Curtis McCluskey

Curtis McCluskey is a partner in Goodwin’s Technology and Life Sciences group, with over a decade of experience advising businesses on all aspects of privacy and cybersecurity. He has developed substantial expertise in European privacy matters, building on a broad background gained through prior roles. Curtis counsels clients across a wide range of industries and stages of growth, from emerging companies to global organisations, with a particular focus on the technology, life sciences, FinTech, corporate, and funds sectors.

Curtis advises companies on the design and implementation of their global privacy and cybersecurity strategies. He regularly works with private equity firms, corporate investors and acquirers on privacy and cybersecurity issues in the context of investments, mergers and acquisitions. Curtis also has extensive experience guiding businesses through security incidents – ranging from minor incidents to complex, multi-jurisdictional events – providing practical support on incident response, regulatory notifications, and stakeholder communications.

Curtis’ background includes an in-house role at the Financial Ombudsman Service and a secondment with a global pharmaceutical company. These experiences have given him a deep understanding of a variety of industry sectors, enabling him to deliver pragmatic, business-focused advice tailored to the needs of clients. His broad expertise allows him to support businesses of all sizes in embedding effective privacy and cybersecurity frameworks and risk management measures.

In addition to his client work, Curtis is a regular speaker at industry events. He has led cyber risk management workshops alongside experts from the UK National Crime Agency and the FBI and frequently delivers training and webinars on privacy and cybersecurity developments.

Curtis has been recognised by Chambers & Partners UK as Up and Coming for Data Protection & Information Law and is recommended by Legal 500 UK as a Key Lawyer for Data Protection, Privacy, and Cybersecurity.

• Guiding a global medical device manufacturer (supporting weight loss), and its connected health and fitness tracker App, on its strategy to ensure privacy compliance on a global scale. Preparing and managing a full privacy compliance programme, including preparing the App privacy policy, advising on solutions for App integrations (specifically for sharing data with clinics), cross-border data transfers to manage the company’s fast expanding business, advising on privacy by design methods, documenting security and impact assessments to identify risk gaps, and providing inhouse privacy training to high-risk business areas.
• Advising US-based clinical trial sponsors on the launch of their clinical trials in the EU, the UK and other jurisdictions globally, including drafting privacy language in patient consent forms (including navigating and guiding companies with addressing local member state requirements), leading contract negotiations with clinical research organisations, clinical sites, laboratories and other third parties who personal data is shared with and regularly providing internal training on privacy and cybersecurity related issues.
• Providing support and guidance to financial sector business on all aspects of its privacy compliance in connection with its platform and web application, including conducting a GDPR audit, managing the privacy compliance programme to address its GDPR obligations, including drafting and preparing a website privacy statement to cover its global operations, preparing template data sharing agreements with its customers, advising and navigating solutions to implement practical solutions to manage transfers of personal data from the UK, EU, Switzerland to the United States, particularly in response to EU court rulings (Schrems II) which highlight the high risk nature of transfers to the United States.
• Advising and guiding US-based medical research company on privacy compliance in connection with its collaborations with third party institutions (based in Germany, France, Italy, UK, Netherlands and Poland) on the sharing of personal data subject to EU and UK privacy laws. In particular, counselling companies on notice requirements, conditions for processing health data, as well as appropriate techniques for pseudonymising and anonymising datasets. 
• Supporting global brand development provider with supplier reviews for GDPR compliance, including preparing supplier due diligence questionnaires, guiding business on incorporating data processing terms in agreements with suppliers and negotiating contract terms.
• Coordinating data protection due diligence review in connection with the purchase of a multi-million pound portfolio company. Assessing and advising on compliance measures in connection with cross-border transfers of personal data between seller and buyer, preparing data protection and liability provisions for purchase agreements.
• Advising and supporting company on acquisition of global AdTech business (“target company”). Conducting a full strategic review of compliance position in the AdTech space; analysing consent management controls and transparency with respect to the IAB framework. Providing company with strategic advice on target company’s compliance with evolving UK and EU guidance and providing overall risk rating.
• Advising FinTech company on the collection of personal data concerning employees who could be exposed to Material Nonpublic Information. Preparing a data protection impact assessment, legitimate interests assessment and appropriate privacy notices as well as negotiating contracts with third party agents and coordinating the cross-jurisdictional privacy review.
• Advising international company on ransomware attack and requirements to notify supervisory authorities in the EU and UK. Following advice on cyber attack, preparing notifications and managing ongoing dialogue with supervisory authorities.
• Acting for a UK health and beauty retailer in connection with security incident involving access to personal data, including advising on notifications to supervisory authority and individuals affected. Also preparing pre-action responses to subsequent proposed claims brought by individuals.
• Advising worldwide financial services company on its data protection obligations in carrying out marketing activities across 15 jurisdictions, including preparing overview of local law requirements.

Curtis is an active member of the International Association of Privacy Professionals and is CIPP/E certified. He is also a member of the Society for Computers and Law.

Curtis has gained significant experience working in-house. He practiced at the Financial Ombudsman Service for a number of years, advising on the service’s information law obligations (in connection with data protection laws and freedom of information), procurement law and defending the service against challenges to jurisdiction decisions and final determinations in all areas of business; he has also defended civil claims and responded to freedom of information appeals to Tribunal.

Curtis is recognised as ‘Up and Coming’ for Data Protection & Information Law by Chambers & Partners UK and as a ‘Key Lawyer’ by The Legal 500 UK for Data protection, privacy, and cybersecurity.

Client testimonials cite:

• "Curtis is very professional, pragmatic and knowledgeable."
• "Curtis is very hands-on, very commercial and is a brilliant listener. He is very outcome driven."
• "Curtis helps our business navigate across various requirements and issues. He is proactive and tells me about changes that I need to consider. He helps us solve problems."

• Law 360: “Navigating Compliance As EU Cybersecurity Rules Evolve,” November 2025
• Law360: “Businesses Using AI Face Novel Privacy, Cybersecurity Risks,” March 2024
• PDP Journals: “GDPR series: Fining powers of the supervisory authority,” March 2017
• PDP Journals: “How will the GDPR affect FOI law?” January 2018
• Lexology: “One year of GDPR – lessons learned by the ICO,” June 2019
• Lexology: “UK High Court says no, administrators are not controllers,” May 2019
• Lexology: “Council of Europe issues recommendation on processing health-related data,” April 2019
• Lexology: “ENISA tackles AI head on,” April 2019
• Lexology: “FCA and ICO strengthen cooperation in renewed memorandum of understanding,” March 2019