About the Course
Introduction
This CLE webinar will discuss data risk assessment requirements and risks under U.S. data privacy laws. The panel will walk through the completion of various aspects of a privacy risk assessment and provide helpful tips and resources for making assessments more efficient and effective.
Description
Many state privacy laws require, or will soon require, companies to carry out assessments—referred to as data protection assessments, risk assessments, or DPIAs. These requirements extend to "high risk" activities or those that involve a "heightened risk of harm," including, in most cases, targeted advertising, sale of personal information (PI), and processing sensitive data, among many other things.
Risk assessments generally should include: a summary of the processing activity, a description of the personal data involved, the context and purpose of processing the data, a risk-benefit analysis, measures taken to mitigate risks, and identification of external and internal actors involved in processing the data. Some states have very specific additional requirements enumerated by law that must also be included in a risk assessment. Thus, it is imperative that each state's specific laws are reviewed before conducting and completing a risk assessment.
The assessment documentation must be available for review by regulators, and some states, including California, currently require or will soon require risk assessments (or summaries thereof) to be filed with the state and updated within prescribed timeframes. This means that companies subject to the applicable state privacy laws need to develop or refine their data inventory and assessment practices as a top priority in 2026 to be prepared for state enforcement of these requirements.
Listen as our authoritative panel of privacy experts reviews the current state laws governing privacy assessment requirements and risks and provides guidance to assist clients in developing risk assessment protocols and policies that address the nuanced requirements of the various state laws.
Presented By
Mr. Friel is a thought leader in digital media, intellectual property, data privacy and protection, and consumer protection law, with over three decades of relevant experience to address the intersection of law and technology.
Having served as a general counsel for several years in the late 1990s before returning to private practice, he has the necessary expertise to advise clients on making practical and informed business decisions and help companies and entrepreneurs navigate the complex opportunities created by disruptive technology. With his in-house and private practice experience, Mr. Friel assists clients with creating data inventories, and information governance and data privacy and security programs. He has been helping shape law and public policy regarding digital media since he was the Sherwood Shafer Fellow at the American Civil Liberties Union from 1992-1994, addressing the potential benefits and risks of the then emerging Internet, and has made the evolution of data technologies, and corresponding regulation, the focus of his legal practice.
Mr. Kim leverages a diverse range of experiences in data privacy, cybersecurity and artificial intelligence (AI), as well as technology, corporate and commercial transactions, to provide his clients with holistic, innovative and pragmatic solutions to their compliance needs and complex legal issues. He works with clients across varying industries, including financial institutions, health and insurance providers, business-to-business (B2B) and business-to-consumer (B2C) technology providers, retail and e-commerce businesses, marketers, publishers and AdTech intermediaries, schools and universities, and critical infrastructure and government contractors. Mr. Kim focuses his practice on advising clients on cutting-edge data privacy, security and consumer protection issues. He frequently helps clients comply with US federal and state privacy laws, including by developing, evaluating and enhancing their data privacy and compliance programs. Mr. Kim also has extensive experience in conducting diligence and negotiating transactions in the data privacy, IT, AI and cybersecurity context. In addition, he assists clients in assessing and managing cybersecurity risks, including by advising on cybersecurity preparedness activities and incident response. Mr. Kim also maintains a robust pro bono practice and dedicates his pro bono efforts to help veterans, small businesses and nonprofits, and other clients needing legal services.
Ms. Yushchak has over 20 years of experience in technology and litigation consulting, including compliance consulting relating to EU privacy and data protection laws (including, but not limited to, the GDPR), e-discovery and litigation support, cyber breach, change management, and information governance.
-
This 90-minute webinar is eligible in most states for 1.5 CLE credits.
-
Date + Time
- event
Wednesday, February 25, 2026
- schedule
1:00 PM E.T.
I. Overview: What is a data risk assessment, and what is its purpose
II. Determining when a data risk assessment is required or advisable under state consumer privacy laws
III. Key elements of a data risk assessment
IV. Timeframe for conducting and documenting a risk assessment
V. Updating and maintaining risk assessments
VI. Requirements for filing or disclosing assessments with state regulators
VII. Preparing for California audit requirements
VIII. Tools and resources available to operationalize risk assessments for greater efficiency and effectiveness
IX. Practitioner pointers and key takeaways
The panel will discuss these and other key considerations:
- When is a risk assessment required or advisable in most states?
- What information is required to be included in a risk assessment?
- When must risk assessments be conducted and updated, and how long should they be maintained?
- What are the requirements for filing or disclosing risk assessments to state regulators?
- What resources and tools are available to operationalize risk assessments for greater efficiency and effectiveness?
