
The Advisori Story
We know privacy compliance is complex. We know how to help.
Advisori was founded by Hilton Hotel's former Global Data Protection Officer. We are a team of privacy lawyers, privacy officers, data protection officers, and privacy technologists with the mission of providing comprehensive privacy consulting services and cutting-edge privacy technology to our clients in multiple commercial industries.
Our Professionals
Is your Privacy Office struggling with:

Keeping up with rapidly evolving data protection laws?

Keeping track of the personal data your business processes?

Cross-border data transfers?

Managing your records of processing activities (ROPA)?


High volume privacy tasks like PIAs and DSARs?
DPA negotiations?
If so...we can help.
Our Services

Legal and Regulatory Compliance
Our team of data privacy attorneys monitor US and international privacy laws and regulations to ensure that our clients have full coverage of their compliance requirements. To ensure compliance, we assess our clients' privacy programs against relevant laws and regulations.

Privacy Operations
Privacy operations form the backbone of an organization’s privacy management framework. They encompass the day-to-day activities, processes, and systems that ensure personal data is handled in compliance with privacy laws and best practices. We handle these critical privacy operations, freeing up limited privacy resources.
Is your Privacy Office frustrated with existing privacy technology that:

Is too expensive?

Is too complicated to set up and too cumbersome to use?



Is unable to be scaled across business units?
Is incompatible with your business operations?
Lacks tailoring to your business's specific and unique needs?

Lacks adequate technical and operational support from the vendor?
If so...we have what you need.
Our Technology
Advisori is pleased to announce its partnership with ZenPrivata.
Advisori and ZenPrivata share the same vision. We both understand that well-developed Privacy/Data Protection Offices are a combination of the right people, processes, and technology.
Advisori has the right people and processes, and ZenPrivata has the right technology.
With a shared vision and philosophy, we have joined forces to empower our clients with the right privacy resources.

-
Who is Advisori?
Advisori is a data protection and privacy consultancy comprised of privacy attorneys, privacy officers, privacy technicians, and privacy managers. Our People are experienced in the legal, technical, and operational aspects of data protection and privacy, having worked in numerous jurisdictions and multiple industries.
-
Why should I use Advisori?
We support privacy and data protection offices of all sizes and industries with their privacy operations. This includes the entire spectrum of operations, including selecting and installing privacy tools, developing associated standard operating procedures, continuing to manage and operate privacy platforms, and ongoing maintenance and training.
-
How long has Advisori been in business?
Advisori was founded in 2020 by Hilton’s first Global Data Protection Officer.
-
What industries does Advisori serve?
Our professionals have worked in multiple industries including hospitality, pharmaceuticals, technology, insurance, and retail.
-
How do I get started?
If you have an identified need, we will assign you the right privacy professional(s). For instance, we will get you a PIA specialist to assist if you need support with your privacy impact assessments. If you need a privacy operations plan, we follow a structured four-step process:

Assess
We get to know your business – your industry, scope of operations, business goals, and related privacy and data protection challenges. We identify existing privacy assets, including people, processes, and technologies. We assess how your existing assets interact and perform. Finally, we identify related gaps or inefficiencies with existing privacy operations.

Advise
We report all identified strengths and weaknesses of your privacy operations. We provide a remediation strategy and action plan, including recommended modifications and implementations to existing processes and technologies. Where necessary, we recommend needed privacy tools and technologies. Where requested, we negotiate with the selected privacy vendors to get you the best pricing and services.

Implement
We install and configure a privacy platform (OneTrust, BigID, Securiti.ai, etc.) or upgrade and update existing privacy tools and technologies for maximum efficiencies. We operationalize and tune related processes and procedures to align and support privacy operations. We conduct training and awareness for employees and business partners on their roles and responsibilities regarding data privacy.

Maintain & Improve
When requested, we provide continuous management and improvement of privacy platforms (OneTrust, BigID, Securiti.ai, etc.). We oversee the day-to-day operations of the privacy program, including PIAs, DPA/SCCs drafting and negotiations, and handling data subject requests. We maintain and update related privacy operations playbooks.
-
How is Advisori different from a traditional law firm?
First, we only focus on data protection and privacy. Second, we are available at your requested time commitment: hourly, daily, weekly, or monthly. Third, we are not just lawyers but also technologists and privacy program managers. Privacy operations are a combination of all three. Our experts work together to assist our clients with designing, building, and operating effective and efficient privacy operations at a fraction of what law firms charge.
-
What is a Regulatory Compliance Assessment?
Understanding Jurisdictions and Obligations: Assessing the specific data privacy regulations applicable to the organization based on its operational regions, such as GDPR in Europe, CCPA in California, and other global regulations.
Gap Analysis: Identifying gaps between current data practices and regulatory requirements and providing recommendations to bridge these gaps.
Remediation Road Map: Provide a written strategy outlining an itemized and risk-based action plan to address identified privacy and data protection gaps.
-
What does Advisori's Privacy Policy Development include?
Privacy Policies: Develop comprehensive privacy policies that outline how personal data is collected, used, stored, and shared.
Data Protection Measures: Implementing technical and organizational measures to protect personal data, such as encryption, access controls, and data minimization.
-
How does Advisori handle ongoing Privacy Program Monitoring and Auditing?
Regular Audits: Conducting periodic audits to ensure ongoing compliance with data privacy regulations and internal policies.
Continuous Monitoring: Implementing tools and processes to continuously monitor data privacy practices and detect potential issues.
-
What type of Strategic Advice does Advisori provide?
Expert Guidance: Providing strategic advice on data privacy trends, regulatory changes, and best practices to help organizations stay ahead of compliance requirements.
Custom Solutions: Tailoring data privacy solutions to meet the specific needs and challenges of the organization.
-
How can Advisori assist me with privacy technologies/platforms?
Our privacy technology experts assist our clients with selecting and pricing appropriate privacy platforms for their specific business needs.
-
How would an Advisori privacy tech pro work with me?
Advisori privacy pros assist our clients with designing, implementing, and managing privacy technology solutions.
-
Why hire Advisori counsel?
Advisori understands that finding well-experienced privacy counsel is becoming increasingly difficult as privacy laws and regulations are proliferating around the globe and there are few attorneys with substantive privacy law experience. Our founding mission is to provide corporate legal departments with the best and brightest privacy lawyers via a business model focused on the delivery of high-quality services at lower costs to our clients. We are able to do this because our people are focused on one thing: data privacy and protection.
-
How can Advisori privacy counsel help me?
Because we specialize in data protection and privacy, our attorneys have deep legal experience with global privacy regulations like the General Data Protection Regulation (“GDPR”) and US state privacy laws including the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”). Moreover, we have worked in multiple industries including hospitality, healthcare, pharmaceuticals, technology, and many others. And, unlike legal staffing agencies, Advisori attorneys are a part of the Advisori team. Our attorneys benefit from weekly supervision from a senior privacy attorney manager; we have a massive index of privacy legal research and privacy-related artifacts, and our attorneys receive ongoing privacy law education and training.
-
How can Advisori privacy counsel work with my business?
Working with many clients in multiple industries, we have organized our services into three distinct packages, which have shown to best fit our clients’ needs: corporate privacy counsel, secondment attorneys, and project privacy counsel.

Corporate Privacy Counsel
Advisori offers corporate privacy counsels ready and able to handle a diverse set of privacy responsibilities, with special emphasis on the privacy laws and regulations governing your business. Our privacy counsels are essential to advising business groups on legal and policy issues related to data privacy and protection, including the development and marketing of products and services to assure compliance with privacy and data protection laws. We apply our deep knowledge of international and domestic privacy laws and regulations to provide strategic advice and counsel to all levels of the corporate organization chart.

Secondment Counsel
A secondment with an Advisori attorney provides flexible access to top legal privacy talent with the institutional knowledge necessary to make an immediate contribution to our clients’ legal teams. Under a secondment, we temporarily assign an Advisori lawyer(s) to your organization. This can be for a set period of time or the completion of a particular project. Secondments vary in length and are dependent on our client’s needs. Unlike most secondments, our secondment attorneys meet weekly with senior Advisori privacy attorney managers for guidance and supervision and have access to Advisori resources (our legal research library, privacy and data protection playbooks, privacy document templates, etc.) to assist our clients and to increase efficiencies. Clients typically utilize our attorneys on a secondment basis to fill gaps in an organization chart, help with overflow, manage regulatory responses, provide specialized expertise, work to meet tight deadlines, and support complex privacy projects.

Project Attorneys
Advisori Privacy Project Attorneys meet a variety of specialized privacy business needs. Our project attorneys step in to assist with both large and small privacy initiatives. For instance, we have developed, implemented, and managed standard contractual clause remediation programs; assisted with massive data breach incident response and reporting efforts, assisted with data subject access request fulfillment, and numerous other privacy projects. Our project attorneys also have the necessary to lead project development and scoping efforts and construct related project plans and playbooks. We can also manage the program by providing real-time project progress and task completion metrics.

In sum, Advisori professionals can serve as corporate privacy counsel, supplement existing legal staff, or even design and manage legal projects from start to finish. Moreover, our clients can engage us on either a short-term or long-term basis depending on their specific needs. Bottom line is, our highly experienced and specialized privacy lawyers increase efficiency by getting the job done better, faster, and cheaper.
-
What is a Secondment Counsel?
A secondment with an Advisori attorney provides flexible access to top legal privacy talent with the institutional knowledge necessary to make an immediate contribution to our clients’ legal teams. We assign an Advisori lawyer(s) to your organization. This can be for a set period of time or the completion of a particular project. Secondments vary in length and are dependent on client needs. Our clients determine weekly time commitments – they can be part-time or full-time. Unlike most secondments, our secondment attorneys meet weekly with senior Advisori privacy attorney managers for guidance and supervision and have access to Advisori resources (our legal research library, privacy and data protection playbooks, privacy document templates, etc.) to assist our clients and to increase efficiencies. Advise on data processing agreements and vendor contracts. Clients typically utilize our attorneys on a secondment basis to fill gaps in an organization chart, help with overflow, manage regulatory responses, provide specialized expertise, work to meet tight deadlines, and support complex privacy projects.
-
What do Project Attorneys do?
Advisori project attorneys can plan and manage privacy projects from start to finish. Our project attorneys step in to assist with both large and small privacy initiatives. For instance, we have developed, implemented, and managed standard contractual clause remediation programs; assisted with massive data breach incident response and reporting efforts, assisted with data subject access request fulfillment, and numerous other privacy projects. We can also manage programs by providing real-time project progress and task completion metrics. We can seamlessly supplement your existing project team. Our clients can engage us on either a short-term or long-term basis depending on their specific needs.
-
What is the difference between Advisori's privacy counsel and those with a traditional law firm?
Advisori’s value add is privacy operations. Accordingly, our privacy counsel are trained in the latest privacy technology tools and have the experience and skill sets to leverage these tools to enhance compliance and streamline privacy management processes. We work closely with IT and security teams to implement and monitor privacy tools to create and maximize efficiencies in fundamental but often time-consuming privacy functions like data mapping and Article 30 management, privacy impact assessments, and data protection agreement negotiation and drafting. This synergy between legal expertise and technological solutions ensures a comprehensive approach to privacy management, ultimately safeguarding the organization’s data assets and fostering trust with stakeholders.
-
Why hire an Advisori Privacy Officer?
A privacy officer is a key figure within an organization, responsible for overseeing and managing the company’s data protection and privacy strategies. Our core services include developing and implementing effective privacy policies and procedures designed for our clients’ particular business and regulatory needs like the General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”), or the Health Insurance Portability and Accountability Act (“HIPAA”). On behalf of our clients, we liaise with internal stakeholders, regulatory authorities, and data subjects to assist with all privacy-related inquiries and requests. We provide employees with data protection and privacy training and promote a privacy compliance culture. We also manage data protection-related incidents.
-
What processes do Advisori Privacy Officers follow?

Assess
First, we take the time to understand our clients and their needs. We start with identifying:
All relevant stakeholders (privacy, security, legal, marketing, sales, etc.),
How personal information is collected (websites, applications, etc.),
Where personal information is collected (the U.S., EEA, China, etc.),
What categories and types of personal information are collected (for example, sensitive personal information),
The business reason for collecting the personal information and the legal basis allowing such collection,
The data systems housing personal information (structured and unstructured databases, data lakes, etc.),
Personal information data flows and transfers (within the US, from the EEA to third countries, etc.), and
What safeguards are in place to protect personal information from loss, unauthorized access, or alteration (technical and operational measures and legal – data protection agreements, EU Standard Contractual Clauses, etc.).

Advise
Using the intelligence gathered during our assessment process, we offer advice and guidance on the following:
The relevant data security and privacy laws governing the business,
Accounting of the business’s existing data protection and privacy technologies, practices, and procedures,
A written gap-analysis report setting forth: identified risk (technical, legal, and reputational), Risk Occurrence Scale – the likelihood of a risk occurring (for example, a customer complaint, data protection authority inquiry, etc.), and potential penalties (based on historical regulatory fines, legal actions, etc.), and
A written remediation plan setting forth: (1) specific remediation tasks (for example, publishing a privacy notice on the business website), and (2) a prioritizing timeline based on our client’s risk appetite and available resources.

Implement
Our Privacy Officers can implement our prescribed remediation plan or assist our client’s internal teams in doing so by:
Creating or updating existing internal privacy policies and external privacy notices,
Installing and managing our Cookie Consent Management platform to ensure full compliance with cookie consent notice and preference requirements,
Installing and managing our Data Subject Access Request (“DSAR”) portal for compliant data-subject validation, personal information retrieval and packaging, and secure delivery,
Performing system-wide data discovery, mapping, and categorization,
Developing an accurate, legally compliant, and real-time Article 30 report,
Building an effective incident response and reporting program, and
Dealing with customer and regulatory inquiries and complaints.
-
Will Advisori Privacy Officers work with and interact with different units of my business?
Yes. Our seasoned Privacy Officers interact and liaise with all necessary business units, including security, corporate, legal, procurement, contracting, etc., to ensure effective and efficient privacy operations.
-
Can Advisori Privacy Officers work internal to my business?
Yes. Most of our clients provide our Privacy Officers with an internal business email and title. Our Privacy Officers are capable of interacting with internal stakeholders, customers, and regulators as a direct client representative.
-
How long are typical Advisori Privacy Officer engagements?
It depends on what you need. Our engagements range from short-term work all the way to a year or more of service.
-
How does Advisori assign its Privacy Officers?
We have Privacy Officers who have worked in almost every industry and with all US laws and the General Data Protection Regulation. In addition, our Privacy Officers have specialized training from our privacy technology partners. We match our talent with your particular industry, regulatory, and technology needs.
-
Why hire an Advisori DPO?
Our DPOs take the time to understand our clients’ businesses and how they collect, process, share, and store personal data. We develop and implement a privacy program tailored to the client’s needs based on these factors. We then implement that strategy by advising the business on best practices, managing critical operational data protection activities (like data security assessments and audits), and providing employees with data protection education, training, and strategies.
-
Do I need a DPO?
A business governed by the General Data Protection Regulation (GDPR) is required to appoint a data protection officer (DPO) if it is: (1) a public body (except for courts), or (2) it uses data for the purpose of “regular and systematic monitoring” of people, or (3) it processes sensitive personal data related to a person’s race, religion, ethnic origin, or other personal information such as genetic or biometric data. If your business can be described by any of those statements, you must appoint a DPO as required by Articles 38 and 39 of the GDPR – a position that can be outsourced and virtual.
-
What is a "core activity" under the GDPR?
Article 37 of the GDPR requires the appointment of a DPO where a “core activity” of the business is the processing of personal data of EU citizens, “which require regular and systematic monitoring…” “on a large scale.” The GDPR views a “core activity” as one that is key to the operation of the business. For instance, the processing of health records is a “core activity” of a hospital. Alternatively, the processing of personal data for internal payroll is likely not.

While the GDPR provides little guidance on the meaning of “regular and systematic monitoring,” WP29 advises that this concept “clearly includes all forms of tracking and profiling on the internet, including for the purpose of behavioral advertising.”

The definition of “large scale” is also absent from the GDPR text. Here again, however, the WP29 provides the following factors to consider in this regard:
The number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
The volume of data and/or the range of different data items being processed;
The duration, or permanence, of the data processing activity, and
The geographical extent of the processing activity.

Examples of large scale processing include:
Processing of patient data in the regular course of business by a hospital;
Processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards);
Processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities;
Processing of customer data in the regular course of business by an insurance company or a bank;
Processing of personal data for behavioural advertising by a search engine; or
Processing of data (content, traffic, location) by telephone or internet service providers.

Examples that do not constitute large-scale processing include:
Processing of patient data by an individual physician; or
Processing of personal data relating to criminal convictions and offences by an individual lawyer.
-
Do Advisori DPOs follow specific guidelines?
Advisori’s DPOs follow the General Data Protection Regulation’s (GDPR) key principles that organizations must adhere to when processing personal data. These principles are:

Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner. Organizations must have a legal basis for processing personal data and must provide individuals with clear and concise information about how their data will be used.
Purpose limitation: Personal data should only be collected for specified, explicit, and legitimate purposes. Organizations should not use the data for any other purposes that are incompatible with the original purpose of collection.
Data minimization: Organizations should only collect and process personal data that is necessary for the intended purpose. They should avoid collecting excessive or irrelevant data and should ensure that the data is accurate and up to date.
Accuracy: Personal data should be accurate and kept up to date. Organizations should take reasonable steps to ensure that inaccurate or incomplete data is rectified or erased.
Storage limitation: Personal data should be kept in a form that allows identification of individuals for no longer than is necessary for the intended purpose. Organizations should establish retention periods and delete or anonymize data once it is no longer needed.
Integrity and confidentiality: Personal data should be processed in a manner that ensures its security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage. Organizations should implement appropriate technical and organizational measures to safeguard personal data.
Accountability: Organizations are responsible for complying with the principles of the GDPR. They should be able to demonstrate their compliance by implementing appropriate policies, procedures, and documentation.

By following these principles, organizations can ensure that they are processing personal data in a lawful, fair, and transparent manner, while respecting the rights and privacy of individuals.
Schedule a call with us

