20+ years of privacy and data security experience (regulatory and transactional). Adept in simplifying complex laws for clients and streamlining processes to reduce operational complexities, costs and legal risk.
Created and implemented end-to-end privacy and data security processes, including:
Internal privacy and data security policies that provide guidance on accessing, collecting, using, disclosing, transferring, retaining, securing, or otherwise processing personal information, including HR and customer data
Privacy notices or disclosures
Privacy and data security trainings (from simple “101” trainings to global and comprehensive trainings)
Data protection agreements for vendors and customers (from simple agreements to global agreements)
Vendor management guidance
Playbooks for negotiating data protection language with vendors and customers
Marketing guidance
M&A due diligence checklists
Data protection-by-design guidance
Privacy and data security impact assessments/audits
Indemnity and limitation of liability guidance
Data security breach management, plans and statutory decision trees
Processes that address new or evolving technologies, such as big data analytics, intelligence-driven security, cloud computing, BYOD and mobile
Drafted and negotiated hundreds of data protection agreements, both from a service provider (processor) and customer (controller) standpoint, addressing issues such as:
Data processing
Privacy principles, such as data minimization
Administrative, technical and physical security measures
Breach notification, cooperation and costs
Cross-border data transfers
Audits, attestations and certifications
Data protection training
Use of subcontractors and onward transfers
Termination and data disposal
Indemnity and limitation of liability
Counseled clients on U.S. and non-U.S. privacy and data security laws/requirements, including:
Federal data protection laws, such as HIPAA, GLBA, FCRA, CAN-SPAM, ECPA, COPPA and the FTC Act as it applies to unfair/deceptive trade practices
State data protection laws, such as the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17)
Federal and state data security breach laws
Regulatory consent decrees and guidance
NIST guidance, including the Cybersecurity Framework
EU laws and guidance, including the General Data Protection Regulation (GDPR), Member State laws implementing the Data Protection Directive, and Article 29 Working Party documents
Cross-border data transfer issues, such as Safe Harbor, Privacy Shield, EU Model Clauses, Binding Corporate Rules and other derogations for transferring data under the Data Protection Directive and GDPR
Various data protection requirements in other regions, such as in Canada, Latin America and APJ
Industry security requirements, such as PCI DSS
Deep understanding of in-house environments and cross-functional collaboration:
Significant experience working with and counseling in-house lawyers and other groups on data protection, including procurement and contract negotiators, sales and account reps, compliance, engineering, global security, CISO, HR, government affairs, marketing, public relations and risk/audit
Partnered with business groups to address gaps and inefficient ad hoc processes by creating and instituting effective, consistent, self-executing processes that greatly reduce risk to the business, drive business growth and achieve measurable savings for the business