If your U.S. company collects personal information from California residents (defined broadly to include for example, name and email), then you need to post a privacy policy that meets certain criteria.

 

If your U.S. company solicits goods or services from EU residents then you need to be compliant with the EU’s General Data Protection Regulation (GDPR). In simple terms, the GDPR requires a compliant privacy notice (often referred to in U.S. as a privacy policy) and certain written agreements with subprocessors.  It also requires analysis of other requirements such as record keeping, data mapping, and training of personnel. Depending on the scope of your EU business, it may be recommended that you self-certify under the U.S. Dept of Commerce’s Privacy Shield program.

 

Jenny has significant experience counseling small to medium size companies on their GDPR compliance strategy. This includes drafting their privacy policy (or notice under GDPR), and model written agreements with subprocessors (often referred to as Data Processing Addendums), and offering them sound advice on the GDPR internal practice requirements.

 

She also counsel clients on strategy to certify under the Privacy Shield or rely on standard contractual clauses (with GDPR modifications).

 

She has coordinated internal training on the GDPR compliance and can provide recommendations for outsourcing data mapping and other GDPR technical requirements.

 

She has counseled companies on the upcoming California Consumer Protection Act (CCPA) and their compliance strategy. Similar to GDPR compliance, she can recommend outsourcing vendors for data mapping and other CCPA technical requirements.

 

In technology transactions, she has deep experience with data protection issues both on the customer and the vendor side of technology agreements.