Introducing the GDR 100

Welcome to the inaugural edition of the GDR 100, in which the Global Data Review team identifies and profiles the world’s best data law firms.

We believe the GDR 100 is the only global ranking that captures the capabilities, track record and market reputation of the leading firms in the field – and the first data law ranking that does not exclusively focus on data protection and privacy.

The market for data legal advice

GDR is Global Data Review, not Global Data Protection Review. (If nothing else, Global Data Protection Review would have a confusing acronym.) It prides itself on covering the law and regulation of all types of data – not just personal data.

Since GDR launched in 2018, its editorial team has covered the likes of data localisation, private disputes revolving around the acquisition or misuse of industrial data, antitrust barriers to the exploitation of data, companies using IP and confidentiality laws to protect their proprietary information, and more. We wanted to give firms the opportunity to show us their full data practice, allowing us to peer under the hood and see how companies are using data as an asset.

While we have seen plenty of non-personal data as a result, the GDR 100 reflects the market: most companies primarily need data protection-related services. Data localisation is a big deal in certain Asian jurisdictions – especially in cloud and financial services – and data-focused companies need to have watertight IP and database rights over their assets, but the bulk of the data-focused work out there is related to personal data. For example, there is plenty of cybersecurity and data breach work to go around, but for many companies data protection and security go hand in hand. With the exception of some US lawyers, the vast majority of cybersecurity lawyers rarely advise on ‘pure’ cybersecurity matters that are unrelated to personal data. There is a business risk to losing control of valuable data, but the regulatory risk is just as important.

As such, most of the mandates we showcase here, and the capacities that we assessed, relate to personal data.


The ranking is based on in-depth submissions submitted by hundreds of law firms around the world, ranging from IT-focused boutiques to sprawling international giants.

We used GDR sister publication Who’s Who Legal: Data as a starting point. The Who’s Who Legal team identifies the very best practitioners, basing their selection on votes submitted by thousands of lawyers and experts around the world. We asked firms that had nominees in the 2019 Who’s Who Legal: Data directory to submit extensive information on the make-up of their practices, identify the lawyers that work within them, and provide information about ongoing and recently-concluded cases and other mandates.

Having identified potential candidates, we requested information about the partners and other lawyers who dedicate a significant amount of their time to data, and details of their work, broken down into non-contentious and advisory mandates, government-facing contentious investigations, and private disputes. We invited firms to send us details about confidential work, as it would assist us in building the final list.

Once we received those submissions, we included only those which we felt had deep, lasting practices with a track record of acting for major companies on complex cases and deals, and of advising on significant compliance projects and product launches.

It was not a purely quantitative approach: the GDR editorial team was also consulted in order to ensure that it brought its experience of the market to bear. Getting into the book was not just a numbers game – firms also needed to impress the editorial team. Given that the team spends its days reporting on the world’s leading cases, that is no easy task, and firms that have been included have good reason to be proud.

As our approach involved editorial discretion, we exercised that to include a few firms that chose not to send us submissions. While those profiles are not as full as we would like them to be, we felt that excluding them would undermine the ranking.

We also named 20 global elite firms. Read more about them here.

What is a data practice?

GDR is published by Law Business Research, which publishes brands such as Global Competition Review, Global Investigations Review, Global Restructuring Review, Global Arbitration Review and Global Banking Regulation Review. Each of these has its own 100 publication (with the exception of Global Banking Regulation Review, which launched in 2020 and has yet to publish its first). We also work alongside sister brands IAM and World Trademark Review, which respectively cover patents and trademark law, which have even more ambitious 1000 rankings.

There is a lot of variation between those rankings, but they all closely follow a single practice area and pick out the best firms on their respective markets.

We would argue that the GDR 100 is much harder to cleanly delineate. Each of 100s and 1000s above cover distinct markets: antitrust lawyers are easy to spot, international arbitration is a sufficiently distinct market from general commercial litigation that you can usually tell them apart, and restructuring and insolvency experts tend to hold themselves out as such.

Data law is a different beast – or rather, a collection of different beasts. GDR frequently comes across lawyers with backgrounds in contentious and non-contentious IP, technology contracts, white-collar investigations, commercial disputes and more. One leading global name in data privacy is listed by his law firm as working in more than 25 practice groups. It might be down to over-eager marketing, but it illustrates how wide the field has become, and how different people can bring different skillsets to the table.

If it’s hard to identify data lawyers, it’s even harder to say one team of such lawyers is better than the other: law firms also approach data in very different ways, and it’s tough to mount a fair head-to-head comparison.

Some, for example, have a small bench of data protection specialists who have spent decades doing little else. Others have retooled lawyers with backgrounds in soft IP, commercial contracts and outsourcing as it became clear that data increasingly drives technology markets, and now offer a one-stop-shop service that will handle all data-related aspects of a client’s activity – whether that data is personal or not.

We take no position on the ‘best’ way to do things. The privacy specialists make a good argument that experience trumps all, while the all-rounders can sometimes snipe that the experts can develop tunnel vision. GDR isn’t taking sides: both approaches are totally valid ways of doing business, and in reality most practitioners sit somewhere between the two extremes – if nothing else because it’s only relatively recently that the market has grown to the point where it can sustain scores of senior lawyers who only do data protection.

We’ve also been fascinated to see how different law firm models are able to gain strong market positions. On the one hand, your sprawling global behemoths – Baker McKenzie, Dentons and DLA Piper, which handle cutting-edge work and can do so in multiple locations. On the other, your boutiques – think Bristows and ZwillGen. They have a smaller geographical footprint; but their reputation and quality of work mean they deserve to be mentioned in the same breath as the bigger firms, and who deserve praise for building strong practices despite having more limited opportunities for inter-departmental cross-selling.

Consider two hypothetical firms. One is a two-partner boutique, with a focus on becoming trusted advisers for vendors and SMEs that need advice on all aspects of IT and technology law. The other is a cog in the machine that is a sprawling, international corporate law firm, which can bid for its own standalone work or act as a service department for other teams, and no doubt benefit from internal cross-selling and referrals.

Both are perfectly valid business models, and attract their own challenges, advantages and disadvantages. They might even compete with each other at times. But it is nearly impossible to make a like-for-like comparison of those firms – indeed, smaller firms are often close to larger international shops, as establishing a close and healthy referral relationship will generally be a safer approach.

What next?

Beyond the division between Elite firms and the chasing pack, this inaugural edition of the GDR 100 is unranked.

Having reviewed the submissions, we came to the conclusion that the data we had received was not yet rich enough that we could use it to make quantitative comparisons. In particular, we need to refine our process in order to do a good job of ranking the Elite firms fairly.

So, we have some thinking to do. We may ask for supplementary information in the 2022 edition in order to generate a richer dataset – ideally, one that we could use to generate more of an ordered ranking, and to which we can apply extra credit at the discretion of the GDR editorial team to result in comparable scores. We would certainly welcome feedback on ways to do this robustly.

We are already looking into expanding the types of firm that we consider in this ranking. There will be opportunities to identify the best non-lawyer advisers – the cybersecurity experts, the data monetisation consultants, and so on. While we have focused exclusively on law firms in this inaugural edition, that will not be the case forever.

We will also investigate how to bring other types of lawyer on board. The firms listed here almost exclusively carry out primarily defence-side work. That’s a feature of the market: outside of B2B disputes – which remain relatively rare – corporate law firms rarely represent plaintiffs against companies. Particularly in the US, you’ll most often see the Edelsons, Morgan & Morgans and Hausfelds of this world leading scores of privacy class actions, between them running cases that are worth billions of dollars. We don’t feel it would be fair to compare those specialised litigation practices with the broader firms we’ve ranked here: it just wouldn’t do either side justice. However, we may look into a separate section that names the leaders in that field.

Ultimately, there is of course scope to improve the GDR 100. But we feel that this inaugural edition is strong, and tells you what you need to know about the legal market for data.

Unlock unlimited access to all Global Data Review content