David Williams

Career Associate

San Francisco

David Williams, CIPP/US, CIPM, is an eDiscovery and Cyber, Privacy & Data Innovation lawyer in the San Francisco office of Orrick, Herrington & Sutcliffe. David advises clients on a broad range of privacy and cybersecurity matters, including compliance and risk management.

David's practice focuses on leveraging his experience in providing insight and guidance on U.S. and EU privacy laws to assist clients with their privacy and cybersecurity needs. David works primarily with the eDiscovery and Cyber, Privacy & Data Innovation groups addressing privacy issues in the context of compliance and litigation efforts. David assists clients from a broad range of industries and sectors in assessing their current privacy and cybersecurity practices.

David has guided clients through tailored California Consumer Privacy Act (CCPA) compliance programs and has experience evaluating the applicability of European data protection requirements, including the General Data Protection Regulation (GDPR), to U.S. companies.

Before joining Orrick, David was a Privacy Law Clerk at LinkedIn, where he worked with the legal team to develop policies and procedures in preparation for the enforcement of the GDPR. David also addressed privacy and data management questions for LinkedIn services and managed data processing and handling issues for new products.

David also has an active pro bono practice, which has included representing clients in immigration and innocence matters and assisting small and non-profit businesses with their privacy needs.

    • Guided and managed a multinational multi-level marketing company, a cloud-based document service company, and a financial technology company through the creation of tailored compliance programs to address the enforcement of the California Consumer Privacy Act.

    • Drafted over a dozen internal and external data privacy notices, policies, and handbooks to reflect data collection, use, and handling practices; prepared an image and video recording policy to address the changes in business practices in light of the COVID-19 pandemic.

    • Simultaneously managed multiple privacy compliance projects for a global technology company and conducted detailed weekly reporting.

    • Completed data mapping exercises for both large and small companies with an emphasis on identifying data handling and processing risks.

    • Developed and maintained a comprehensive state privacy legislative tracker identifying key initiatives and developments in the privacy field for multiple clients.

    • Advised and assisted colleagues through GDPR Article 30 documentation and legitimate interest analysis in connection with the collection and transfer of data from EU custodians on three separate matters.

    • Completed six Data Protection Impact Assessments (DPIAs), documenting the steps taken to minimize data privacy risks associated with the collection, use, and disclosure of personal data.

    • Assessed over two dozen Data Protection Agreements to ensure compliance with the GDPR, CCPA, and other applicable international regulatory and legal frameworks in Asia.

    • Conducted assessment of over 100 automated data processing activities for data privacy-related risks and coordinated with internal teams to ensure compliance with applicable regulatory frameworks.

    • Coordinated with external Europe-based Data Protection Officers (DPOs) regarding compliance with the GDPR and EU Member State data privacy frameworks for three global project deployments.