Privacy and data security issues impact every organization. Every company is a “data company” and is responsible for safeguarding and responsibly handling personal information. Davis Graham and Stubbs LLP’s privacy and data security practice partners with clients to streamline compliance practices and address requirements from the patchwork of U.S. and international laws governing the collection, use, storage, transfer, and disposal of personal information.
Many of our team members hold advanced certifications in privacy, including the CIPP/E, CIPP/U.S., CIPM, and FIP designations. To keep abreast of the latest data trends and technologies, our attorneys are involved in numerous privacy leadership and industry groups, including the International Association of Privacy Professionals’ Education Advisory Board and the Colorado Technology Association.
- Data inventory and risk assessment
- Policy drafting
- Information governance and records retention
- Information security policies and assessments
- Incident response planning and data breach response and notification
- Vendor management
- Contract drafting and negotiation
- Due diligence in M&A transactions
- Employee training
- Cyber insurance coverage analysis
- Assist clients in the life science, financial services, retail, technology, and hospitality industries in developing privacy compliance programs, both generally and with a specific focus on GDPR and CCPA. This includes drafting policies; preparing and negotiating vendor agreements; developing procedures for handling individual inquiries; updating incident response procedures; and conducting employee training.
- Advise clients on international data protection requirements, including implementing legal mechanisms for the transfer of data from the EU, Latin America, and Asia to the U.S.; addressing direct marketing requirements, including under the ePrivacy Directive; drafting individual consent requests and protocols for requesting and documenting the same; and developing procedures for data subject access requests.
- Assist clients in developing data inventories and data maps, including designing a protocol, conducting interviews with stakeholders, and documenting data, systems, and flows.
- Draft records retention policies and update retention schedules. Work with clients on data disposal policies.
- Develop and implement risk assessment programs, both project-specific and enterprise-wide, including creating a risk methodology, preparing questionnaires, working with stakeholders, identifying risks, and developing risk mitigation plans.
- Draft online privacy notices addressing requirements in the U.S. and internationally; prepare layered privacy notices.
- Develop compliance programs for the handling of biometric data.
- Design and update vendor management programs, including due diligence procedures, contract drafting and negotiation, and monitoring of vendor compliance.
- Prepare incident response plans for a variety of organizations and assist with response to data security incidents and breach notification in multiple jurisdictions.
- Draft information security policies and direct information security assessments.
- Work with clients to conduct, or respond to, due diligence inquiries for M&A transactions.
- Conduct company-wide and targeted employee training.