01 May 2018

The GDPR will apply from 25 May 2018 and will bring with it eye-watering financial penalties for non-compliance of up to €20 million or 4% of global annual turnover (whichever is higher).

The UK government has also proposed its own legislation (the draft Data Protection Bill) which sets out the UK specific derogations and will ensure that the GDPR continues to apply after the UK leaves the EU. The core data protection principles remain largely unchanged. However, the GDPR will introduce significant new obligations for organisations and rights for individuals. Organisations must prepare for the changes now to avoid facing the new regime of penalties and sanctions.

Together with our colleagues in the US, we have produced a series of short alerts covering the main issues that organisations will need to consider.

Our national team of experienced data protection specialists can assist your organisation with a wide range of GDPR compliance projects. Please contact a member of our team to discuss how we can help you with your specific needs.

Ten months to go - does GDPR apply to your company?

Follow our three-question flowchart to see if GDPR applies to you.

Does GDPR Apply Flow Chart

Nine months to go - should you designate a data protection officer?

Follow our five-step flowchart below to see if you need to designate a DPO:

GDPR Designate DPO

Eight months to go - data processor GDPR checklist

A major change with the GDPR is that data processors now have direct legal obligations under EU privacy law. This is a significant shift from the current Data Protection Directive (95/46/EC), which directly obligates only data controllers. Non-compliant data processors face fines of up to 4% of global annual turnover or €20 million, whichever is higher, and may be directly liable to individuals for damages.

If the GDPR applies to you, review our checklist below summarizing the data processor’s obligations:

GDPR Checklist

Seven months to go - do your vendor contracts comply with GDPR?

Any entity processing personal data on your behalf (i.e., your vendors) must have a written contract in place. The GDPR (Article 28) requires specific terms to be included in your vendor contracts.

GDPR Vendor checklist

Six months to go - GDPR breach notification checklist

U.S. companies already face a panoply of data breach notification laws enacted by 48 States and numerous regulators. Those subject to the GDPR may soon have yet another breach notification requirement to worry about.

Follow our chart below to determine if and when you must provide notice, who you must notify, and what your notice should include.

GDPR Breach Notification Table 1

This text leaves open plenty of questions. However, on 3 October 2017, the Article 29 Working Party issued guidelines interpreting these data breach notification requirements. Here are some of the answers:

GDPR Breach Notification Table 2

Five months to go - rights of individuals under the GDPR

The GDPR provides enhanced rights for individuals. Below we summarize the general principles companies must follow when interacting with individuals and we identify the specific rights granted to individuals under the GDPR. We also suggest some practical steps to assist your company’s compliance with this portion of the GDPR.

GDPR General Principles

GDPR Individual Rights

GDPR Practical Steps


Four months to go - GDPR and cross-border data transfers

If your company is a controller or processor under the GDPR (for US companies, review this flowchart), then your company must comply with the GDPR’s requirements regarding the transfer of personal data of EU individuals to any country outside of the EU/EEA.

In the absence of an adequacy decision (explained below) and subject to very limited exceptions, controllers and processors are required to ensure that an “appropriate safeguard” or another GDPR-approved mechanism is in place before sending personal data of EU individuals outside of the EU/EEA.

The table below describes the mechanisms commonly used to lawfully transfer personal data of EU individuals outside of the EU/EEA. A full list of the transfer mechanisms can be found in Article 46.


GDPR Transfer Mechanisms Table (January 2018)


Three months to go - GDPR privacy policy checklist

If your company is a data controller under the GDPR (for US companies, follow this flowchart), then your company will need to update its privacy policy or privacy notice. Under the GDPR, privacy policies must contain more detailed disclosures while also being understandable and accessible. Even under the current privacy laws, EU regulators have demonstrated that they will enforce rules on transparency in privacy disclosures. On 16 February 2018, a Belgian court threatened to fine Facebook up to US $125 million for failure to disclose its personal data collection practices. Such fines may be steeper after 25 May, since the GDPR increases the maximum penalties.

GDPR Privacy Checklist


Two months to go - how will Brexit affect data privacy law & the GDPR in the UK?

Brexit, an unprecedented event

Whether Brexit takes place on 29 March 2019 or is effectively deferred until the end of a transitional period (31 December 2020) the UK will likely adopt data protection legislation which largely tracks the GDPR. There is no precedent for Brexit and it is impossible for companies to foresee every scenario that may arise and the impact it may have on data protection law in the UK. Companies which process the personal data of citizens of the UK or have operations in the UK will need to keep a close watch on the law over the coming months.

How will Brexit Affect Data Privacy Law


One month to go - enforcing the GDPR on US companies

At this point, it is no secret that many US companies will be subject to the GDPR. Under the GDPR, EU regulators will have the authority to punish noncompliance by imposing hefty fines, issuing injunctions, assessing bans on processing, and suspending international data transfers.

The practical impact of such enforcement measures is the ability to devastate a product, service, or business.

Many US companies may still be wondering:

Enforcing the GDPR on US companies


Top five takeaways on the GDPR

We live in a new world of EU privacy rules shaking US businesses. As of 10 months ago, many of you had not heard about the GDPR when we explained how the GDPR applies to US companies. By now your company may be on its way to GDPR compliance (but beware: see takeaway #3 below).

For those of us who have been immersed in GDPR compliance projects over the last year, it was refreshing to hear so many of our colleagues, family members and news outlets around the world pay attention to the GDPR on 25 May. But we also heard a lot of misunderstandings about the GDPR. Here are our five takeaways from the past year:

GDPR Takeaways


We are available to assist and advise clients in efficiently addressing GDPR-related issues.