Frequently asked questions

Privacy FAQ

Answers to the questions GCs, CPOs, DPOs, CISOs, and compliance executives ask about privacy program development, incident response, breach notification, GDPR, CCPA/CPRA, and cross-border data transfers.

Privacy questions

When does my organization need privacy counsel, and how early should we engage?

Engage privacy counsel before a triggering event — at product design, vendor onboarding, M&A diligence, or new market entry — not after a breach or regulator letter. Privacy by design under GDPR Article 25 and analogous U.S. state law obligations require privacy assessment before processing begins. Late engagement exposes the organization to fines up to 4% of global annual turnover under GDPR Article 83 and statutory damages under CCPA/CPRA.

What makes Law & Forensics different from a typical privacy consultancy?

We are practitioners, not order-takers. Our team includes lawyers, privacy engineers, data scientists, former Chief Privacy Officers, and retired regulators who have lived through enforcement actions, breach notifications, and cross-border investigations. Engagements are led by senior personnel from intake through regulator engagement.

What is a Privacy Impact Assessment (PIA) versus a Data Protection Impact Assessment (DPIA), and when is each required?

A PIA is a global best-practice exercise; a DPIA is a mandatory legal instrument under GDPR Article 35 when processing is likely to result in a high risk to data subjects. Colorado, Virginia, Connecticut, and other state privacy laws require analogous Data Protection Assessments for sale of personal data, targeted advertising, profiling with legal effect, and processing of sensitive data.

How do you build a privacy program from the ground up?

We start with a data inventory and Records of Processing Activities (RoPA) under GDPR Article 30, map the regulatory perimeter, and build the program around NIST Privacy Framework or ISO/IEC 27701. From there we develop policies, DSAR workflows, vendor due-diligence procedures, training, and governance committees.

What is the 72-hour GDPR breach notification rule, and how do we comply?

GDPR Article 33 requires controllers to notify the lead supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it. The clock starts when you have a reasonable degree of certainty that a breach occurred — not when forensic investigation completes. GDPR Article 34 separately requires notification to data subjects when there is a high risk to individuals.

How do we manage U.S. state breach notification obligations across 50+ jurisdictions?

Every U.S. state, DC, and several territories have breach notification statutes with distinct definitions of personal information, timing, content, and AG-notification thresholds. HIPAA's Breach Notification Rule (45 CFR 164.400–414) overlays a separate regime for PHI with HHS OCR notification within 60 days. We maintain a 50-state notification matrix calibrated to each statute's specific triggers.

How do you train and stand up an internal privacy incident response team?

We build cross-functional incident response teams — privacy, legal, security, IT, communications, HR, executive sponsor — and train them with realistic tabletop exercises before a live incident. Training covers detection and triage, evidence preservation, regulator communication, customer notification scripts, and post-incident review.

What does a post-incident review and remediation engagement look like?

A defensible post-incident review identifies root cause, quantifies impact, closes program gaps, and produces documentation suitable for regulators and litigation. We assess the incident timeline, identify privacy program gaps, and develop remediation plans grounded in business process re-engineering, system modification, or new control deployment.

How do we comply with the patchwork of U.S. state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, IUDPA, MODPA)?

The pragmatic approach is to design once to the strictest applicable standard — typically CPRA plus Colorado Privacy Act rules — and layer state-specific requirements on top. Outputs include a unified consumer rights workflow, a single sensitive-data inventory, opt-out mechanisms including Global Privacy Control, and a consolidated vendor contract program.

How do we lawfully transfer personal data out of the EU, UK, Switzerland, and China?

Cross-border transfers require a valid GDPR Chapter V mechanism — adequacy, Standard Contractual Clauses under GDPR Articles 46/47, Binding Corporate Rules, or a derogation under Article 49 — supported by a Transfer Impact Assessment under Schrems II. The EU-U.S. Data Privacy Framework provides adequacy for self-certified U.S. importers. UK, Switzerland, China PIPL, and Brazil LGPD impose distinct requirements.

How do we conduct privacy due diligence on vendors and processors?

GDPR Article 28 and analogous U.S. state law require controllers to use only processors providing sufficient guarantees of compliance and to enter into a written data processing agreement. We design risk-tiered vendor privacy due diligence covering DPA negotiation, sub-processor controls, security assessments under GDPR Article 32, breach-notification SLAs, audit rights, and exit terms.

How do you handle Data Subject Access Requests (DSARs) at scale?

We design DSAR workflows that satisfy GDPR Articles 15–22, CCPA/CPRA right-to-know and right-to-delete, and analogous state law rights — within statutory deadlines and without leaking other individuals' data. Effective DSAR fulfillment depends on identity verification, accurate data mapping, redaction protocols, and clear extension procedures.

Which international privacy regimes do you advise on?

GDPR, UK GDPR and the Data Protection Act 2018, Switzerland's revFADP, Canada's PIPEDA and Quebec Law 25, Brazil's LGPD, China's PIPL, Singapore's PDPA, Japan's APPI, Australia's Privacy Act, India's DPDPA, and South Africa's POPIA — alongside CCPA/CPRA and the U.S. state law patchwork.