Noncompliance with the GDPR may give rise to administrative fines of up to 4% of an undertaking’s worldwide annual revenues or alternative sanctions such as a ban on processing activities or data flows. In addition, noncompliance may lead to reputational damage, which can have a significant impact on a company’s operations and business growth.
Alston & Bird’s privacy and data protection team has been at the forefront of GDPR compliance since it became effective in May 2018. Our dedicated team has advised on every pertinent GDPR issue.
We provide global privacy and data protection advice to market-leading enterprises worldwide, of all sizes, and in diverse sectors, including at least 10 companies in the Fortune 100, three of the world’s 10 largest companies (as ranked by Fortune), and major cloud and analytics service providers. We have designed and are conducting comprehensive review programs specifically focused on GDPR compliance for some of the world’s leading multijurisdictional businesses.
We bring value by looking beyond legal compliance to consider business risks that may result from the privacy and data protection issues you are facing. Our approach is always to balance the compliance considerations in a way that makes operational sense, is cost-effective, and provides an appropriate and comfortable level of risk. We also pride ourselves on having adopted a client-centric approach to providing legal counsel. Our guidance blends industry best practices and decades of experience working with global clients on similar matters with customized, creative, and practical solutions.
Based in the European Union’s capital, Brussels, and both U.S. coasts, our team is on call to tackle virtually any issue, anywhere, any time. You want to be proactive, stay ahead of the competition, and be compliant with the GDPR. Alston & Bird is your guide.
We have experience helping our clients in four key areas: regulatory compliance, transactions, cybersecurity, and enforcement.
GDPR Compliance Development
- We assist companies that are entering the European market or have otherwise become subject to European regulations, including the GDPR, with the development of a GDPR compliance program tailored to their needs. This includes preparing and reviewing privacy notices and policies, standard operating procedures, consent mechanisms, and agreements relating to the collection and transfer of personal data. Where relevant, we also advise on the appointment of data protection officers and EU representatives for data protection purposes, as well as the creation of records of processing activities (ROPAs). In addition to the GDPR, we advise on areas covered by other European or national data protection laws or regulations, for example on electronic marketing under the ePrivacy Directive.
GDPR Compliance Assessment
- We work with companies to deal with project-specific or day-to-day GDPR compliance requirements, for example, preparing legitimate interest assessments (LIAs) and data protection impact assessments (DPIAs), drafting privacy notices/policies and consent forms, and negotiating data protection agreements with third-party vendors. We also assist companies that have implemented a GDPR compliance program with assessing and evaluating their compliance status. We can provide them with a second pair of eyes—under privilege—to ensure that no compliance requirements were missed and that the GDPR compliance measures that they have implemented are (still) in line with the most recently issued regulatory guidance. When we find possible shortcomings in a GDPR compliance program, we are happy to propose and help implement appropriate remedial steps.
GDPR Compliance Training
- We provide companies with GDPR compliance training modules for different target groups within their organization. In addition to general training for all employees who are handling personal data, we develop and provide bespoke training for staff that are tasked with specific activities involving data processing (e.g., sales representatives or HR staff).
- We advise companies on transactions that involve the collection and sharing of personal data and prepare appropriate privacy and data protection notices, agreements, and other compliance measures required to facilitate the transaction. We also advise on and assist with the implementation of suitable data transfer mechanisms for sharing personal data with recipients outside the EEA/UK, including binding corporate rules (BCRs), the European Commission’s standard contractual clauses, and the derogations in Article 49 of the GDPR. Since the ruling of the European Court of Justice in the Schrems II case in July 2020, we also help clients prepare transfer impact assessments (TIAs) to support their use of BCRs and standard contractual clauses.
M&A Due Diligence Review
- When companies merge with or acquire other companies, it is critical as part of the due diligence to identify any privacy or data protection concern in the pre-acquisition phase and take remedial actions following the acquisition (e.g., enhancing the target’s GDPR compliance program). Identifying any potential for successor liability and addressing noncompliance issues at the target level will mitigate the privacy and data protection risk for both the selling and acquiring companies. We help clients ensure that the privacy and data protection compliance risks relating to an acquisition or merger are identified and properly managed. When needed, we will also recommend appropriate compliance steps for a robust post-acquisition integration.
- We work with companies to prepare incident response plans and playbooks consistent with European regulatory requirements, including the GDPR. We also carry out internal cybersecurity governance assessments and provide both operational and board-level training on cybersecurity. As part of this training, we conduct cybersecurity tabletop exercises to help prepare companies for a cybersecurity incident and identify enhancements to their incident response processes. This exercise draws from actual events and applies the facts to a complex but client-specific cybersecurity hypothetical situation. Our tabletop exercises are designed to assist in preparing companies to take a multifunctional, coordinated approach to cybersecurity.
Cybersecurity Incident / Data Breach Support
- We provide companies with legal support and crisis management following a cybersecurity incident or personal data breach, including assessing and preparing breach notifications to the relevant supervisory authorities and, where needed, affected data subjects. We also advise on possible remedial action in response to the incident/breach and can conduct internal investigations into the company’s breach response in the wake of a cybersecurity incident.
Dealing with Complaints and DPAs
- We represent clients before European data protection authorities (DPAs) that have initiated an investigation into our clients’ data protection practices and compliance with applicable data protection law (e.g., following a cybersecurity incident or an individual’s complaint to a DPA). We help our clients prepare for and participate in meetings with a DPA and draft position papers on their behalf. We also assist companies in assessing and responding to complaints from individuals related to data protection and use of confidential information.
- We advise companies on all privacy and data protection aspects of the internal investigations they conduct, focusing on ensuring that personal data collected for the purposes of these investigations are handled in compliance with European rules, including the GDPR, as well as other relevant laws such as blocking statutes. This includes advising on the use of whistleblower hotlines and the processing of personal data collected through them.
Data Subject Request Support
- We assist companies with handling and responding to data subjects who want to exercise their data protection rights, including the right to access, the right to be forgotten, and the right to data portability. This includes providing internal guidance and training on dealing with such requests, assessing whether the requests are valid, and preparing appropriate responses to the requests.