PROGRAM MATERIALS Program #2819 April 24, 2018
Complying with the EU General Data Protection Regulation (GDPR): Third Party Vendor Management Programs
Copyright ©2018 by David A. Zetoony, Esq., Bryan Cave
LLP; Christopher M. Achatz, Esq., Bryan Cave LLP. All Rights Reserved. Licensed to Celesq®, Inc.
Celesq® AttorneysEd Center
www.celesq.com
5301 North Federal Highway, Suite 180, Boca Raton, FL 33487 Phone 561-241-1919 Fax 561-241-1969
Complying With The EU GDPR
Bryan Cave Data Privacy and Security Team
Agenda
Overview: GDPR
Module 1. Information Notices / Privacy Policies
Module 2. Conducting Data Inventories
Module 3. Data Subject Requests
Module 4. Incident Response Plans
Module 5. Third Party Vendor Management Programs
Module 6. Cross Border Transfers
Overview
Overview: Historical background
• The EU Data Protection Directive (95/46/EC)
– Enacted in 1995.
– Created a standard legal framework for EU member states.
– It was not a self-implementing statute, regulation, or rule; it required national implementation.
– In US legal parlance, it was akin to an unfunded federal mandate.
– There were 28 Member State implementing statutes in various languages, with various texts, and with various requirements.
– An advisory body (the Article 29 Working Party) provided interpretative guidance.
Overview: GDPR
The General Data Protection Regulation (EU) 2016/679
• Replaces the EU Data Protection Directive.
• Entered into force in May 2016.
• Applies beginning 25 May 2018.
• Directly applicable in all EU Member States.
• Aims to unify data protection law within the European Union and increases data subjects' rights.
• Still authorizes individual EU Member States to implement more specific rules in certain areas.
Overview: GDPR – The Countdown
Overview: GDPR – 10 Top Talked About Provisions
1. Penalties. Under the Directive functionally non-existent; under the GDPR up to 4% of worldwide annual turnover (or €20 million, whichever is higher).
2. Floor not ceiling. Member states can enact additional safeguards in certain areas, including research.
3. Extraterritorial. Purports to apply to "establishments" in the EU and to other organizations that monitor the behavior of EU data subjects or offer goods or services to EU data subjects.
4. Breach Notification. Adopts new breach notification obligations.
5. Children. Adopts US-like protections concerning collection of data from children.
6. Right to be Forgotten. Grants data subjects a right to have their information erased.
7. Right to Data Portability. Grants data subjects a right to receive their information in a structured, commonly used, machine-readable format and to transmit it to another controller.
8. Data Protection Officers. Requires some organizations to designate data protection officers.
9. Data Protection Impact Assessments. Requires organizations to create internal records concerning the impact of high-risk processing.
10. Data Minimization / Storage Limitation. Requires that personal data be limited to what is necessary for the purposes of processing and be kept for no longer than is necessary.
Overview: Core Requirements
Requirements differ depending upon whether you are a “Data Controller” or a
“Data Processor.”
• A “Data Controller” is defined as the entity which “determines the purposes
and means of the processing of personal data.” GDPR, Art. 4(7).
• A “Data Processor” is defined as an entity “which processes personal data on
behalf of the controller.” GDPR, Art. 4(8).
Overview: Core Requirements
Overview: Ability to Process Data
Overview: Individual Rights
Overview: Accountability / Governance
Overview: Data Security
Overview: Transferring Data Outside EEA
Overview: Service Providers
Overview: Operationalizing the GDPR – Top 10 Core Documents
Module 5: Vendor Management
Outline:
– Processing Requirements between Controller and Processor
• Practice Pointers for Controllers and Processors
– Processor Liability
– Comparison against Controller/Processor Model Clauses
– Comparison against Privacy Shield
– Practice Pointers
Module 5: Processing Requirements
Article 28(1)
Processing Requirements
“Where processing is to be carried out on behalf of a controller, the controller
shall use only processors providing sufficient guarantees to implement
appropriate technical and organizational measures in such a manner that
processing will meet the requirements of this Regulation and ensure the
protection of the rights of the data subject.”
Article 28(3)
Processing Requirements
“Processing by a processor shall be governed by a contract or other legal act
under Union or Member State law that is binding on the Processor with regard
to the controller . . . .”
Module 5: Processing Requirements
1) Subject Matter/Purpose/Type of Data/Categories of Data Subjects
Article 28(3)
"Processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller."
• Description of Subject Matter and Duration
• Description of Nature and Purpose
• Description of Type of Personal Data
• Description of Categories of Data Subjects
Module 5: Processing Requirements
2) Documented Instructions
Article 28(3)(a)
"processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest"
• Controller Practice Pointer:
– Controller still has wide latitude to determine processing.
– Processor cannot abdicate its responsibility under the GDPR.
• Processor Practice Pointer:
– Processor may request that Controller warrant that it has obtained all necessary rights and consents in order for Processor to fulfil its obligations.
Module 5: Processing Requirements
3) Confidentiality
Article 28(3)(b)
"ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality"
• Controller Practice Pointer:
– Clearly applies to the processor's employees, and likely extends to a subprocessor and its employees (and is subject to the records requirements of Article 28(3)(h)).
• Processor Practice Pointer:
– Likely to already be covered, at least in part, under another agreement between controller and processor.
Module 5: Processing Requirements
4) Processor Security
Article 28(3)(c)
"takes all measures required pursuant to Article 32 [Security of Processing – processor shall implement appropriate technical and organisational measures]"
• Controller Practice Pointer:
– There is a lot in Article 32, including references to encryption, pseudonymisation, confidentiality, integrity, availability, restoration of data, security program testing, regular evaluations, and terms related to a personal data breach.
• Processor Practice Pointer:
– "Appropriate technical and organisational measures" is a broad standard without much guidance.
Module 5: Processing Requirements
5) Subprocessors – Part 1
Article 28(3)(d) => Article 28(2)
"The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes."
• Controller Practice Pointer:
– Open-ended specific written authorisation.
• Processor Practice Pointer:
– General authorisation, with limits on how a controller can object, which may end in termination. May request consent to a list of subprocessors in the agreement.
Module 5: Processing Requirements
5) Subprocessors – Part 2
Article 28(3)(d) => Article 28(4)
"Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations."
• Controller Practice Pointer:
– Request third-party beneficiary rights.
– Processor is fully liable for the subprocessor, not simply responsible.
• Processor Practice Pointer:
– Maintain role as intermediary between controller and subprocessor.
Module 5: Processing Requirements
6) Data Subject Rights
Article 28(3)(e)
"taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III [Rights of the Data Subject]"
• Controller Practice Pointer:
– Processor is to receive, refer, and act on data subject requests at the discretion of the controller.
• Processor Practice Pointer:
– Refer only, in accordance with the processor's standard practice.
– Ability to charge for time and materials.
Module 5: Processing Requirements
7) Assist in Controller Security
Article 28(3)(f)
"assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 [32 – Security of Processing] taking into account the nature of processing and the information available to the processor"
• Controller Practice Pointer:
– Require a cybersecurity audit report.
• Processor Practice Pointer:
– Simply implement the measures already required by Article 28(3)(c) – Processor Security, with the ability to charge for time and materials for anything additional.
Module 5: Processing Requirements
7) Assist in Personal Data Breach
Article 28(3)(f)
"assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 [33 & 34 – Personal Data Breach] taking into account the nature of processing and the information available to the processor"
• Controller Practice Pointer:
– Notice ("promptly" = well under 72 hours, because the controller itself must notify the supervisory authority within 72 hours of becoming aware of the breach under Article 33(1), and Article 33(2) requires the processor to notify the controller only "without undue delay"), reasonable cooperation, ability to direct the response, and indemnity.
• Processor Practice Pointer:
– Notice ("promptly" = >72 hours) and reasonable cooperation.
Module 5: Processing Requirements
7) Assist in Data Protection Impact Assessment
Article 28(3)(f)
"assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 [35 & 36 – DPIA/Supervisory Authority] taking into account the nature of processing and the information available to the processor"
• Controller Practice Pointer:
– Ability to control the flow of information and coordination.
• Processor Practice Pointer:
– Reasonable coordination, with the ability to charge for time and materials.
Module 5: Processing Requirements
8) Return or Delete Personal Data
Article 28(3)(g)
"at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data"
• Controller Practice Pointer:
– Delete or return upon request, and with instructions.
• Processor Practice Pointer:
– Rely on the confidentiality provision of the base agreement.
– Implement tools that allow the controller to delete or export the data itself.
Module 5: Processing Requirements
9) Records and Audit
Article 28(3)(h)
"makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller."
• Controller Practice Pointer:
– Records, audits, and inspections, with controls mandated by the controller.
– Subprocessor contracts and processing subject to audit.
• Processor Practice Pointer:
– Review or control of an independent audit report.
– Controls mandated by the processor.
– Ability to charge for time and materials to comply.
Module 5: Processing Requirements
10) International Data Transfer
Article 46(1)
"a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available."
• Controller Practice Pointer:
– Processor shall comply with all instructions with regard to international data transfers.
• Processor Practice Pointer:
– Processor has pre-signed Controller-Processor Standard Contractual Clauses.
Module 5: Processing Requirements
Top Ten Operational Requirements
1) Subject Matter/Purpose/Type of Data/Categories of Data Subjects
2) Documented Instructions
3) Confidentiality
4) Processor Security
5) Subprocessors
6) Data Subject Rights
7) Assist the Controller in Controller Security/Personal Data Breach/DPIA
8) Return or Delete Personal Data
9) Records and Audit
10) International Data Transfer
Module 5: Processor Liability
1. Expressly Unlimited
"Notwithstanding anything to the contrary in the Principal Agreement, Vendor's liability for any breach of this Addendum shall be unlimited."
2. Fully Liable Language
"Service Provider shall remain fully liable to the Company for its performance, and the performance of any subprocessors."
3. Fully Liable Language (added to Subprocessing section)
Integrating an indirect reference to full liability within the subprocessing section (where it is least likely to be recognized or objected to). For example: "In addition to being fully liable to Company for its own obligations under this Addendum, Vendor shall remain fully liable for any failure by each Subprocessor to fulfill its obligations in relation to the Processing of any Company Personal Data."
4. Carveout for Full Liability for Personal Data Breach and/or Data Security Measures
"Any damages, costs, or fines arising from this [Personal Data Breach/Data Security Measures] Section supersede, and are not limited by, any limitations of liability provided in the Agreement."
5. No Reference in DPA, but DPA set up as a stand-alone agreement
6. Liability Cap but No Indemnification Cap
"The total combined liability of either Party and its Affiliates toward the other Party and its Affiliates for damages under or in connection with this Addendum will be limited to the Agreed Liability Cap for the relevant Party. Notwithstanding any limitation on liability, however, Service Provider will indemnify and defend Controller in relation to any third party claim that relates to, or arises from, a breach of Service Provider's obligations under this Addendum."
7. No Reference in DPA, but DPA set up as an Amendment to the Underlying Agreement
8. Capped at Underlying Agreement
"The total combined liability of either Party and its Affiliates towards the other Party and its Affiliates under or in connection with this Addendum will be limited to the agreed liability cap in the Principal Agreement." Drafting note: only include if required; otherwise rely on the caps in the Principal Agreement.
9. Additional Indemnity from Controller for Controller Instructions
"Controller shall indemnify and defend Processor in connection with any processing carried out by Processor or a Subprocessor pursuant to any instruction of Controller that infringes any Data Protection Laws."
Module 5: Comparison Against Controller/Processor Model Clauses (1)
GDPR requirement vs. Controller-Processor Standard Contractual Clauses (columns: Summary of Requirement / Reference / Requirement Satisfied by Standard Clauses / Explanation)
1. Description of Processing. The parties must specify: (1) subject matter of processing; (2) duration of processing; (3) nature and purpose of processing; (4) type of personal data to be processed; (5) categories of data subjects to which the data relates.
Reference: Art. 28(3)
Satisfied by Standard Clauses: Partial Gap
Explanation: Appendix 1 of the Standard Contractual Clauses describes (1) subject matter of processing, (2) nature and purpose of processing, (3) type of personal data, and (4) categories of data subjects. The Standard Contractual Clauses, and the Appendix, do not discuss the duration of processing.
2. Documented Instructions. A service provider can only process personal data consistent with a controller's documented instructions.
Reference: Art. 28(3)(a)
Satisfied by Standard Clauses: Satisfied
Explanation: Clause 5(a) and (b) of the Standard Contractual Clauses contain a requirement that processing can only occur based on a controller's instructions.
3. Confidentiality. The contract must contain a confidentiality provision. That provision must ensure that persons authorized to process personal data have committed themselves to confidentiality.
Reference: Art. 28(3)(b)
Satisfied by Standard Clauses: Gap
Explanation: The Standard Contractual Clauses do not contain a representation by a data importer concerning confidentiality.
4. Processor Security. Service provider will implement appropriate technical and organizational measures to secure information. (c/p)
Reference: Art. 28(1); Art. 28(3)(c); Art. 32(1)
Satisfied by Standard Clauses: Satisfied
Explanation: Clause 5(c) of the Standard Contractual Clauses requires the processor to agree to the security provisions contained in Appendix 2. Presuming that Appendix 2 contains a description of appropriate security, there would be no gap.
Module 5: Comparison Against Controller/Processor Model Clauses (2)
5. Subcontracting authorization. A service provider must obtain written authorization before subcontracting, and must inform the Company before it makes any changes to its subcontractors. (c/p)
Reference: Art. 28(2); Art. 28(3)(d)
Satisfied by Standard Clauses: Satisfied
Explanation: Clauses 5(h) and 11(1) of the Standard Contractual Clauses require that a processor notify the controller before using a subprocessor, and obtain the controller's prior written consent.
6. Subcontracting flow-down obligations. Service provider will flow down these obligations to any subprocessors. (c/p)
Reference: Art. 28(3)(d); Art. 28(4)
Satisfied by Standard Clauses: Satisfied
Explanation: Clause 11(1) of the Standard Contractual Clauses requires that a processor flow down obligations to any subprocessors.
7. Subcontracting liability. A service provider must remain fully liable to the controller for the performance of a subprocessor's obligations.
Reference: Art. 28(3)(d)
Satisfied by Standard Clauses: Satisfied
Explanation: Clause 11(1) of the Standard Contractual Clauses requires that a processor remain fully liable for the actions of its subprocessors.
8. Responding to data subjects. Service provider will assist the Company to respond to any requests by a data subject. (c/p)
Reference: Art. 28(3)(e); Art. 12 – 23
Satisfied by Standard Clauses: Partial Gap
Explanation: Clause 5(d)(iii) and Clause 5(e) of the Standard Contractual Clauses require that a processor notify a controller of a data subject request. The clauses do not specifically discuss an obligation to cooperate in responding to such a request.
Module 5: Comparison Against Controller/Processor Model Clauses (3)
9. Assisting Controller in Responding to Data Breach. Service provider will cooperate with the controller in the event of a personal data breach.
Reference: Art. 28(3)(f); Art. 33 – 34
Satisfied by Standard Clauses: Gap
Explanation: Clause 5(d)(ii) requires that a processor notify a controller concerning a subset of what the GDPR defines as a "personal data breach." It does not comply with the GDPR's timing requirements. It also does not discuss obligations to cooperate in investigations and response.
10. Assisting Controller in Creating DPIA. Service provider will cooperate with the controller in the event the controller initiates a data protection impact assessment.
Reference: Art. 28(3)(f); Art. 35 – 36
Satisfied by Standard Clauses: Gap
Explanation: The Standard Contractual Clauses do not discuss the obligation of a processor to participate in DPIAs conducted by a controller.
11. Delete or return data. Service provider will delete or return data at the end of the engagement. (c/p)
Reference: Art. 28(3)(g)
Satisfied by Standard Clauses: Satisfied
Explanation: Clause 12(1) of the Standard Contractual Clauses requires a processor to delete or return data upon termination of an agreement.
12. Audit Right. Service provider will allow the Company to conduct audits or inspections for compliance with these obligations. (c/p)
Reference: Art. 28(3)(h)
Satisfied by Standard Clauses: Partial
Explanation: Clauses 5(f) and 12(2) of the Standard Contractual Clauses refer to the ability of the controller to audit or inspect the processor for compliance with the requirements of the clauses; as the clauses do not include all of the requirements of the GDPR, the audit provision is technically narrower than is required under the GDPR.
13. Cross-border transfers. Service provider will not transfer data outside of the EEA without permission of the Company. (c/p)
Reference: Art. 28(3)(a); Art. 46
Satisfied by Standard Clauses: Partial
Explanation: The Standard Contractual Clauses permit the transfer of data from the controller to a processor that is not based in the EU. The clauses do not discuss whether the processor is permitted to engage in onward transfers to additional countries outside of the EEA.
Module 5: Comparison Against Privacy Shield (1)
GDPR requirement vs. Privacy Shield (columns: Summary of Requirement / Reference / Requirement Satisfied by Privacy Shield / Explanation)
1. Description of Processing. The parties must specify: (1) subject matter of processing; (2) duration of processing; (3) nature and purpose of processing; (4) type of personal data to be processed; (5) categories of data subjects to which the data relates.
Reference: Art. 28(3)
Satisfied by Privacy Shield: Gap
Explanation: Privacy Shield registration does not in and of itself specify the type of personal data processed, the categories of data subjects involved, or the scope of permissible processing.
2. Documented Instructions. A service provider can only process personal data consistent with a controller's documented instructions.
Reference: Art. 28(3)(a)
Satisfied by Privacy Shield: Gap
Explanation: Privacy Shield recognizes that a controller in the EU is "always required to enter into a contract when a transfer for mere processing is made . . . whether or not the processor participates in the Privacy Shield," and that the purpose of the contract is to "make sure that the processor acts only on instructions from the controller."
3. Confidentiality. The contract must contain a confidentiality provision. That provision must ensure that persons authorized to process personal data have committed themselves to confidentiality.
Reference: Art. 28(3)(b)
Satisfied by Privacy Shield: Partial Gap
Explanation: The purpose limitation contained in Privacy Shield Principle 5(a) might be interpreted as precluding a service provider from disclosing personal data, as such disclosure would presumably be "incompatible with the purposes for which [the data] has been collected . . . ."
4. Processor Security. Service provider will implement appropriate technical and organizational measures to secure information.
Reference: Art. 28(1); Art. 28(3)(c); Art. 32(1)
Satisfied by Privacy Shield: Satisfied
Explanation: Privacy Shield requires that "Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data."
Module 5: Comparison Against Privacy Shield (2)
5. Subcontracting authorization. A service provider must obtain written authorization before subcontracting, and must inform the Company before it makes any changes to its subcontractors.
Reference: Art. 28(2); Art. 28(3)(d)
Satisfied by Privacy Shield: No
Explanation: Privacy Shield requires that a registrant ensure that its service providers only use information for "limited and specified purposes." It does not, however, require that a registrant that is acting as a processor obtain the consent of the controller prior to the use of a subcontractor.
6. Subcontracting flow-down obligations. Service provider will flow down these obligations to any subprocessors.
Reference: Art. 28(3)(d); Art. 28(4)
Satisfied by Privacy Shield: Partial Gap
Explanation: While Privacy Shield does have some flow-down obligations, not all of the provisions that the GDPR requires to be placed in contracts are inherent in Privacy Shield, so the flow-down provisions created by Privacy Shield do not cover the full scope of the flow-down obligations in the GDPR.
7. Subcontracting liability. A service provider must remain fully liable to the controller for the performance of a subprocessor's obligations.
Reference: Art. 28(3)(d)
Satisfied by Privacy Shield: Partial Gap
Explanation: Privacy Shield states that an organization remains "liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles unless the organization proves that it is not responsible for the event giving rise to the damage." It is not clear whether the exception to liability in Privacy Shield is consistent with the liability provisions in the GDPR.
8. Responding to data subjects. Service provider will assist the Company to respond to any requests by a data subject.
Reference: Art. 28(3)(e); Art. 12 – 23
Satisfied by Privacy Shield: Partial Gap
Explanation: Privacy Shield requires that a service provider grant access, rectification, and deletion requests to a data subject. This may be at odds with the GDPR, which requires that a service provider cooperate with the controller but leaves responding to such requests to the controller.
Module 5: Comparison Against Privacy Shield (3)
9. Assisting Controller in Responding to Data Breach. Service provider will cooperate with the controller in the event of a personal data breach.
Reference: Art. 28(3)(f); Art. 33 – 34
Satisfied by Privacy Shield: Gap
Explanation: Privacy Shield does not discuss the obligation of a service provider to cooperate with a controller in the event of a personal data breach.
10. Assisting Controller in Creating DPIA. Service provider will cooperate with the controller in the event the controller initiates a data protection impact assessment.
Reference: Art. 28(3)(f); Art. 35 – 36
Satisfied by Privacy Shield: Gap
Explanation: Privacy Shield does not discuss the obligation of a service provider to cooperate with a controller to conduct a DPIA.
11. Delete or return data. Service provider will delete or return data at the end of the engagement.
Reference: Art. 28(3)(g)
Satisfied by Privacy Shield: Partial Gap
Explanation: Privacy Shield prohibits maintaining information in an identifiable manner after it has served its permissible purpose. Note, however, that it does not mandate that the personal data be deleted or returned at the election of the controller.
12. Audit Right. Service provider will allow the Company to conduct audits or inspections for compliance with these obligations.
Reference: Art. 28(3)(h)
Satisfied by Privacy Shield: Gap
Explanation: Privacy Shield requires that registrants conduct their own audits of their internal privacy practices; it does not guarantee that a controller has audit rights vis-à-vis a processor.
13. Cross-border transfers. Service provider will not transfer data outside of the EEA without permission of the Company.
Reference: Art. 28(3)(a); Art. 46
Satisfied by Privacy Shield: Gap
Explanation: Privacy Shield does not prohibit a service provider from making an onward transfer to a subprocessor that is located outside of the EEA (or outside of the US).
Module 5: Practice Pointers
• Are all service providers considered to be “processors”?
• Is it the responsibility of the Controller or the Processor
to enter into a Data Processing Addendum?
• What if the Controller and Processor never sign a Data
Processing Addendum?
• Should the Controller or Processor proactively come out
with a Data Processing Addendum?
• Should the Controller or Processor proactively come out
with a pre-signed Controller/Processor Model Clause?
Module 5: Biography
David Zetoony
Partner
Chair, Data Privacy & Security Team
Bryan Cave LLP
Washington, D.C. / Boulder, Colorado
202 508 6030
David.Zetoony@bryancave.com
David Zetoony is the leader of the firm's global data privacy and security
practice. He has extensive experience advising clients on how to comply with
state and federal privacy, security, and advertising laws, representing clients
before the Federal Trade Commission, and defending national class actions.
He has assisted hundreds of companies in responding to data security
incidents and breaches, and has represented human resource management
companies, financial institutions, facial recognition companies, and consumer
tracking companies before the Federal Trade Commission on issues involving
data security and data privacy.
Module 5: Biography
Chris Achatz
Associate
CIPP/US
Bryan Cave LLP
Boulder, Colorado
303-417-8544
Chris.Achatz@bryancave.com
Chris Achatz is an Associate with the Data Privacy and Security team at Bryan
Cave. Achatz’s data privacy and security practice involves advising his clients
on industry-specific regulations and standards that govern the responsible use,
collection and management of their customers’ personal information. His
experience also includes developing company policies and drafting and
implementing privacy- and security-related compliance strategies and
programs. He is a certified information privacy professional and former in-
house counsel for a leading data and analytics company.