European General Data Protection Regulation (GDPR)

Overview

Our Services

Crowell & Moring’s U.S. and European-based team has a wealth of experience advising clients on the European Union’s General Data Protection Regulation (GDPR), along with many other U.S. and related EU Member State-specific regulations. Our GDPR team’s core offerings include:

Reviewing organizations’ operations to determine GDPR applicability and impact.
Conducting internal analysis of current data flows and data protection policies and practices to identify potential gaps or compliance risks.
Identifying areas of concern and defining best practices via on-site training and GDPR tabletop exercises with key members of the organization.
Helping design risk-based compliance frameworks tailored to meet the needs of the business.
Drafting policies and procedures and a tailored GDPR action plan.
Reviewing existing agreements with third-party suppliers for compliance issues.
Enhancing awareness of GDPR via workshops and seminars.
Monitoring regulatory developments.
Continuing review of existing programs based on regulatory and operational changes.
Assisting with communications to stakeholders and potential online defamation related to GDPR violations.
Defending class action privacy lawsuits.

Background

GDPR is a comprehensive EU-wide law that gives individuals the ability to control the collection and use of their personal data. The GDPR is based on the fundamental right to data protection enshrined in the EU Treaties and in the EU Charter of Fundamental Rights. This fundamental right is akin to a constitutional right in the U.S. By empowering individuals to control how their data may be used, the GDPR presents companies doing business in Europe with significant compliance and operational challenges. With significant possible fines for noncompliance – up to the greater of €20 million or four percent of organizations' worldwide annual gross revenue – it is legislation that cannot be ignored.

GDPR’s strict requirements apply to organizations that collect or process the personal data of individuals in the EU. A company does not have to have a physical presence in the EU to be subject to GDPR; as long at the company collects data on EU EU residents, it must comply with the law’s requirements.

Additionally, the regulation requires that organizations:

Hire a Data Protection Officer to oversee GDPR compliance;
Report data breaches to the relevant EU regulator within 72 hours
Enforce strict record keeping for data processing activities;
Conduct data protection impact assessments for higher risk processing;
Take into account data protection when designing new technologies, systems, or services; and
Roll out new compliance policies, procedures, and governance controls requirements.

GDPR compliance is not a mere check-the-box exercise or a problem that has a one-size-fits-all, off-the-shelf solution. Compliance needs to be consistent with the risk environment, business needs, and available resources.