Amy Carlson


Amy Carlson is Of Counsel in the firm’s Corporate group and has more than 20 years of experience assisting clients with a wide range of privacy matters. Drawing on her understanding of the intersection of law and technology, and of the businesses she advises, she helps companies develop and implement privacy policies, plans and audits, and manage data breaches. Amy also has experience with e-commerce, intellectual property, telecommunications, security policy, international privacy and export control issues. She holds the Certified Information Privacy Professional (CIPP) and Certified Information Privacy Manager (CIPM) credentials from the International Association of Privacy Professionals (IAPP). She co-leads the firm’s privacy initiative.


Visiting With SKW Schwarz at IAPP’s Global Privacy Summit

Hunter Ferguson and I were joined by Dr. Matthias Orthwein and Dr. Volker Wodianka at IAPP’s Global Privacy Summit 2018. We had many interesting discussions about the GDPR, German data privacy law and DPO services. Our firms, Stoel Rives LLP and SKW Schwarz Rechtsanwalte, are members of TerraLex®, an international network of 155 leading independent law firms …

France – CNIL

France’s Commission Nationale de l’Informatique et des Libertés (“CNIL”) also provides excellent tools and resources. CNIL recently updated its Privacy Impact Assessment (PIA) guides, which cover methodology, a template, knowledge bases and the application of PIAs to connected objects. CNIL also recently updated its PIA software tool, available in four languages, which companies can use for compliance work. CNIL provides …

Germany – BfDI

Germany’s Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) published the new Federal Data Protection Act (BDSG), which adapts German law to the GDPR. The BfDI site provides extensive guidance on the GDPR, and also publishes the Standard Data Protection Model (SDPM) in English. Also available from the site are guidance materials on the GDPR from the German Data Protection Conference, the Datenschutzkonferenz …

UK ICO

The United Kingdom’s Information Commissioner’s Office (“ICO”) is a great resource for companies looking for clear guidance from a data protection authority. The ICO has published a Guide to the GDPR that is both targeted and comprehensive, together with resources for organizations, including several further guides. Getting Ready for GDPR Resources is a nice package of information prepared by …

Article 29 Working Party

The European Commission – Data Protection site links to the Article 29 Working Party Guidelines, which supplement our understanding of the GDPR: Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (wp251rev.01); Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01); and Guidelines on the application and setting of administrative fines (wp253). All are available in multiple language versions. …

European Commission – Data Protection

The European Commission – Data Protection site provides links to EC data protection policies, information and services. The Commission provides the official GDPR text in multiple languages, describes the European Data Protection Board and its responsibilities, provides detailed guidance and resources on data transfers outside the EU, and offers some focused discussion of the changes to the …

Useful Official GDPR Resources

Recently, I have been asked several times where to find good, official resources on the GDPR. The following series of posts provides links to these resources, and we will post additional resources from time to time: European Commission – Data Protection; Article 29 Working Party; UK ICO; Germany – BfDI; France – CNIL; Visiting With SKW Schwarz at IAPP’s …


See CNIL’s European Regulation on the Protection of Personal Data Guide, Sub-Contractor Edition, September 2017. Are you a contractor within the meaning of the European Regulation on data protection? Are you subject to the EU regulation on data protection? What is the main change the European regulation introduces for contractors? What are your obligations as of May …


On October 4, 2017, the Article 29 Working Party updated its guidance on PIAs and risk evaluation: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679. CNIL has created a PIA infographic outlining the main principles. Keep …

Your Car and GDPR

CNIL, the French DPA, published a new compliance pack, “Connected Vehicles: A Compliance Pack for Responsible Data Use,” on October 17, 2017. CNIL organizes its guidance around three scenarios: (1) personal data remains in the car; (2) personal data is transmitted externally to provide a service to the individual; and (3) personal data is transmitted outside to trigger …

GDPR Data Breach & Profiling Guidelines and last chance to comment!

The Article 29 Working Party published two sets of Guidelines related to the GDPR: Guidelines on Personal data breach notification under Regulation 2016/679 (wp250), and Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679 (wp251). The Guidelines are open for comments until November 28, 2017. Comments should be sent to and…

When 1 DPA becomes 2 DPAs

Facebook’s experience with regulators is a cautionary tale. Several European Union Data Protection Authorities formed a Contact Group to coordinate their investigations of Facebook. The moral of this story is that when one regulator in the EU becomes interested in reviewing your privacy compliance, do not be surprised if several DPAs are soon coordinating …

Will Your Company Have To Stop Using Kaspersky?

Acting Secretary of DHS Elaine Duke issued a Binding Operational Directive (BOD) requiring federal departments and agencies to identify the use or presence of any Kaspersky products on their information systems, to develop detailed plans to remove the products and discontinue their present and future use, and to finish carrying out those plans within three months. She is …
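The first step the directive requires, finding out where a vendor’s software is present, is something a company can script rather than rely on self-reporting. The following PowerShell script is an added example and is not part of the original post or of the DHS directive; it assumes it is run with administrative rights on a Windows host, and the vendor name pattern it matches on is an assumption that should be tuned to the product names actually seen in your environment. It checks three places where software leaves traces: the Add/Remove Programs registry keys (64-bit, 32-bit and per-user), installed services, and running processes, so that agents or drivers with no uninstall entry are still caught.

```powershell
# Added example (not from the original post): inventory a Windows host for
# software from a named vendor so a "presence" check can be run fleet-wide.
# Assumptions: run elevated; $Pattern is an assumed default and may need tuning.
param(
    [string]$Pattern = 'Kaspersky'
)

# Add/Remove Programs entries: native 64-bit, 32-bit (WOW6432Node) and per-user.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Read the registry rather than querying Win32_Product, which triggers an MSI
# consistency check of every installed package when enumerated.
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $Pattern -or $_.Publisher -match $Pattern } |
    Select-Object @{n = 'Type';   e = { 'Application' } },
                  @{n = 'Name';   e = { $_.DisplayName } },
                  @{n = 'Detail'; e = { "$($_.Publisher) $($_.DisplayVersion)" } }

# Services catch agents and kernel-mode components with no uninstall entry.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -match $Pattern -or $_.PathName -match $Pattern } |
    Select-Object @{n = 'Type';   e = { 'Service' } },
                  @{n = 'Name';   e = { $_.Name } },
                  @{n = 'Detail'; e = { "$($_.State) $($_.PathName)" } }

# Running processes catch anything resident that is registered as neither.
$processes = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -match $Pattern -or $_.Company -match $Pattern } |
    Select-Object @{n = 'Type';   e = { 'Process' } },
                  @{n = 'Name';   e = { $_.ProcessName } },
                  @{n = 'Detail'; e = { $_.Path } }

$findings = @($apps) + @($services) + @($processes)

if ($findings.Count -eq 0) {
    Write-Output "No items matching '$Pattern' found on $env:COMPUTERNAME."
    exit 0
}

$findings | Sort-Object Type, Name | Format-Table -AutoSize
# A non-zero exit code lets a deployment tool or scheduled task flag hosts
# that still need remediation.
exit 2
```

Run it through whatever endpoint management tooling you already use and collect the exit codes: hosts returning 2 go on the removal list, and the printed table gives the uninstall entry or service name needed to plan the removal.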

ePrivacy Regulation On Track

The Council of the European Union published a revised version of the ePrivacy Regulation (EPR), which will be discussed at the September 19, 20 and 25 meetings of the Working Party on Telecommunications and Information Society. The EPR remains on track to meet its target date of May 2018. As a regulation, it will be …

Should I Place A Fraud Alert vs. Security Freeze?

As a privacy professional, you can expect that nearly all of your fellow employees were affected by the Equifax data breach, and you may be asked whether to place a fraud alert or a security freeze. You can send them this guidance from the FTC on the difference between fraud alerts and …

Yawn – Another Company Failed to Patch. Wait! 144 Million Affected?

A PR disaster? Failure to patch promptly is an incredibly common cause of data breaches. Learn from Equifax’s situation about both patching and communication. Boards, senior management and privacy personnel should confirm that patches are applied promptly. Also, when breaches occur, hire and listen to …