BakerHostetler
Alumni Login
| Subscribe | Print
Open search/close search button Open menu/close menu button
Services
Professionals
About Us
Offices
News/Resources
Diversity
Careers
Alumni

Melinda L. McLellan

She | Her | Hers

Partner

New York
T +1.212.589.4679
F +1.212.589.4201
mmclellan@bakerlaw.com
Download Vcard LinkedIn

Overview

Melinda McLellan is a seasoned privacy and cybersecurity law advisor whose practice focuses on the regulation of emerging technologies, compliance with evolving U.S. state and federal privacy legislation, and cross-border data protection matters. As leader of the firm’s EU General Data Protection Regulation (GDPR) initiative, Melinda works with multinational clients to identify, evaluate and manage the myriad of compliance obligations associated with corporate privacy and information security practices. Her broader practice includes advising on a wide variety of privacy and data security issues, including the use of biometrics, securing the Internet of Things, implementation of blockchain technologies, cybersecurity threats to the financial services and energy sectors, autonomous vehicles, genetic privacy, artificial intelligence, Big Data, information security incident response, and negotiating complex tech transactions.

Melinda is co-leader of the Privacy Governance and Technology Transactions team.

Select Experience

  • Advises on compliance with international data transfer restrictions and data localization requirements, including through the implementation of cross-border transfer mechanisms such as standard contractual clauses, intercompany agreements and binding corporate rules. Counsels both importers and exporters of EU personal data on strategies to address potential compliance gaps resulting from the July 2020 invalidation of the EU-U.S. Privacy Shield Framework.
  • Developed and implemented EU General Data Protection Regulation (GDPR) compliance programs for numerous US and international organizations, including GDPR applicability analysis, data mapping, data transfer mechanisms, consent mechanisms, “right to be forgotten,” data security assessments, breach response programs, selection of Data Protection Officers and employee training.
  • Manages complex technology transactions on both the vendor side and the customer side, drafting and negotiating multiparty contracts and outsourcing agreements from the RFP through follow-up compliance assessments.
More »

Experience

  • Advises on compliance with international data transfer restrictions and data localization requirements, including through the implementation of cross-border transfer mechanisms such as standard contractual clauses, intercompany agreements and binding corporate rules. Counsels both importers and exporters of EU personal data on strategies to address potential compliance gaps resulting from the July 2020 invalidation of the EU-U.S. Privacy Shield Framework.
  • Developed and implemented EU General Data Protection Regulation (GDPR) compliance programs for numerous US and international organizations, including GDPR applicability analysis, data mapping, data transfer mechanisms, consent mechanisms, “right to be forgotten,” data security assessments, breach response programs, selection of Data Protection Officers and employee training.
  • Manages complex technology transactions on both the vendor side and the customer side, drafting and negotiating multiparty contracts and outsourcing agreements from the RFP through follow-up compliance assessments.
  • Advises companies on requirements under the California Consumer Privacy Act (CCPA), including by developing broad-based compliance strategies to address other pending state and federal privacy legislation.
  • Counsels clients on regulatory compliance strategies and best practices for private-sector use of cloud computing solutions, biometric authentication, facial recognition technology, geolocation tracking systems, mobile applications, behavioral marketing tools, social media platforms, data analytics services and other emerging technologies.  
  • Works with cross-disciplinary teams to devise and implement clear, concise, non-obtrusive and legally compliant disclosures regarding data management practices as well as opt-in and opt-out mechanisms for the collection, use and sharing of sensitive information.
  • Manages all aspects of information security breach response, including evaluating legal and regulatory notification obligations, developing written communications for affected populations and internal stakeholders, refining media messaging strategies, coordinating forensic investigations, working with law enforcement authorities, and interfacing directly with state and federal regulators.
  • Prepares cyber risk exposure analyses, disclosure statements and supporting materials for publicly traded companies and entities preparing for IPOs and other corporate transactions.
  • Advises clients on legal risks and best practices associated with background checks, employee monitoring and Bring Your Own Device programs, including by developing internal policies and protocols and implementing mobile device management systems. 
  • Drafts and negotiates privacy and data security provisions for commercial contracts, including service provider agreements; assists clients with remediation of privacy and data security deficiencies and lacunae in legacy vendor contracts.
  • Conducts thorough assessments of third-party vendor candidates to evaluate data protection posture and compliance readiness prior to engagement, then assists with oversight and enforcement of privacy and security representations over the course of the service agreement. 
  • Devises privacy and information security awareness programs and training modules for personnel, typically deploying a multitiered, risk-based approach to account for varying degrees of employee access to, and responsibility for, sensitive data.
  • Conducts in-house security training and tabletop exercises to build awareness and help companies prepare to effectively and efficiently manage data security threats and incidents.
  • Counsels clients on information governance practices and the development of records retention, maintenance and destruction policies and procedures.
  • Implements insider threat analysis tools for organizations, particularly in the financial sector, to detect and prevent security incidents and facilitate integrated enterprise-wide security solutions.
  • Provides data protection counseling to a variety of technology companies and outsource vendors that offer big data analytics and complex fraud detection and prevention services.
  • Works directly with in-house counsel, internal stakeholders and third-party technologists to develop complex privacy and information security policies, procedures, protocols, guidelines and notices.

Recognitions and Memberships

Recognitions

  • New York Metro Super Lawyers "Rising Star" (2012 to 2018)
  • New York Super Lawyers "Top Women Attorneys" (2012 to 2018)
  • New York State Bar Association: Empire State Counsel (2007 to 2013)
  • The Legal 500 United States (2017 to 2020)
    • Next Generation Lawyer in Media, Technology and Telecoms - Cyber Law (including data privacy and protection)

Memberships

  • International Association of Privacy Professionals
    • Certified Information Privacy Professional – United States (CIPP/US)
    • Certified Information Privacy Professional – Europe (CIPP/E)
  • Women in eDiscovery, New York City Chapter
  • The Sedona Conference: Working Group 11, Data Security and Privacy Liability 

News

News

Press Releases

Publications

Articles

Videos

Blog Posts

Events

Pro Bono

  • New York City Bar Justice Center, Legal Clinic for the Homeless
  • Lawyers' Committee for Civil Rights Under Law, Election Protection Program
  • Successfully represented a West African victim of gender-based violence seeking asylum in the United States before the Department of Homeland Security

Featured Video

GDPR Compliance – Enforcement, Brexit, and Breach Response
Play Video

Learn about the GDPR enforcement trends, the Brexit effect, and managing personal data breaches.

Services

Industries

Emerging Issues

Admissions

  • New York

Education

  • J.D., Harvard Law School, 2005; Executive Editor, Harvard International Law Journal
  • B.A., Political Science and French Studies, Rice University, 2000

Languages

  • French
  • Italian

Blog

In The Blogs

Previous Next
Data Counsel
New York Legislature Introduces CCPA Clone with Private Right of Action
By Kyle R. Fath, Melinda L. McLellan
January 8, 2021
The 2021-22 New York State legislative session started off with a bang, featuring nearly a dozen consumer privacy bills introduced in the House and Senate on the opening day. A number of the proposals, including the New York Privacy Act...
Read More ->
Data Counsel
Privacy and Product Counseling: 2020 in Review
By Carolina A. Alonso, Orga Cadet, Kyle R. Fath, Gerald J. Ferguson, Alan L. Friel, Barbara D. Linney, Melinda L. McLellan, Veronica Reynolds, Nichole L. Sterling, Patrick R. Waldrop
December 17, 2020
Advising our clients on compliance with laws and regulations is, hands down, the most important aspect of our role as attorneys. In addition to seeking counsel on their obligations under laws and regulations, however – motivated by...
Read More ->
Data Counsel
European Authorities Release Back-to-Back Drafts Addressing Cross-Border Data Transfers
By Melinda L. McLellan, Nichole L. Sterling
November 19, 2020
Last week, both the European Data Protection Board (EDPB) and the European Commission released highly anticipated draft documents offering guidance to organizations that engage in cross-border data transfers involving EU personal data. The...
Read More ->
Data Counsel
5 Key Things to Know about the Landmark Schrems II Decision
By Andreas T. Kaltsounis, Melinda L. McLellan, Jeewon K. Serrato, Nichole L. Sterling
July 16, 2020
Quick Links CJEU Press Release CJEU Decision Press Releases from the Parties Irish Data Protection Commission Max Schrems U.S. Department of Commerce Electronic Privacy Information Center (EPIC) BSA The Software Alliance DIGITALEUROPE 1...
Read More ->
Data Counsel
Belgian Authority Raises Red Flag for DPOs with Multiple Roles
By Andreas T. Kaltsounis, Melinda L. McLellan, Nichole L. Sterling
May 29, 2020
Following its investigation of a personal data breach, the Belgian Data Protection Authority (DPA) issued a ruling on April 28, 2020, imposing a €50,000 fine on an organization for negligence in having appointed the company’s head of...
Read More ->

Services

Find Professionals

Offices

About Us

Careers

Firm Diversity

LinkedIn Twitter Facebook Instagram Youtube RSS
Subscribe »
© 2021 Baker & Hostetler LLP