Michael is a Director in the Cyber Security Strategy and Governance practice who specializes in data privacy and third-party risk management. Michael has experience helping to build and manage data privacy programs in compliance with regulatory obligations and in alignment with risk-based leading practices. He also has experience supporting regulatory-related assessments/audits as well as conducting audit readiness initiatives. Further, Michael has substantial experience building and managing third-party risk programs, including the performance of risk assessments of varying scope on entities large and small. Michael’s current and past clients include some of the largest technology companies, financial institutions, healthcare and retail/consumer goods companies in the country. Michael is an effective client engagement and project manager with experience managing concurrent projects with multiple resources and regular reporting relationships with senior stakeholders, including CPOs and CISOs.
Professional and Industry Experience
- Regulatory Readiness: Supported a Big Tech company in the remediation of audit findings and European investigation findings into Article 5 and Article 6(1) of the GDPR. Assisted in building out a capability to document the organization’s legal basis of processing for each privacy impacting change to its products.
- Privacy Compliance: Supported the Privacy Compliance Team at a Big Tech Company on numerous initiatives spanning 2nd line audits of privacy controls, audit readiness for an upcoming external audit, building of a Privacy Controls Framework, privacy metrics and other strategic priorities.
- Third-Party Oversight: Acted as a project manager for the Privacy Legal team at one of the world’s largest social media companies, supporting the Third-Party Privacy Oversight Management workstream in support of an FTC Consent Order. Performed in a hybrid capacity focusing on project management as well as serving as Privacy SME. Developed detailed proposals for operationalizing an external diligence program and helped design and build the privacy risk scoring model used to score the privacy risks associated with third-party service providers. Worked with a variety of stakeholder groups including product, engineering, legal (product counsel, privacy legal, commercial legal), risk and compliance, and privacy.
- CCPA: Led a 6-person team at a large healthcare & life sciences company that performed a data inventory of all the business processes and IT assets that collected, used/stored and/or transferred consumer personal information and built a master privacy data inventory within OneTrust. Leveraged the data inventory created to prepare the organization for the CCPA effective date by standing up unique data subject request processes for each of the company’s business divisions and facilitated the processes using the OneTrust Data Subject Request module. Coordinated with several key stakeholder groups including engineering, privacy, legal, compliance, product, marketing, and sales. Led status reporting to the CPO and his leadership team.
- CAN-SPAM/COPPA Compliance: Managed a privacy opt-in/opt-out data inventory and data flow mapping project for one of the world’s largest retail companies. Drafted and presented three gap analysis reports featuring gaps against CAN-SPAM and COPPA to the Chief Privacy Officer of the retailer and two of its wholly owned subsidiaries. Worked primarily with engineering teams to understand the flow of consent data.
- GLBA: Determined the inherent and residual risk to applications that stored, processed, and/or transmitted Non-Public Personal Information (NPI) by interviewing the IT and business owners for a large online brokerage. Presented the results of the assessment to the Chief Privacy Officer and the Director of Enterprise Risk Management to illustrate the process the company should use to comply with GLBA moving forward.