Unlike some “big firm” privacy and cybersecurity practices, our practice isn’t focused on hourly billings from massive data breaches. We are more than happy to help a client dust off and regain its footing after a breach, and to defend any associated litigation, but our primary goal is to reduce the likelihood that litigation will arise by helping clients build cost-effective yet powerful privacy and security programs and maintain them over the long term.
- advice on the legal requirements imposed by the GDPR, CCPA/CPRA, and other potentially applicable privacy laws
- development of compliant data protection, privacy, and security programs
- advice on and drafting of compliant privacy notices
- advice on and drafting of client consents
- assistance with data subject requests
- data protection/privacy impact assessments
- assistance with data mapping, classification, and the development of records of processing activities
- vendor management, including privacy and security due diligence and data processing agreements
- incident response and notification
Neil Riemann leads this practice. He holds Certified Information Privacy Professional credentials (CIPP/US, CIPP/E, and CIPM) from the International Association of Privacy Professionals (IAPP) and also has technical experience with software development and information security. He participates in the Sedona Conference’s Working Group 11 on Data Security and Privacy Liability, the North Carolina Bar Association’s Data Privacy and Security Section, and IAPP activities.
More detailed information about specific aspects of the practice can be found below.
GDPR, CCPA/CPRA, and Other Privacy Laws
In 2023, companies face new privacy obligations on multiple fronts. Companies subject to GDPR that use Standard Contractual Clauses to effect cross-border transfers must update to the new clauses, and all such companies must consider the potential impact of a new US-EU privacy framework. Companies subject to the CCPA must cope with the changes wrought by CPRA, including additional disclosures, the end of the right to cure, changes to data processing agreements, and the extension of CCPA to employee and business-to-business data. In addition, completely new privacy laws take effect in Virginia, Colorado, Connecticut, and Utah, granting new data subject rights and imposing new obligations, including restrictions on the selling and sharing of personal information and on automated decision-making. We can help you update your policies, procedures, and notices to reflect these changes.
Privacy Policies and Notices
We help organizations draft privacy policies and notices that satisfy applicable legal requirements and explain privacy practices to customers, employees, and other affected parties.
Data Subject Consents
The law continues to impose new burdens on companies seeking to obtain consent from data subjects for processing personal information. We can help you identify situations where consent cannot be relied upon, as well as potential alternative bases for processing that personal information. Where consent can be obtained, we can help you draft a consent form that will maximize the likelihood of satisfying legal requirements.
Data Subject Requests
We can help you authenticate data subject requests and determine the scope of your obligation to respond to them.
Data Protection/Privacy Impact Assessments
Privacy laws impose on organizations an obligation to conduct data protection or privacy impact assessments where certain types of processing are concerned. We can help you design processes that avoid the need for such assessments and help you conduct those assessments where they are required.
Data Mapping, Classification, and ROPAs
In order to implement an effective data protection program and satisfy the legal requirements imposed by privacy laws, an organization must know what kinds of data it holds, where, and what is done with that data. We can help organizations with these mapping exercises, with the development of appropriate classification schemes, and with legally adequate documentation of their processing of personal data.
Vendor Management
Organizations often entrust personal or other sensitive business information to third-party vendors like call centers and cloud service providers. In a typical case, they are legally and practically required to oversee the performance of that third party as it pertains to the information shared. We can help organizations conduct due diligence on these vendors and implement contracts that allow effective oversight without imposing unnecessary liability, and we can show you how to monitor contract performance effectively.
Incident Response and Notification
We will advise and represent any type of organization that suffers a security incident or data breach. We can advise you on how to address the incident. If necessary, we can also oversee a privileged investigation and mount a cost-effective defense in litigation.