Capabilities
Compliance
Compliance Development
- Preparing and reviewing privacy notices and policies to ensure compliance with the EU and UK GDPR.
- Performing data protection impact assessments (DPIAs) and legitimate interest assessments (LIAs).
- Providing data protection officer (DPO) support services.
- Drafting procedures and plans to ensure that cybersecurity controls are in line with developing standards; service terms and conditions that comply with online safety and consumer rights requirements; and procedures concerning supply chain management.
Compliance Assessment
We work with companies that have already implemented compliance programs to assess and evaluate their compliance status in light of the rapidly developing regulatory environment. We can provide them with a second pair of eyes—under privilege—to ensure that no compliance requirements were missed and that the compliance measures that they have implemented are (still) in line with the most recently issued regulatory guidance. When we find possible shortcomings in a compliance program, we are happy to propose and help implement appropriate remedial steps.
Compliance and Literacy Training
We provide companies with compliance training modules for different target groups within their organization. This can include:
- General and bespoke training for employees engaged in activities involving personal data (e.g., HR staff, data protection officers);
- Cybersecurity compliance training for information security and legal teams;
- AI literacy training for staff dealing with the operation and use of AI systems;
- Cybersecurity risk-management training for management teams for the purposes of the NIS2 Directive.
Transactions
Transactional Counseling
We advise companies on transactions that involve the collection and sharing of personal data and regulated non-personal data, or the purchase of (AI-enhanced) technologies, and prepare appropriate compliance documentation required to facilitate the transaction. We also advise on and assist with the implementation of suitable data transfer mechanisms for sharing personal data with recipients outside the EEA/UK, including binding corporate rules (BCRs), the European Commission’s standard contractual clauses (SCCs), and the derogations in Article 49 of the GDPR. We also help clients prepare transfer impact assessments (TIAs) and transfer risk assessments (TRAs) to support their use of BCRs and standard contractual clauses both in the EEA and the UK.
M&A Due Diligence Review
When companies merge with or acquire other companies, it is critical as part of the due diligence to identify any privacy, cybersecurity, or other data-related concerns in the pre-acquisition phase and take remedial actions following the acquisition (e.g., by enhancing the target’s compliance program). Identifying any potential for successor liability and addressing noncompliance issues at the target level will mitigate privacy, cybersecurity, and data-related risks for both the selling and acquiring companies. We help clients ensure that compliance risks relating to an acquisition or merger are identified and properly managed. When needed, we will also recommend appropriate compliance steps for a robust post-acquisition integration.
Cybersecurity
Cybersecurity Preparation
We work with companies to prepare incident response plans and playbooks consistent with European and other global regulatory requirements. We also carry out internal cybersecurity governance assessments to ensure compliance with developing laws in this area. We provide operational and board-level training on cybersecurity. As part of this training, we conduct cybersecurity tabletop exercises to help prepare companies for a cybersecurity incident and identify enhancements to their incident response processes. Each exercise draws from actual events and applies the facts to a complex but client-specific hypothetical cybersecurity scenario. Our tabletop exercises are designed to assist in preparing companies to take a multifunctional, coordinated approach to cybersecurity.
Cybersecurity Incident / Data Breach Support
We provide companies with legal support and crisis management following a cybersecurity incident or personal data breach, including assessing and preparing breach notifications to the relevant supervisory authorities and, where needed, affected data subjects, globally. We also advise on possible remedial action in response to the incident/breach and can conduct internal investigations into the company’s breach response in the wake of a cybersecurity incident.
Enforcement
Dealing with Complaints and Regulators
We represent clients before European supervisory authorities, including EU Member State and UK data protection authorities (DPAs) that have initiated an investigation into our clients’ practices and compliance with applicable law. We help our clients prepare for and participate in meetings with regulators, answer questions posed, and draft position papers on their behalf. We also assist companies in assessing and responding to complaints from individuals related to data protection and use of confidential information.
Investigations
We advise companies on all privacy and data protection aspects of the internal investigations they conduct, focusing on ensuring that personal data collected for the purposes of these investigations are handled in compliance with European rules, including the EU and UK GDPR, as well as other relevant laws such as blocking statutes. This includes advising on the use of whistleblower hotlines and the processing of personal data collected through them.
Individual Rights Request Support
We assist companies with handling and responding to individuals who want to exercise their rights under privacy, cybersecurity, and data-related laws, including the right to access, the right to be forgotten, and the right to data portability under the EU and UK GDPR. This includes providing internal guidance and training on dealing with such requests, assessing whether the requests are valid, and preparing appropriate responses to the requests.