Esq.  ·  CIPP/US  ·  CIPP/E  ·  CIPM  ·  AIGP  ·  FIP

James Morris
Privacy, Cybersecurity & AI Counsel

Attorney specializing in data privacy, cybersecurity, and artificial intelligence.

Thirteen-plus years helping global organizations turn shifting privacy, cybersecurity, and AI obligations into a structured path — from an identified risk to a confident “yes.”

James Morris, Esq.
Based in Richmond, VA
13+ years in practice
5 privacy & AI certifications
3 bar & USPTO admissions
20+ global frameworks advised

01 The Approach

A structured path from risk to “yes.”

Compliance shouldn't be the department that says no. My work is built around moving stakeholders deliberately from an identified risk toward a defensible, business-enabling outcome — with the documentation and controls to back it up.

Step 01

Identify the risk

Pinpoint the legal, regulatory, and contractual exposure across privacy, security, and AI.

Step 02

Educate stakeholders

Translate obligations into plain language so business owners understand what's actually at stake.

Step 03

Build cooperation

Align legal, engineering, product, and security around a shared, cross-functional plan.

Step 04

Implement controls

Stand up pragmatic processes, documentation, and technology that make the path repeatable.

Outcome

Yes.

A defensible decision that reduces risk while letting the business move forward.

“Strives to educate stakeholders, increase cross-functional cooperation, and implement pragmatic processes, documentation, technology, and controls — to provide a structured path from an identified risk to a yes.”

02 Focus Areas

Where I spend my expertise.

Six core practice areas, refined across in-house counsel, federal advisory, and consulting engagements for global organizations.

i. 10 yrs

Global Privacy, Cybersecurity & AI Compliance

Leading enterprise-wide compliance with a fast-moving global landscape — monitoring the law, interpreting it, and aligning growth with regulatory reality.

GDPR · CCPA / CPRA · HIPAA · EU AI Act · U.S. state laws

ii. 13 yrs

Contract Review & Negotiation

Drafting and negotiating complex client, vendor, and data-provider agreements — DPAs, cybersecurity addendums, and SaaS / DaaS contracts that mitigate risk.

DPAs · Vendor agreements · SaaS / DaaS · Cyber addendums

iii. 13 yrs

Comprehensive Risk Management & Assessment

Executing DPIAs, PIAs, TIAs, and AI assessments, then mapping right-sized mitigation to recognized industry standards and audit-ready documentation.

DPIA / PIA / TIA · NIST SP 800-53 · ISO 27001 / 27701 · CIS Top 18

iv. 10 yrs

Privacy-by-Design & Product Counseling

Serving as primary legal authority for engineering, product, and marketing — embedding privacy and AI development standards into the build, not bolting them on after.

Privacy by design · Product counsel · DevOps integration

v. 10 yrs

Data Governance & Lifecycle Management

Building governance frameworks for sensitive assets — PII, PHI, PCI — and operationalizing rights requests with enabling privacy technology.

Data mapping · OneTrust · BigID · Ketch

vi. 11 yrs

Program Governance & Strategic Leadership

Operationalizing compliance through policies, playbooks, and role-based training — and maturing privacy functions while managing outside counsel cost-effectively.

Policy & playbooks · Training · Program maturity · Incident response

03 Experience

Thirteen years, in practice.

From a federal nuclear-security policy team to senior in-house privacy counsel — a progression toward broader programs and higher-stakes decisions.

The Nielsen Company

Mar 2023 — Present
Senior Counsel, Privacy / Remote
  • Commercial & vendor contracting — drafts and negotiates complex client, vendor, and data-provider agreements, including DPAs, cybersecurity addendums, and SaaS / DaaS contracts.
  • Global privacy, cybersecurity & AI compliance — leads enterprise-wide compliance with evolving regulation, from CCPA/CPRA and U.S. state laws to GDPR, PIPEDA, LGPD, PIPL, COPPA, HIPAA, MHMDA, PCI DSS, and the EU AI Act.
  • Privacy-by-design — serves as primary legal authority for engineering, product, and marketing, ensuring services are built on privacy-by-design principles and AI development standards.
  • Risk management — executes DPIAs, PIAs, TIAs, and AI assessments while managing regulatory relationships, maintaining registrations, and responding to inquiries and audits.
  • Program governance & incident response — operationalizes compliance through internal policies, playbooks, and role-based training; advises the incident response team and supports resolution.

CrossCountry Consulting

Sep 2021 — Mar 2023
Managing Consultant / Remote
  • Compliance program build — built comprehensive programs tailored to GDPR, PIPEDA, LGPD, U.S. state laws (CCPA, CPRA, VCDPA), and industry rules including HIPAA, PCI DSS, and SOX.
  • Data governance & lifecycle — developed governance frameworks for PII, PHI, and PCI data; operationalized rights-request processes with OneTrust, BigID, and Ketch.
  • Risk management — implemented right-sized mitigation mapped to NIST SP 800-53, ISO 27001/27701, and CIS Top 18, formalized through audit-ready documentation.
  • Privacy-by-design & trust — integrated privacy into the DevOps lifecycle and established ESG reporting standards to communicate program maturity to investors.

Booz Allen Hamilton

Aug 2017 — Sep 2021
Associate / Remote
  • Global compliance oversight — provided strategic oversight for enterprise compliance programs aligned with GDPR, HIPAA, COPPA, FISMA, and the Privacy Act of 1974.
  • Program governance — authored enterprise-wide privacy policies and procedures, integrating best practice with real organizational resource constraints.
  • Data governance — developed repeatable data-cataloging processes and comprehensive PII inventories across structured and unstructured environments.
  • Risk & incident response — supported vendor and third-party risk management and executed privacy incident monitoring across the information lifecycle.

IntePros Federal

Sep 2016 — Aug 2017
Privacy & Cybersecurity Policy Lead / Washington, DC
  • Managed the policy team supporting the CISO for the National Nuclear Security Administration (NNSA) — drafting and maintaining privacy, cybersecurity, mobile device, business continuity, and acquisition policy.
  • Delivered daily executive-level briefings on emerging law, regulation, and guidance, and managed responses to federal regulatory and investigatory audits.

Independent Practice

Jun 2015 — Aug 2016
Contract Attorney / Washington, DC
  • Provided analytical support to firms preparing for litigation — reviewing prior art, public disclosures, infringement claims, and disclosures of personal information and trade secrets.

Law Office of Thomas Lester

May 2012 — Aug 2014
Law Clerk / Washington, DC
  • Drafted motions, complaints, and answers; conducted legal research and writing; and prepared for court appearances, depositions, and settlement negotiations.
04 Credentials

Certified, admitted, & trained.

A multidisciplinary foundation — privacy and AI governance certifications layered onto a legal career and a scientific background in emerging threats.

Certifications i.

CIPP/US
Certified Information Privacy Professional · United States
CIPP/E
Certified Information Privacy Professional · Europe
CIPM
Certified Information Privacy Manager · IAPP
AIGP
Artificial Intelligence Governance Professional · IAPP
FIP
Fellow of Information Privacy · IAPP
OneTrust
OneTrust Certified Privacy Professional · Platform certification

Bar & Admissions ii.

VA
Commonwealth of Virginia · State Bar
DC
District of Columbia · Bar
USPTO
U.S. Patent & Trademark Office · Registered practitioner

Education iii.

Juris Doctor
American University, Washington College of Law
Washington, DC · 2014
M.S., Biohazardous Threat Agents & Emerging Infectious Disease
Georgetown University
Washington, DC · 2010
B.S., Microbiology — minor in Chemistry
Clemson University
Clemson, SC · 2009