Samuel Grogan

Sam advises clients on a wide range of complex global data privacy and cybersecurity matters, including with respect to emerging requirements in the US, the EU, and China.

Sam has deep experience drafting privacy and data security policies and procedures in compliance with applicable laws, and counseling clients to navigate and comply with state, federal, and international privacy laws, including the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR), and China’s Personal Information Protection Law (PIPL). Sam works with clients to revise online privacy notices, implement processes to respond to consumer rights requests, negotiate privacy terms in vendor contracts, and prepare for and respond to cybersecurity incidents. In addition, Sam has experience in advising businesses on legal issues related to cutting-edge technologies, such as artificial intelligence (AI) and machine learning, biometrics, the metaverse, and smart cities.

Sam is an IAPP Certified Information Privacy Professional and Manager (CIPP/US, CIPP/E, CIPP/C, CIPP/A, CIPM). He is also a principal of Hunton Andrews Kurth’s Centre for Information Policy Leadership (CIPL), a global privacy and data policy think tank, and has written over 100 CIPL white papers on data protection issues.

During law school, Sam worked with the Stanford Center for Internet & Society and Penn Law’s Center for Technology, Innovation and Competition, and undertook internships with the privacy office of Shell Oil as well as with Matheson, one of Ireland’s leading law firms.

Relevant Experience

  • Advises clients on compliance with state privacy law requirements, including the CCPA of 2018, the California Privacy Rights Act of 2020, and other emerging comprehensive state privacy laws, including conducting due diligence, preparing gap analyses, developing remediation plans, and undertaking compliance projects.
  • Assists clients in evaluating AI-related legal risks associated with the onboarding, development, and deployment of AI applications and tools, as well as with creating AI policies and building AI governance programs.
  • Guides companies in developing and managing global privacy programs, including assessing global legal requirements and developing compliance roadmaps, conducting Data Protection Impact Assessments, implementing governance structures, designing policies and procedures, and creating training programs.
  • Counsels clients on their international data transfer strategies, including requirements to certify to the Data Privacy Framework (DPF), implement standard contractual clauses, and conduct PIPL data transfer security assessments.
  • Advises a luxury retailer on global privacy and security issues and compliance with global data privacy requirements, including US state privacy laws, the EU GDPR, China PIPL, and global marketing rules, and advises the company on its privacy policies, vendor contract negotiations, and cybersecurity issues.
  • Assists clients with managing and responding to global security incidents, including compliance with breach notification requirements and responding to regulatory inquiries.
