1. Home
  2. |Professionals
  3. |Grace Tang

Grace Tang

Associate
Associate
Z3RhbmdAY3Jvd2VsbC5jb20=
VCardLinkedIn
VCardLinkedIn

Areas of Focus

Overview

Grace Tang is an associate in Crowell & Moring’s Privacy and Cybersecurity Group, advising clients across a range of industries on technology and privacy-related legal matters. She combines her experience in technology with a strong foundation in privacy as clients often face an overlapping and increasingly complex regulatory landscape – particularly in areas such as online safety and artificial intelligence.

Grace regularly advises on high-value commercial technology and outsourcing arrangements, combining legal insight with a practical understanding of operational and business needs. On data protection matters, Grace has experience with advising on compliance programs, data subject rights and drafting privacy notices, data protection impact assessments and policies.

Having previously trained and qualified into a technology and data team in a London firm, Grace joined Crowell & Moring in 2025. She also gained experience as a paralegal for a few years at an international premium travel and payments company supporting all lines of business and legal operations.

Career & Education

    • University of Law, LPC, 2021
    • London School of Economics and Political Science (LSE), LLB Law, 2018
    • University of Law, LPC, 2021
    • London School of Economics and Political Science (LSE), LLB Law, 2018

    • Solicitor, England and Wales, 2023
    • Solicitor, England and Wales, 2023

Grace's Insights

Client Alert | 7 min read | 03.23.26

UK Court Rules Duty to Safeguard Personal Data Extends to Hacked Pseudonymised Data in DSG Retail Ltd v The Information Commissioner

In a significant ruling on the application of data protection law in the United Kingdom, on 19 February 2026, the UK’s Court of Appeal (CA) ruled in favour of the UK Information Commissioner (ICO) in its appeal against the decision of the Upper Tribunal (UT) in the case of DSG Retail Ltd v The Information Commissioner [2026] EWCA Civ 140. This ruling clarifies the scope of data controllers’ security obligations with pseudonymised personal data and confirms that a controller’s duty to safeguard personal data is not diminished merely because a cyber attacker who exfiltrates that data would be unable to re-identify the individuals concerned....

View All Insights

Insights

Client Alert | 7 min read | 03.23.26

UK Court Rules Duty to Safeguard Personal Data Extends to Hacked Pseudonymised Data in DSG Retail Ltd v The Information Commissioner

Publication | 12.15.25

International Comparative Legal Guide - Telecoms, Media & Internet 2026

Client Alert | 10 min read | 12.01.25

EU AI Act, GDPR, and Digital Laws Changes Proposed

Client Alert | 5 min read | 11.18.25

The UK’s Cyber Security & Resilience Bill at a glance

View All Insights

Practices

Industries

Grace's Insights

Client Alert | 7 min read | 03.23.26

UK Court Rules Duty to Safeguard Personal Data Extends to Hacked Pseudonymised Data in DSG Retail Ltd v The Information Commissioner

In a significant ruling on the application of data protection law in the United Kingdom, on 19 February 2026, the UK’s Court of Appeal (CA) ruled in favour of the UK Information Commissioner (ICO) in its appeal against the decision of the Upper Tribunal (UT) in the case of DSG Retail Ltd v The Information Commissioner [2026] EWCA Civ 140. This ruling clarifies the scope of data controllers’ security obligations with pseudonymised personal data and confirms that a controller’s duty to safeguard personal data is not diminished merely because a cyber attacker who exfiltrates that data would be unable to re-identify the individuals concerned....

View All Insights