Shearman & Sterling LLP multinational law firm headquartered in New York City, United States.


May 21, 2018

GDPR: The EU’s New Data Protection Laws — Are You Ready?


The EU’s General Data Protection Regulation[1] Comes Into Effect on 25 May 2018.

Any organization, wherever in the world it is established, that holds personal data about private individuals in the EU will be affected, whether it acts as a controller or as a processor of that data. The individuals covered by the regime may include prospective, existing and former customers, employees, contractors, contacts at suppliers or customers, and marketing contacts.

The steps needed for any organization to comply with the GDPR will always be particular to it. However, with only a few days to go before the implementation deadline, the aim of this short communication is to remind our clients of the deadline and to provide a checklist of some of the common themes that have emerged in our advice to clients to date.

  • Updating employee privacy policies and distributing them / making them available on an intranet.
  • Reviewing standard-form employment contracts to consider whether consent as a lawful basis for processing employee data is sustainable or whether other lawful bases should be established.
  • Updating customer privacy policies and making them available online.
  • Considering the need for customer consents (depending on the types of processing applied to customers’ data) and how to capture them.
  • Ensuring intra-group data transfer agreements are governed by the EU’s model terms or other appropriate arrangements for lawful transfer.
  • Reviewing contracts with suppliers where personal data is exchanged.
  • Updating and reviewing IT, data security and data protection policies, as well as the procedures governing data breaches (including the obligation to notify the supervisory authority of a notifiable breach without undue delay and, where feasible, within 72 hours of becoming aware of it).
  • Making sure you have in place procedures to respond to customers’ and employees’ requests (e.g. access to data, “right to be forgotten,” portability).
  • Assessing IT, data storage and security systems against the new standards.
  • Analyzing how data is controlled, processed and transferred, the availability of “legitimate interests” or other acceptable reasons as a basis for processing, and the need for consent.
  • Considering the extent to which customer or employee consent or notices are required concerning the sharing of information with third parties, such as third-country regulators, suppliers and business partners.
  • Considering the extent to which the company is able to satisfy data subjects’ rights under the GDPR (e.g. rights to access, amend and delete personal data), especially in relation to data that the company has transferred to third parties.

Other steps may be needed, depending on the company’s usage and transfer of personal data.

The Shearman & Sterling team below was supported by associate Jerry Healy (Litigation-London) and consultant Mark Robinson (Mergers & Acquisitions-London).

Authors and Contributors

Thomas Donegan

Partner

Financial Institutions Advisory & Financial Regulatory

+44 20 7655 5566

London

Barnabas Reynolds

Partner

Financial Institutions Advisory & Financial Regulatory

+44 20 7655 5528

London

John Adams

Partner

Investment Funds

+44 20 7655 5740

London

Paolisa (Paola) Nebbia

Counsel

Antitrust

+39 06 697 679 231

Rome

Sam Whitaker

Counsel

Compensation, Governance & ERISA

+44 20 7655 5954

London

Susanna Charlwood

Partner

Litigation

+44 20 7655 5907

London

Oliver Linch

Associate

Financial Institutions Advisory & Financial Regulatory

+44 20 7655 5715

London