
Chris Wheaton

Saint Paul, MN

Summary

Accomplished privacy attorney offering a broad-based career in information privacy, information security, compliance program development/management, breach management, information systems, and litigation experience; rare blend of broad technical experience, analytical skill, relationship acumen, strong work ethic, project management, and commitment to organizational and team goals.

Overview

9 years of professional experience
1 Certification

Work History

Adjunct Professor of Law

University Of St. Thomas School Of Law
08.2022 - Current

Teach global privacy and data protection law to current JD and MSL seeking students focusing on legal theories, data protection agreements, compliance, and international transfers.

Director of Global Privacy

LivaNova USA, Inc.
10.2020 - Current
  • Build and maintain a strategic and comprehensive privacy program that defines, develops, and implements policies and processes that enable consistent, effective privacy practices which minimize risk and ensure the confidentiality of protected information across all media types.
  • Work with organization senior management, security, and corporate compliance officer to establish governance for the privacy program.
  • Collaborate with IT security to ensure alignment between security and privacy compliance programs, including policies, practices, and investigations.
  • Serve in a leadership role for global privacy compliance. Responsible for implementation of and compliance with GDPR (EU), UK DPA (UK), LGPD (Brazil), PIPEDA (Canada), PIPL (China), PDPC (Singapore), PDPA (Thailand), KVKK (Turkey), and any other region/country-specific privacy requirements.
  • Perform or oversee initial and periodic information privacy risk assessment/analysis, mitigation, and remediation.
  • Lead efforts to ensure the organization has and maintains appropriate privacy and confidentiality consents, authorization forms and information notices and materials reflecting current organization and legal practices and requirements.
  • Participate in the development, implementation, and ongoing training and compliance monitoring of Business Associate and Data Protection Agreements, to ensure all privacy concerns, requirements, and responsibilities are addressed.
  • Initiate, facilitate, and promote activities to foster information privacy awareness within the organization and related entities. Establish and administer a process for investigating and acting on privacy and security complaints.
  • Maintain current knowledge of applicable global, federal, and state privacy laws and accreditation standards.
  • Work with leadership and under the direction of Chief Privacy Officer to represent the organization's information privacy interests with external parties (state, local, or foreign actors) who undertake to adopt or amend privacy legislation, regulation, or standard.
  • Serve as the information privacy resource to the organization regarding release of information and to all departments for all privacy related issues.

Associate General Counsel - Privacy

Korn Ferry
04.2020 - 10.2020
  • Coordinate with IT, Global Security, Legal and business teams to plan and execute on privacy initiatives while conducting research and providing advice and guidance on existing and emerging privacy laws and regulations.
  • Participate in internal and external audits for certification to ISO/IEC 27001:2013 and ISO/IEC 27018:2014 standards.
  • Assist in the development, implementation and coordination of company policies, procedures and training to support privacy initiatives.
  • Conduct and evaluate privacy risk assessments and/or privacy impact assessments for new or updated products and services, analyze results to recommend mitigation and remediation activities, as appropriate, ensuring compliance with laws and internal standards.
  • Prepare documents, data flows, standard and custom text, and other materials related to privacy activities.
  • Support third party risk management program and assist with due diligence and integration of newly acquired companies.
  • Provide privacy and legal input regarding data incidents and data breaches in coordination with security and cross-functional teams.
  • Prepare data protection and data transfer agreement templates for use with clients and vendors, including internal usage guidelines.
  • Provide prompt, consistent and accurate review, interpretation, and negotiation of data protection agreements with clients and vendors.

Executive Director, Privacy & Compliance Counsel

Lucid, LLC
06.2017 - 03.2020
  • Define and continuously improve the Lucid worldwide privacy program to comply with the EU General Data Protection Regulation (GDPR) including implementing policies, procedures, and privacy management system to demonstrate compliance.
  • Maintain current knowledge of applicable, and evolving, federal, state, and international privacy laws, including the California Consumer Privacy Act (CCPA), EU member state specific GDPR implementations, Brazil GDPA, India PDPA, and Singapore PDPA and advise on the impact on Lucid business, products, and services.
  • Maintain Lucid’s Privacy Shield certification, Data Transfer Agreements, and all required national privacy registrations.
  • Lead organization in maintaining appropriate privacy and data processing consents, authorization and information notices and materials reflecting current organization and legal practices and requirements.
  • Oversee and manage Information Security to implement ISO 27001:2013 policies, procedures, and audit program and handle incident response, including the review, coordination and management of potential privacy or data security incidents and related investigations, notifications, and other resolution efforts.
  • Partner with members of the Legal, Information Security, Product, Development, Technology/CloudOps, Marketing, and People teams, and outside counsel to help ensure the company's compliance with privacy laws, regulations, frameworks, and customer contracts.
  • Support and oversee privacy-related sales, marketing, customer and vendor management, and business development activities.
  • Advise product management and engineering teams on all privacy and information security requirements throughout the entire product life-cycle using privacy by design and default, open source compliance using FOSSA, and data governance.
  • Serve as the Lucid GDPR Article 37 Data Protection Officer (DPO), managing Data Protection Office staff, advising Lucid, and acting as liaison with the UK Information Commissioner's Office (ICO).
  • Handle Data Subject Access Rights (DSAR) requests from EU Data Subjects ensuring all requests are verified, completed, and records of compliance are securely retained.

Compliance Program Manager

Delux Corporation
11.2016 - 05.2017
  • Manage data privacy and information security program functions, including policies, standards, and procedures; monitoring and auditing; business continuity; complaint and incident management; and training and awareness programs.
  • Facilitate definition of internal and external data privacy and information security policies and procedures to address global privacy and information security compliance obligations.
  • Consult and advise lines of business on legal and regulatory requirements, guidelines and contractual expectations to address compliance with regulatory data privacy and information security obligations while ensuring business requirements align with those obligations.
  • Monitor, research, and analyze changes to market landscape and legal obligations to address privacy risks and information security business implications, including recommending actions to business leads.
  • Lead enterprise data privacy and information security projects, privacy impact assessments and audits including reporting to management on data privacy and information security findings.
  • Drive enterprise move from US-EU Safe Harbor certification to US-EU Privacy Shield and toward GDPR compliance by May 2018.

Compliance Program Manager

Jamf
05.2016 - 10.2016
  • Analyze and advise on data privacy and information security legal and regulatory matters throughout the organization and with various levels of management and stakeholders.
  • Develop and maintain corporate-wide data privacy, information security and compliance programs in accordance with AICPA SOC 2, PCI-DSS, EU Directive 95/46/EC (Safe Harbor/Privacy Shield), and other relevant requirements, including alignment to the company’s strategic business goals.
  • Develop comprehensive GDPR program moving the company towards EU privacy compliance by 2018 in accordance with the Regulation.
  • Ensure compliance results, risks, and issues are properly documented, issues are escalated and addressed, and results are used as input back to the program for ongoing improvement.
  • Facilitate development, implementation and maintenance of processes throughout the organization to identify new regulatory and privacy compliance in-scope areas, including third parties, and ensure appropriate compliance controls and oversight are implemented.
  • Ensure privacy and compliance training is conducted across the organization while serving as subject matter expert for compliance guidance.
  • Develop and maintain relationships with cross-functional business leaders, developers, architects and other stakeholders building a “privacy by design” platform for delivering solutions worldwide.

Privacy & Compliance Counsel

Code42 Software, Inc.
08.2014 - 03.2016
  • Serve as Privacy Counsel and subject matter expert advising internal stakeholders on domestic and international privacy and data security laws, regulations, cross border data transfers, data security standards, and best practices relating to all corporate initiatives and customer agreements.
  • Maintain current knowledge of the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Children's Online Privacy Protection Act (COPPA), the CAN-SPAM Act, the Personal Information Protection and Electronic Documents Act (PIPEDA), the Canadian Anti-Spam Law (CASL), and the EU Data Protection Directive (95/46/EC), as well as the increasing number of US state and federal laws, rules and regulations.
  • Serve as Compliance Counsel advising on a wide variety of regulatory and compliance obligations and best practices while balancing business needs.
  • Advise transactional legal staff on privacy and compliance requirements during the sales process.
  • Develop forward-looking privacy strategy, policies, and tools to engender trust in the areas of privacy and data usage employing “privacy by design” approach to projects by promoting privacy and data protection compliance from the inception.
  • Conduct or direct internal audits/investigations of ISO27001:2013 ISMS, HIPAA protections, PCI-DSS, CSA-STAR, and additional legal/regulatory regimes.
  • Record audit findings and risks, as well as the remediation recommendations, and work with management to agree on proposed action plans.
  • Manage enterprise SOC2 Report project from risk assessment and control testing focusing on Privacy, Security and Availability Trust Principles.
  • Manage compliance registrations, Shared Assessments (SIG) questionnaire(s), compliance and privacy programs, cloud security certifications, compliance staff and interns.
  • Implement and manage open source compliance program implementation and workflows between product management, information security and legal using Black Duck.
  • Advise on International Traffic in Arms Regulations (ITAR) export compliance requirements relating to contractual obligations with regulated customers.
  • Research and draft internally facing legal memoranda on specific compliance obligations our customers are subjected to and our obligation in holding the data of those customers.

Education

J.D. - Law

University of St. Thomas School of Law
Minneapolis, MN
05.2008

Bachelor of Arts - Quantitative Methods/Computer Science

University of St. Thomas
Saint Paul, MN
12.2003

Skills

  • Data Protection Compliance (GDPR, HIPAA, CCPA, LGPD, PIPEDA, PIPL)
  • Data Protection Policies
  • Data Breach Management
  • Privacy Incident Investigations
  • Privacy by Design
  • Privacy Governance
  • Cross-Border Data Transfers
  • Legal Advisory

Certification

  • International Association of Privacy Professionals (IAPP) – Certified Information Privacy Professional: US (CIPP/US)
  • International Association of Privacy Professionals (IAPP) – Certified Information Privacy Professional: Europe (CIPP/E)
