Data Protection

Background in Data Protection.

Twenty-plus years of experience across clinical trials, law firms, retail, and private family support. Contracts, policies, DPIAs, LIAs, and technical assessments of data systems. This page is a record of what I know — not a shop window.

What this page is. A summary of my background and skills in data protection. Useful if you’re a community group, charity, small research team, or similar who might one day want an informal conversation about a practical problem.

What this page is not. A consultancy services catalogue. I’m not available for commercial engagements, paid contracts, retainers, or fee-earning work of any kind. I do not give legal advice — I’m not a solicitor, and nothing here creates a client relationship. For legal advice, instruct a qualified data protection lawyer.

How I work. Pro bono, by written email only, at my own pace, when health and capacity allow. I may not respond quickly. I may not respond at all. That’s not rudeness — it’s honesty about capacity.


Where I’ve worked on data protection.

Historic roles and engagements. Listed for context, not as offers of future service.

Clinical Trials & Research

Data protection assessments of clinical trial systems, data flows, lawful bases for research, consent architecture, pseudonymisation, and data sharing agreements. Technical analysis of how clinical data actually moves through sponsors, sites, CROs, and vendors.

Law Firms

Internal data protection work for legal practices: client data handling, retention, client confidentiality vs. GDPR obligations, professional conduct interactions, technical controls. Always operating as practitioner, never providing legal advice.

Retail

DPIAs, LIAs, customer data programmes, loyalty schemes, CCTV, marketing consent, cookie compliance, transfer impact assessments for international data flows. Practical implementation rather than theoretical policy.

Private Family Support

Helping families manage sensitive personal data in legal, medical, or financial contexts — subject access requests, understanding what data organisations hold, practical steps when things have gone wrong. Always pro bono.


What I know about in practice.

Skills developed over 20+ years of implementation work. Plain-English, not academic.

DPIAs

Data Protection Impact Assessments for new systems, changes to processing, high-risk activities. Scoping, stakeholder interviews, risk analysis, mitigation design, residual risk documentation, and sign-off. Particular experience with clinical research and large retail datasets.

LIAs

Legitimate Interest Assessments — the balancing test under Article 6(1)(f) UK GDPR. Getting the three-part test (purpose, necessity, balancing) documented properly. Extended under the Data (Use and Access) Act 2025 with the new “recognised legitimate interests” provisions.

Technical Assessments

Analysis of how data actually moves through systems — databases, APIs, cloud services, backups, logging, third-party processors. Understanding the gap between what the privacy notice says and what the system actually does. Especially with clinical data systems.

Contracts

Data Processing Agreements, joint controller arrangements, international data transfer mechanisms (SCCs, UK IDTAs, TIAs), intra-group agreements, vendor due diligence. Practical implementation, not legal drafting — I write the technical schedules, not the legal clauses.

Policies

Privacy notices, internal data protection policies, retention schedules, ROPAs (Records of Processing Activities), data breach response procedures, subject rights handling. Written to be actually readable and usable, not lawyer-boilerplate.

Knowledge Transfer

Training, workshops, 1:1 skills transfer for in-house teams. Getting people to the point where they don’t need me any more. This is the opposite of a consultancy retainer model — it’s deliberately designed to make me redundant.

Qualifications.

Professional certifications held.

CIPP/E, C-GDPR-P, CiSMP (Distinction), GIAC GSEC, ISO 27001 (Implementation)

CIPP/E — Certified Information Privacy Professional / Europe. Issued by the International Association of Privacy Professionals.

C-GDPR-P — Certified GDPR Practitioner.

CiSMP — Certificate in Information Security Management Principles (BCS). Distinction.

GIAC GSEC — Security Essentials Certification.

I am not a Lead Auditor and I do not hold the ISO 27001 LA qualification. Experience with ISO 27001 is implementation, pre-audit preparation, audit support, and post-certification management — not leading audits.


Boundaries, honestly.

Pro bono only. No paid engagements, no retainers, no fees, no day-rates. I’m not available for commercial consultancy work. I help community groups, charities, small research teams, or individuals where the help would genuinely matter — time and capacity permitting.

Written email only. No phone calls, no video calls, no real-time chat. Async communication, at my pace. I’m neurodivergent (ADHD, autism, RSD) and this isn’t a preference — it’s how I can actually engage usefully.

Not legal advice. I am not a solicitor. Nothing I share constitutes legal advice or creates a client relationship. For legal advice, instruct a qualified data protection lawyer. What I do is practical, technical, and implementation-focused.

No commitments. I may not respond. I may respond slowly. I may start to help and then stop because my health or energy has changed. That’s the deal. If that won’t work for you, please engage a professional adviser instead.


If it fits the brief above.

Community groups, charities, small research teams, or individuals with a genuine data protection question — written enquiries welcome.

Please read the “How I Work” section above before getting in touch. If your query is commercial, urgent, or requires legal advice, I’m not the right person and I won’t respond.

If it’s a genuine pro bono question from a community, charity, research, or family context — email me.

stuartpaulthomas@gmail.com

Disclaimer. This content is provided for general information purposes only and does not constitute legal, financial, or professional advice. No liability is accepted for any loss or damage arising from reliance on information contained herein. You should seek independent professional advice before taking any action based on this content. Nothing here creates a duty of care, a client relationship, or any obligation under English law. While every effort is made to ensure accuracy, no warranty is given that the information is current, complete, or free from error. Regulatory positions change — verify all details independently before relying on them.

This site uses no cookies or tracking. Server logs only.