The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and many projections still say American firms are not prepared – with some polls finding that upwards of two-thirds still have a long way to go. While some organizations may need more significant policy or structure changes than others, studies show EU and U.S. firms share similar concerns when it comes to GDPR-readiness. Our attorneys have the experience and knowledge necessary to assist both U.S. and EU clients with reaching and maintaining compliance, avoiding the penalties GDPR puts in place for non-compliance. For a quick review of GDPR and who it affects, read our alert.
Our team of privacy + data security attorneys, which includes an IAPP-Certified Information Privacy Manager, understands the thoroughness required for proper compliance readiness and information security. They stay current on both the business and legal requirements companies must meet, as well as the strategies to meet them domestically and internationally. With diverse skills and knowledge, our team is well-equipped not only to analyze the various ways your business may be at risk when it comes to compliance, but also to assist with the creation and implementation of solutions that lower the likelihood of data breaches and protect your business should a breach occur.
Companies must navigate the nuanced requirements GDPR puts on privacy + data security or face penalties and fines of up to €20 million, or 4% of global turnover (whichever is greater), for non-compliance. For some companies, this may require more than new policies; some may need new or updated business operations and technology. Working from that perspective, our firm counsels clients in creating and enacting strong, individualized privacy policies and in managing both liability risk and customer and public relations risk, so that they are able to continue operating, continue growing, and feel confident in their compliance and information security programs.
Kegler Brown’s Privacy + Data Security team has created a practical approach for dealing with data security issues in global business operations that details necessary actions in the preparation for and continued compliance with GDPR. View it here.
- Governance + Design: analysis and guidance in designing a compliance program, based on each client's systems and structures, that addresses the unique compliance obligations introduced by GDPR
- Accountability + Processing Records: assisting with the documentation of a compliance program and the required preparation of records of processing activities
- Data Subject Rights + Consent: managing the requirements related to data subjects' rights, including the rights to access, to be forgotten, to object, and to data portability
- Data Breaches + Notices: providing strategies to reduce the likelihood of, and prepare for, data breaches occurring domestically or abroad; responding to customer, client and media inquiries; navigating the entire process for incidents that lead, or have led, to litigation
Companies need to fully understand the reach, obligations and risks related to GDPR. Not only do its rules apply broadly to all organizations established in the EU, but the GDPR also applies to many organizations established outside of the EU. Therefore, we assist businesses, educational institutions and other organizations that:
- Offer goods or services (including online sales) to data subjects in the EU
- Monitor the behavior of data subjects in the EU
- Provide services to these entities, including cloud-based services, which are not exempt from GDPR enforcement