Ryan Mackie
Data Protection & Cyber Security Lawyer

In addition to being a Foreign (South Africa) Qualified Lawyer specialising in Cyber Security and Data Protection Law, Ryan is also a professional member of the International Association of Privacy Professionals (IAPP) and has been awarded the following certifications by this professional body:

Fellow of Information Privacy (FIP)

Certified Information Privacy Professional (CIPP/E)

Certified Information Privacy Manager (CIPM)



Ryan was recently granted the ISACA certification as a Certified Data Privacy Solutions Engineer (CDPSE) – the first experience based, technical certification of its kind, ISACA’s CDPSE certification assesses a technology professional’s ability to implement privacy by design to enable organisations to enhance privacy technology platforms and products that provide benefits to consumers, build trust and advance data privacy.

Ryan’s most recent work experience has been in helping several software vendors to design software and tools to help clients to assess and manage their Cyber Security and GDPR compliance efforts and he’s also working on developing an artificial intelligence (algorithmic) audit tool which he hopes to bring to market shortly to help clients manage and audit algorithmic risks.

Ryan also works as an advisor (and Angel investor) in a tech start up called Tapmydata which uses blockchain technology and Privacy by Design principles to manage data subject rights requests (DSARs) under the GDPR and related legislation – so Ryan has extensive knowledge of software design in the Data Privacy / Information Security and AI sectors.

Ryan prides himself in providing his clients with bespoke, practical and commercially relevant advice in the fields of Data Privacy, Information and Cyber Security Law and compliance,

In his previous role as Managing Executive for GRCI Law (a subsidiary of GRC International Group plc (GRCI Group), Ryan singlehandedly helped to design and build the outsourced DPO-as-a-Service (DPOaaS) function for the business, starting with only one DPO (i.e. himself) and then building a team of 9 DPOs spread across the UK & EU.

When Ryan first started with GRCI Group, they only had 1 potential client and he’s since grown the business to such an extent that it now services over 70 international clients. In so doing, Ryan acted as the DPO for clients such as Dominos Pizza, BFC Bank, MyDrive Solutions (part of the Generali Group), Keoghs Solicitors, Circle Health, Abercrombie & Kent Travel and Somerville and Wadham Colleges, Oxford University and he hopes to provide the same level of support for Nexa’s clients going forward.

Ryan’s experience of working in Data Protection/Privacy (DP) Law started in 2012 when he moved in house with a company called the APM Group. His journey into this field of the law started when he was asked to work on a project with several EU based Data Protection professionals to develop a Data Protection qualification. The qualification was being developed with a view to training and certifying EU Data Protection Officers – which were obligatory under that early version of the EU General Data Protection Regulation (GDPR).  Ryan has been lucky enough to apply what he learned on this project in practice in the various other DP related roles that he’s had since 2012.

Ryan has also been lucky enough to work on several projects with the MoD to develop and commercialise a system called CDCAT (a Cyber Defence Capability Assessment Tool) and with GCHQ to help them develop and commercialise several cyber security, training, assessment and defence programmes – Cyber Essentials & GCT (GCHQ Certified Training). His work on these projects as a legal subject matter expert helped him to develop his knowledge and experience in Cyber Security practices and laws. Ryan has also since worked on a project to advise the Marks & Spencer’s Cyber Security Team on GDPR and PCI DSS legal and compliance issues.

Over the last 3 years, Ryan has worked on several projects for multinationals such as Honda (Europe), Schroders, Pearson, Clydesdale Bank and Credit Suisse (to name a few) to help them prepare for the GDPR – his responsibilities on these projects included preparing and implementing a project plan to map each organisation’s Data and Data Processing activities, completing a GDPR Maturity Assessment to help each business to identify and plug any gaps in their current systems, processes and policies. Working closely with the relevant business’ Information Security teams to review their respective IT Asset Inventories (with a view to mapping any personal/sensitive date) and to help them develop their respective systems, procedures and policies to help them show compliance with the GDPR. Ryan also acted as the first point of contact for each business in relation to any IT, Cyber Security and Data Protection issues, advising them on any possible risks and legal implications that might be associated with the impending GDPR and advising them on how best to go about mitigating those risks.

Ryan has also helped several of his clients to design and recruit staff for their respective Data Privacy / DPO functions and assisting them to design and implement Records of Processing, DPIAs, Data Protection Risk Registers and with plugging any gaps in their existing/legacy systems, processes and policies.

Ryan has also worked closely with his clients’ C-Suite, Legal, HR, Product Development, Procurement and Information Security teams to advise the business on all things Data Privacy and Cyber Security related, e.g. helping to build Privacy by Design into all applicable applications, projects, systems and processes, so he also has hands on experience of working closely with a broad range of stakeholders.

Telephone: 020 7504 7071 ext 11