1. Home
  2. |Experience
  3. |Brussels Practice
  4. |European General Data Protection Regulation (GDPR) — Brussels Practice

European General Data Protection Regulation (GDPR)

Overview

Our Services

Crowell & Moring’s U.S. and European-based team has a wealth of experience advising clients on the European Union’s General Data Protection Regulation (GDPR), along with many other U.S. and related EU Member State-specific regulations. Our GDPR team’s core offerings include:

  • Reviewing organizations’ operations to determine GDPR applicability and impact.
  • Conducting internal analysis of current data flows and data protection policies and practices to identify potential gaps or compliance risks.
  • Identifying areas of concern and defining best practices via on-site training and GDPR tabletop exercises with key members of the organization.
  • Helping design risk-based compliance frameworks tailored to meet the needs of the business.
  • Drafting policies and procedures and a tailored GDPR action plan.
  • Reviewing existing agreements with third-party suppliers for compliance issues.
  • Enhancing awareness of GDPR via workshops and seminars.
  • Monitoring regulatory developments.
  • Continuing review of existing programs based on regulatory and operational changes.
  • Assisting with communications to stakeholders and potential online defamation related to GDPR violations.
  • Defending class action privacy lawsuits.

Background

GDPR is a comprehensive EU-wide law that gives individuals the ability to control the collection and use of their personal data. The GDPR is based on the fundamental right to data protection enshrined in the EU Treaties and in the EU Charter of Fundamental Rights. This fundamental right is akin to a constitutional right in the U.S. By empowering individuals to control how their data may be used, the GDPR presents companies doing business in Europe with significant compliance and operational challenges. With significant possible fines for noncompliance – up to the greater of €20 million or four percent of organizations' worldwide annual gross revenue – it is legislation that cannot be ignored.

GDPR’s strict requirements apply to organizations that collect or process the personal data of individuals in the EU. A company does not have to have a physical presence in the EU to be subject to GDPR; as long at the company collects data on EU EU residents, it must comply with the law’s requirements.

Additionally, the regulation requires that organizations:

  • Hire a Data Protection Officer to oversee GDPR compliance;
  • Report data breaches to the relevant EU regulator within 72 hours
  • Enforce strict record keeping for data processing activities;
  • Conduct data protection impact assessments for higher risk processing;
  • Take into account data protection when designing new technologies, systems, or services; and
  • Roll out new compliance policies, procedures, and governance controls requirements.

GDPR compliance is not a mere check-the-box exercise or a problem that has a one-size-fits-all, off-the-shelf solution. Compliance needs to be consistent with the risk environment, business needs, and available resources.

Insights

Client Alert | 3 min read | 03.07.23

The EDPB's Opinion on EU-U.S. Data Privacy Framework

On February 28, 2023, the European Data Protection Board (“EDPB”) adopted its Opinion 5/2023 (the “Opinion”) on the draft adequacy decision of the European Commission regarding the EU-U.S. Data Privacy Framework (“DPF”). The DPF aims to ensure that personal data transferred from the European Union to the U.S. receives an adequate level of protection. The framework is based on the principles of transparency, accountability, and oversight, and it includes safeguards to protect the data privacy rights of individuals....

|

Insights

Client Alert | 3 min read | 03.07.23

The EDPB's Opinion on EU-U.S. Data Privacy Framework

On February 28, 2023, the European Data Protection Board (“EDPB”) adopted its Opinion 5/2023 (the “Opinion”) on the draft adequacy decision of the European Commission regarding the EU-U.S. Data Privacy Framework (“DPF”). The DPF aims to ensure that personal data transferred from the European Union to the U.S. receives an adequate level of protection. The framework is based on the principles of transparency, accountability, and oversight, and it includes safeguards to protect the data privacy rights of individuals....

Insights

Client Alert | 3 min read | 03.07.23

The EDPB's Opinion on EU-U.S. Data Privacy Framework

On February 28, 2023, the European Data Protection Board (“EDPB”) adopted its Opinion 5/2023 (the “Opinion”) on the draft adequacy decision of the European Commission regarding the EU-U.S. Data Privacy Framework (“DPF”). The DPF aims to ensure that personal data transferred from the European Union to the U.S. receives an adequate level of protection. The framework is based on the principles of transparency, accountability, and oversight, and it includes safeguards to protect the data privacy rights of individuals....