Background - Privacy & Cybersecurity

European General Data Protection Regulation

On May 25, 2018, the EU General Data Protection Regulation became effective and enforceable. The GDPR is a comprehensive law empowering individuals to control the collection and use of their personal data. The GDPR is based on the fundamental right to data protection recognized in the EU. This fundamental right is akin to a constitutional right in the US. By empowering individuals to control how their data may be used, GDPR presents companies with significant compliance and operational challenges. The GDPR replaces existing data protection laws throughout Europe, with possible fines for noncompliance of up to the greater of €20 million or 4 percent of organizations' worldwide annual gross revenue.


Crowell & Moring is pleased to offer a guide to help you understand the impacts of GDPR. The guide aims to provide businesses worldwide with a useful tool to further their understanding of the key aspects of the GDPR. It is not, nor is it intended to be, exhaustive. To download a complimentary copy, please click here.

Organizations that process personal data in the framework of their activities within the EU, track behavior of individuals, such as employees and consumers within the EU, or target individuals within the EU for the provision of goods or services are subject to the strict GDPR requirements. Additionally, the regulation requires companies to report data breaches to the relevant EU regulator within 72 hours, a requirement that already exists in the U.S. but is new in the EU; create the role of a Data Protection Officer; enforce stricter record keeping for data processing activities; conduct data protection impact assessments for higher risk processing; take into account data protection when designing new  technologies, systems, or services; and roll out new compliance policies, procedures, and governance controls requirements.

We do not see GDPR compliance as a mere check-the-box exercise or a problem that has a one-size-fits-all, off-the-shelf solution. We understand that compliance needs to be consistent with the risk environment, business needs, and available resources. Enhancing GDPR compliance in a risk-based, business-specific way builds trust, which is a differentiator with true business value.

Our U.S. and European-based team has a wealth of experience advising clients on GDPR, among other U.S. and EU regulations. Our GDPR team’s core offerings include:

  • Reviewing companies operations to determine GDPR applicability and impact.
  • Conducting internal analysis of current data flows and data protection policies and practices to identify potential gaps or compliance risks.
  • Identifying areas of concern and defining best practices via on-site training and GDPR tabletop exercises with key members of the organization.
  • Helping design risk-based compliance frameworks tailored to meet the needs of the business.
  • Drafting policies and procedures and a tailored GDPR action plan.
  • Reviewing existing agreements with third-party suppliers for compliance issues.
  • Enhancing awareness of GDPR via workshops and seminars.
  • Monitoring regulatory developments.
  • Continuing review of existing programs based on regulatory and operational changes.
  • Assisting with communications to stakeholders and potential online defamation related to GDPR violations.
  • Defending class action privacy lawsuits.

For more information on our offerings, please see our GDPR overview [PDF].