BCLP logo

Geraldine Scali

Geraldine Scali

Partner

London

Partner and EMEA Lead of Data Privacy and Security

T: +44 (0) 20 3400 4483

LinkedInLinkedIn
VcardVcard
Download PDFDownload PDF
Print
Share

Biography

Geraldine Scali is the EMEA lead of data privacy and security, and has a focus on data protection, cybersecurity and Artificial Intelligence, with a specific emphasis on the financial services, life sciences and retail sectors.

She is a dual-qualified lawyer, admitted as a Solicitor in England and Wales, and as a French lawyer admitted to the Paris Bar, which together with her experience gained at US and International law firms over a period of nearly 20 years, makes her uniquely placed to give the best possible service to her global client base in the UK, Europe and the US.

She advises on all aspects of data privacy and security, with an emphasis on advising clients on the emerging laws that impact the development and implementation of AI solutions including the EU AI Act as well as the implementation of global data protection compliance programmes including UK/EU GDPR. cross-border data transfers, preparedness and management of personal data breaches and reporting. She also regularly advises on data protection issues in the context of complex cross-border investigations and litigation, corporate deals, and Inclusion & Diversity Programmes.

Geraldine Scali is a great partner. She is enthusiastic, very adept at finding creative paths forward… We love Geraldine and are so glad she’s in our corner.

Legal 500 UK

Geraldine is a regular contributor to the firms “Privacy Speaks” series which focuses on data protection and security and writes for several journals including “Data Protection Leader Magazine” and “Data Guidance.” She is a contributing author to Financial Regulation: Emerging Themes in 2021 – an extensive collection of articles around the themes of Brexit; Regulatory Change; Regulatory and Litigation Risk; Technology; Governance; and Sustainability and People.

Geraldine Scali is recommended for her “masterful" knowledge of regulatory matters and authorities.

Legal 500 UK

She also regularly speaks on data protection and security at IAPP’s conferences and at other industry conferences, and regularly gives in-house training to companies and financial institutions.

Geraldine is an active member as a mentor in the mentoring programme of the W@Privacy platform, which aims at bringing together privacy experts and enthusiasts to share, connect and engage on data protection and privacy topics.

Geraldine Scali at BCLP receives effusive praise for her longstanding practice which encompasses security breach responses, data protection litigation and GDPR compliance advice.

Lexology Index (UK)

Professional Affiliations

  • Women in Privacy®, an international networking group for women data protection and privacy professionals. Geraldine was one of the inaugural members who helped establish the organisation.
  • IAPP (International Association of Privacy Professionals)
  • W@Privacy, a platform for women privacy professionals

Directory Recognition

  • Lexology Index (UK) - Data Privacy & Protection, Data Security, Data (Information Technology) and in Artificial Intelligence, as a Leading Individual (2018-) and as a Thought Leader (2020-).
  • Legal 500 UK (2024-) Recommended Lawyer in Data Protection, Privacy and Cybersecurity

Emerging Themes 2025

Emerging Themes 2025

Creating Connections

2025 marks the 15th edition of Emerging Themes in Financial Regulation & Disputes. This year, our overarching theme is Creating Connections, examining three main pillars: Technology, Transparency, and Trust.

Find out more Find out more

Admissions

  • Paris
  • England and Wales

Related Capabilities

  • Data Privacy, Telecommunications & Collections

  • General Data Protection Regulation

  • AdTech

  • Marketing & Advertising

  • Healthcare & Life Sciences

  • Data Privacy & Security

  • Corporate

  • Finance

  • Investigations

  • Regulation, Compliance & Advisory

Experience

Geraldine’s experience includes advising:

  • McWin-backed L’Osteria, a Germany-based casual dining restaurant group specialising in Italian cuisine, on its acquisition of Pizza Pilgrims from its founders, James and Thomas Elliot, along with several other shareholders;

  • Numerous international companies in the financial services, life sciences and retail on compliance with the UK/EU GDPR including on cross-border data transfers;
  • Various organisations on dealing with personal data breaches including ransomware attacks;
  • Various international banks in the context of a cross-border investigations in the context of whistleblowing procedure or on the data protection implications of the mirroring of mobile devices;
  • An investment management firm on employee monitoring and the rollout of monitoring software;
  • Multiple clients in relation to the design and launch of diversity and inclusivity initiatives including multi-jurisdictional employee surveys; and
  • Multiple clients in relation to updating their intra-group data transfer agreements to take into account the rollout of the new EU Standard Contractual Clauses and UK International Data Transfer Agreement and Addendum.

Related Insights

View All Related InsightsIcon: arrow

Insights
Apr 07, 2026

Cyber Resilience in Financial Services: Navigating Rising Risks and the 2026 Regulatory Shift

UK regulators have not yet fully exercised the breadth of their powers to address shortcomings in organisational cyber‑security measures—but that restraint is unlikely to continue. The policy statements published on 18 March 2026 by the FCA, PRA and Bank of England, introducing a new single regime for operational incident and third‑party reporting, signal the direction of travel. The framework—under which firms must report serious cyber and operational incidents through a unified portal and provide structured information on their critical third party (CTP) dependencies—reflects the UK regulators’ sharpened focus on digital risk, system resilience, and their recognition of the vulnerabilities inherent in  complex technological supply chains. This shift sits alongside the UK government’s broader agenda. As the Cyber Security and Resilience (Network and Information Systems) Bill (NIS Bill) progresses and HM Treasury (HMT) prepares to designate major technology providers as CTPs using its FSMA powers, firms can expect a step‑change in supervisory expectations. Cyber‑security, data protection and operational resilience disciplines must now operate as a single, evidence‑based ecosystem capable of withstanding assertive regulatory challenge. The coming year will require firms not only to demonstrate alignment on paper, but to evidence—consistently and credibly—that controls work in practice. This article is the first in our three part Emerging Themes in Financial Regulation & Disputes 2026 series. We examine the evolving regulatory and risk landscape shaping cyber and operational resilience expectations for the year ahead—and set out practical priorities for financial services firms seeking to respond proactively. Our accompanying articles will examine (i) the evolving cyber litigation risks facing financial services firms and (ii) operational resilience and the growing influence of CTP designations.
Insights
Dec 18, 2025

EMEA- Data Privacy, Digital and AI Round Up 2025/2026

As anticipated in our 2024 privacy round up, 2025 has proven to be a defining year for data privacy and the broader digital landscape. Significant developments in AI regulation and cybersecurity have emerged, with legislative updates and regulatory activity accelerating as expected. Geopolitical dynamics continue to influence the adoption of new technologies, and questions remain over whether the EU will advance its tech regulation agenda, particularly following steps to delay certain implementation phases (most notably in AI) through its Digital Omnibus. With global data protection developments continuing at pace and further changes expected in 2026, now is an opportune moment to reflect on what 2025 delivered for businesses and to consider what 2026 may hold for the EMEA region.

Related Insights

Insights
Apr 07, 2026
Cyber Resilience in Financial Services: Navigating Rising Risks and the 2026 Regulatory Shift
UK regulators have not yet fully exercised the breadth of their powers to address shortcomings in organisational cyber‑security measures—but that restraint is unlikely to continue. The policy statements published on 18 March 2026 by the FCA, PRA and Bank of England, introducing a new single regime for operational incident and third‑party reporting, signal the direction of travel. The framework—under which firms must report serious cyber and operational incidents through a unified portal and provide structured information on their critical third party (CTP) dependencies—reflects the UK regulators’ sharpened focus on digital risk, system resilience, and their recognition of the vulnerabilities inherent in  complex technological supply chains. This shift sits alongside the UK government’s broader agenda. As the Cyber Security and Resilience (Network and Information Systems) Bill (NIS Bill) progresses and HM Treasury (HMT) prepares to designate major technology providers as CTPs using its FSMA powers, firms can expect a step‑change in supervisory expectations. Cyber‑security, data protection and operational resilience disciplines must now operate as a single, evidence‑based ecosystem capable of withstanding assertive regulatory challenge. The coming year will require firms not only to demonstrate alignment on paper, but to evidence—consistently and credibly—that controls work in practice. This article is the first in our three part Emerging Themes in Financial Regulation & Disputes 2026 series. We examine the evolving regulatory and risk landscape shaping cyber and operational resilience expectations for the year ahead—and set out practical priorities for financial services firms seeking to respond proactively. Our accompanying articles will examine (i) the evolving cyber litigation risks facing financial services firms and (ii) operational resilience and the growing influence of CTP designations.
Insights
Feb 24, 2026
Structuring the next generation of data centre tenant agreements
Insights
Dec 18, 2025
EMEA- Data Privacy, Digital and AI Round Up 2025/2026
As anticipated in our 2024 privacy round up, 2025 has proven to be a defining year for data privacy and the broader digital landscape. Significant developments in AI regulation and cybersecurity have emerged, with legislative updates and regulatory activity accelerating as expected. Geopolitical dynamics continue to influence the adoption of new technologies, and questions remain over whether the EU will advance its tech regulation agenda, particularly following steps to delay certain implementation phases (most notably in AI) through its Digital Omnibus. With global data protection developments continuing at pace and further changes expected in 2026, now is an opportune moment to reflect on what 2025 delivered for businesses and to consider what 2026 may hold for the EMEA region.
Insights
Nov 13, 2025
Meeting the cyber security challenge
News
Nov 10, 2025
BCLP advises McWin-backed L’Osteria on Pizza Pilgrims acquisition
Insights
Nov 03, 2025
GDPR Meets DMA: EU Guidance for Seamless Compliance
Insights
Oct 09, 2025
Guest Checkout Wins: EDPB’s Draft Guidance on Mandatory E-Commerce Accounts
Insights
Oct 01, 2025
The EU Digital Services Act through a GDPR lens: the EDPB's new draft guidelines
News
Sep 25, 2025
BCLP Advises STRABAG:Equitix Consortium on first of a kind £2.9bn Haweswater Aqueduct Resilience Programme