Data Subject Requests Under the Microscope: Legal Frameworks, Operational Challenges, and Enforcement Risks Attorneys Must Know

Amber Thomson
Mayer Brown


Patrick J. Austin
Woods Rogers Vandeventer Black PLC


On-Demand: September 30, 2025

2 hour CLE

This program is only available to All-Access Pass Members.

Program Summary

Session I – Understanding Personal Data Rights Under U.S. Consumer Data Privacy Laws – Patrick J. Austin

During the session, Mr. Austin will address best practices for reviewing and processing data subject requests (including examples of common data subject requests). He will discuss the applicable legal and regulatory frameworks governing data subject requests, such as the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). He will also discuss potential penalties for failing to timely process data subject requests (along with the applicable enforcement authorities). In addition, he will share tips and recommendations that organizations can use to develop data subject request policies and protocols.

Key topics to be discussed:

  • Basics of statutory data subject rights contained in various state consumer data privacy laws
  • The steps necessary to acknowledge and process a data subject request
  • Important processing timelines that must be followed
  • General strategies/tips for developing a data subject request compliance program

Session II – Operationalizing DSAR Compliance: Real-World Scenarios, Risk Management, and Internal Readiness – Amber Thomson

This session will offer a practical, operations-focused look at Data Subject Access Requests (DSARs), going beyond the legal requirements to explore how organizations can assess, manage, and streamline their response processes. Attendees will examine real-world scenarios, common pitfalls that lead to enforcement, and internal strategies for mapping data, assigning responsibilities, and handling sensitive or high-risk requests. The session also covers how to build effective DSAR protocols and response workflows that align with organizational risk tolerance and compliance goals.

Key topics to be discussed:

  • What a DSAR really is and isn’t
  • Real-world DSAR scenarios and pitfalls
  • Organizational risk management
  • Enforcement trends and lessons learned
  • Assessing DSAR readiness
  • Designing effective DSAR response protocols

This course is co-sponsored with myLawCLE.

Closed-captioning available

Speakers

Amber Thomson | Mayer Brown

Amber Thomson is a partner in Mayer Brown’s Cybersecurity and Privacy practice. She advises clients across industries on operationalizing privacy and cybersecurity compliance. She has deep experience helping organizations build scalable DSAR response programs, navigate complex data mapping challenges, and manage high-risk or sensitive requests. Amber also helps clients with privacy and data security due diligence and facilitates executive and board training on incident response, privacy legal compliance, and the US cybersecurity and privacy law landscape. She is a Certified AI Governance Professional (AIGP) through the IAPP and the Treasurer for the National Bar Association’s Privacy, Cybersecurity and Technology Section.

 

Patrick J. Austin | Woods Rogers Vandeventer Black PLC

Patrick focuses exclusively on cybersecurity and data privacy issues. His clients span industries such as banking, healthcare, manufacturing, high-tech, and energy. Patrick helps clients navigate complex and novel regulatory compliance issues associated with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), Health Insurance Portability and Accountability Act (HIPAA), Freedom of Information Act (FOIA), and other information technology laws and frameworks.

Patrick’s credentials in the field of cybersecurity and data privacy law are extensive. He is a Certified Information Privacy Professional in both U.S. and European law (CIPP/US & CIPP/E) by the International Association of Privacy Professionals (IAPP), which is accredited by the American Bar Association. Most recently, Patrick was designated as a Fellow of Information Privacy (FIP) and a Privacy Law Specialist (PLS) by the IAPP.

Patrick received his undergraduate degree from Old Dominion University and his law degree from George Mason University School of Law, where he served as Editor-in-Chief of the National Security Law Journal.

Agenda

Session I – Understanding Personal Data Rights Under U.S. Consumer Data Privacy Laws | 1:00pm – 2:00pm

  • Basics of statutory data subject rights contained in various state consumer data privacy laws
  • The steps necessary to acknowledge and process a data subject request
  • Important processing timelines that must be followed
  • General strategies/tips for developing a data subject request compliance program

Break | 2:00pm – 2:10pm

Session II – Operationalizing DSAR Compliance: Real-World Scenarios, Risk Management, and Internal Readiness | 2:10pm – 3:10pm

  • What a DSAR really is and isn’t
  • Real-world DSAR scenarios and pitfalls
  • Organizational risk management
  • Enforcement trends and lessons learned
  • Assessing DSAR readiness
  • Designing effective DSAR response protocols