Camila assists clients with privacy and data security compliance, artificial intelligence (AI) governance and information governance. As director of Shook’s Privacy Compliance and AI Governance Task Forces, Camila leverages her in-depth knowledge of data protection regulations worldwide to counsel clients on the compliant handling of personal data in a way that moves business forward.
With reputation and confidential information at stake, companies need a trusted advisor who has experience understanding the differing requirements of multiple jurisdictions and integrating them into a seamless privacy program. Camila’s experience working proactively with clients to streamline privacy practices and develop creative solutions to embed privacy awareness into an organization’s procedures, together with her commitment to client service, positions her well to advise companies navigating the complexities of U.S. state and federal and international data protection requirements. Camila also helps clients assess privacy and cybersecurity risk and proactively implement mitigating measures, and regularly advises companies of all sizes and in multiple industries on AI governance, helping develop policies, principles, and procedures for responsible use of the technology and on information governance, data classification and data retention issues.
Camila has achieved the Privacy Law Specialist (PLS) designation and has been certified as a Fellow of Information Privacy (FIP) by the International Association of Privacy Professionals (IAPP), demonstrative of her comprehensive knowledge of privacy laws, privacy program management and essential data protection practices. She has also been certified as an Information Privacy Professional in European Law (CIPP/E) and U.S. Law (CIPP/US) as well as Information Privacy Manager (CIPM). She speaks regularly on data protection and cybersecurity issues at various events, including those hosted by the IAPP, the Association of Corporate Counsel and the American Bar Association.
Representative Matters
Privacy and Data Security Compliance
Camila has helped companies on their path to compliance with various comprehensive privacy laws, including the California Consumer Privacy Act and other U.S. state privacy laws, the EU’s General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and Brazil’s LGPD. This includes not only advising on the applicability and main requirements of the law, but also drafting policies and developing procedures to ensure compliance going forward. She helps companies with addressing information governance, data mapping, preparing a record of processing activities, updating incident response procedures, drafting and negotiating vendor agreements, drafting privacy notices, implementing data transfer mechanisms, and conducting training and awareness. As a fluent Spanish speaker, Camila is able to draft and review policies, notices and agreements, and conduct training relating to the processing of customer and employee data throughout the Americas region.
Camila’s ability to represent clients is bolstered by her in-house experience on secondment to Fortune 50 companies in the life sciences and CPG industries as well as with a North American retailer, a Silicon Valley fintech firm, and a global financial services company.
- Developing GDPR, PIPEDA, Quebec, and LGPD compliance programs for companies in the e-commerce, retail, financial services, life sciences, hospitality, education and adtech industries, including drafting policies, data subject consent forms and data processing agreements, as well as developing procedures for handling data subject requests and responding to information security incidents;
- Advising on the uplift of privacy compliance operations to meet new and expanded legal requirements in California, Colorado, Virginia, Utah and Connecticut as well as other U.S. state privacy laws, including working on adtech and website compliance issues;
- Conducting fact-finding, performing legal assessments, and drafting policies and guidelines for HR data activities, including analytics and AI use as well as other sensitive data handling activities such as automated decision-making and profiling;
- Advising on third-party risk management, including drafting data processing agreements for use with controller-customers or processor-vendors, including preparing playbooks;
- Assisting clients with developing and implementing enterprise-wide risk assessment processes including creating a risk methodology, drafting questionnaires, identifying stakeholders, preparing a plan for execution, conducting the assessments and analyzing potential risks to develop risk mitigation plans;
- Advising on data integration following M&A deals, including issues of consent for new uses of data;
- Preparing incident response plans for a variety of organizations from midsize to multinational; and
- Assisting with responding to data security incidents and conducting breach notification in multiple jurisdictions.
AI Governance and Information Governance
Camila leverages her in-house experience to help companies build and scale governance frameworks for appropriate data management. She works with multi-stakeholder teams, including legal, privacy, HR, product, and IT teams on data lifecycle issues, including collection, use, and disposal. Camila believes that compliance is a tool, rather than an obstacle, that helps companies effectively meet objectives while maintaining information integrity and confidentiality.
- Leading AI working groups to conduct discovery of AI uses, identify risks of adopting the technology internally or as part of a SaaS product, tracking legislative developments, and drafting internal policies, procedures, and FAQs;
- Advising on the implementation of AI self-governance frameworks, including the NIST framework; and
- Assisting clients with data minimization, including updating records retention policies, developing specific policies for personal data use cases, and implementing both manual and automated data deletion practices.
Publications and Presentations
Presenter, AI, Ethics, and the Practice of Law, The Florida Bar, September 25, 2024.
Co-Presenter, Current State of AI, Update of the Law CLE Webinar, June 6, 2024.
Presenter, Emerging Trends in the Digital Space: Practical Risk Management for Increasing and Evolving Litigation and Enforcement Threats, ACC Colorado In-House Counsel Forum, May 2, 2024.
Panelist, Safety First: Ethical Duties When Using Generative AI, ABA Motor Vehicle Product Liability Litigation Conference, April 11, 2024.
Author, Significant Regulatory Developments In 2023 In Artificial Intelligence, Mealey’s Litigation Report: Artificial Intelligence, February 2024.
Co-Presenter, Trends in Global Data Privacy Laws and Enforcement, ALM Legalweek, January 30, 2024.
Panelist, The Ethics of Using Generative AI When Practicing Law, American Bar Association AI & Robotics National Institute, October 10, 2023.
Panelist, Doing More with Less, International Association of Privacy Professionals Privacy.Security.Risk conference, October 6, 2023.
Panelist, AI and Privacy, International Association of Privacy Professionals San Diego KnowledgeNet Chapter, September 27, 2023.
Presenter, To Chat(GPT) or Not To, Association of Corporate Counsel Colorado webinar, August 2, 2023.
Panelist, The Pulse on Privacy and Data Security, Thomson Reuters webinar, June 2023.
Presenter, Responsible AI and Why It Matters, Association of Corporate Counsel Colorado, September 7, 2023.
Co-Presenter, Emerging Trends in Technology & Data Privacy + Building a Responsible AI Framework, Update of the Law CLE webinar, June 8, 2023.
Panelist, AI and Ethical Technology, International Association of Privacy Professionals Privacy Bar Section Forum, April 3, 2023.
Co-Presenter, Artificial Intelligence and Ethics: What You Need to Know and What You Should Be Thinking About, ACC Colorado Annual Ethics Day, December 1, 2022.
Panelist, Practice, Practice, Practice: What Attorneys Need to Know About AI, Robotics, and Ethical Obligations, ABA’s 2022 Artificial Intelligence and Robotics Virtual National Institute, October 11, 2022.
Panelist, International Privacy Law Update and U.S. Federal Privacy Law Update, Rocky Mountain Information Security Conference Privacy Forum, September 21, 2022.
Moderator, Analyzing How the Latest Tech and AI Innovations Are Transforming the Life Sciences Industry and Your Role in It, Women Leaders in Life Sciences Law, July 27, 2022.
Presenter, Data Protection Issues in M&A, Colorado Bar Association’s 20th Annual Rocky Mountain Intellectual Property and Technology Institute, June 3, 2022
Panelist, Tidal Wave Approaching: The Accelerating Trend of Comprehensive Privacy Laws, Shook, Hardy & Bacon Update of the Law, June 2, 2022.
Presenter, Ethics and the Connected Lawyer, Practicing Law Institute 23rd Annual Institute on Privacy and Cybersecurity Law, May 24, 2022.
Panelist, Real World Evidence v. Privacy, Philadelphia Association of Corporate Counsel In-house Counsel Conference, May 4, 2022.
Presenter, Colorado Privacy Act Lunch and Learn, Innovative Discovery and the Colorado Technology Association, September 23, 2021.
Panelist, Legal and Risk Management Issues Relating to Governance of Mobility Data, 60th Annual Workshop on Transportation Law, Transportation Research Board, September 14, 2021.
Panelist, Privacy, Microtransit and Micromobility, American Public Transportation Association Legal Affairs Seminar, June 16, 2021.
Panelist, U.S. Privacy Law Updates, Colorado Bar Association’s 19th Annual Rocky Mountain Intellectual Property and Technology Institute, June 4, 2021.
Presenter, Colorado Privacy Act Update, Colorado Technology Association Technology Affairs Council, May 27, 2021.
Panelist, U.S. State and EU Privacy Developments, University of Denver Sturm College of Law Privacy Seminar, April 30, 2021.
Author, Toward a Patchwork of State Privacy Regulations: Recommendations for Colorado Businesses, Law Week Colorado, April 26, 2021.
Panelist, The Balancing Act of Data Privacy in 2021, Sirius Communications Webinar, April 27, 2021.
Presenter, Colorado Privacy Act, Davis Graham & Stubbs Webinar, April 13, 2021.
Presenter, U.S. State Privacy and Data Security Laws: An Overview, Rocky Mountain Mineral Law Foundation, April 7, 2021.
Presenter, Colorado Privacy Act Overview, Colorado Technology Association Technology Affairs Council, March 25, 2021.
Panelist, LATAM Data Privacy Roundup: Harmonising Compliance Across the Region, PrivSec Global, March 23, 2021.
Author, Colorado Privacy Act Introduced, DGS Legal Alert, March 19, 2021.
Panelist, Vendor Risk Management: Best Practices and Impact of Schrems II, IAPP Denver KnowledgeNet, December 15, 2020.
Contributor, IAPP Latin America Dashboard Digest, December 8, 2020.
Panelist, Top Tech Policy Debates, Colorado Bar Association Webinar, December 3, 2020.
Panelist, Policy Issues in Emerging Technologies Affecting Colorado Businesses, Denver Metro Chamber of Commerce Public Policy Affairs Council, October 29, 2020.
Panelist, Top Tech Policy Debates, Davis Graham & Stubbs webinar, October 21, 2020.
Panelist, Data Privacy and Employment Law, Davis Graham & Stubbs webinar, September 23, 2020.
Moderator, Data Privacy, Cybersecurity, Technology, Ethics and Business Lawyers, Colorado Bar Association’s Business Law Institute, September 8, 2020.
Panelist, COVID-19 Impacts on Colorado Businesses, Davis Graham & Stubbs Webinar, August 25, 2020.
Panelist, 2020 Data Privacy Update, Colorado Bar Association’s 18th Annual Rocky Mountain Intellectual Property and Technology Institute, August 6, 2020.
Author, Privacy Implications of Open Banking, Davis Graham & Stubbs, July 2020.
Panelist, How to Maximize Your 2020 Legal Budget in Privacy, IP, and Licensing Contracts, Davis Graham & Stubbs webinar, July 21, 2020.
Author, Privacy Shield Invalidated by the Court of Justice of the European Union, Davis Graham & Stubbs Legal Alert, July 17, 2020.
Panelist, Early Lessons for Asset Managers from COVID-19, Davis Graham & Stubbs webinar, July 14, 2020.
Co-Author, Pandemic v. Privacy: Implications of Social Distancing and Contact-Tracing Technologies, Law Week Colorado, April 27, 2020.
Panelist, How Does the Pandemic Challenge Privacy-Smart Companies, Davis Graham & Stubbs/Boundree Webinar, April 16, 2020.
Panelist, DGS COVID-19 Town Hall, Webinar Series, April 9, 2020.
Panelist, ADA Website Compliance, Association of Corporate Counsel Speaker Series, February 20, 2020.
Panelist, Privacy Law Update, Davis Graham & Stubbs Public Company Update, January 14, 2020.
Panelist, Cybersecurity Resilience and Best Practices for Fraud Prevention, by The Denver CFO Leadership Council, December 5, 2019.
Panelist, CCPA: Updates and Top 10 Things Companies Should Focus on to Comply, IAPP KnowledgeNet Meeting, November 20, 2019.
Panelist, Cybersecurity, Risk Compliance & Insurance Trends, Davis Graham & Stubbs Seminar, October 17, 2019.
Panelist, Data Security for Law Firms, IAPP Privacy.Security.Risk Conference, Las Vegas, Nevada, September 24, 2019.
Presenter, Consumer Privacy Overview, Colorado Technology Association’s Tech Affairs Council, July 25, 2019.
Panelist, AI and Machine Learning: What is Big Data? Colorado Bar Association’s 17th Annual Rocky Mountain Intellectual Property and Technology Institute, May 30, 2019.
Moderator, Will Colorado’s Innovative Approach to Blockchain Play Nationally? Hispanics in Technology, May 20, 2019.
Panelist, Privacy & Data Security Updates, Davis Graham & Stubbs Seminar, May 15, 2019.
Co-Author, California Consumer Privacy Act: A Comprehensive Review, Information Law Journal, Winter 2019 (with Al Saikali and Steve Vieux).
Webinar, Navigating Lei Geral de Proteção de Dados Pessoais: Brazil’s New General Data Privacy Law, (with Al Saikali and Marina Lima Silviera de Souza), November 2018.
Presenter, Privacy by Design Starts Here: Assessing Privacy Risk Under the GDPR, IAPP Privacy.Security.Risk Conference, Austin, Texas, October 18, 2018.
Webinar, Privacy by Design Starts Here: Assessing Privacy Risk Under the GDPR, IAPP, October 16, 2018.
Presenter, Privacy and Data Security - How to Identify and Avoid Traps for the Unwary, ACC Tampa, July 19, 2018.
Panelist, Breach Notification Under the GDPR, ABA Third National Institute on Cybersecurity Law, June 21, 2018.
Panelist, The Legal and Ethical Risks of Privacy and Data Security Traps, Update of the Law CLE, Kansas City, Missouri, June 14, 2018 (with Alfred Saikali, Eric Boos, Patrick Castle, Bill Sampson, and Colman McCarthy).
Presenter, What In-House Counsel Needs to Know About the GDPR and Other Privacy & Data Security Developments, ACC South Florida Chapter, May 9, 2018.
Moderator, Data Breach Response: Tips from the Trenches, IAPP Europe Data Protection Intensive, London, England, April 19, 2018.
Presenter, Biometric Information Privacy Overview, ACC Colorado, Denver, Colorado, April 11, 2018.
Co-Presenter, GDPR: What Litigators Should Know, ABA Webinar, March 8, 2018 (with Melia Archie and David Manek).
Panelist, Money for Nothing: Preventing and Defending Class Actions Seeking Statutory Damages for Technical Violations of the Law, Association of Corporate Counsel, Chicago, Illinois, January, 24, 2018 (with Patrick Castle, Matt Wolfe, and Anna S. Knight).
Panelist, The GDPR is Upon Us: Prioritize Your Response, Webinar, January 11, 2018.
Co-Presenter, Ethics in the Digital Age, ACC Colorado, Denver, Colorado, December 6, 2017 (with Cory Fisher, Lynn Murray and Wendy Cassity).
Co-Presenter, Privacy Goes Global, Update of the Law CLE, June 22, 2017 (with Bill Sampson).
Panelist, What A Fine Mess: Avoiding the Privacy and Cybersecurity Regulators' Crosshairs, Minority Corporate Counsel Association Global TEC Forum, June 20, 2017.
Co-Presenter, Will New Regulations Make It More Difficult to Comply with Data Protection Requirements?, Association of Corporate Counsel (ACC) In-House Counsel Forum, April 2017
Co-Presenter, International Privacy Law Bootcamp and Updates on EU Privacy Law, Third Annual South Florida Privacy and Data Security Summit, October 2016
Author, European Commission Adopts EU-U.S. Privacy Shield for Transatlantic Data Flows, Shook, Hardy & Bacon Client Alert, July 2016
Co-Presenter, A Compliance Toolbox to Minimize Privacy and Data Security Risks, ACC Colorado, June 2016
Co-Presenter, Recent Developments in EU Privacy Law, Rocky Mountain IP Institute, June 2016
Co-Presenter, Changes Impacting US Business: UK Insurance and EU Data Protection, Shook, Hardy & Bacon Webinar, April 2016.
Co-Presenter, Riding the Wave of Change in EU Privacy Law, ACI Data Breach & Privacy Litigation and Enforcement Conference, March 2016.
Co-Presenter, The New EU General Data Protection Regulation, IAPP KnowledgeNet Meeting, March 2016.
Presenter, EU-U.S. Privacy Shield, Shook, Hardy & Bacon Conversations in Privacy, February 2016.
Co-Presenter, Legal Issues in Privacy for the Hospitality Industry, Hospitality eResources Privacy & Data Security Bootcamp, January 2016.
Co-Presenter, Schrems and the Safe Harbor Framework: What’s Next?, IAPP KnowledgeNet Meeting, December 2015
Author, European Court of Justice Invalidates the U.S.-EU Safe Harbor Framework for Transfers of Personal Data, Shook, Hardy & Bacon Client Alert, October 2015
Co-Presenter, Mining Customer Data & Minimizing Privacy and Data Security Risks, Association of Corporate Counsel (ACC), October 2015
Presenter, Privacy Law in Latin America: Trends and Hot Topics, Latin American Corporate Counsel Association (LACCA) Meeting, September 2015
Co-Presenter, Data Protection and Employee Monitoring: Developments in Latin America, Global Employment Law & Litigation, Trends for the Multinational Corporations, September 2015
Co-Presenter, International Issues in Privacy and Data Security, Sedona Conference Working Group 11 on Privacy and Data Security mid-year meeting, June 2015
Co-Presenter, Responding Like a Pro: A Mock Data Breach Response, Denver Litigation Roundtable, June 2015
Presenter, Understanding the EU “Cookie Directive,” Rocky Mountain IP Institute, June 2015
Co-Presenter, Industry-Specific International Privacy Issues for Multi-National Companies, South Florida Data Privacy and Data Security Law Summit, March 2015
Co-Presenter, International Data Security Legal Risks for Financial Institutions, Florida International Bankers Association, March 2015
Author, Data Privacy Laws in Latin America: An Overview, American Bar Association International Law News, Spring 2015
Co-Presenter, Emerging Data Privacy Issues: What Corporate Counsel Needs to Know, Association of Corporate Counsel (ACC), September 2014
Presenter, An Overview of Latin America Data Privacy Law, South Florida Data Privacy and Data Security Law Summit, June 2014
Co-Author, Mexico’s Class Action Law: An Overview, Defense Research Institute (DRI), Summer 2013
Media
Art Law, a Unique Practice at the Intersection of Law and Creativity, Law Week Colorado, November 5, 2024.
Utah Sets New Floor In Joining Consumer Privacy Law Fray, Law360, March 29, 2022.
Colorado Is the Third State to Pass a Consumer Data Privacy Bill. Now What? Colorado Sun, June 17, 2021.
Data Privacy Bill Could Affect Consumer-Facing Companies Across Colorado, Denver Business Journal, April 9, 2021.
Countdown Begins for California’s New Privacy Law, Law Week Colorado, December 14, 2020.
Viva a Revolução? Brazil’s New Data Protection Regime, PrivSec Global, October 12, 2020.
Navigating Business Responsibilities and Consumer Consent, Law Week Colorado, May 27, 2019.
Congress Makes New Attempt at Data Privacy Legislation, Law Week Colorado, December 3, 2018.
The GDPR Effect - Lawyers Help Companies Prepare for 2018's Biggest Task in Cybersecurity Law, Law Week Colorado, May 28, 2018.
Symbiosis Through Secondment, Law Week Colorado, January 25, 2017.
Multimedia
BIZLIT | TODAY: Tips for Developing an AI Framework, American Lawyer Media, June 19, 2023.
BIZLIT | TODAY: Biometric Litigation, American Lawyer Media, May 22, 2023.
Camila’s representative experience includes:
- Developing a GDPR compliance program for the clinical trial arm of a pharmaceutical company, including drafting policies, data subject consent forms, and data processing agreements, as well as developing procedures for handling data subject requests and responding to information security incidents;
- Advising two financial software companies on issues relating to the GDPR for the processing of customer and employee data;
- Assisting a marketing company with implementing GDPR-compliant policies and procedures, including updating notices, preparing controller-to-processor and processor-to-subprocessor contract templates, advising on handling data subject access requests and advising on responding to information security questionnaires;
- Assisting a financial services provider with employees and franchisees in the EU on the implementation of a GDPR compliance program, including preparing policies, updating notices and working on technological solutions to streamline compliance practices;
- Advising a multinational consumer-goods manufacturer on implementing a consent-based program for collecting and processing a subset of company data.
- Advising an e-commerce company on website policies;
- Advising two insurance companies on GDPR contract issues, including negotiating data protection terms with customers and vendors;
- Advising a pharmaceutical company on the specific requirements for the collection and handling of biometric data of employees;
- Preparing global contract templates for a multinational medical device firm, including joint controller, controller-to-processor, and processor-to-subprocessor agreements.
- Assisting a technology company with implementation of a GDPR compliance framework for handling employee data;
- Assisting a U.S.-based retailer with obtaining Privacy Shield certification;
- Advising multiple entities on the appropriate implementation of Standard Contractual Clauses for the transfer of personal data outside the EU/EEA;
- Advising on compliance with the ePrivacy directive.
Privacy and Data Security Compliance
Camila also helps clients proactively address requirements for privacy and data security legislation in the U.S., Latin America, and Canada. As a fluent Spanish speaker, Camila is able to draft and review policies, notices and agreements relating to the processing of customer and employee data throughout the region. Camila also has a unique perspective on privacy and data security compliance, after having spent seven months in-house on secondment to a life sciences company developing and implementing policies and procedures to streamline their U.S.-based privacy program. Camila believes that privacy compliance is a tool, rather than an obstacle, that helps companies effectively meet objectives while maintaining information integrity and confidentiality.
Camila’s experience in this area includes:
- Assisting a consumer goods manufacturer with developing and implementing an enterprise-wide risk assessment process. This work includes creating a risk methodology, drafting questionnaires, identifying stakeholders, preparing a plan for execution, conducting the assessments and analyzing potential risks to develop risk mitigation plans;
- Developing a semi-automated risk assessment process for a multinational company by creating templates and establishing risk assessment guidelines;
- Advising a company in the food and beverage industry on data protection issues associated with a market research project, including advising on risk mitigation through contractual arrangements and transparency measures;
- Advising a pharmaceutical company on the processing and transfer of employee data from a Mexican subsidiary, including drafting privacy notices in Spanish;
- Assisting an equipment manufacturer with preparing a Spanish-language privacy notice for consumers in Mexico;
- Assisting a U.S. retailer with negotiating data processing agreements with a vendor in the Dominican Republic;
- Advising a multinational retailer on the handling of biometric information for employees in Canada;
- Preparing incident response plans for a variety of organizations from midsize to multinational;
- Assisting with responding to data security incidents and conducting breach notification in multiple jurisdictions;
- Advising on the implementation of a compliance program to address the requirements of Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) and the new California Consumer Privacy Act.
Other international matters
Camila has also advised clients on other types of matters with an international focus, ranging from dispute resolution to public policy to commercial transactions. Her experience includes:
- Serving as coordinating counsel for the defense of products liability litigation in Latin America;
- Assisting with claims filed before consumer protection agencies relating to the disparate treatment of consumers based on geolocation;
- Advising on public policy issues and legislative trends throughout the region;
- Drafting and negotiating commercial agreements relating to transactions in several countries in Latin America and the Caribbean, while on secondment to the Latin American in-house legal department of a Fortune 50 company.