Global advice to solve complex security and privacy challenges

Navigating the intricate web of data protection, privacy and cybersecurity issues is critical to your business. Our global Data Protection, Privacy and Security practice is renowned for providing leading advice. With 180+ professionals in 40+ countries, we have the geographic footprint and experience to help you solve your most pressing problems and be ready for future threats.
We support clients with some of the most complex and high-profile privacy and cybersecurity matters globally; from innovative product pipelines, to handling security incidents in multiple countries and responding to regulators or enforcement requests. And because long-term resilience is crucial, we also help build governance and sustainability programs that go beyond compliance.

“DLA Piper is top-notch at providing risk-based legal analysis in many jurisdictions around the world.”

Client, Chambers USA 2022

Our approach is innovative, combining proven methodologies, technology, tools and practical advice to solve problems and preemptively spot future threats. We have a team of highly experienced cybersecurity, privacy risk and technology consultants, many with Big 4 consultancy backgrounds, who work closely with our lawyers. This means our clients benefit from a blend of management consultancy, technical skills and legal insight to protect project materials, communications, and work product under attorney-client privilege. And with lawyers focusing on enforcement, government affairs, OFAC/sanctions, litigation, government contracting, SEC disclosures, and insurance, our support is comprehensive.

Clients in a wide range of regulated and non-regulated sectors turn to us for guidance, from local startups to some of the largest and best-known multinationals in the world. And we’ve helped many of the most influential governmental agencies, including the lead expert witness on US law by the Irish Data Protection Commissioner in Schrems II.

We shape privacy and security laws globally. We’ve provided input on every piece of major US state consumer privacy, biometrics, breach notice, and student privacy legislation that has been put forward. And members of our practice have written many of the definitive privacy and security books. These include Information Security and Privacy: A Guide to Federal and State Law and Compliance and Information Security and Privacy: A Guide to International Law and Compliance, collectively a 6,000-page, three-volume treatise that examines all aspects of privacy and security laws, published by Thomson-West.

Our practical, risk-based guidance will help you collect, manage and unlock value from data lawfully and in line with privacy rights, wherever you operate.


  • Served as incident response counsel for SolarWinds in a global cybersecurity incident; we led the cyber response and managed multiple cybersecurity workstreams to assist the client through that difficult time.
  • Represented a global payments technology company, handling the privacy and security diligence for a USD5 billion transaction involving one of the largest fintech solutions companies, and currently providing cyber and privacy advice.
  • Representing an American video game holding company and its subsidiaries as long-time outside privacy and cybersecurity counsel, advising on privacy, cybersecurity, data retention and data protection compliance matters, including compliance with GDPR, CCPA, LGPD and ePrivacy, as well as response to Schrems II and other legal developments.
  • Lead expert witness on US law by the Irish Data Protection Commissioner in Schrems II. Our US practice chair, and Global Co-Chair, Andrew Serwin, was selected as the lead expert witness on US law by the Irish Data Protection Commissioner in Schrems II. His opinions on national security/surveillance, Article III standing, and the scope of US remedies, served as the basis of the US law discussion in the Commissioner’s Draft Decision, and this analysis was largely adopted by the Irish High Court in its decision and affirmed by the Irish Supreme Court, as well as by the CJEU in its decision. This decision was the highest-profile privacy case globally in 2020 and is one of the highest profile matters ever.
  • Counseled the business venture of one of the world’s best known consumer leisure brands in connection with their move into the IoT space in North America and Europe, including advising on mobile application and smart device design issues, consumer location tracking requirements, regulation of websites, transfers of personal data across borders, and consumer notice and choice requirements.
  • Advising a leading global supplier of manufactured products on the multi-year design and implementation of its global privacy program. We are working with the global compliance officer and privacy office on all aspects of the program, including global and regional data mapping, analysis of compliance gaps, advising on information governance structures, drafting policies and procedures, and determining group compliance requirements under new data protection laws (notably in Brazil and China). We are also assuming project management responsibility.
  • Represented an internet-based company being investigated by the Federal Trade Commission (FTC) for alleged violations of FCRA and ROSCA, and currently representing the client in litigation with the FTC and Department of Justice.
  • Providing ongoing cyber and privacy advice to one of the world’s largest energy utilities. This is cutting-edge work given the nature of the industry and the emerging issues regarding attacks on critical infrastructure and cybersecurity.
  • Represented a managed health care company in the negotiation of a Resolution Agreement and Corrective Action Plan with the Office for Civil Rights (OCR) over alleged HIPAA violations, and represented a Fortune 5 American health retail corporation in a number of privacy and security matters, including confidential investigations and compliance work.
  • Advised eBay on a security incident (including drafting notices on a global basis), on a breach allegedly involving over 140 million records.
  • Representing an American-Canadian multinational drink and brewing company. We have provided advice on a range of privacy matters including a large global ransomware and incident response; global privacy policy revisions; global responses to data subject access requests; global hotline and compliance requirements; global updates to data processing addenda; global cookie and website review and update; global privacy program gap assessment; the review and negotiation of vendor agreements; and the development of an internal customer data platform.
  • Representing a fintech provider to some of the world’s largest corporations, providing hundreds of different services and a wide range of products. We are advising the global Chief Privacy Officer on building out the privacy compliance program across all operations, including advising on a modernized global information governance strategy; preparing updated internal and external policies for employees and customers; revising data protection impact assessments; advising on global data transfer issues; drafting transfer terms and assessing transfer risks; advising on global marketing requirements; and advising on finance services privacy regulations.

Governing risk

Companies today face a host of rapidly evolving risks. Supply chain concerns, the relentless growth of globalization, heavy M&A activity, outsourcing of core functions, and ESG concerns are just a few of the areas that can generate profound and long-term problems for your business. As a result, privacy, security, and business continuity planning (BCP) risks are now front and center for many companies. Having a plan to address these issues, and govern these risks, is an important step.

How we can help: Governance

DLA Piper’s Data Protection, Privacy & Security team can help you govern risk, and create a situation in which your company understands and manages its risk profile and, in essence, stays out of the red. We have designed proprietary tools to help your company govern privacy, security, and BCP risk. These tools are based on governance frameworks and our extensive experience building programs, as well as our incident response and enforcement/litigation experience, which allows us to see around corners when we are advising you on regulatory matters.

For privacy, security and BCP, our frameworks provide actionable steps to help govern these important risks at all levels: the board, executive officers, senior management and beyond. The framework can be used to govern first-party risks, such as assessing your existing program, or for building processes to govern the creation of new product and services, as well as to understand the third-party risks that result from such areas as the supply chain, outsourcing or M&A.

Our assessments are also typically done under attorney-client privilege

Our goal is to help keep your company out of the red. Let us put our experience to work for you.

Data Sustainability

In a volatile world, resilience is an increasingly critical element of corporate performance. As Boards and senior leaders at leading companies evolve from a defensive risk management stance to a forward-looking one based on strategic resilience, data sustainability is a prerequisite to success, and a key consideration at the highest levels of leading organizations. As a result, data is being woven into long-term strategy development, placing privacy and security and plans to govern the opportunities and risks they present imperative for company boards and executives.

“To gain strategic advantage, companies must adapt and learn to interpret and leverage data faster than their competitors.”

DLA Piper provides governance solutions to help companies optimize their data strategies, mitigate their risks, and think beyond compliance. We combine broad legal and consulting experience to offer strategically driven, risk-informed solutions that are actionable. We understand the big picture and guide companies through opportunities, risk and change beyond what’s on the immediate horizon – both proactively and reactively. Our experience enables us to help companies solve their most challenging privacy problems with fully integrated legal and business solutions.

Governance is not compliance – and being compliant does not mean that your company has governed its risk. By improving governance, however, companies can improve compliance and by governing risk, we create an opportunity for a company to understand and manage its risk profile and, in essence, stay out the red and in alignment with company strategy. Let us put our experience to work for you.

Awards and recognition



Privacy Matters

DLA Piper’s Global Privacy and Data Protection Resource
Insights on data protection, privacy and cybersecurity issues critical to your business.
Visit the Privacy Matters blog

Featured insights