Gretchen Ramos

Ramos went to law school in the 1990s. “Cyber was hardly a hot topic then,” said the Greenberg Traurig shareholder, who now advises clients on privacy, cybersecurity and information management. “In fact, I started out doing insurance coverage work.”

Then, a dozen years ago, she suffered a personal identity theft incident after falling for a phishing email that led to someone obtaining bank checks under her name.

“What do I do? It was my intro to cyber,” she said.

She was able to freeze her account before significant losses occurred.

“It gave me perspective. Suddenly I understood the importance of data protection.”

Ramos is pioneering in the cybersecurity arena of genetic privacy, representing genomics and biotech test kit maker 23andMe Inc. and genetic disorders tester Invitae Corp.

“23andMe brought me on as privacy officer four years ago,” she said. “Five or six years ago these tests would have cost thousands of dollars; now it’s about $100. But with these services come issues of genetic privacy.”

The direct-to-consumer company valued at $2.5 billion operates globally, leading to compliance questions for Ramos arising from the European Union’s General Data Protection Regulation, which went into effect in May 2018. She prepares and revises her client’s online privacy policy to account for necessary changes under the GDPR. She drafts and reviews data protection addendums and contract provisions related to data sharing, use and ownership. She provides guidance on existing and new data protection laws in other countries where 23andMe sells kits, and she assists the client in responding to federal and state regulatory requests concerning data privacy issues and data sharing with third parties.

Ramos also serves as primary data privacy and cybersecurity counsel for Invitae. There, GDPR compliance questions arise related to the personal data the client collects from individuals located in the European Economic Area and in Switzerland. She advises on strategy for using contact information for analytics and e-marketing. Editing external and internal facing privacy policies and procedures are some of her other tasks as are drafting and revising terms of services and providing guidance on cookie compliance.

Talent recruiting software maker Lever is another client. Lever’s extensive and complex data processing activities allow customers to integrate publicly available data about potential candidates from third-party internet sources. For Lever, Ramos counsels on data protection issues and on obtaining EU-US Privacy Shield certification, a framework for regulating the transatlantic exchanges of personal data for commercial purposes.

“We’ve had no consumer privacy issues so far,” Ramos said. “My clients try to be very clear about choice. There’s been a lot of effort put into this. It’s privacy by design.”

She said the job is challenging.

“A lot of attorneys would not enjoy this. There’s a lot of gray area, but I love it when there’s no concrete law to fall back on. Problem solving is fun.”

– John Roemer