1. Home
  2. |Professionals
  3. |Grace Tang

Grace Tang

Associate
Associate
Z3RhbmdAY3Jvd2VsbC5jb20=
VCardLinkedIn
VCardLinkedIn

Areas of Focus

Overview

Grace Tang is an associate in Crowell & Moring’s Privacy and Cybersecurity Group, advising clients across a range of industries on technology and privacy-related legal matters. She combines her experience in technology with a strong foundation in privacy as clients often face an overlapping and increasingly complex regulatory landscape – particularly in areas such as online safety and artificial intelligence.

Grace regularly advises on high-value commercial technology and outsourcing arrangements, combining legal insight with a practical understanding of operational and business needs. On data protection matters, Grace has experience with advising on compliance programs, data subject rights and drafting privacy notices, data protection impact assessments and policies.

Having previously trained and qualified into a technology and data team in a London firm, Grace joined Crowell & Moring in 2025. She also gained experience as a paralegal for a few years at an international premium travel and payments company supporting all lines of business and legal operations.

Career & Education

    • University of Law, LPC, 2021
    • London School of Economics and Political Science (LSE), LLB Law, 2018
    • University of Law, LPC, 2021
    • London School of Economics and Political Science (LSE), LLB Law, 2018

    • Solicitor, England and Wales, 2023
    • Solicitor, England and Wales, 2023

Grace's Insights

Client Alert | 13 min read | 06.12.26

EU Cyber Resilience Act Countdown: 11 September 2026 Incident/Vulnerability Reporting Deadline Less Than 100 Days Away

The EU Cyber Resilience Act (CRA) is an EU product cybersecurity law for connected products (formally, “products with digital elements” under the CRA) commercialized in the EU; it entered into force on 10 December 2024, with direct application across the EU. Full application begins 11 December 2027, but one of its most operationally demanding provisions takes effect in just under 100 days, on 11 September 2026: the mandatory vulnerability and incident reporting under Article 14 CRA....

View All Insights

Insights

Client Alert | 13 min read | 06.12.26

EU Cyber Resilience Act Countdown: 11 September 2026 Incident/Vulnerability Reporting Deadline Less Than 100 Days Away

Publication | 05.28.26

Cyber Offense: How Far Can Private Organizations Go?

Client Alert | 8 min read | 05.01.26

Pre-Approved: ICO Publishes Guidance on "Recognised Legitimate Interests”

Client Alert | 7 min read | 03.23.26

UK Court Rules Duty to Safeguard Personal Data Extends to Hacked Pseudonymised Data in DSG Retail Ltd v The Information Commissioner

View All Insights

Practices

Industries

Grace's Insights

Client Alert | 13 min read | 06.12.26

EU Cyber Resilience Act Countdown: 11 September 2026 Incident/Vulnerability Reporting Deadline Less Than 100 Days Away

The EU Cyber Resilience Act (CRA) is an EU product cybersecurity law for connected products (formally, “products with digital elements” under the CRA) commercialized in the EU; it entered into force on 10 December 2024, with direct application across the EU. Full application begins 11 December 2027, but one of its most operationally demanding provisions takes effect in just under 100 days, on 11 September 2026: the mandatory vulnerability and incident reporting under Article 14 CRA....

View All Insights