Photo of Amy Carlson

Amy Carlson is Of Counsel in the firm's Corporate group and has more than 20 years of experience assisting clients with a wide range of privacy matters. Using her understanding of the intersection of law and technology along with her understanding of business, she helps companies develop and implement privacy policies, plans and audits, as well as manage data breaches. Amy also has experience with e-commerce, intellectual property, telecommunications, security policy, international privacy and export control issues. Amy is a Certified Information Privacy Professional and a Certified Information Privacy Manager by the International Association of Privacy Professionals. She co-leads the firm's privacy initiative.

The European Commission – Data Protection links to the Article 29 Working Party Guidelines which supplement our understanding of GDPR:

See European Regulation on the Protection of Personal Data Guide Sub-Contractor Edition, September 2017.

  • Are you a contractor within the meaning of European Regulation on data protection?
  • Are you subject to EU regulation on data protection?
  • What is the main change introduced by the European regulation for contractors?
  • What are your obligations as of

The Article 29 Working Party updated the Guidelines on PIAs and evaluation of risk guidance on October 4, 2017:

Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679

CNIL created a PIA Infography to outline the main principles. Keep

The Article 29 Working Party published two Guidelines related to GDPR:

Guidelines on Personal data breach notification under Regulation 2016/679, wp250

Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679, wp251

The Guidelines are open for comments until November, 28, 2017. Comments should be sent to and