Alessandra Borelli
Partner
We advise our clients on all aspects related to privacy and data protection. To this end, we are structured into three main areas:
Projects for adapting to the LGPD (Brazilian General Data Protection Law): we offer consulting for private companies and public bodies, perform maturity diagnostics of personal data governance, and structure governance and compliance programs with the LGPD.
Maturity Audit of the Privacy Program: we align the level of maturity of the organization by applying a privacy framework developed by the firm. This process includes the analysis and validation of the evidence of the privacy program, identification of any inconsistencies, and formulation of recommendations for correction.
Review and preparation of policies and procedures: we provide consulting in the analysis, review, and preparation of various policies and procedures related to data protection, such as: privacy notices, sharing policy, privacy by design procedure, among others.
Personal Data Protection Impact Assessment (DPIA): preparation and review of personal data protection impact assessments, as a way to analyze specific processing activities that may generate risks to civil liberties and fundamental rights of data subjects, pointing out risks and appropriate mitigation measures.
Legitimate Interest Assessment (LIA): preparation and review of legitimate interest assessments, as a way to evaluate the elements that allow its attribution as a legal basis for a specific personal data processing activity.
Due Diligence in privacy and data protection: assessment of companies or assets to identify privacy and data protection risks in the main processes, products, and services targeted by the merger or acquisition (M&A) transaction, giving visibility on: i) serious risks that may compromise the acquirer's business; ii) effort required, time, and resources to correct and/or mitigate identified risks; and iii) any obstacles to the main databases of the target being used by the acquirer.
Cookie compliance: analysis of the website to identify cookies used and their purposes, as well as assessment of legal bases authorizing said cookies and preparation of a notice aimed at transparency to data subjects.
Measurement of the level of transparency: measurement of the level of transparency of our clients' websites and applications, based on user experience, through a framework developed by the firm. The result of this work is an action plan to correct identified vulnerabilities.
Maturity measurement for incident response: measurement of the level of maturity of an organization to respond to security incidents involving personal data, through a framework developed by the firm. The result of this work is an action plan to correct identified vulnerabilities.
Maturity measurement for fulfilling data subject rights: measurement of the level of maturity of an organization to fulfill data subject rights, through a framework developed by the firm. The result of this work is an action plan to correct identified vulnerabilities.
Outsourced DPO (DPO as a Service): we act as the DPO of our clients, from formal appointment to the proactive management of compliance programs. To carry out this activity, we draw up a plan with activity milestones for the next two years.
DPO support services: we also act as support to the DPO appointed by the organization. In these cases, we work together with the DPO to prepare the work plan, execute management activities, as well as other consulting activities in privacy and data protection.
Response to data subject rights: guidance, preparation, and/or review of formal responses to be presented to data subjects seeking to exercise their rights.
Mapping review: we review the record of personal data processing activities for validation of the legal basis and updating of information. We also recommend the preparation of Data Protection Impact Assessments.
Measurement of the level of severity in cases of security incidents: preparation of a report to indicate the level of severity of security incidents involving personal data, with a recommendation of communication to the National Data Protection Authority (ANPD) and data subjects.
Review of contracts: construction and review of privacy and data protection clauses for various legal instruments, such as contracts, addenda, data processing agreements, data transfer agreements, and contracts involving international transfer of personal data.
Preparation and review of documents: adaptation of documents to the LGPD and/or other applicable privacy and data protection laws and regulations. Preparation and review of documents, forms, terms of use, consent terms, and other terms for compliance with applicable data protection legislation.
Legal analyses: preparation of legal analyses assessing compliance requirements and any inherent risks to processing activities in light of applicable privacy and data protection laws and regulations, as well as their respective mitigating measures.
Preparation of training and capacity-building materials on privacy and data protection: preparation of guides, presentations, and other materials and documentation for training and awareness of employees, partners, and service providers.
Support in Security Incidents: analysis of security incidents involving personal data, with preparation of an incident score and recommendations on whether to notify the competent authorities and the data subjects involved.
Consultations: answering queries and clarifying specific doubts by telephone, email, or participation in meetings or videoconferences.