What Is GDPR?
GDPR stands for General Data Protection Regulation, the EU legislative instrument that has, since May 25, 2018, replaced the European directive on data privacy of 1995. Because it is a Regulation – and no longer a Directive – it is, subject to a limited number of “national derogations”, automatically applicable across all 27 Member States of the EU, and aims to simplify the legislative European framework on data privacy, which under the directive was a patchwork of European and of 28 (at the time) national laws and regulations.
The GDPR does not, however, reach the level of uniformity it set out to achieve: a number of areas remain matters for Member States to regulate at the national level, those famous “national derogations”. As a result, since May 25th, 2018, companies processing the personal data of European residents need to comply with the GDPR, but also with any applicable EU countries’ privacy laws and regulations in those areas that remain discretionary matters for Member States to regulate.
Our GDPR Compliance Program will do just that: ensure that you comply not only with the GDPR but also with the evolving landscape of applicable national EU Member States’ privacy laws and regulations.
For more information, please download our GDPR brochure here. You can also view our Glossary of GDPR-related terms here. And here is an article we wrote on the importance of hiring EU counsel to assist with your GDPR compliance.
Why You Will Want to Comply
Heavy Fines
BEFORE: Some countries had fines for violations of privacy laws but these were relatively low.
SINCE MAY 25TH, 2018: The GDPR imposes fines of up to the greater of 2% of the company’s worldwide revenue or €10 million, OR the greater of 4% of the company’s worldwide revenue or €20 million.
Which of the two thresholds applies depends on the nature of the violation.
Accountability
BEFORE: Only the person responsible for the processing was accountable.
SINCE MAY 25TH, 2018: The GDPR provides for the accountability of every company processing personal data, whether for itself or on behalf of another entity. Everyone who processes personal data has to keep a record of all processing operations and security breaches.
Data Breaches
BEFORE: Some European countries had rules on data breaches but it was not harmonized across the EU.
SINCE MAY 25TH, 2018:
The controller has a dual notification obligation:
- to the national Data Protection Authority,
- to the persons concerned by the processing of their data.
The processor must notify the person on whose behalf the data are being processed of any security breach.
Data Protection Officer
BEFORE: Some European countries required companies to hire a privacy officer but it was not consistent throughout the EU.
SINCE MAY 25TH, 2018: The appointment of a Data Protection Officer (DPO) is mandatory in the following three scenarios:
- Government entities processing personal data,
- Processing operations requiring regular and systematic monitoring of individuals on a large scale,
- Processing operations, on a large scale, of special categories of personal data or of data relating to criminal convictions and offenses.
For other companies, having a DPO can prove a valuable compliance tool. For more information on what a DPO is, please read our article. For more information on our DPO Services, please see our page.
Standing to Sue
HISTORICALLY: European nationals had limited standing to sue U.S. based processors before U.S. courts.
NOW: The Judicial Redress Act, which was adopted in 2015, followed by Executive Order 14086 of October 7, 2022 on Enhancing Safeguards for United States Signals Intelligence Activities, allow EU nationals to sue U.S. processors processing EU personal data before U.S. courts. You can now be sued before U.S. courts and before an EU court if you have offices in Europe. U.S. corporations with a physical presence in the EU can be sued before EU courts. Under the GDPR, even companies with no presence in the EU could be sued before EU courts.
Data transfers
BEFORE: Since the invalidation of the E.U.-U.S. Privacy Shield Framework by the European Court of Justice on July 16, 2020, U.S.-based companies that wanted to transfer EU personal data to the U.S. needed to rely on another mechanism, such as the EU Commission’s Standard Contractual Clauses (SCCs), to comply with the GDPR. For more on the SCCs, please read our article.
SINCE JULY 10, 2023: Companies self-certified under the Privacy Shield (provided they update their privacy policies by no later than October 10, 2023) or the new EU-U.S. Data Privacy Framework (DPF) can freely transfer EU personal data to the U.S. However, please note that neither the Privacy Shield nor the DPF will be enough for the self-certifying entity to be considered compliant with the GDPR.
National Derogations
BEFORE: Under the pre-GDPR EU Privacy Directive, companies collecting or using the personal data of EU residents had to comply not only with the Directive but also with 28 different EU member states’ national privacy laws implementing the Directive into national law.
SINCE MAY 25TH, 2018: The GDPR has become the law of the land in all member states of the EU EXCEPT THAT, in over 50 areas of the GDPR, the so-called “national derogations”, EU member states retain the right to provide for exceptions or supplemental provisions to those of the GDPR, i.e., companies processing the personal data of EU residents will need to ensure that, in those areas, they comply not only with the GDPR but also with applicable member state legislation.
Compliance Plan: How to Comply in Two Steps
Pre-Audit Assessment of Your Company
At the end of this review, we will have conducted a pre-audit assessment of your company’s processing practices, the types of processing performed, the purposes of the processing, and determined how much of the processing is done internally versus outsourced to third-party processors. We will then be able to give you an estimate of the budget necessary to proceed with our compliance plan.
This assessment will give us an overview of:
What:
- Your current privacy practices are
- Your current level of privacy compliance is
- Your data flows are
- Your company’s internal and external data flows are
- Level of data security you have implemented
Who:
- Your company’s decision makers in terms of privacy are
- Is responsible for managing the company’s information governance program
- Your third-party processors are and the level of their involvement in your overall processing activity
How:
- Information governance is managed
- You secure the data
- You keep track of your internal and external data processing
Where:
- The data you process is going, both internally and externally
This step is very interactive. We need to get a better understanding of your company and its privacy practices INCLUDING who processes what, for what purposes, where, and for how long.
Audit & Ongoing Compliance
Based on the initial assessment and surveys, we will conduct a more thorough audit of your company’s processing operations. At the end of this review we will draw up a privacy compliance program for your company that fits your needs.
Our work will consist of assessing your compliance against EU privacy laws and regulations. As part of this audit we will do one or more of the following tasks:
- PERFORM privacy impact assessments
- MAKE AN INVENTORY of all contracts with vendors and customers that involve data processing and assess their compliance with EU privacy laws and regulations
- CREATE EU-compliant policies (including drafting a GDPR compliant privacy policy) and procedures
- MAKE AN INVENTORY OF & CORRECT all your privacy notices
- PROVIDE you with one or more internal privacy compliance playbooks containing what you should include in your future contracts, and templates of contracts you can use with your subcontractors
- PROVIDE you and your teams training on various aspects of EU data privacy laws
- ENSURE THAT YOU COMPLY with any regulatory filing or declarative requirements, if any
- ENSURE that your international data transfers are compliant with European laws and regulations
- PREPARE YOU to handle an individual’s request for access to their personal data
- If applicable, ESTABLISH internal processes for security breaches or MAP your current data breach and incident response policies and procedures against the GDPR requirements, and CREATE an action plan to fill the gaps
Going Further
If you need more assistance, we can provide you with add-on modules to comply with EU laws on an ongoing basis, including:
- Various trainings on several parts of the regulation: these trainings can be adapted to your company, industry sector, business activity, and processing practices. They can be delivered on a monthly, bimonthly or other regular basis to be agreed with your team.
- Data Protection Officer (DPO) services: We are able to act as your externalized DPO. This service will help you comply with EU privacy laws from both the U.S. and the EU.
We provide our services on a subscription basis. Please be aware that these optional services are only available to companies that have gone through steps 1 and 2, whether with us or independently.
Our Key Differentiators
- Our dual admission as lawyers in both Europe (the EU and the UK) and North America (the U.S. and Canada), combined with our professional experience gained on both continents, makes us best positioned to advise U.S.- and Canada-based companies in their operations in the EU and the UK, including on how to comply with local laws within the EU
- Our expertise in both EU/UK and U.S./Canadian privacy laws and regulations allows us to help U.S. and Canadian clients comply with their obligations in both the EU/UK and the U.S./Canada
- Our combined physical presence in both Europe and the U.S. allows us to be located in close proximity to our clients and their local operations, and to advise them both in the U.S./Canada and within the EU/UK