When negotiating a contract which involves personally identifiable information (PII) or other types of confidential data, it is essential to consider a multitude of privacy and data security controls. First, what is the collection, processing, sharing, retention, and destruction of data procedure; and how these procedures may be subject to federal, state, and/or international legal obligations. Second, how to reduce legal and regulatory risks surrounding the collection and generation of data, and accessing and sharing of data.