Overview
Pilar Arzuaga has over a decade of experience advising companies across various industries on cybersecurity governance, data protection, artificial intelligence, and digital regulation. She works with clients in sectors such as telecommunications, media, IoT, cloud services, health, life sciences, robotics, ad tech, retail, and finance, providing strategic guidance to navigate complex regulatory landscapes and manage risks effectively.
Pilar’s expertise is enriched by her significant in-house experience at leading global companies, where she focused on privacy, product compliance, and cybersecurity. Her practical, business-oriented approach ensures that legal requirements are aligned with operational goals, bridging the gap between compliance and business strategy.
Pilar advises on a wide range of issues, including:
- Online Safety Act / DSA governance: Recently advised on cross-jurisdictional assessments for major digital platforms (including large social and immersive-content providers) on the UK Online Safety Act and EU Digital Services Act, focusing on practical implementation and regulator-readiness.
- Management-body accountability: Advised on Board and senior-leadership responsibility frameworks, including Ofcom-style “duty of care” mapping, internal reporting structures, and accountability statements for global tech companies.
- Risk-assessment frameworks: Designed and operationalized systemic risk-assessment models integrating OSA and DSA transparency-law obligations, ensuring interoperability and proportionality across jurisdictions.
- Content governance and safety management: Supported the creation of safety management plans, risk registers, and escalation workflows aligned with both Ofcom and DSA transparency expectations.
- Cross-regulatory insight: Experience bridging privacy, online safety, and AI governance to align compliance strategies across multiple jurisdictions.
- Cybersecurity Governance: Developing and implementing frameworks to comply with international regulations and protect critical assets.
- Incident and Data Breach Management: Guiding organizations through data security incidents, from investigation to reporting and mitigation.
- Privacy and Product Compliance: Ensuring data protection by design in new product launches and ongoing operations.
- Artificial Intelligence (AI): Providing comprehensive advice on AI governance, risk assessment, and compliance with evolving regulations.
- Digital Regulation Compliance: Offering strategic counsel on compliance with the Digital Services Act, Data Act, NIS 2 Directive, and other key regulations.
Pilar could also cover:
- Initial legal and governance assessment of VRChat’s obligations under the UK OSA and DSA frameworks.
- Evaluation of management-body oversight and accountability, including Board-level duties and internal governance structures.
- Design of a cross-jurisdictional risk-analysis and mitigation framework, covering systemic risk, content moderation, child safety, and transparency.
- Development or refinement of core compliance documentation (risk registers, accountability statements, transparency reports, Board briefings and training to management bodies).
- Gap analysis and enhancement recommendations for existing online-safety and trust-and-safety processes.
- Executive workshop or tabletop exercise to prepare for Ofcom or EU regulator engagement.
Before joining McDermott, Pilar gained invaluable experience at a top-tier international law firm specializing in data and technology, further strengthening her ability to deliver practical solutions to her clients.
Pilar also maintains an active pro bono practice, assisting organizations with their cybersecurity, data protection, AI, and broader compliance needs.
Results
- Led the development and implementation of a comprehensive cybersecurity governance framework for a global telecommunications company, ensuring compliance with international standards and reducing the risk of cyber threats. The framework has been adopted across multiple regions, resulting in enhanced security posture and regulatory compliance.
- Successfully managed a complex data breach for a multinational financial services firm, coordinating the investigation and response across Europe and the UK. Provided guidance on reporting duties to regulators, customers, and impacted data subjects, which helped mitigate potential fines and maintain the firm’s reputation.
- Provided strategic counsel to a leading e-commerce company during a regulatory investigation following a data security incident. Expertly navigated the investigation process and engaged with regulators, resulting in a favourable outcome, avoiding severe penalties, and ensuring future compliance.
- Advised a major cloud services provider on a multijurisdictional data breach, leading the incident response and ensuring timely and compliant notifications to regulators and affected individuals in over 20 countries. This coordination was crucial for consistency in minimizing operational disruption and legal exposure.
- Counseled a multinational AI company on the development of governance frameworks and risk assessments for its AI solutions, ensuring compliance with the latest EU and UK AI regulations. Guided the company to integrate AI technologies responsibly and in line with regulatory expectations.
- Conducted comprehensive PCI DSS (Payment Card Industry Data Security Standard) training for a China-based payment processor, equipping their teams with the necessary knowledge and tools to achieve compliance. This training was instrumental in strengthening the company’s payment data security and avoiding potential penalties.
- Assisted a global pharmaceutical company in ensuring data protection compliance across multiple jurisdictions during clinical trials. Developed and reviewed informed consent forms, ensured GDPR compliance, and advised on data sharing agreements, facilitating smooth trial processes and compliance with complex regulatory requirements.
- Provided strategic advice on international data transfers, including drafting and negotiating international data transfer agreements to ensure compliance with GDPR and other international data protection laws.
- Assisted in the transfer of patient records during the sale of a hospital, ensuring that the data was handled securely and in full compliance with GDPR and other relevant regulations, safeguarding patient privacy throughout the transaction.
- Developed and implemented global data retention policies and frameworks for a multinational corporation, ensuring compliance with various international regulations while optimizing data management and reducing legal risks.
- Provided strategic advice to medical device manufacturers on data protection for sensitive health data, including drafting robust privacy policies and managing regulatory communications to ensure compliance with global privacy laws.
Community
- Argentinian Bar Association, Member
- International Association of Privacy Professionals, Member
Credentials
Education
International Association of Privacy Professionals, CIPP/E
Universidad Blas Pascal, Law
University of Edinburgh, Law and Medical Ethics
Admissions
Argentina
England and Wales (Registered Foreign Lawyer)
Languages
English
Spanish
Italian
French
Portuguese