The General Data Protection Regulation replaces the EU Data Protection Directive as the framework for EU privacy and data protection. The GDPR goes into effect on May 25, 2018, and for most companies doing business in the EU, coming into compliance will require significant time and resources.
GDPR Compliance Services - How Perkins Coie Can Help
Perkins Coie’s Privacy & Data Security lawyers have a deep understanding of the GDPR requirements for both data controllers and data processors, and regularly counsel companies doing business in the EU to help them meet the GDPR’s requirements. We work with clients to help them:
- Fully understand their current privacy and data protection practices, policies and procedures;
- Identify gaps in compliance and industry best practices and provide recommendations to remediate these gaps;
- Design and implement enhanced privacy and data protection practices, policies and procedures that comply with the GDPR.
Over the last decade, we have acted as the global strategic quarterback for many clients, helping them develop comprehensive privacy and data security programs that protect them from legal exposure in countries around the world.
| Resource | Description |
|---|---|
| WP29 Guidelines and Opinions | Identified resources from the Article 29 Working Party related to the GDPR. |
| Country-Specific Resources | Identified resources from EU Member States related to the GDPR. |
| Article 28 Checklist | Pursuant to Article 28, contracts between controllers and processors must fulfill these requirements. |
| Data Subject Requests | Data Subject Requests Under the GDPR: A Step By Step Guide. |
Companies that do not have any physical presence in the EU may still be subject to the GDPR. The regulation applies to companies that have an establishment in the EU, but also to companies outside the EU that offer goods and services to EU data subjects or monitor the behavior of EU data subjects, and as a result process personal data of EU data subjects. The GDPR broadly defines “personal data” as any information that relates to an identified or identifiable person, such as names, contact information, location data and online and mobile identifiers (such as cookie IDs, IP addresses and device identifiers).
Under the GDPR, companies are required to provide EU data subjects with greater visibility into and control over how their personal data is processed. The GDPR provides explicit requirements for the type of notice companies must provide to data subjects before processing their personal data. It also grants data subjects broad rights regarding the treatment of their personal data, including the right to be forgotten, the right to access and correct data, the right to data portability, the right to restrict certain processing, the right to revoke consent for processing and the right to object to automated decision-making processes, including profiling. Companies need to review, and likely revamp, their data practices, procedures and policies to ensure that they can meet these obligations.
Companies subject to the GDPR are required to institutionalize privacy. Privacy by default requires companies to limit collection, processing and storage of personal data. Privacy by design requires companies to implement appropriate technical and organizational measures when determining the means of processing data and when processing data.
For example, whenever possible, companies are encouraged to implement pseudonymization by processing personal data in a manner such that it can no longer be attributed to a specific data subject. Additionally, the GDPR outlines standards regarding the security of data processing for both data controllers and data processors. Where a type of processing uses new technology or is likely to result in a high risk to data subjects, including profiling or large-scale processing of special categories of data, the data controller is required to carry out a privacy impact assessment. This assessment must be detailed and documented, and where the assessment indicates a “high risk,” prior consultation with a supervisory authority is required.
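The pseudonymization described above rests on one property: the pseudonym must not be attributable to a data subject without additional information that is kept separately. The following is an added example, not code from this page or from Perkins Coie, showing one common way to achieve that for direct identifiers: a keyed hash (HMAC) whose key is held apart from the pseudonymized dataset. The records, field names and key value are constructed for the demonstration. Unlike an unkeyed hash, which anyone can recompute from a list of likely email addresses, the keyed form gives no way to link a pseudonym back to a person without the key, while records for the same person still share a pseudonym so analysis on the dataset remains possible.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (hypothetical data, not taken from the page).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "ip": "198.51.100.7", "purchase": "book"},
    {"email": "bob@example.com", "ip": "203.0.113.9", "purchase": "lamp"},
    {"email": "alice@example.com", "ip": "198.51.100.7", "purchase": "pen"},
]

# Fields treated as direct identifiers (an assumption for this example).
DIRECT_IDENTIFIERS = ("email", "ip")


def generate_key() -> bytes:
    """Create the 'additional information' that must be stored separately
    from the pseudonymized dataset (e.g. in a KMS/HSM, not beside the data)."""
    return secrets.token_bytes(32)


def pseudonymize_value(field: str, value: str, key: bytes) -> str:
    """Keyed hash of a single identifier.

    The field name is mixed in for domain separation so the same string in two
    different fields does not yield the same pseudonym."""
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with pseudonyms; leave other fields intact."""
    return {
        field: pseudonymize_value(field, value, key) if field in DIRECT_IDENTIFIERS else value
        for field, value in record.items()
    }


def pseudonymize_dataset(records: list, key: bytes) -> list:
    return [pseudonymize_record(r, key) for r in records]


def reidentify(field: str, pseudonym: str, candidates: list, key: bytes):
    """Only the key holder can link a pseudonym back to a candidate value.

    Without `key` this lookup is not possible, which is what separates
    pseudonymized data from data that has merely been hashed."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymize_value(field, candidate, key), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    key = generate_key()  # keep this apart from the dataset
    for row in pseudonymize_dataset(SAMPLE_RECORDS, key):
        print(row)
```

In practice the key is rotated and access-controlled like any other secret; whoever holds it can re-identify, so the separation between the key store and the analytics dataset is what makes the measure meaningful.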
The way companies ensure and demonstrate compliance with the GDPR will be scrutinized. The GDPR requires companies to keep clear and accurate records of their data processing activities and compliance efforts. Companies must document the flow of data within their organization and provide detailed information in the event of an audit. Companies may be required to designate a data protection officer to advise and monitor their compliance and to determine whether a data protection impact assessment is required.
The GDPR also imposes a high duty of care on data controllers in selecting service providers to process personal data on their behalf. Data processing contracts must be implemented and must include a range of specific information and obligations. Service providers have similar obligations to pass these contractual requirements down to any sub-processors.
The GDPR introduces a new security breach notice requirement. In the event of a breach, companies must provide prompt, detailed notification to the supervisory authority and, if a breach “is likely to result in a high risk to the rights and freedoms of individuals,” to the affected data subjects.
Failure to comply with the GDPR can result in substantial potential liability, including steep penalties imposed by regulators, which can extend to a company’s vendors and service providers. Penalties vary depending on the type of violation, but can be as high as 20 million euros or 4% of a company’s worldwide annual turnover. Additionally, the GDPR grants individuals the ability to sue if harmed by a company’s violations.