Privacy Practice
Data Privacy
A global perspective on privacy law, informed by decades of cross-border experience and comprehensive review of regulatory frameworks.
46 Countries
33 Frameworks
20 US States
Each flag below indicates where Andrew, in his role as DPO, must ensure operational privacy oversight.
Canadian Provinces
Australian States & Territories
US State Privacy Laws
Background
Growing up in Europe, Andrew developed a deep, personal understanding of what privacy means across cultures — long before it became an industry. That perspective shaped everything that followed.
The California Consumer Privacy Act (CCPA) is one of the most significant consumer privacy laws in the United States — giving California residents the right to know what personal data is collected about them, to delete it, and to opt out of its sale. When California was in the process of putting the CCPA into place, Andrew submitted public commentary during the legislative review that resulted in changes adopted by the California legislature.
In the fall of 2025, Andrew traveled to Brazil and met directly with one of the four directors of the ANPD — Brazil's national data protection authority — to discuss the Lei Geral de Proteção de Dados (LGPD). The LGPD is Brazil's comprehensive data protection law, modeled in part after the GDPR, governing how personal data is collected, processed, and stored for over 200 million citizens. The conversation focused on real-world implementation challenges companies face when operating under the LGPD, particularly around cross-border data transfers and regulatory enforcement as the framework continues to mature.
As Data Privacy Officer at Symplicity, Andrew grew the company's privacy program from a mostly domestic operation to one spanning 46 countries — managing cross-border data transfers, remote workers across jurisdictions, and the regulatory complexity that comes with genuine international scale. He has read nearly every major privacy regulation cover to cover — the General Data Protection Regulation (GDPR) alone roughly fifteen times.
Areas of Specialization
Four markets, four privacy landscapes
Education Technology
Student data carries some of the highest regulatory stakes in privacy. Ed tech platforms handle minors' information across school districts, universities, and international institutions — each with its own consent model, retention policy, and parental rights framework.
Government
Government software operates under strict compliance regimes where a single gap can disqualify a vendor from an entire contract vehicle. Privacy here isn't a policy document — it's baked into authorization boundaries, system security plans, and continuous monitoring requirements.
Healthcare
Health-adjacent platforms don't always trigger HIPAA directly, but they almost always touch protected information in some form — employee wellness data, benefits integrations, accommodations records. The privacy obligations are real even when the platform isn't a covered entity.
Corporate
When Sarbanes-Oxley mandates internal controls over financial reporting, it reaches directly into how data is stored, accessed, and retained. Corporate privacy programs have to satisfy overlapping demands — SOX auditors, SOC assessors, and privacy regulators all asking different questions about the same systems. The work is ensuring that data governance holds up under each of those lenses simultaneously, not just the one that happens to be asking.
Consulting
Engagements start at $250/hour.
Longer commitments and packages are priced more favorably.
Andrew does not provide consulting services related to the following: