Melinda L. McLellan

She | Her | Hers

Partner

New York
T +1.212.589.4679
F +1.212.589.4201

Overview

As co-leader of BakerHostetler’s Privacy Governance and Technology Transactions team, Melinda McLellan provides clients with innovative, business-oriented solutions to evolving data protection compliance challenges. She coordinates a talented group of privacy and information security lawyers, leveraging a multidisciplinary approach to develop proactive and pragmatic legal strategies that address both immediate needs and long-term goals.

Melinda is a seasoned privacy and cybersecurity law advisor whose practice focuses on the regulation of emerging technologies, compliance with U.S. state and federal privacy legislation and cross-border data protection matters. As leader of the firm’s General Data Protection Regulation (GDPR) initiative, Melinda works with multinational organizations to identify, evaluate and manage the overlapping and intersecting legal obligations associated with corporate privacy and information security practices. Her broader practice includes advising on a wide variety of data management issues, including the use of biometrics, securing the Internet of Things, blockchain technologies and digital currencies, cybersecurity threats to the financial services and energy sectors, autonomous vehicles, genetic privacy, artificial intelligence, information security incident response and negotiating complex tech transactions.

Experience

  • Advises on compliance with international data protection obligations, including cross-border personal data transfer restrictions and data localization requirements and the implementation of cross-border transfer mechanisms such as standard contractual clauses, intracompany agreements and binding corporate rules.
  • Counsels clients on laws, regulations and best practices applicable to private-sector use of biometric technologies, including biometric identification and authentication software, facial recognition systems, retina and iris scanning, genetic data analysis and other emerging tools to leverage physiological measurements and human characteristics.
  • Directs the preparation and implementation of broad-based compliance strategies to address requirements under the California Consumer Privacy Act (CCPA) and other similar comprehensive state privacy laws enacted in Colorado, Connecticut, Utah and Virginia.
  • Advises clients on marketing privacy compliance protocols, including obligations under the TCPA, the CAN-SPAM Act, the GLBA’s Affiliate Marketing Rule, platform-specific tracking restrictions and advertising industry self-regulatory requirements.
  • Handles EU/UK General Data Protection Regulation (GDPR) compliance issues for domestic and international organizations, including extensive work on GDPR applicability analysis, data flow mapping, data transfer mechanisms, individual consent protocols, data subject rights requests processing, data security assessments, security breach response procedures, Data Protection Officer selection and employee training.
  • Manages complex technology transactions on both the vendor side and the customer side, drafting and negotiating multiparty contracts and outsourcing agreements from the RFP through follow-up compliance assessments.
  • Develops forward-thinking internal corporate policies to address private-sector use of virtual and augmented reality technology, cloud computing solutions, geolocation tracking and targeting, mobile applications, precision digital marketing, social media platforms, data analytics services and other emerging technologies.
  • Drafts and implements clear, concise and legally compliant disclosures regarding data management practices, including opt-in and opt-out mechanisms for the collection, use and sharing of personal information.
  • Prepares cyber risk exposure analyses, disclosure statements and supporting materials for publicly traded companies and entities preparing for IPOs and other corporate transactions.
  • Advises clients on legal risks and best practices related to employee privacy, including credit and background checks under the Fair Credit Reporting Act (FCRA), employee monitoring and mobile device management systems.
  • Drafts and negotiates privacy and data security provisions for commercial contracts, including service provider agreements, and assists clients with remediation of privacy and data security deficiencies in legacy vendor contracts.
  • Conducts thorough assessments of third-party vendor candidates to evaluate data protection posture and compliance readiness prior to engagement, then assists with oversight and enforcement of privacy and security representations over the course of the service agreement. 
  • Devises privacy and information security awareness programs and training modules for personnel, deploying a multitiered, risk-based approach to account for varying degrees of employee access to, and responsibility for, sensitive data.
  • Conducts in-house security training and tabletop exercises to build awareness and help companies prepare to effectively and efficiently manage data security threats and incidents.
  • Counsels clients on information governance practices and the development of records retention, maintenance and destruction policies and procedures.
  • Implements insider threat analysis tools for organizations, particularly in the financial sector, to detect and prevent security incidents and facilitate integrated enterprise-wide security solutions.
  • Provides data protection counseling to a variety of technology companies and outsource vendors that offer big data analytics and complex fraud detection and prevention services.
  • Works directly with in-house counsel, internal stakeholders and third-party technologists to develop complex privacy and information security policies, procedures, protocols, guidelines and notices.

Recognitions and Memberships

Recognitions

  • The Legal 500 United States (2017 to 2022)
    • Next Generation Lawyer in Media, Technology and Telecoms - Cyber Law (including data privacy and protection) (2017 to 2020)
    • Recommended in Cyber Law (including data privacy and data protection) (2021 to 2022)
  • New York Metro Super Lawyers "Rising Star" (2012 to 2018)
  • New York Super Lawyers "Top Women Attorneys" (2012 to 2018)
  • New York State Bar Association: Empire State Counsel (2007 to 2013)

Memberships

  • International Association of Privacy Professionals
    • Certified Information Privacy Professional – United States (CIPP/US)
    • Certified Information Privacy Professional – Europe (CIPP/E)
  • Women in eDiscovery, New York City Chapter
  • The Sedona Conference: Working Group 11, Data Security and Privacy Liability 

Pro Bono

  • New York City Bar Justice Center, Legal Clinic for the Homeless
  • Lawyers' Committee for Civil Rights Under Law, Election Protection Program
  • Successfully represented a West African victim of gender-based violence seeking asylum in the United States before the Department of Homeland Security

Admissions

  • New York

Education

  • J.D., Harvard Law School, 2005; Executive Editor, Harvard International Law Journal
  • B.A., Political Science and French Studies, Rice University, 2000

Languages

  • French

In The Blogs

Blockchain Monitor
Money Laundering Concerns Prompt EU Parliament to Approve Privacy-Reducing Crypto Rules
By Melinda L. McLellan, Veronica Reynolds, Joanna F. Wasick
April 6, 2022
On March 31, 2022, two European Parliament committees – the Committee on Economic and Monetary Affairs and the Committee on Civil Liberties, Justice and Home Affairs (the “Committees”) – voted in favor of new rules (the “Rules”) that would...
Data Counsel
International Data Protection Update
By Andreas T. Kaltsounis, Melinda L. McLellan, Nichole L. Sterling
March 14, 2022
This Update highlights some of the international data protection issues that caught our attention and the attention of our clients over the winter, including updates on European data transfers and cookie compliance, regulatory enforcement...
Data Counsel
International Data Protection Update – Summer 2021
By Andreas T. Kaltsounis, Melinda L. McLellan, Nichole L. Sterling
September 21, 2021
This update highlights some of the international data protection issues that caught our attention, and the attention of our clients, over the summer. Asia-Pacific China’s Data Security Law and Personal Information Protection Law – This...
Data Counsel
Updated EU Standard Contractual Clauses Are Finally Here
By Andreas T. Kaltsounis, Melinda L. McLellan, Nichole L. Sterling
June 8, 2021
On June 4, 2021, the European Union’s (EU) executive branch, the European Commission (EC), released their new Standard Contractual Clauses (SCCs) for compliant cross-border data transfers under the EU’s General Data Protection Regulation...
Data Counsel
Privacy Shield Update: A Recap of Recent Developments
By Melinda L. McLellan
May 10, 2016
On April 13, 2016, the Article 29 Working Party (WP29), an influential group of European data protection authorities, issued a non-binding opinion that criticized certain elements of the fledgling Privacy Shield framework. Although the...