Geraldine Scali

Partner

London

Partner and EMEA Lead of Data Privacy and Security

T: +44 (0) 20 3400 4483


Biography

Geraldine Scali is the EMEA lead of data privacy and security, and has a focus on data protection and cybersecurity, with a specific emphasis on the financial services, life sciences and retail sectors.

She is a dual-qualified lawyer, admitted as a Solicitor in England and Wales, and as a French lawyer admitted to the Paris Bar, which together with her experience gained at US and International law firms over a period of nearly 20 years, makes her uniquely placed to give the best possible service to her global client base in the UK, Europe and the US.

She advises on all aspects of data privacy and security, with an emphasis on advising clients on the emerging laws that impact the development and implementation of AI solutions, including the EU AI Act, as well as the implementation of global data protection compliance programmes including UK/EU GDPR, cross-border data transfers, preparedness and management of personal data breaches and reporting. She also regularly advises on data protection issues in the context of complex cross-border investigations and litigation, corporate deals, and Inclusion & Diversity Programmes.

Geraldine Scali is a great partner. She is enthusiastic, very adept at finding creative paths forward… We love Geraldine and are so glad she’s in our corner.

Legal 500 UK 2024

Geraldine is a regular contributor to the firm’s “Privacy Speaks” series, which focuses on data protection and security, and writes for several journals including “Data Protection Leader Magazine” and “Data Guidance.” She is a contributing author to Financial Regulation: Emerging Themes in 2021 – an extensive collection of articles around the themes of Brexit; Regulatory Change; Regulatory and Litigation Risk; Technology; Governance; and Sustainability and People.

Geraldine Scali is recommended for her “masterful” knowledge of regulatory matters and authorities.

Legal 500 UK 2024

She also regularly speaks on data protection and security at IAPP’s conferences and at other industry conferences, and regularly gives in-house training to companies and financial institutions.

Geraldine is an active mentor in the mentoring programme of the W@Privacy platform, which aims to bring together privacy experts and enthusiasts to share, connect and engage on data protection and privacy topics.

Geraldine Scali at BCLP receives effusive praise for her longstanding practice which encompasses security breach responses, data protection litigation and GDPR compliance advice.

Who’s Who Legal: UK Global Elite

Professional Affiliations

  • Women in Privacy®, an international networking group for women data protection and privacy professionals. Geraldine was one of the inaugural members who helped establish the organisation.
  • IAPP (International Association of Privacy Professionals)
  • W@Privacy, a platform for women privacy professionals

Directory Recognition

  • Who’s Who Legal: UK Global Elite- Data Privacy & Protection, and in Data Security, as a leading individual (2018-) and as a thought leader (2020-)
  • Legal 500 2024 in Data Protection, Privacy and Cybersecurity

Admissions

  • Paris
  • England and Wales

Experience

Geraldine’s experience includes advising:

  • Numerous international companies in the financial services, life sciences and retail sectors on compliance with the UK/EU GDPR, including on cross-border data transfers;
  • Various organisations on dealing with personal data breaches including ransomware attacks;
  • Various international banks on cross-border investigations in the context of a whistleblowing procedure, or on the data protection implications of the mirroring of mobile devices;
  • An investment management firm on employee monitoring and the rollout of monitoring software;
  • Multiple clients in relation to the design and launch of diversity and inclusivity initiatives including multi-jurisdictional employee surveys; and
  • Multiple clients in relation to updating their intra-group data transfer agreements to take into account the rollout of the new EU Standard Contractual Clauses and UK International Data Transfer Agreement and Addendum.

Related Insights

Insights
Jan 14, 2025

EMEA- Data Privacy, Digital and AI Round Up 2024/2025

As expected in the data privacy and digital space, 2024 shaped up to be a year full of guidance, consultations, regulatory focus areas and legislative updates. Artificial Intelligence (AI) remained a hot topic, with advertising technology (AdTech) following closely on its heels. With the blizzard of global data protection developments continuing unabated in 2024, and no doubt more to come in 2025, it is a good moment to look back at what 2024 held for businesses as well as to consider what 2025 may hold in the EMEA region.
Insights
Dec 23, 2024

European Data Protection Board's Opinion on AI Models

On 17 December 2024, the European Data Protection Board (EDPB) adopted its opinion on certain data protection aspects related to the processing of personal data in the context of AI models (Opinion). The Opinion comes as a response to the Irish supervisory authority’s (Irish SA) request. The Irish SA’s request to the EDPB was prompted by the current lack of harmonisation amongst supervisory authorities when it comes to assessing AI models, and addresses key components of an AI model such as training, updating, developing and the operation of AI models where personal data is part of the dataset. The Irish SA posed four specific questions as part of the request, which cover: anonymity in AI models where personal data has been used to train the model; the appropriateness of relying on legitimate interest as a lawful basis and how this can be demonstrated; and the continued use of an AI where unlawfully processed data sets have been used to create, update or develop an AI model. We cover each of these themes in turn below.
Insights
Dec 19, 2024

Out with the old and in with the new- The Data (Use and Access) Bill

On 23 October 2024, the Data (Use and Access) Bill (the “DUAB”) was introduced to Parliament. The DUAB is the Labour government’s answer to the perceived shortfalls of the since-abandoned Data Protection and Digital Information Bill (the “DPDI” Bill). We unpack below the elements from the DPDI Bill that were abandoned, those retained, and the newly added ones introduced by the DUAB.
Insights
Dec 10, 2024

AI in HR - what you need to know

BCLP recently hosted a seminar on AI in HR. In this thought-provoking session, we considered how AI is used in HR and its regulation in the EU and the UK, and then engaged in some discussions around two theoretical scenarios. For those who were not able to attend, we have put together a summary of the key takeaways. 
Insights
Dec 06, 2024

Data and Cybersecurity - European Union Legislation and Proposals

The pace of new EU law continues unabated, with IoT, cyber security and digital services being key areas of activity. The BCLP Data Privacy & Security team is tracking EU law developments relevant to data and cyber security. In our tracker we (1) provide a snapshot, (2) explain who is impacted and (3) confirm the status and timeline for each of: the Digital Services Act, the Digital Markets Act, the Data Governance Act, the Data Act, the NIS2 Directive, the Cybersecurity Act and the Cybersecurity Resilience Act.
Insights
Dec 06, 2024

What is the impact of the EU's new Network and Information Systems Directive for Businesses?

Forming part of the EU’s broader digital and cyber security strategy, the new Network and Information Systems Directive 2022/2555 (NIS2) came into effect on 18 October 2024 (this being the deadline by which the directive is required to be implemented into national law, although this process is not yet complete).  It replaces NIS Directive 2016/1148 and complements the EU’s Cyber Resilience Act (discussed in a recent BCLP insight).  The revised directive is intended to cast a wider net and bring more industries and sectors directly within its regulatory remit.  In-scope businesses will therefore need to ensure appropriate risk-management procedures are embedded across their organisations.  Senior management also need to understand the oversight which they are required to exercise, given the personal liability for cybersecurity failings which NIS2 now mandates.   
Insights
Dec 04, 2024

AI Tools in Recruitment – Key Takeaways from the ICO Report

On 6 November 2024, the ICO published an outcomes report on AI tools in recruitment (the “Report”). This Report follows consensual audit engagements carried out by the ICO with developers and providers of AI tools to be used in recruitment between August 2023 and May 2024 and is part of the ICO’s ongoing upstream monitoring of the wider AI ecosystem to ensure compliance with UK data protection law.

News
Dec 12, 2024
BCLP advises BGC Group with the sale of Rates Compression business Capitalab
Insights
Sep 20, 2024
The EU’s Digital Operational Resilience Act 2022/2554 (DORA)