Marcus Desouza

Data Privacy and GDPR Expert (CIPP/E and CISSP)

€463/day
London, GB
3-7 years

Average response time: 1 hour

About Marcus

I am a data protection and information security specialist holding both CIPP/E and CISSP certifications. I aim to help organisations understand the interrelation between data protection and information security, and develop strategies and frameworks to maintain compliance with applicable data protection laws.

I also seek to demonstrate to organisations how they can leverage a robust data protection and information security programme to cultivate value and differentiate themselves from competitors in the market.

My preference for a working environment is remote; however, I'm open to on-site opportunities where necessary.
  • English

    Native or bilingual

Remote only
Primarily works remotely

Experience

  • Sophos Limited
    Senior Data Privacy Paralegal
    March 2025 - Today (1 year and 3 months)
    • Act as lead privacy legal support in a fast-paced cybersecurity environment, ensuring compliance with global data protection legislation and regulation, including GDPR, CCPA/CPRA, emerging U.S. state laws and other jurisdictions. Drafting and negotiating complex DPAs, including cross-border data transfer mechanisms (e.g., SCCs, UK IDTA), in support of SaaS, MSSP, OEM, Distribution and Channel Partner agreements.
    • Providing governance and managing risk for engaging with suppliers and product development of solutions utilising Generative AI.
    • Partner with security engineers and product teams to embed privacy-by-design into products and solutions.
    • Oversee DPIAs for high-risk processing activities related to threat telemetry, user behaviour analytics, and automated incident response systems.
    • Manage regulatory audits and liaise with supervisory authorities regarding compliance inquiries, breach reporting, and data subject rights.
    • Coordinate privacy reviews of internal tools and third-party vendors, integrating privacy risk assessments with the company's broader cybersecurity risk management processes.
    • Design and deliver targeted privacy training to information security, sales, and marketing teams, bridging the gap between legal obligations and technical execution.
    • Contribute to policy development on data retention, encryption, access controls, and secure data sharing in alignment with industry best practices (NIST, ISO 27001, etc.).
  • Brunel University London
    Data Protection Advisor
    March 2023 - June 2023 (3 months)
    • Drafting and reviewing the university's IT policies and processes.
    • Promoting and embedding the data protection strategy, associated policies, and procedures across the university's Professional Services Directorate.
    • Managing data subject rights requests received by the university, ensuring compliance with its legal obligations.
    • Handling the university's personal data incident response procedure, investigating potential breaches, collating evidence to support notification to the UK ICO per the UK GDPR, and ensuring that all breaches, including notification decisions, are recorded and all relevant breaches are notified.
    • Supporting the DPO to manage the privacy compliance programme by supporting data mapping, conducting data protection impact assessments of new projects/services and scoring this against relevant frameworks, and drafting policies and procedural documents for University staff.
    • Ensuring the robustness of all data protection due diligence processes and that they can be applied and enforced within all partnership and supplier contracts that may require the sharing of personal data.
  • HCA International Limited
    Data Protection Advisor
    March 2022 - January 2023 (10 months)
    • Responsible for conducting and managing all the DPIAs initiated by HCA Healthcare UK.
    • Drafting and updating policy documents regarding the formal DPIA process across the entire organisation.
    • Providing GDPR training, with a specific focus on the data protection and security concerns faced within the health industry, to staff across a number of healthcare facilities.
    • Responding to and handling SARs received from patients and former employees.

Education

  • Certified Information Systems Security Professional (CISSP)
    The International Information System Security Certification Consortium
    2025
  • Certified Information Privacy Professional/Europe (CIPP/E)
    International Association of Professionals
    2025

Certifications

  • CIPP/E
    IAPP
    EU Compliance Europe GDPR lawyer
  • CISSP
    The International Information System Security Certification Consortium
    IT-Security Cybersecurity
