May 21, 2018

GDPR: The EU’s New Data Protection Laws — Are You Ready?


The EU’s General Data Protection Regulation[1] Comes Into Effect on 25 May 2018.

Any company anywhere in the world which holds personal identifying information about EU resident private individuals will be impacted. Individuals covered by the regime may include prospective, existing and former customers, employees, contractors, contacts at suppliers or customers and marketing contacts.

The steps needed for any organization to comply with GDPR will always be particular to it. However, with only a few days to go before the implementation deadline, the aim of this short communication is to remind our clients of the deadline and provide a checklist of some of the common themes that have emerged in our advice with clients to date.

  • Updating employee privacy policies and distributing them / making them available on an intranet.
  • Reviewing standard-form employment contracts to consider whether consent as a lawful basis for processing employee data is sustainable or whether other lawful bases should be established.
  • Updating customer privacy policies and making them available online.
  • Considering the need for customer consents (depending on the types of processing applied to customers’ data) and how to capture them.
  • Ensuring intra-group data transfer agreements are governed by the EU’s model terms or other appropriate arrangements for lawful transfer.
  • Reviewing contracts with suppliers where personal data is exchanged.
  • Updating and reviewing IT, data security and data protection policies, as well as procedures governing data breaches.
  • Making sure you have in place procedures to respond to customers and employees’ requests (e.g. access to data, “right to be forgotten,” portability).
  • Assessing IT, data storage and security systems against the new standards.
  • Analyzing how data is controlled, processed and transferred, the availability of “legitimate interests” or other acceptable reasons as a basis for processing, and the need for consent.
  • Considering the extent to which customer or employee consent or notices are required concerning the sharing of information with third parties, such as third-country regulators, suppliers and business partners.
  • Considering the extent to which the company is able to satisfy data subjects’ rights under the GDPR (e.g. rights to access, amend and delete personal data), especially in relation to data that the company has transferred to third parties.

Other steps may be needed, depending on the company’s usage and transfer of personal data.

The Shearman & Sterling team below was supported by associate Jerry Healy (Litigation-London) and consultant Mark Robinson (Mergers & Acquisitions-London).

Authors

Thomas Donegan

Partner

Financial Institutions Advisory & Financial Regulatory

+44 20 7655 5566

London

Barnabas Reynolds

Partner

Financial Institutions Advisory & Financial Regulatory

+44 20 7655 5528

London

John Adams

Partner

Funds

+44 20 7655 5740

London

Sam Whitaker

Counsel

Compensation, Governance & ERISA

+44 20 7655 5954

London

Oliver Linch

Senior Associate

Financial Institutions Advisory & Financial Regulatory

+44 20 7655 5715

London