Demetrios A. Eleftheriou

20+ years of privacy and data security experience (regulatory and transactional). Adept at simplifying complex laws for clients and streamlining processes to reduce operational complexity, costs and legal risk.

Created and implemented end-to-end privacy and data security processes, including:

  • Internal privacy and data security policies that provide guidance on accessing, collecting, using, disclosing, transferring, retaining, securing, or otherwise processing personal information, including HR and customer data
  • Privacy notices or disclosures
  • Privacy and data security trainings (from simple “101” trainings to global and comprehensive trainings)
  • Data protection agreements for vendors and customers (from simple agreements to global agreements)
  • Vendor management guidance
  • Playbooks for negotiating data protection language with vendors and customers
  • Marketing guidance
  • M&A due diligence checklists
  • Data protection-by-design guidance
  • Privacy and data security impact assessments/audits
  • Indemnity and limitation of liability guidance
  • Data security breach management, plans and statutory decision trees
  • Processes that address new or evolving technologies, such as big data analytics, intelligence-driven security, cloud computing, BYOD and mobile

Drafted and negotiated hundreds of data protection agreements, both from a service provider (processor) and customer (controller) standpoint, addressing issues such as:

  • Data processing
  • Privacy principles, such as data minimization
  • Administrative, technical and physical security measures
  • Breach notification, cooperation and costs
  • Cross-border data transfers
  • Audits, attestations and certifications
  • Data protection training
  • Use of subcontractors and onward transfers
  • Termination and data disposal
  • Indemnity and limitation of liability

Counseled clients on U.S. and non-U.S. privacy and data security laws/requirements, including:

  • Federal data protection laws, such as HIPAA, GLBA, FCRA, CAN-SPAM, ECPA, COPPA and the FTC Act as it applies to unfair/deceptive trade practices
  • State data protection laws, such as the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17)
  • Federal and state data security breach laws
  • Regulatory consent decrees and guidance
  • NIST guidance, including the Cybersecurity Framework
  • EU laws and guidance, including the General Data Protection Regulation (GDPR), Member State laws implementing the Data Protection Directive, and Article 29 Working Party documents
  • Cross-border data transfer issues, such as Safe Harbor, Privacy Shield, EU Model Clauses, Binding Corporate Rules and the derogations for transferring data under the Data Protection Directive and GDPR
  • Various data protection requirements in other regions, such as in Canada, Latin America and APJ
  • Industry security requirements, such as PCI DSS

Deep understanding of in-house environments and cross-functional collaboration:

  • Significant experience working with and counseling in-house lawyers and other groups on data protection, including procurement and contract negotiators, sales and account reps, compliance, engineering, global security, CISO, HR, government affairs, marketing, public relations and risk/audit
  • Partnered with business groups to close gaps and replace inefficient ad hoc processes with consistent, self-executing processes that greatly reduce risk to the business, drive business growth and achieve measurable savings