How I Contract: Natalya Northrip on Privacy Terms and Data Privacy Agreements
This interview is part of our How I Contract interview series. We talk to lawyers and professionals about how they approach balancing legal risk with business objectives. In this interview, we talked to Natalya Northrip, Associate General Counsel, Privacy, Cybersecurity, and Product at Latch.
Natalya is a senior lawyer "who creates and owns global privacy programs and provides product compliance counseling to software and hardware product and engineering teams."
She also "provides broad support to a variety of corporate functions with go-to-market strategies, commercial matters, data protection agreements, M&A due diligence, and employment matters, including investigations and privacy concerns."
Over the past 6 years, Natalya served as a Chief Privacy Officer at two financial sector companies, as a technology and product counsel for Amazon's Last Mile, and as the head of the privacy and product legal function at Latch, where she currently works.
Challenges in Privacy Contracts
What was your biggest challenge when you started working with contracts? If you could go back in time, but keep all the knowledge and experience you have now, how would you deal with it?
I started my legal career as a litigator.
For years, my exposure to contracts related only to drafting settlement agreements or reading commercial agreements that were in dispute.
When, in 2018, I went in-house as Global Chief Privacy Officer for a global leader in the financial sector, I quickly needed to learn how to translate my privacy law knowledge into contractual data protection terms in the form of Data Protection Agreements (or Data Protection Addendums) (DPAs).
At that time, the EU General Data Protection Regulation (GDPR) took effect and my company had to put in place thousands of DPAs that were mandated by the GDPR and that were somewhat of a new concept to many US companies.
DPAs are contracts for the processing of personal data and they typically accompany a services agreement between two companies, where one typically acts as a data controller and the other as a data processor.
Data controllers determine the purposes of data processing and data processors conduct that data processing on behalf of data controllers.
Fortunately for me, my company at the time had a seasoned commercial counsel who helped me learn the basics of contracts and how MSAs related to DPAs. I have been responsible for DPAs in every other in-house role I've held since then and have now developed a playbook that helps both me and the commercial counsel in ensuring that the MSA and DPA read as a holistic document.
If I could go back in time, I would tell myself to get into the deep end sooner.
While I had the benefit of a strong commercial counsel in my first in-house role who took the primary responsibility for framing my thoughts into contractual language and for negotiating with the other side's counsel while I listened in, I learned the most when I had to do this work myself.
I would also tell myself to develop my playbook sooner.
Changes in Contract Drafting Techniques
How have your contract drafting techniques changed over the years? What did you stop doing? What did you start doing?
In the beginning, I would stick to the script when drafting the DPAs.
In 2018-2020, all my DPA work revolved around EU GDPR requirements, which are quite prescriptive. At the time, there was a lot of upheaval with the EU-US Safe Harbor and the Schrems legal actions in Europe challenging the protection (or rather alleged lack thereof) afforded by the US for personal data transferred from the EU.
This uncertainty affected both intra-company agreements and agreements with customers and vendors.
While certain things were mandated by regulation, additional items, such as indemnification, were inserted into the DPAs by counsel who were trying to give their clients an advantage.
At first, I did not know how to address this, particularly where some of these "add-on" provisions differed from the underlying MSA.
I started looking at DPAs as an integral part of the overall agreement and not as a stand-alone contract.
I also stopped telling the opposing counsel that they couldn't have any terms that were not specifically prescribed by the regulation.
I adopted a more flexible mindset toward achieving a result everyone could be happy with.
Contracting Lessons for My Younger Self
Imagine sharing a contract-related story from your career to inspire or educate your younger self. What would that story be?
I would tell my younger self that contracting requires a different mindset than litigating.
With contracting, the goal is not to maximize the wins at the risk of antagonizing the counter-party but rather to create a beneficial partnership.
I would tell myself that most contracts never end up in litigation and that the worst-case scenarios I may be worried about more than likely will never materialize.
I would also tell myself that my company is counting on me to be practical rather than academic.
I would also tell myself that I should have a repeatable mechanism for the creation of any DPA that ensures a good understanding of:
the business objectives for data processing at issue,
the type of data that will be processed,
the duration of processing,
the desired disposition of data at the end of the relationship.
Key Lessons in Contract Remediation
What’s your biggest lesson learned in contracts?
Many companies are hesitant to invest in contract remediation work when it comes to DPAs.
Since DPAs are a newer concept, the vast majority of older contracts do not have them, but now should be amended to include them.
Depending on the size of the company and the number of contracts in place, contract remediation can be a labor-intensive process that takes several months or even years and additional resources to complete.
Not doing so, however, could prove to be very costly.
The privacy function in every organization should explain the risks of not going through with remediation and lobby for time and resources to analyze existing contracts and amending, as needed, to strengthen privacy protections.
I learned this lesson the hard way.
One of my previous companies used a variety of outside counsel and typically agreed to law firms' standard engagement letters.
Many such engagement letters, particularly from smaller and mid-size firms, do not adequately protect the client company in case of a data breach.
One such law firm was engaged before my arrival to assist my company with a small matter. A series of unfortunate events ensued, including my company receiving poor advice from the law firm on the search terms and techniques (which resulted in a vastly broader set of personal data being transferred to the law firm than the needs of litigation required) and the law firm's partner then transferring that data to a personal unencrypted hard drive and losing it in a public place.
This resulted in a large and very expensive data breach.
Not surprisingly, the engagement letter did not contain clear terms that would place specific data protection responsibilities on the law firm and did not provide for recourse in case of a data breach.
The law firm refused to accept any financial responsibility, forcing litigation.
Having gone through this experience, my company overhauled its outside counsel engagement procedures to ensure that its interests are adequately protected in case of a personal data breach both for existing and future law firm engagements.
Avoiding Common Mistakes in Privacy Agreements
What mistakes should contract lawyers and professionals avoid when working with contracts? How would you avoid them?
I often see contracts that do not discuss data retention both during the term of the contract and at termination.
When there is no discussion of data retention during the life of the contract, it becomes unclear whether the data retention schedule of the data controller or the data processor applies.
For instance, you engage a customer service vendor and your data retention schedule requires you to retain customer service records for 4 years, as this satisfies your contractual and regulatory obligations. If you do not require your customer service vendor to keep your data in a personalized format for 4 years, your vendor might depersonalize this data in accordance with their own retention schedule that says that all customer service records will be depersonalized after 2 years.
If that happens and you need data in year 3, you are out of luck.
With termination, you want to include a provision that calls for the deletion (or anonymization) of personal data after a reasonable time (e.g., 30-60 days) after the end of the relationship.
Some lawyers like to say "return or delete," but in the digital world we are in now, "return" proves to be a tricky concept.
Think about whether your team really needs this data "returned" and what that would look like, particularly if you have an API through which you can take the data yourself.
This is also the area where contract remediation can prove to be crucial.
I once had a situation where a former background check vendor lost the personal data of job applicants (including social security numbers, driver's license numbers, and other sensitive information) from background checks conducted 15 years prior!
You never want to be in a position where you have to explain to the affected individuals and the public why a vendor you haven't used in 10 years still had personal data in its possession you've given it but forgot to require it to delete.
How to Learn About Your Client's Business
What is the best way to understand the business you represent? Could you share specific steps?
Understanding the business you represent is crucial. From a privacy lawyer perspective, at a minimum, you need to understand: the types of data your business processes, the size of the dataset, the purposes for which each type of data is being processed, the third parties with which you share the data and for what purposes, how long you keep the data. The answer to these questions will differ depending on the department or team you talk to and depending on the customer or vendor or contract purposes.
Every contract you will work on will be different. You'll need to have a conversation with the team that is requesting the contract. You will want to develop a privacy questionnaire that the team would be required to complete at the start of the contract development process.
My questionnaire includes not only the actual questions but also information on how to think about each question and an answer example or two. This is helpful in educating teams that may be newer to the process. Based on the answers you receive, you may need to conduct a follow-up to confirm the details. You will then take this information and apply it to your DPA template.
You will then want to stay in touch with your team to discuss any important changes throughout the negotiation process. You want to balance the level of engagement with your team with the characteristics of the deal (commercial impact, size of the dataset, any novel issues). You do not want to be a nuisance to the team, but you also want to be effective in your job.
What I also learned is that to get quality engagement with the team, it is crucial to have strong backing from the top of your organization. Every team that comes to you needs to know that privacy is recognized as an important goal and risk to the company, and not a check-the-box exercise.
You also will want to automate and scale as much as possible. For example, you can prepare a DPA for situations where your company is the data processor and post it on your company's homepage. MSAs for all new data controllers who will be engaging your company for data processing would include a weblink to your DPA. This significantly reduces the amount of customization and negotiation you need to do on new deals that involve personal data processing.
Your Contract Mentors
If you could give a shoutout to one (or more) person who has influenced your life in contracts (or is your mentor), who would that be?
I learned a lot about contract drafting and negotiation from working with Matt Strothoff, General Counsel, who is very skilled at negotiating high volumes of high-stakes contracts. I also learned a lot from Angela Lawrie, Senior Corporate Counsel, Commercial Contracts, who is great at streamlining the process and asking the right questions. Both Matt and Angela showed me how to navigate complexities and stay professional throughout the contract negotiation process.
Other Transactional Lawyers to Interview
Who should we interview next and why?
I would recommend you interview Priscilla Debar, AGC Commercial/GTM. Priscilla is a colleague of mine who handles all things commercial and contracts for our organization. She is a startup founder and brings a pragmatic, business-savvy approach to her work that prioritizes desired outcomes. Priscilla also has an international background which allows her to work well with global teams and clients.
Thank you very much, Natalya!
Keep updated on everything How to Contract with our newsletters. We share Laura's contract tips and cartoons, upcoming courses and events, plus discounts only for newsletter subscribers. Sign up today!