Privacy and Data Protection

Data Protection Officer ("DPO") Services

  • Perform and/or support Data Protection Officer ("DPO") services as contemplated by the European General Data Protection Regulation (the "GDPR"). Everything from serving as the named DPO to supporting a new or existing DPO.
    • Full-service outsourced DPO services that integrate with your existing team or create the function from the ground up.
      • Ongoing full-up DPO support as your organization's named DPO.
      • Interim named DPO services until you develop your internal DPO personnel and function.
      • Interim named DPO services to fill gaps in staffing, such as when a previous named DPO leaves the enterprise, giving you experienced coverage and breathing room to make a good hire for your next DPO.
    • DPO support functions where you already have a named DPO.
      • Ad hoc services for short-term or long-term projects.
      • Support functions for new product or service offerings.
      • Ongoing Privacy Impact Assessment conduct and compliance.
      • Contract management that covers Article 28, C-to-C, C-to-P, subprocessor, Privacy Shield, and other data transfer and processing agreements.
  • Before you consider a law firm to act as your DPO, make sure that the firm has cleared it with its insurers and governing body. Law firms might stop short of serving as the named DPO because they haven't had the discussion with their professional liability coverage providers. Tupper Law Firm PC had those conversations long ago and is ready to engage and serve.

Other Privacy and Data Protection Services

  • Design and draft external-facing privacy statements and internal privacy policies
  • Build internal privacy processes, including Privacy Impact Assessments (“PIAs”) and the processes that support them.
  • Build and manage contracting processes that meet the requirements of GDPR and other regulatory systems.
  • Represent both controller and processor parties to help them identify, contract for, and manage obligations under GDPR Article 28, Standard Contractual Clauses, subprocessor arrangements, Privacy Shield, and other requirements.
  • Manage large-scale and complex international data transfer compliance, especially projects involving transfers from the European Union/European Economic Area. Experienced with international data-transfer frameworks, subprocessor management, and maintaining compliance tracking programs that document compliance across multi-national enterprises.
  • Advising clients with respect to state, federal, and international privacy requirements, planning, and compliance strategies, including compliance under the FTC Act, state data breach and consumer protection laws.
  • Serve as US counsel for privacy and consumer-protection elements of e-commerce, logistics, technology, and other applications for clients in the automotive, consumer-product, Internet-of-Things, and other industries.


  • Extensive privacy and data-security engagements seconded with in-house teams at Fortune 50 enterprises.
  • Author and speaker covering privacy and data-security topics.
  • Certified Information Privacy Professional – US Private Sector (CIPP/US)
  • Certified Information Privacy Professional – Europe (CIPP/E)
  • Certified Information Privacy Technologist (CIPT)
  • Fellow of Information Privacy


  • Instituted global data transfer compliance programs for two major OEM durable goods manufacturers, a Tier 1 durable goods supplier, and a global fleet management enterprise, including a part-time secondment at two enterprises.
  • Handled privacy-related aspects of a major new generation of consumer location-based electronic service with six million customers.
  • Advised an Asian automotive OEM regarding compliance with US privacy, consumer-protection, and telecommunications its proposed telematics solution.