International Privacy Compliance

Through Carlton Fields’ International Privacy Compliance services, we assist U.S.-based companies that do business internationally in complying with the ever-changing landscape of data privacy laws. We have particular experience in the European Union and Central and South America, including Brazil. 

Whether our clients are seeking to expand products and services to international markets, or are looking to ensure an existing compliance program is up to date with the latest guidance and regulations, Carlton Fields’ multidisciplinary team can assist. As needed, we partner with clients’ existing foreign law firms, or through a referral from within our network of trusted law firms based in your target country, for “on the ground” advice outside the United States.  

Assisting Clients With 

• GDPR
• Brexit transition from GDPR
• Brazil’s LGPD
• Canada’s PIPEDA
• Jamaica's Data Protection Act
• EU Data Protection Authority guidance and enforcement, including:
  • Irish Data Protection Commissioner’s cookie consent and management
  • German Data Protection Authority data transfer mechanisms
• Bringing businesses up to date with their data control, processing, and transfers post-Schrems II
• Compliance with global industry standards (PCI-DSS, IAB Frameworks)

 Keeping Clients Up to Date and Ahead Of 

• Guidance issued from European Union Data Protection Authorities
• Investigations and enforcement actions from international regulators
• Emerging privacy regulations
• Transfer of data, including employee data, from the EU to the United States, and vice versa

Assembling a Compliance Roadmap

Carlton Fields offers flexible programs that leverage prior compliance efforts and allow our clients to adjust without reinventing the wheel: 

• Data mapping and risk assessment
• Privacy policy creation and maintenance
• Data subject access request management
  • Opt-out processes for data deletion, data portability, and other GDPR consumer rights
  • Workflows for responding to data subject access requests (scripts, forms, and operationalization)
  • Internal management mechanisms for response and audit trails of data subject access requests
• Draft and negotiate contracts and agreements to reflect data privacy obligations and data processing
• Implementation of employee training related to the GDPR and LGPD and responding to data subject requests
• Creation of an incident response plan for GDPR data security requirements
• Updates to internal and external privacy policies related to the GDPR and LGPD
• Review of consent mechanisms for general data collection
• Cookie consent and management of preferences
• Global data breach notification analysis and compliance

Providing Turnkey Training Solutions

Carlton Fields provides turnkey and white-label training solutions such as: 

• GDPR Basic Training for All Employees
• GDPR Data Subject Access Request Management Training
• LGPD Basic Training for All Employees
• LGPD Data Subject Access Request Management Training
• EU Cookie Consent and Management Training

Ramping Up Existing Compliance Programs

Carlton Fields can assist companies in determining effective and innovative ways to build on existing compliance programs, assisting in-house counsel and other legal support staff. 

Flexible Solutions for Small to Midsize Businesses 

Carlton Fields provides turnkey solutions and applications to help SMBs that are looking to expand sales and relationships abroad meet their compliance needs. Our solutions and alternative fee models get our clients to their compliance goals and in a position to scale their data collection. 

Industries Served Include:

• Biotechnology
• Artificial intelligence
• Technology
• Media and entertainment
• Telecommunications
• Professional services
• Video games and esports
• Advertising
• Financial services

• Development and implementation of GDPR compliance programs for international social media software as a service (SaaS) platform.
• Development and implementation of GDPR compliance programs for international retail company.
• Representation with local counsel of companies before EU Data Protection Authorities in regulatory inquiries.
• Launch of mobile application startups in app stores in international markets.
• Scaling privacy compliance programs as outside counsel from startup to IPO.
• Drafting and negotiation of data processing agreements and related documents in connection with international data transfers.
• Contract review for compliance with international data security and privacy laws, including vendor contract reviews.
• Assisting international corporations and investment groups in the preparation and response to global cybersecurity threats, including serving as “breach coach” with consumer notifications required under GDPR.