Josephine Jay

Josephine Jay is an associate in Goodwin’s Technology and Life Sciences group. Based in the London office, her practice focuses on privacy, data protection, and cybersecurity. She has considerable experience advising on a wide range of privacy compliance matters for clients at all stages of their development and across numerous sectors, including technology, life sciences, media and entertainment, funds and financial services.

Josephine has advised on all aspects of European data protection law, including international data transfers, online advertising strategies, cookies, use of sensitive and vulnerable data subject data, data sharing arrangements, internal and external policy creation and oversight, training and education programs, privacy-related certifications, and overseeing security incidents and breach notification procedures.

• Advising a US clinical trials sponsor in connection with EU and UK clinical trials, including advising on the differing legal bases for each jurisdiction, drafting patient consent forms and notices, negotiating contracts with medical device suppliers, and negotiating contract terms with participating sites* 
• Advising the US provider of a health app on GDPR compliance, including the legal basis for processing special category data, drafting privacy policies, and advising on compliant contracting*
• Leading the GDPR compliance project for an Asian tech company, including: conducting data mapping across all products, establishing an internal privacy management and reporting structure, offering internal training, preparing customer facing privacy policies and advising on changes to user interfaces, and drafting internal policies and establishing internal processes to establish ongoing compliance*
• Leading the GDPR compliance project for a European mobile gaming company*
• Coordinating local counsel advice as part of a multi-jurisdictional review of privacy laws applicable to a global travel company*
• Advising the provider of online services targeting the EU and US markets on its use of children’s data, including advising on the use of ad tech, creating a privacy by design checklist, putting in place DPIAs and implementing privacy policy and user interface changes*
• Advising an online service provider on a multi-jurisdictional privacy investigation, including drafting and aligning regulatory responses*
• Guiding an international online service provider through a security incident, including advising on EU notification requirements, coordinating forensic investigations and advising on the maintenance of privilege, and implementing changes to the company’s incident response policies and procedures*
• Advising a global financial services company on privacy and wider cyber-security implications of web scraping as part of its acquisition of a US based intelligence company*
• Advising a provider of risk management products on employee/employer data protection considerations, including data subject requests, background checks and employee monitoring*
• Advising a US based pharma company on its implementation of a whistleblowing hotline in the UK and Europe, and coordinated a review for its launch in APAC*

*Denotes experience prior to joining Goodwin.

Josephine has extensive in-house experience. Most recently, she served as a European data protection officer at a web and mobile gaming company, where she implemented and managed its GDPR compliance program and advised on other privacy matters, including data protection considerations around strategic acquisitions. Previously, Josephine worked at a China-based technology company in Hong Kong, advising the organization primarily on privacy-related matters, including GDPR compliance, as well as broader tech legal issues and licensing in the cloud and fintech sectors.

Aside from her in-house roles, Josephine developed her privacy practice at the London offices of two other US law firms.

Josephine is an active member of the International Association of Privacy Professionals (the IAPP), and is currently Co-Chair of the London IAPP KnowledgeNet chapter.

Co-Author, “An Update on Compensation Claimes Under the EU GDPR,” Privacy laws & Business, December 7, 2022