What Is GDPR?
GDPR stands for General Data Protection Regulation, the EU legislative instrument that, since May 25, 2018, has replaced the 1995 European directive on data protection (Directive 95/46/EC). Because it is a Regulation and no longer a Directive, it applies directly across all 28 Member States of the EU, subject to a limited number of "national derogations", and aims to simplify the European legislative framework on data privacy, which under the Directive was a patchwork of European rules and 28 sets of national laws and regulations.
The GDPR does not, however, reach the level of uniformity it set out to achieve: a number of areas remain matters for Member States to regulate at the national level, the so-called "national derogations". As a result, since May 25, 2018, companies processing the personal data of EU residents must comply not only with the GDPR but also with the privacy laws and regulations of any applicable EU country in those areas that remain within Member States' discretion.
Our GDPR Compliance Program will do just that: ensure that you comply not only with the GDPR but also with the evolving landscape of applicable national EU Member States' privacy laws and regulations.
For more information, please download our GDPR brochure here. You can also view our Glossary of GDPR-related terms here. We have also written an article on the importance of hiring EU counsel to assist with your GDPR compliance.
Why You Will Want to Comply
- Heavy Fines
- Accountability
- Data Breach
- Data Protection Officer
- Standing to Sue
- Privacy Shield
- National Derogations
Heavy Fines
BEFORE: Some countries imposed fines for violations of privacy laws, but these were relatively low.
SINCE MAY 25TH, 2018: The GDPR provides for two tiers of administrative fines: up to €10 million or 2% of the company's total worldwide annual turnover of the preceding financial year, whichever is higher; or up to €20 million or 4% of that turnover, whichever is higher.
Which tier applies depends on which provisions of the GDPR have been infringed; the 4% tier covers, among others, violations of the basic principles for processing, of data subjects' rights, and of the rules on international data transfers.
Accountability
BEFORE: Only the person responsible for the processing (the controller) was accountable.
SINCE MAY 25TH, 2018: The GDPR makes every company processing personal data accountable, whether it processes the data for itself (as a controller) or on behalf of another entity (as a processor). Controllers and processors must keep records of their processing activities (subject to a narrow exemption for organizations with fewer than 250 employees), and controllers must document every personal data breach, including the facts, its effects and the remedial action taken.
Data Breach
BEFORE: Some European countries had rules on data breaches, but these were not harmonized across the EU.
SINCE MAY 25TH, 2018: The controller has a dual notification duty:
- to the national Data Protection Authority, without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals;
- to the persons concerned by the processing of their data, without undue delay, when the breach is likely to result in a high risk to their rights and freedoms.
The processor must notify the controller (the person for whom the data are being processed) of any personal data breach without undue delay after becoming aware of it.
Data Protection Officer
BEFORE: Some European countries required companies to appoint a privacy officer, but the requirement was not consistent throughout the EU.
SINCE MAY 25TH, 2018: The appointment of a Data Protection Officer (DPO) is mandatory in the following three scenarios:
- public authorities and bodies processing personal data (except courts acting in their judicial capacity),
- organizations whose core activities consist of processing operations requiring regular and systematic monitoring of individuals on a large scale,
- organizations whose core activities consist of large-scale processing of special categories of personal data or of data relating to criminal convictions and offenses.
For other companies, appointing a DPO voluntarily can prove a valuable compliance tool.
Standing to Sue
HISTORICALLY: European nationals had limited standing to sue U.S.-based processors before U.S. courts.
NOW: The Judicial Redress Act of 2015 extends certain remedies under the U.S. Privacy Act to citizens of designated EU countries, giving them standing before U.S. courts. U.S. corporations with a physical presence in the EU can also be sued before EU courts. Under the GDPR, even companies with no presence in the EU can be sued before the courts of the Member State in which the data subject resides.
Privacy Shield
BEFORE: A company self-certified under the Privacy Shield could receive and process EU personal data in the U.S. without further requirements.
SINCE MAY 25TH, 2018: Privacy Shield self-certification only provides a lawful basis for transferring personal data to the U.S.; it does not by itself make the self-certifying entity compliant with the GDPR. Companies self-certified under the Privacy Shield therefore have to take additional measures to comply with EU laws and regulations.
National Derogations
BEFORE: Under the pre-GDPR EU Data Protection Directive, companies collecting or using the personal data of EU residents had to comply not only with the Directive but also with the 28 national privacy laws implementing it in each Member State.
SINCE MAY 25TH, 2018: The GDPR has become the law of the land in all Member States of the EU, EXCEPT THAT in over 50 areas, the so-called "national derogations", Member States retain the right to provide exceptions to, or supplement, the provisions of the GDPR. In those areas, companies processing the personal data of EU residents need to comply not only with the GDPR but also with the applicable Member State legislation.
Compliance Plan: How to Comply in Two Steps
Step 1: Initial assessment
This step is very interactive. We need to get a better understanding of your company and its privacy practices, INCLUDING who processes what, for what purposes, where, and for how long.
This assessment will give us an overview of your company's processing practices, the types of processing performed, the purposes of the processing, and how much of the processing is done internally versus outsourced to third-party processors. At the end of this review we will be able to give you an estimate of the budget necessary to pursue our compliance plan.
Step 2: Audit and compliance program
Based on the initial assessment and surveys, we will conduct a more thorough audit of your company's processing operations. At the end of this review we will draw up a privacy compliance program for your company that fits your needs.
Our work will consist of assessing your compliance against EU privacy laws and regulations. As part of this audit we will perform one or more of the following tasks:
- PERFORM privacy impact assessments (data protection impact assessments, where the processing is likely to result in a high risk to individuals)
- MAKE AN INVENTORY of all contracts with vendors and customers that involve data processing and assess their compliance with EU privacy laws and regulations
- CREATE EU-compliant policies and procedures
- MAKE AN INVENTORY OF & CORRECT all your privacy notices
- PROVIDE you with one or more internal privacy compliance playbooks setting out what you should include in your future contracts, together with a template contract
- PROVIDE you and your teams with training on various aspects of EU data privacy laws
- ENSURE THAT YOU COMPLY with any filing or notification requirements, if any
- ENSURE that your international data transfers comply with European laws and regulations
- PREPARE YOU to handle individuals' requests to access their data (data subject access requests)
- If applicable, ESTABLISH internal processes for handling personal data breaches, or MAP your current data breach and incident response policies and procedures against the GDPR requirements and CREATE an action plan to fill the gaps
If you need more assistance, we can provide you with add-on modules to help you comply with EU laws on an ongoing basis, including:
- Various trainings on different parts of the regulation: these trainings can be adapted to your company, industry sector, business activity, and processing practices. They can be delivered monthly, bi-monthly or on another regular schedule to be agreed with your team.
- Data Protection Officer (DPO) services: we can act as your external (outsourced) DPO. This service will help you comply with EU privacy laws from both the U.S. and the EU.
We provide these services on a subscription basis. Please be aware that these optional services are only available to companies that have gone through steps 1 and 2, whether with us or independently.
Our Key Differentiators
- Our dual admission as lawyers in both the EU and the U.S., combined with our professional experience gained on both continents, puts us in the best position to advise U.S.-based companies on their operations in the EU
- Our expertise in both EU and U.S. privacy laws and regulations allows us to help U.S. clients comply with their obligations in both the EU and the U.S.
- Our combined physical presence in both the EU and the U.S. allows us to be located in close proximity to our clients and their local operations, and to advise them both in the U.S. and within the EU