Our Privacy team develops right-sized legal solutions to help you address global data privacy compliance requirements, manage data in development, and assist with data privacy in commercial transactions.

Global Compliance Programs & GDPR Readiness. We assist emerging and public companies (e.g., FTSE 100 and Fortune 500) with global compliance programs that facilitate business objectives and growth while mitigating regulatory and litigation risk. Clients that collect and process data related to customers, website visitors, employees and other individuals and use that data in connection with customer service, HR functions, big data analytics, product and service development, and strategic planning regularly call on us to provide efficient and business-sensitive advice on managing risk associated with these activities. As they develop and share more information between corporate entities, with third parties, and across borders, we work closely to develop global data sharing compliance strategies.


We conduct readiness assessments and develop tailored remediation plans to help clients move towards compliance with the General Data Protection Regulation (GDPR). We frequently partner with internal and/or third party privacy and project management stakeholders to provide counsel throughout the life cycle of GDPR compliance programs, specifically on the following:

  • Embedding GDPR principles and advising on regulatory best practices in relation to organisations’ handling of personal information;
  • Developing specific analysis and interpretation of key GDPR themes and their impact for clients (e.g., GDPR applicability and scope, appointment of data protection officers, approach to data subject rights and international data transfers, and the implications of the UK leaving the European Union); and
  • GDPR work products including drafting and negotiation of data processing agreements and a suite of internal and external privacy and related policies.

Product/Service Development.  We partner with clients to proactively manage every step in the data life cycle: collection, use, sharing, transfer, storage, protection, retention and disposal. Our experience working with global, multi-national public companies and start-up unicorn technology companies allows us to provide practical, risk-indexed privacy and security advice that works in a business-as-usual setting and comports with commercial needs. Because privacy issues most often arise following an audit, regulatory investigation, or data breach, the ability to systematize and operationalize proactive protocols is critical to risk mitigation and management. We have worked in this space on the following types of projects:

  • Developing privacy audits, privacy-impact assessments (PIA), and privacy-by-design (PbD) programs;
  • Developing privacy risk management processes for “Big Data” and “People Analytics” engines, Social Media, Internet of Things (IOT) and smart devices, and other disruptive technologies;
  • Designing and implementing legal and technical enterprise privacy-governance structures to manage international data transfers (both intragroup transfers and third-party transfers), including EU-US Privacy Shield, EU model contract clauses, and binding corporate rules (BCR);
  • Integrating foreign affiliates into internal data sharing/access schemes, and implementing  data processing through outsourcing by third-party service providers, including cloud computing platforms and services;
  • Evaluating privacy issues relating to new software applications to process, for example, employee or customer data (e.g., CRM systems, EARP systems, employee monitoring technologies);
  • Designing online privacy policies, terms of service (ToS), end-user licensing agreements (EULA), relating to core privacy and related consumer-protection issues; and
  • Counseling pursuant to a host of international privacy rules and regulations and related consumer-protection statutes.

Transactional Expertise.  Commercial transactions and deals regularly involve aspects of data privacy, including the sharing, and often purchase, of critical information and personal data assets. We conduct privacy reviews and deal diligence, and advise on risk mitigation strategies in relation to M&A transactions, as well as vendor agreements (e.g., cloud storage and processing, online advertising) and licensing agreements. We are often called on to advise on preclosing privacy mitigation strategy, particularly where the target-seller’s personal data assets are not subject to appropriate merger clauses.