EU data protection officer and privacy director for Europe, the Middle East, Africa and Latin America. Her role at PayPal gave her a unique understanding of clients’ perspectives when facing challenging and unexpected situations, and she strives to quickly become an extension of each client’s legal team.

Guadalupe is well known and trusted for her ability to manage complex global projects that span multiple jurisdictions, including binding corporate rules (BCRs) and international data transfers. She is a proven leader in dealing with the challenges institutions face when implementing regulatory changes, and she has a keen understanding of the importance of practical legal advice in cutting-edge industries. In addition, she has built professional relationships with an extensive network of regulators in key European jurisdictions.

Guadalupe also has significant experience dealing with complex global data breaches. She has led high-profile breach projects involving 120+ jurisdictions around the world. She advises clients in all aspects of a data breach – from providing a first response just hours after a breach is discovered to assembling a team of legal and technical advisers to producing data breach notifications in all relevant jurisdictions. She also manages communication with enforcement authorities and assists clients with regulatory investigations after data breach notifications.

A woman leader in her field, Guadalupe co-launched the In Private network of women senior privacy experts, and she is a regular speaker on data protection issues at global events for groups such as the International Association of Privacy Professionals. She also has lectured for Master of Laws (LLM) programs and specialist courses.

Guadalupe’s representative experience

• Advised multinational companies through the process to apply for controller and processor BCRs – including providing guidance during implementation, offering key strategic advice, and using her first-hand experience to closely manage relationships with data protection agencies involved in the authorization process across the EU
• Guided top global payments providers on the implementation of the General Data Protection Regulation (GDPR) and the interplay with the revised Payment Services Directive (PSD2)
• Led GDPR compliance implementation projects across multiple jurisdictions in the EU, and helped with detailed gap analysis assessments, remediation and implementation
• Assisted clients on the design and implementation of global privacy programs based on GDPR standards
• Advised a global marketplace on each step in the pathway to launching a new payments business in the EU
• Assisted clients on investigations and penalty procedures following security incidents or complaints from individuals
• Advised startups in industries such as digital health and finance on data protection matters related to the launch of new products and their data protection implications
• Counseled two global marketplaces on the segregation of data related to their payments businesses from data related to their marketplaces
• Assisted clients following security incidents/data breaches by providing initial assessments of whether the incidents met the threshold to be notified to regulators, guiding them through mitigation and remediation actions, and assisting with notification of the breaches to multiple data protection agencies
• Provided advice regularly to clients regarding AI and its interplay with privacy, and developed AI governance frameworks for global organizations
• Advised clients on compliance with the EU Digital Services Act and the UK Online Safety Act