European Privacy & Cybersecurity

• Preparing and reviewing privacy notices and policies to ensure compliance with the EU and UK GDPR.
• Performing data protection impact assessments (DPIAs) and legitimate interest assessments (LIAs).
• Providing data protection officer (DPO) support services.
• Drafting procedures and plans to ensure that cybersecurity controls are in line with the developing standards, service terms, and conditions complying with online safety and consumer rights requirements and procedures concerning supply chain management.

We work with companies that have already implemented compliance programs to assess and evaluate their compliance status in light of the rapidly developing regulatory environment. We can provide them with a second pair of eyes—under privilege—to ensure that no compliance requirements were missed and that the compliance measures that they have implemented are (still) in line with the most recently issued regulatory guidance. When we find possible shortcomings in a compliance program, we are happy to propose and help implement appropriate remedial steps.

We provide companies with compliance training modules for different target groups within their organization. This can include:

• General and bespoke training for employees engaged in activities involving personal data (e.g., HR staff, data protection officers);
• Cybersecurity compliance training for information security and legal teams;
• AI literacy training for staff dealing with the operation and use of AI systems;
• Cybersecurity risk-management training for management teams for the purposes of the NIS2 Directive;

We advise companies on transactions that involve the collection and sharing of personal data and regulated non-personal data, or the purchase of (AI-enhanced) technologies, and prepare appropriate compliance documentation required to facilitate the transaction. We also advise on and assist with the implementation of suitable data transfer mechanisms for sharing personal data with recipients outside the EEA/UK, including binding corporate rules (BCRs), the European Commission’s standard contractual clauses (SCCs), and the derogations in Article 49 of the GDPR. We also help clients prepare transfer impact assessments (TIAs) and transfer risk assessments (TRAs) to support their use of BCRs and standard contractual clauses both in the EEA and the UK. 

When companies merge with or acquire other companies, it is critical as part of the due diligence to identify any privacy, cybersecurity, or other data-related concerns in the pre-acquisition phase and take remedial actions following the acquisition (e.g., by enhancing the target’s compliance program). Identifying any potential for successor liability and addressing noncompliance issues at the target level will mitigate privacy, cybersecurity, and data-related risks for both the selling and acquiring companies. We help clients ensure that compliance risks relating to an acquisition or merger are identified and properly managed. When needed, we will also recommend appropriate compliance steps for a robust post-acquisition integration.

We work with companies to prepare incident response plans and playbooks consistent with European and other global regulatory requirements. We also carry out internal cybersecurity governance assessments to ensure compliance with developing laws in this area. We provide operational and board-level training on cybersecurity. As part of this training, we conduct cybersecurity tabletop exercises to help prepare companies for a cybersecurity incident and identify enhancements to their incident response processes. This exercise draws from actual events and applies the facts to a complex but client-specific cybersecurity hypothetical situation. Our tabletop exercises are designed to assist in preparing companies to take a multifunctional, coordinated approach to cybersecurity.

We provide companies with legal support and crisis management following a cybersecurity incident or personal data breach, including assessing and preparing breach notifications to the relevant supervisory authorities and, where needed, affected data subjects, globally. We also advise on possible remedial action in response to the incident/breach and can conduct internal investigations into the company’s breach response in the wake of a cybersecurity incident.

We represent clients before European supervisory authorities, including EU Member State and UK data protection authorities (DPAs) that have initiated an investigation into our clients’ practices and compliance with applicable law. We help our clients prepare for and participate in meetings with regulators, answer questions posed, and draft position papers on their behalf. We also assist companies in assessing and responding to complaints from individuals related to data protection and use of confidential information. 

We advise companies on all privacy and data protection aspects of the internal investigations they conduct, focusing on ensuring that personal data collected for the purposes of these investigations are handled in compliance with European rules, including the EU and UK GDPR, as well as other relevant laws such as blocking statutes. This includes advising on the use of whistleblower hotlines and the processing of personal data collected through them.

We assist companies with handling and responding to individuals who want to exercise their rights under privacy, cybersecurity, and data-related laws, including the right to access, the right to be forgotten, and the right to data portability under the EU and UK GDPR. This includes providing internal guidance and training on dealing with such requests, assessing whether the requests are valid, and preparing appropriate responses to the requests.