Privacy Services
Frequently Asked Questions
Answers to the questions general counsel, Chief Privacy Officers, Data Protection Officers, CISOs, and compliance executives ask most often about Law & Forensics' Privacy practice. If your situation isn't addressed below, contact us for a confidential consultation.
Engagement & Privacy Strategy
When and how to bring a privacy advisor into your organization — and what differentiates a strategic privacy partner from a compliance vendor.
When does my organization need privacy counsel, and how early should we engage?
Engage privacy counsel before a triggering event — at product design, vendor onboarding, M&A diligence, or new market entry — not after a breach or regulator letter.
Privacy by design under GDPR Article 25 and analogous U.S. state law obligations require privacy assessment before processing begins. Late engagement narrows your options, leaves you negotiating from a position of weakness with regulators, and exposes the organization to fines under GDPR Article 83 (up to 4% of global annual turnover) and statutory damages under CCPA/CPRA. Learn more about our privacy consulting services.
What makes Law & Forensics different from a typical privacy consultancy?
We are practitioners, not order-takers.
Our team includes lawyers, privacy engineers, data scientists, former Chief Privacy Officers, and retired regulators who have lived through enforcement actions, breach notifications, and cross-border investigations from every side of the table. We deliver strategic counsel — not template policies — and our engagements are led by senior personnel from intake through regulator engagement.
What is a Privacy Impact Assessment (PIA) versus a Data Protection Impact Assessment (DPIA), and when is each required?
A PIA is a U.S./global best-practice exercise; a DPIA is a mandatory legal instrument under GDPR Article 35 when processing is "likely to result in a high risk" to data subjects.
DPIAs are required for systematic profiling, large-scale processing of special categories under GDPR Article 9, and systematic monitoring of public spaces. Colorado, Virginia, Connecticut, and several other state privacy laws now require analogous Data Protection Assessments for sale of personal data, targeted advertising, profiling with legal effect, and processing of sensitive data. We design PIA/DPIA programs that satisfy the strictest applicable standard so a single assessment covers GDPR, UK GDPR, CPRA, VCDPA, CPA, CTDPA, and the Maryland Online Data Privacy Act.
How do you build a privacy program from the ground up?
We start with a data inventory and Records of Processing Activities (RoPA) under GDPR Article 30, map the regulatory perimeter, and build the program around an established framework — typically NIST Privacy Framework or ISO/IEC 27701.
From there we develop policies, DSAR (data subject access request) workflows, vendor due-diligence procedures, training, and governance committees. Programs are calibrated to be effective, scalable, and sustainable — not paper exercises. See our privacy program development service.
Incident Response & Breach Notification
What to do — and what to avoid — when a privacy event hits, and how to satisfy notification obligations across overlapping regulatory regimes.
What is the 72-hour GDPR breach notification rule, and how do we comply?
GDPR Article 33 requires controllers to notify the lead supervisory authority of a personal data breach "without undue delay and, where feasible, not later than 72 hours after having become aware of it."
The clock starts when you have a reasonable degree of certainty that a breach occurred — not when forensic investigation completes. Late or incomplete notifications, and delays without a documented justification, draw enhanced enforcement scrutiny. Where the breach is "likely to result in a high risk" to individuals, GDPR Article 34 separately requires notification to data subjects. We help clients build the playbooks, decision trees, and forensic preservation steps that allow accurate notification within the window. See our privacy incident response planning service.
How do we manage U.S. state breach notification obligations across 50+ jurisdictions?
Every U.S. state, the District of Columbia, and several territories now have breach notification statutes, each with its own definition of "personal information," timing, content, and AG-notification thresholds.
HIPAA's Breach Notification Rule (45 CFR §§ 164.400–414) overlays a separate regime for protected health information, with HHS OCR notification within 60 days and "without unreasonable delay." We maintain a 50-state notification matrix calibrated to each statute's specific triggers and use it to drive a consistent, defensible notification strategy across affected jurisdictions in a single matter.
How do you train and stand up an internal privacy incident response team?
We build cross-functional incident response teams — privacy, legal, security, IT, communications, HR, and executive sponsor — and train them with realistic tabletop exercises before a live incident.
Training covers detection and triage, evidence preservation, regulator communication, customer notification scripts, and post-incident review. A trained team that has rehearsed under pressure makes the difference between a controlled disclosure and an enforcement action. See our privacy incident response planning capabilities.
What does a post-incident review and remediation engagement look like?
A defensible post-incident review identifies root cause, quantifies impact, closes program gaps, and produces documentation suitable for regulators and litigation.
We assess the incident timeline, identify privacy program gaps that allowed the event, and develop remediation plans grounded in business process re-engineering, system modification, or new control deployment — not just policy updates. Outputs are calibrated to be regulator-ready, including for FTC consent decrees, state AG settlements, and supervisory authority follow-on inquiries.
Regulatory Compliance & Cross-Border
Operating defensibly across overlapping U.S. state, federal, and international privacy regimes.
How do we comply with the patchwork of U.S. state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, IUDPA, MODPA)?
The pragmatic approach is to design once to the strictest applicable standard — typically CPRA plus Colorado Privacy Act rules — and layer state-specific requirements on top.
We map your processing activities against the California Consumer Privacy Act / CPRA, Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, Indiana, Tennessee, Texas, Oregon, Montana, Maryland Online Data Privacy Act (MODPA), and the rest of the growing patchwork. Outputs include a unified consumer rights workflow, a single sensitive-data inventory, opt-out and opt-in mechanisms (including Global Privacy Control), and a consolidated vendor contract program. See our privacy-focused regulatory services.
How do we lawfully transfer personal data out of the EU, UK, Switzerland, and China?
Cross-border transfers require a valid GDPR Chapter V mechanism — adequacy, Standard Contractual Clauses (SCCs) under GDPR Articles 46/47, Binding Corporate Rules, or a derogation under Article 49 — supported by a Transfer Impact Assessment under Schrems II.
The EU-U.S. Data Privacy Framework provides adequacy for self-certified U.S. importers. UK transfers require the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs. Switzerland's revFADP, China's PIPL (Standard Contract, Security Assessment, or Certification routes), and Brazil's LGPD all impose distinct cross-border requirements. We design transfer architectures that hold up to regulator and DPA review.
How do we conduct privacy due diligence on vendors and processors?
GDPR Article 28 and analogous U.S. state law require controllers to use only processors that provide "sufficient guarantees" of compliance and to enter into a written data processing agreement.
We design risk-tiered vendor privacy due diligence programs covering DPA negotiation, sub-processor controls, security assessments under GDPR Article 32, breach-notification SLAs, audit rights, and exit/return-of-data terms. This is where most enforcement actions originate — not at the controller level, but in unmonitored processor relationships.
How do you handle Data Subject Access Requests (DSARs) at scale?
We design DSAR workflows that satisfy GDPR Articles 15–22, CCPA/CPRA right-to-know and right-to-delete, and analogous state law rights — within statutory deadlines and without leaking other individuals' data.
Effective DSAR fulfillment depends on identity verification, accurate data mapping (you cannot fulfill a request against data you cannot find), redaction protocols, and clear extension procedures. For high-volume environments we deploy DSAR portals integrated with the underlying data inventory so the response is verifiable, auditable, and timely.
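As an added illustration (not Law & Forensics' tooling or workflow), the Python below sketches the mechanics this answer describes: pulling a subject's records from a small constructed inventory, masking other individuals' identifiers before disclosure, and computing the GDPR Article 12(3) response deadline (one month, extendable by two further months). The inventory, the record shape, and the email-proof identity check are assumptions made for the example.

```python
import calendar
import re
from datetime import date

# Constructed data inventory (assumed shape): system name -> records.
INVENTORY = {
    "crm": [{"subject_id": "u-100", "email": "alice@example.com", "plan": "pro"},
            {"subject_id": "u-200", "email": "bob@example.com", "plan": "free"}],
    "support": [{"subject_id": "u-100", "note": "Merge request involving bob@example.com"},
                {"subject_id": "u-100", "note": "Reset sent to alice@example.com"}],
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def add_months(d, n):
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def response_deadline(received_iso, extended=False):
    """GDPR Art. 12(3): one month from receipt, extendable by two further months
    for complex or numerous requests (tell the subject within the first month)."""
    return add_months(date.fromisoformat(received_iso), 3 if extended else 1).isoformat()

def collect_records(subject_id):
    """Data mapping step: every record held for the subject, across all systems."""
    return {s: [r for r in recs if r["subject_id"] == subject_id]
            for s, recs in INVENTORY.items()}

def redact_third_parties(records, subject_email):
    """Mask other individuals' email addresses so the response does not leak
    third-party data (the GDPR Art. 15(4) limit on the right of access)."""
    def scrub(v):
        if not isinstance(v, str):
            return v
        return EMAIL_RE.sub(lambda m: m.group(0) if m.group(0) == subject_email
                            else "[REDACTED]", v)
    return {s: [{k: scrub(v) for k, v in r.items()} for r in recs]
            for s, recs in records.items()}

def fulfil_dsar(request):
    """Assumed identity check (requester proved control of the email on file),
    then collect, redact and date-stamp the response package."""
    profile = next((r for r in INVENTORY["crm"]
                    if r["subject_id"] == request["subject_id"]), None)
    if profile is None or request["verified_email"] != profile["email"]:
        return {"status": "identity_not_verified"}
    records = redact_third_parties(collect_records(request["subject_id"]), profile["email"])
    return {"status": "ready", "records": records,
            "deadline": response_deadline(request["received"], request.get("extended", False))}
```

A production workflow would replace the email-proof check with risk-based verification and drive the inventory from the RoPA rather than a hard-coded dictionary.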
Which international privacy regimes do you advise on?
We advise on the full range of jurisdictions in which our clients operate.
That includes GDPR (EU), UK GDPR and the Data Protection Act 2018, Switzerland's revFADP, Canada's PIPEDA and Quebec Law 25, Brazil's LGPD, China's PIPL, Singapore's PDPA, Japan's APPI, Australia's Privacy Act, India's DPDPA, and South Africa's POPIA — alongside CCPA/CPRA and the U.S. state law patchwork. Programs are designed to satisfy the strictest applicable regime so a single privacy operating model can serve a global business.
