EU General Data Protection Regulation

The laws and regulations on the collection and use of personal data in Europe are among the most stringent in the world, with the primary legislation at the EU level being the General Data Protection Regulation (GDPR). 

Noncompliance with the GDPR may give rise to administrative fines of up to 4% of an undertaking’s worldwide annual revenues or alternative sanctions such as a ban on processing activities or data flows. In addition, noncompliance may lead to reputational damage, which can have a significant impact on a company’s operations and business growth. 

Alston & Bird’s privacy and data protection team has been at the forefront of GDPR compliance since it became effective in May 2018. Our dedicated team has advised on every pertinent GDPR issue. 

We provide global privacy and data protection advice to market-leading enterprises worldwide, of all sizes, and in diverse sectors, including at least 10 companies in the Fortune 100, three of the world’s 10 largest companies (as ranked by Fortune), and major cloud and analytics service providers. We have designed and are conducting comprehensive review programs specifically focused on GDPR compliance for some of the world’s leading multijurisdictional businesses.

We bring value by looking beyond legal compliance to consider business risks that may result from the privacy and data protection issues you are facing. Our approach is always to balance the compliance considerations in a way that makes operational sense, is cost-effective, and provides an appropriate and comfortable level of risk. We also pride ourselves in having adopted a client-centric approach to providing legal counsel. Our guidance blends industry best practices and decades of experience working with global clients on similar matters, with customized, creative, and practical solutions.

Based in the European Union’s capital, Brussels, and both U.S. coasts, our team is on call to tackle virtually any issue, anywhere, any time. You want to be proactive, stay ahead of the competition, and be compliant with the GDPR. Alston & Bird is your guide.

We have experience helping our clients in four key areas: regulatory compliance, transactions, cybersecurity, and enforcement.

Regulatory Compliance

GDPR Compliance Development

• We assist companies that are entering the European market or have otherwise become subject to European regulations, including the GDPR, with the development of a GDPR compliance program tailored to their needs. This includes preparing and reviewing privacy notices and policies, standard operating procedures, consent mechanisms, and agreements relating to the collection and transfer of personal data. Where relevant, we also advise on the appointment of data protection officers and EU representatives for data protection purposes, as well as the creation of records of processing activities (ROPAs). In addition to the GDPR, we advise on areas covered by other European or national data protection laws or regulations, for example on electronic marketing under the ePrivacy Directive.

GDPR Compliance Assessment

• We work with companies to deal with project-specific or day-to-day GDPR compliance requirements, for example, preparing legitimate interest assessments (LIAs) and data protection impact assessments (DPIAs), drafting privacy notices/policies and consent forms, and negotiating data protection agreements with third-party vendors. We also assist companies that have implemented a GDPR compliance program with assessing and evaluating their compliance status. We can provide them with a second pair of eyes—under privilege—to ensure that no compliance requirements were missed and that the GDPR compliance measures that they have implemented are (still) in line with the most recently issued regulatory guidance. When we find possible shortcomings in a GDPR compliance program, we are happy to propose and help implement appropriate remedial steps.

GDPR Compliance Training

• We provide companies with GDPR compliance training modules for different target groups within their organization. In addition to general training for all employees who are handling personal data, we develop and provide bespoke training for staff that are tasked with specific activities involving data processing (e.g., sales representatives or HR staff).

Transactions

Transactional Counseling

• We advise companies on transactions that involve the collection and sharing of personal data and prepare appropriate privacy and data protection notices, agreements, and other compliance measures required to facilitate the transaction. We also advise on and assist with the implementation of suitable data transfer mechanisms for sharing personal data with recipients outside the EEA/UK, including binding corporate rules (BCRs), the European Commission’s standard contractual clauses, and the derogations in Article 49 of the GDPR. Since the ruling of the European Court of Justice in the Schrems II case in July 2020, we also help clients prepare transfer impact assessments (TIAs) to support their use of BCRs and standard contractual clauses. 

M&A Due Diligence Review

• When companies merge with or acquire other companies, it is critical as part of the due diligence to identify any privacy or data protection concern in the pre-acquisition phase and take remedial actions following the acquisition (e.g., enhancing the target’s GDPR compliance program). Identifying any potential for successor liability and addressing noncompliance issues at the target level will mitigate the privacy and data protection risk for both the selling and acquiring companies. We help clients ensure that the privacy and data protection compliance risks relating to an acquisition or merger are identified and properly managed. When needed, we will also recommend appropriate compliance steps for a robust post-acquisition integration.