Designing a GDPR compliance program that aligns GDPR obligations with your company's strategic initiatives can significantly improve your GDPR compliance profile and result in lower regulatory fines should you be reviewed. Please review this summary of the broad range of real-world guidance and global compliance implementation experience our in-house "mission support" team will bring to bear on your GDPR compliance mission.
Our principal consultant has been awarded the distinguished IAPP "Fellow Of Information Privacy" (FIP) designation and is a Wharton-trained business consultant (and Stanford-trained attorney) with fifteen years of experience in counseling US and non-US multinationals in EU data protection compliance. He formerly served as an in-house privacy counsel for a global leader in cloud infrastructure and data management and security software. In that role, he spent a year based in the United Kingdom, coordinating the global implementation of compliance with the EU Data Protection Directive (for a multinational entity transferring "PII" among a group of over thirty global subsidiaries). His responsibilities in that role included engineering senior executive "buy-in" and coordinating compliance activities with regional in-house counsel. He has also provided compliance program design and EU Privacy subject matter expertise on a number of data protection consulting engagements on behalf of US or non-US multinationals. The guidance covered compliance with data protection regulations, in particular cross-border data transfer restrictions, for jurisdictions in the EU, Asia and Latin America, including the representative consulting engagements summarized below:
**Provided counsel to a group of EU-based digital marketing services providers on GDPR and E-Privacy Regulation compliance matters:**
- Counseled on developing Privacy By Design procedures and GDPR-mandated reporting and accountability systems.
- Counseled on implementing and documenting lawful cross-border transfer of personal data among legal entities located outside the EEA and on the flow-down of GDPR obligations to non-EU-based IT vendors.
- Designed and directed Data Inventory, PIA and Data Mapping exercises to establish baseline GDPR compliance obligations and document the GDPR compliance program implementation plan.
- Completed the design of a comprehensive, multi-year GDPR compliance implementation program.
**Provided counsel on EU data protection compliance program implementation issues for a US-based chemical company with 25+ global subsidiaries:**
- Identified cross-border data transfer compliance risk exposures in the EU, Asia and Latin America subsidiaries.
- Completed the design of a comprehensive, multi-year global privacy compliance program.
- Provided tactical guidance on implementing specific HR and IT data transfer compliance mechanisms for cross-border data transfers from the European Union.
**Provided guidance on existing and proposed cross-border personal data transfer compliance solutions, and regulator feedback covering EU compliance, for a Fortune 50 global financial services company:**
- In conjunction with the internal audit team, completed a comprehensive review of EU Data Protection compliance activities, including a comprehensive review of documentation and implementation of Binding Corporate Rules (BCRs) approved by a local EU regulatory authority.
- Provided recommendations for follow-on compliance activities and an internal organizational strategy to assure effective global implementation of policies and procedures in approved BCRs and supervising regulator directives.
**Performed a data protection consulting engagement with respect to EU and Asia-Pacific cross-border data transfer compliance on behalf of the US-based subsidiary of a Germany-headquartered multinational:**
- Performed a global subsidiary risk "mapping" analysis to highlight current legal exposure for subsidiaries in Europe and Asia-Pacific based on existing compliance obligations under comprehensive local data protection legislation.
- Provided guidance in implementing cross-border data transfer compliance mechanisms for transfer of data between US-based IT operations and local operating subsidiaries in Asia-Pacific and EU jurisdictions.
**Provided guidance to connected products manufacturers and digital marketing services providers on compliance with global data protection regulations in over twenty non-EU jurisdictions, including specific regulations on the collection and "export" of online information and COPPA (Children's Online Privacy Protection Act) in the United States:**
- Provided guidance in implementing procedures to monitor instructions of online marketing clients for conflict with applicable privacy laws and marketing industry best practices.
- Assessed and counseled on restrictions on online marketing and tracking activities in over twenty countries with actively enforced data protection regulations.
- Supervised outside counsel in interfacing with an online marketing client, and an investigating authority, in order to identify sources of potential exposure to COPPA violations based on online marketing services performed for a global toy company website.
- Counseled on, and negotiated the contractual allocation of, data privacy obligations with regard to PII and PHI collected in the use of wearable devices.
- Counseled on data protection and privacy obligations and implications with respect to international processing of device identifiers and cookie use, covering over twenty non-EU jurisdictions, including database localization obligations in Russia.
**Coordinated global implementation of the EU Directive on behalf of a global cloud infrastructure and services provider and completed several Cloud services-related consulting engagements, including negotiating key aspects of privacy obligations under Cloud Computing contracts, both on behalf of large Cloud providers and enterprise-level Cloud customers:**
- Advised on preparation of data processing agreements and allocation of EU data protection compliance obligations in service contracts for Cloud infrastructure services.
- Negotiated EU Data Protection compliance obligations, including GDPR and Privacy Shield compliance obligations, with commercial users of Cloud-based software applications deployed in mobile devices and connected automobiles.
- Designed and implemented a GDPR compliance program on behalf of affiliated entities, located in the EU, Turkey and Russia, processing PII globally in providing digital marketing services to a global client base.
- Assessed cloud products for compliance with Privacy Shield and GDPR obligations and counseled product managers on remedial action to achieve Data Protection compliant products.