Victoria Hordern

Partner & Head of Data Privacy


  • She knows the subject matter and is very good at distilling the law down in a way that is practical.

    Chambers UK 2021

  • Recognised by Who’s Who Legal 2021 as a leading Data Privacy and Protection lawyer

    Who's Who Legal - Data 2021

  • Our contact with her has been very positive and she has been very quick to get back to us.

    Chambers UK 2021

  • She is skilled at advising data processors and data controllers on their GDPR requirements.

    Chambers UK 2021


I am a specialist data privacy lawyer who has practised in this area for many years helping clients across various sectors and industries.  I advise on the full range of data protection and privacy compliance matters including GDPR implementation (see our GDPR HealthCheck offering), employee privacy compliance, and privacy issues connected with the online environment and mobile apps.


As a data privacy lawyer, I’ve spent time in-house on secondments as well as a short stint in Silicon Valley helping US organisations directly with their EU operations. I also spent several years as part of the team advising the Government of Bermuda on the drafting and implementation of the Personal Information Protection Act 2016 in Bermuda.

I authored two chapters in the International Association of Privacy Professionals’ 2019 (2nd ed) European Data Protection Law and Practice on Lawful Processing Criteria and Employment Relationships. I help all types of organisations from global corporates, global non-profits/ charities to tech companies and smaller charities with their compliance with GDPR, data protection and e-privacy requirements. I head up the team of data privacy lawyers at Bates Wells.


  • I have assisted organisations with data privacy issues related to the COVID-19 emergency including the collection and sharing of (sensitive) data on employees/ workers.

    Additionally I have supported organisations with data privacy compliance issues when setting up grant arrangements to help charities and others cope with the emergency

  • I advised an online platform on an investigation into its processing by the ICO following a data security breach

    The client was a global online platform with worldwide customers who experienced a data security breach that became public. It was investigated by regulators in multiple jurisdictions including the UK. We supported the client in their dealings with the ICO including drafting responses to the ICO’s questions, advising on the strategic approach to handling the breach, and considering the report from the digital forensic investigators. The ICO confirmed in due course that it was taking no further action against the client.

  • I advised a global organisation on its approach to data transfers

    The client was a global campaigning and grant making organisation which transfers personal data about grantees and other individuals on a daily basis. Recognising the need to implement an approach to meet the requirements of the GDPR, we mapped the different importer and exporter organisations and data flows. We then drafted an intra-group data transfer agreement based on the European Commission approved contractual clauses as the mechanism for the client to rely on.

  • I advised a charity involved in carrying out undercover investigations

    The charity was a campaigning and advocacy organisation that can be involved in undercover investigations which involve the collection of personal data. We advised the client on the requirement to carry out a Data Protection Impact Assessment and helped to complete the DPIA.

  • I drafted a guide to the GDPR for use within a global marketing, communications and advertising company and providing associated training
  • I drafted a contracts playbook for a controller negotiating GDPR compliant agreements with processors
  • I assisted a global company with the roll out of a third party threat intelligence system processing employee data
  • I supported a professional body structure its data privacy approach across its organisation including rolling out data use principles and data processing agreements.
  • I advise organisations on their marketing consent wording and associated privacy notices to comply with GDPR
  • I advise on the privacy issues associated with the merger of two charities
  • I carry out GDPR Healthchecks for a number of organisations seeking to understand their level of compliance with the GDPR requirements

Qualifications and career

  • University of Oxford, BA (Hons) English
  • BPP London, PGDL and LPC
  • Training Contract at Field Fisher Waterhouse LLP, 2001
  • Qualified as a solicitor at Field Fisher Waterhouse LLP, 2003
  • Director at Field Fisher Waterhouse LLP, 2013
  • Joined Hogan Lovells International LLP, 2014
  • Counsel at Hogan Lovells International LLP, 2017
  • Joined Bates Wells in 2018
  • Partner at Bates Wells from 2019
  • CIPP/E and CIPT qualifications from the International Association of Privacy Professionals

Pro bono, memberships, and appointments

  • International Association of Privacy Professionals, Member of the Privacy Faculty
  • Trustee of RENEW Foundation (Recovery Empowerment Networking and Employment for Women)
  • Trustee of Childnet