John Pilch is Woods Rogers’ Cybersecurity/Privacy Analyst, bringing to the role more than 20 years of experience in global privacy, data protection, and internal control at two Fortune 500 companies, including 15 years as a team leader or manager. John brings significant practical experience in privacy and cybersecurity to the Woods Rogers team and supports the legal team in an array of matters.

John’s background as a global privacy practitioner includes the following:

  • Leading the privacy function for a company with 50,000 employees across more than 30 countries, serving customers around the world
  • Leading a cross-functional initiative to understand and comply with privacy regulations worldwide, including those in the EU (GDPR), California (CCPA), and Brazil (LGPD)
  • Establishing a Register of Processing Activities (ROPA) by surveying operations, human resources, and IT management at each location to identify systems and vendors used to process personal data
  • Developing a list of existing privacy controls (i.e. “Technical and Organizational Measures”) and confirming with external counsel that these were sufficient to meet regulatory requirements
  • Working with internal and external counsel to establish and operate a Cyber/Privacy Incident Response Plan and responding to numerous incidents. He improved the process for reporting potential incidents, developed related policies and documentation, and contributed to the annual tabletop exercises of the response plan
  • Working with legal and HR professionals to develop and implement the procedure for handling data subject requests. He led internal and external cross-functional teams in completing numerous requests made under GDPR rules
  • Identifying high-risk processing activities and completing Privacy Impact Assessments (PIAs)
  • Supporting the legal and HR departments in developing, reviewing, translating, and distributing the Employee Privacy Notice and Acceptable Use Policy to EU employees as required in each country
  • Providing privacy input into the design of COVID-19 health assessment and event-tracking processes, including the use of digital thermometers

Before his work in privacy, John developed, implemented, and led programs to ensure compliance with the IT-oriented requirements of the Sarbanes-Oxley Act (SOX). His work included:

  • Performing reviews of modern ERP systems (SAP, JD Edwards), older legacy systems, and even “homegrown” applications
  • Proposing, evaluating, and ensuring completion of corrective actions as needed
  • Leading the implementation of the SAP Governance Risk and Compliance system, a suite of tools used to improve logical access and separation of duties controls around the SAP ERP system
  • In all of these activities, coordinating efforts with Internal Audit, the business-side SOX audit team, and external auditors

John is a Certified Information Systems Security Professional (CISSP) and a Certified Information Privacy Professional for the U.S. and Europe (CIPP/US, E).

Thought Leadership

Virginia: CDPA requirements for data controllers | OneTrust DataGuidance | January 4, 2022

Virginia: The CDPA Work Group’s final recommendations | OneTrust DataGuidance | November 23, 2021

Virginia – Cookies & Similar Technologies | OneTrust DataGuidance | September 30, 2021

Virginia: CDPA Requirements and Vendors | OneTrust DataGuidance | April 29, 2021

Virginia: Assessment Requirements Under the CDPA | OneTrust DataGuidance | April 19, 2021

International: Comparing Virginia’s CDPA with the CPRA and the GDPR | OneTrust DataGuidance | February 2021

Speaking Engagements

  • OneTrust | Virginia CDPA Lands: What You Need To Know
    March 4, 2021