John Pilch is Woods Rogers’ Cybersecurity/Privacy Analyst, bringing to the role more than 20 years of experience in global privacy, data protection, and internal control at two Fortune 500 companies, including 15 years as a team leader or manager. John brings significant practical experience in privacy and cybersecurity to the Woods Rogers team and supports the legal team in an array of matters.
John’s background as a global privacy practitioner includes the following:
- Leading the privacy function for a company with 50,000 employees across more than 30 countries, serving customers around the world
- Leading a cross-functional initiative to understand and comply with privacy regulations worldwide, including those in the EU (GDPR), California (CCPA), and Brazil (LGPD)
- Establishing a Register of Processing Activities (ROPA) by surveying operations, human resources, and IT management at each location to identify systems and vendors used to process personal data
- Developing a list of existing privacy controls (i.e., “Technical and Organizational Measures”) and confirming with external counsel that these were sufficient to meet regulatory requirements
- Working with internal and external counsel to establish and operate a Cyber/Privacy Incident Response Plan and responding to numerous incidents. He improved the process for reporting potential incidents, developed related policies and documentation, and contributed to the annual tabletop exercises of the response plan
- Working with legal and HR professionals to develop and implement the procedure for handling data subject requests. He led internal and external cross-functional teams in completing numerous requests made under GDPR rules
- Identifying high-risk processing activities and completing Privacy Impact Assessments (PIAs)
- Supporting the legal and HR departments in developing, reviewing, translating, and distributing the Employee Privacy Notice and Acceptable Use Policy to EU employees as required in each country
- Providing privacy input into the design of a COVID-19 health assessment and events tracking processes, including the use of digital thermometers
Before his work in privacy, John developed, implemented, and led programs to ensure compliance with the IT-oriented requirements of the Sarbanes-Oxley Act (SOX). His work included:
- Performing reviews of modern ERP systems (SAP, JD Edwards), older legacy systems, and even “homegrown” applications
- Proposing, evaluating, and ensuring completion of corrective actions as needed
- Leading the implementation of the SAP Governance Risk and Compliance system, a suite of tools used to improve logical access and separation of duties controls around the SAP ERP system
- In all of these activities, coordinating efforts with Internal Audit, the business-side SOX audit team, and external auditors
John is a Certified Information Systems Security Professional (CISSP) and a Certified Information Privacy Professional for the U.S. and Europe (CIPP/US, E).
Thought Leadership
Virginia: CDPA requirements for data controllers | OneTrust DataGuidance | January 4, 2022
Virginia: The CDPA Work Group’s final recommendations | OneTrust DataGuidance | November 23, 2021
Virginia – Cookies & Similar Technologies | OneTrust DataGuidance | September 30, 2021
Virginia: CDPA Requirements and Vendors | OneTrust DataGuidance | April 29, 2021
Virginia: Assessment Requirements Under the CDPA | OneTrust DataGuidance | April 19, 2021
International: Comparing Virginia’s CDPA with the CPRA and the GDPR | OneTrust DataGuidance | February 2021
Attorney Perspectives
- Meta Fined €1.2 Billion in Facebook Data Privacy Case: Should US Companies Be Concerned? | May 23, 2023
Featured Posts
- Reviewing Online Tracking Technologies Could Keep HIPAA-Regulated Entities Out of Hot Water | March 8, 2023
- Internal Inferences Must Be Disclosed to Consumers Under CCPA | April 15, 2022
- Banks Will Have 36 Hours to Report Cyberattacks Under New Rule | January 12, 2022
- Before the Breach: Time to Get Serious About Cyber Resilience | June 15, 2021
- Governor Signs Virginia Consumer Data Protection Act | March 3, 2021
Speaking Engagements
- OneTrust | Virginia CDPA Lands: What You Need To Know | March 4, 2021