IP, Information and Innovation

Data Protection

GDPR: Preparing for the European General Data

Protection Regulation

The Background: from Directive to Regulation 1

Data Protection Principles 2

Accountability and Governance 3

Rights of Individuals 5

Embedding Data Protection in Your Organisation 7

Data Protection: by Design or by Default? 8

Supply Chain 9

International Data Transfers 10

Data Protection Officers 11

Data Breach Notifications 12

Supervisory Authorities and Sanctions 13

Putting the Theory into Practice: What Next? 14

Our European Team 15

Contents

RePrmacdis

It tGDJoupefo

ThThplawh

•

•

Orto re

T

FocoEuDst

HBab

Wot

eform begarotection Rember sta

ccount for tsposal. Ne

took nearlyDPR or Reg

ournal of theriod of twr 25 May 2

he long ahe GDPR apace in the hen:

goods or

the behav

rganisation operate ogulation p

The Ba

or a little ollection,urope byirective), tates.

How doeBy the time and processbeen assess

We have preorder for yohe data you

an in 2012Regulation,

tes. This rethe rise of w technolo

y four yeargulation) a

he Europeao years wa

2018, when

arm of thpplies to cEuropean

services ar

viour of EU

ns which doutside theursuant to

ackgr

over 20 use and

y the Data adopted

es this af the GDPR ises relatingsed and bro

epared thisou to betteru hold, whe

GDPR: P

aimed at which, as eform alsof personal togy means

rs of consund it was f

an Union oas then agrn the Regu

he law ontrollers Union or n

re offered

U citizens is

o not havee scope of o the GDPR

ound

years, thd processa Protectd and im

ffect yous applied in

g to the colleought into a

publication understan

ether it relat

Preparing for t

harmonisian EU reg

o sought totechnologys new risks

ultation to formally adon 4 May 2reed, durin

ulation bec

and procenot”. The e

to EU citiz

s monitore

e an estabEU data pr

R.

d: from

he protecsing of thtion Direplement

r businen May 2018ection and alignment w

n to lay out d what the tes to your

the European

ng data prulation, wo

o ensure thy and the vs as well as

agree the dopted on 016, enterng which oomes enfo

essors “regextra-territ

zens; or

ed or track

lishment inrotection l

m Dire

ction of iheir persoective (95ed in nat

ess? , you will neuse of pers

with the req

the new ob Regulationemployees

General Data

rotection aould have dhat the govvast array s new ways

General D 27 April 2ring into foorganisatioorceable.

gardless oftorial appli

ked throug

n the EU – aw – are n

ective

ndividuaonal data

5/46/EC) (tional law

eed to makeonal data auirements

bligations b expects fro, customers

Protection Re

across the direct effeverning lawof devices s of collect

Data Protec016 and p

orce 20 dayns would h

f whether tcation of t

h the use o

and whichnow subjec

e to R

als in relaa has bee(the Dataw by all 2

e sure that across your of the new

eing ushereom your bus or supplie

egulation Ree

EU via a Gct across a

w was upda now at thting and us

ction Reguublished inys later. A thave time t

the proceshe GDPR is

of technolo

h consider ct to data p

Regula

ation to ten govera Protect28 EU me

all practice organisatio Regulation

ed in by theusiness in reers.

ed Smith LLP

eneral Datall EU ated to e EU’s sing data.

ulation (then the Offictransitionato prepare

ssing takess triggered

ogy.

themselveprotection

ation

he rned in tion ember

es, policies on have .

e GDPR, in elation to

01

ta

e cial al e

d

es

D

Arre

Data P

rticle 5 ofequired t

Protec

f the GDo comply

GDPR: P

ction

PR sets oy with wh

Preparing for t

Princ

out the mhen they

the European

ciples

major priy process

General Data

nciples ts persona

Protection Re

hat all oral data.

egulation Ree

rganisati

ed Smith LLP

ons are

02

GDPR: Preparing for the European General Data Protection Regulation Reed Smith LLP 03

What will Accountability actually look like under the Regulation? Under the GDPR, there is no change in the definitions of the two key roles of data controller and data processor but how liabilities are negotiated—we expect increased complexity (at least initially)—to change. Why? Simply stated, for the first time data processors will take on a direct regulatory responsibility and, therefore, liability. Supervisory authorities may develop a new ‘contributory negligence’ approach to enforcement and sanctions.

Controller A data controller can be an individual or an entity. Data controllers determine the purposes for and means of processing personal data, and are accountable for compliance with the GDPR principles.

Processor A data processor is an individual or entity which processes personal data on behalf of a controller.

The concept of the data processor is well known from the Data Protection Directive. For the first time, data processors are subject to direct regulation by supervisory authorities under the GDPR. Although processors have several obligations, two of the most notable are:

• Implementation of sufficient security measures, having regard to the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing.

• Maintenance of records of all categories of processing activities carried out on behalf of a data controller, including details of any international data transfers.

Accountability in practice Data controllers will continue to be responsible and accountable for compliance and governance, with the GDPR elevating the significance of their role.

Data processors will be in line for greater liability now that they will be directly regulated. As a result, we expect to see a significant impact on contracts with service providers.

Data Protection Officers (DPOs) will assume a vital and powerful role. We may see increasingly the voluntary appointment of DPOs as a means of centralising the accountability function.

Governance Accountability means that governance structures must have the spotlight shone on them. With the requirement for some organisations to appoint a DPO – as a minimum governance

Accountability and Governance

Some of the most important new requirements under the GDPR are those pertaining to accountability. Accountability means that organisations must demonstrate compliance with the GDPR.

GDPR: Preparing for the European General Data Protection Regulation Reed Smith LLP 04

requirement – some aspects of governance may become more prescriptive, with some decisions taken out of the hands of business. In practice, organisations will be expected to put into place comprehensive but proportionate governance measures, including: • Appropriate technical and organisational

measures • Recording of processing activities • Appointment of a Data Protection Officer

(where appropriate)

• Implementation of Data Protection by Design and by Default

• Development and use of Data Protection Impact Assessments

Demonstrating Compliance

As part of accountability, organisations must be able to demonstrate not only that they have a compliance framework in place but also that they implement and adhere to these measures.

GDPR: Preparing for the European General Data Protection Regulation Reed Smith LLP 05

Right Requirement

New Rights

Right to restrict processing

Controller to cease processing where: (i) accuracy is contested by the data subject; (ii) processing is unlawful but the data subject does not request erasure; (iii) processing is no longer necessary; or (iv) data subject has objected to the processing and controller determines that no overriding legitimate grounds exist. If data disclosed to third party, controller to inform them of restriction unless this is impossible or involves disproportionate effort.

Rights against automated decision making and profiling

Controller to identify whether operations constitute automated decision making and update such operations so as to ensure process allows for human intervention. Exemptions available to controller.

Right to data portability

Controller to provide the personal data (that are processed in an automated way) in a structured, commonly used and machine-readable format and, where requested and technically feasible, transmit them directly to another controller.

Rights of Individuals

The GDPR preserves a number of existing rights of data subjects to access their personal data but importantly, as well as providing further obligations on those existing rights, it also creates new rights. The below table summarises the impact and key obligations as regards controllers receiving requests from data subjects.

GDPR: Preparing for the European General Data Protection Regulation Reed Smith LLP 06

Right Requirement Changes to existing law(s)

Existing Rights

Right to be informed

Controller to provide data subjects with information relating to the processing of their personal data in a concise, clear and intelligible manner.

More detailed information to be provided and depends on whether data obtained directly from data subject.

Right of access Controllers to confirm whether personal data are being processed, and if so, provide access.

Information to be provided free of charge and within one month of receipt. Where request made electronically, information to be provided in a “commonly used electronic format”.

Right to rectification

Controller to rectify inaccurate or incomplete personal data without undue delay.

Where controller has disclosed personal data to third party, controller to inform them of rectification.

Right to object Controller to cease processing where data subject objection to processing is: (i) based on certain grounds (public interest or legitimate interest); or (ii) for certain purposes (research or statistics). Some exemptions may be available to controller. Data subject has absolute right to object to data processed for direct marketing purposes. No exemptions are available to controller.

Right to object to personal data being used for statistical or research purposes.

Right to erasure (‘right to be forgotten’)

Controller to erase personal data when: (i) no longer necessary; (ii) consent is withdrawn; (iii) data subject objects and controller has no overriding legitimate grounds to hold data; (iv) data is unlawfully processed; (v) necessary to comply with a legal obligation; or (vi) processed in connection with an online service offered to a child.

Broader, more specific rights created. If data disclosed to third party, controller must inform them of erasure unless it is impossible or involves disproportionate effort.

DaDPind• • • •

On•

•

•

•

•

•

PrIn co

E

Daid

W•

ata ProtecPIAs are mdividuals.

New techProfiling ProcessinSystemat

nce the neDescript– Descr– What

Assessme– How m

Identifica– What

Identifica– Evalua– What

Approval– Ensur– Recor

compIntegratio– Imple

projec

rior consu the absen

onsult the

mbed

ata Proteentificat

Worth coOrganisato use fo

ction Impaandatory wExamples

hnologies or automang sensitivtic monitor

eed for a Dtion of proribe how p legitimateent of necmany indivation and steps are ation and ate propos level of risl and recore DPIA recrd decision

pliance on of DPIA

ement, monct and whe

ltation wince of mea superviso

dding

ection Imion, asse

onsiderinations shouor any new

GDPR: P

act Assesswhen proc of “high r ated proceve data (spering of pub

PIA has beocessing oersonal da

e interest iscessity anviduals are assessmetaken to a evaluatiosed measusk is accepording ceives signns taken to

A outcomnitor, re-asen there is

ith lead Dsures to mory autho

Data

mpact Assessment

ng… uld think a process o

Preparing for t

sments cessing posisk” opera ssing ecial categblic areas (

een identifoperationsata is: (i) cos the contrd proport

e likely to bent of dataddress ris

on of data ures and satable?

n-off at theo eliminate

es in the pssess and s a change

ata Protemitigate ris

rity prior

Prote

sessmenand min

bout puttior activity t

the European

ses a “highations incl

gories of dae.g., CCTV/

fied, a nums envisageollected, (ii)roller purstionality oe affecteda protectik to: (i) the protectioafeguards

appropria, mitigate o

project plupdate the of risk

ction Authk where hi to proces

ection

t (DPIA) iimisation

ng a standhat involve

General Data

h risk” to thude:

ata) on a la/video surv

mber of steed and pu) used, anduing?

of process? on risks

e individuaon solution for addres

ate level or accept r

an e DPIA pla

hority gh risk is i

ssing.

n in Yo

is a procn of data

dard temples the proc

Protection Re

he rights an

arge scale veillance)

ps must burposes ofd (iii) delete

ing opera

l, and (ii) thns ssing risk

risk, and d

n over the

dentified, t

our O

ess invola protect

ate in placcessing of

egulation Ree

nd freedom

e taken: f processined

tions

he organis

emonstrat

life-cycle o

the contro

rganis

lving theion risks

ce for theirdata.

ed Smith LLP

ms of

ng

ation?

te

of the

oller must

sation

r business

07

n

DaAnthphApne

It m

• •

DaDacuBypr

Th

• • • •

At• •

D

Dade

ThDepr

F•

ata Protn organisatat complia

hase of anyppropriate ew project,

must be d

Nature, Likelihoo

ata Protata Protectustomer acy default onrocessed.

his applies

Amount Extent oPeriod oAccessib

t what stAt the timAt the co

Data P

ata Proteevelopm

he GDPRefault, wrotection

From theOrganisatmaking it

ection bytion needsance is moy product o technical , service or

emonstrat

scope, cood and sev

ection bytion by Defcquires a nnly person

to:

of personf processin

of time for bility

tage of tme when doncept and

Protec

ection is ent and

R introducwhich, in pn into con

e outset tions must t an integral

GDPR: P

y Designs to show tnitored. Dor service and organr business

ted that su

ntext and verity of r

y Defaulfault mean

new producnal data wh

al data colng storage of

he projeeterminat

d design ph

ction:

set to beorganisa

ces Datapractice, nsiderati

take data p part of the

Preparing for t

n that adequData protecor use of t

nisational m process.

ufficient ac

purposesrisks to rig

lt ns that thect or servic

hich are ne

llection

f personal

ect? ion of the

hase of any

by D

ecome anational st

Protecti means ton from

protection ine project de

the European

uate securiction is batechnologymeasures b

count is ta

s of proceghts and fre

strictest pce. ecessary fo

data

means of y project

Design

n integratructure o

on by Dethat all o the outs

nto considevelopment

General Data

ty measurked in, noty. become pa

aken in reg

ssing eedoms of

privacy sett

or specific i

processing

n or b

al part of of new p

esign andrganisatiset of pro

eration from process… f

Protection Re

es have bet bolted on

art of the d

gard to:

f individua

tings autom

identified p

g is made

by Def

both theproducts

d Data Pions musojects or

m the outsetfrom day o

egulation Ree

een implemn from at th

developme

ls

matically a

purposes a

fault?

e technoor servic

rotectionst take da new init

t of any newone.

ed Smith LLP

mented anhe concep

ent for eac

pply once

are

logical ces.

n by ata iatives.

w project,

08

nd pt

h

a

SuCopeguteinc

SuThsuthsu28

•

•

•

•

S

Thampraswre

HA2

Omdim

upplier dontrollers aersonal datuarantees, chnical ancluding me

upplier ohe processubject matte data sub

upplier and8 of the GD

only procedocumen

ensure thhave comconfident

takes all sthe Regul

ensures tsub-contr

Supply

he greatemounts treviouslys a legal rith sever

egulatory

How doeAll contracts2018 – in ot

Organisatiomost criticadeadline – omposed on

due diligeare requireta on their in particuld organisaeasures to

obligatioing by a suter, duratiobjects. It md the risks DPR the co

esses persted instruc

hose with ammitted the

iality;

security meation;

he same oractors;

y Cha

est impacto ensuriy being serequiremral aspecy guidanc

es this afs involving pther words,

ns should rl services fo

otherwise yon you which

GDPR: P

ence ed to carryr behalf. Thar in term

ational mea ensure th

ns upplier shoon, nature ust also tainvolved tontract mus

sonal data ctions;

access to pemselves t

easures re

obligations

in

ct of the ng sufficeen in th

ment in sts of thece as wel

ffect youpersonal da we are cur

review theiror their busou will risk could be (a

Preparing for t

y out due dhey will nees of expertasures wh

he security

ould be go and purpo

ake into acco the rightst stipulate

on

personal dao

quired und

flow down

GDPR oncient guahe Data Puch expl GDPR, gll as EU m

r busineata handlingrrently in th

r existing ariness operabeing non-ca) non-com

the European

diligence oed to ensut knowledgich will me of process

verned by oses of thecount the s and freee that the s

ata

der

n to

• acRrr

• de

• mto

n a contrrantees

Protectioicit term

greater clmember

ess? g or transfee transition

rangementations. Startcompliant opliant from

General Data

n supplierure suppliege, reliabili

eet the reqsing.

a written, e processinspecific tadoms of thsupplier:

assists the complianceRegulationrequests brights unde

deletes or end of the

makes avaito demonsobligations

roller’s deof data pn Directis as we slarity is estates’ d

ers must comn period.

ts with servit negotiatio

or having th your persp

Protection Re

s (processers can proity and resuirements

binding cong, the typsks and rehe data su

controllere with thei, includingy individuaer the Regu

returns allarrangem

ilable all instrate coms.

ealings wprotectiove but wsee now.expectedelegated

mply with t

ice providerons well in ahird party stpective and/

egulation Ree

sors) proceovide sufficources, to

s of the Reg

ontract, see of perso

esponsibilitbjects. Un

r with regar obligatio responseals to exerculation;

personal ent; and

nformationpliance wit

with its suon. This wwas not a. Howev through

d powers

he GDPR as

rs, starting advance of ttandard ter/or (b) unfa

ed Smith LLP

essing cient implemengulation,

tting out thonal data aties of the der article

rds ns under ts to cise their

data at the

necessaryth their

uppliers was nchored er, as

h s.

s at 25 May

with the the GDPR ms vourable.

09

nt

he nd

the

e

y

y

Int

1

If tinvtra

2

•

•

3

• •

In

UEc“oor

W•

ternationa

Adequathe Europevolved in tansferred,

AppropModel claModel cothe Euroorder to contracti

Binding CBinding Cexplicitly GDPR, whBCRs areinternatiowithin a gavailable processo

SpecificExplicit cContract

ntern

nder theconomic onward trrganisati

Worth noIn exceptspecific d

l transfers

acy Decisean Commhe transfe data may

priate Saauses ontractual pean Comlegitimise ng parties

CorporateCorporate recognisehich infers

e a methodonal transfgroup of co for both c

ors.

c Derogaonsent performa

ation

e GDPR, d Area (EEransfers”on.

oting… ional caseserogation.

GDPR: P

s under the

sions mission has

r providesflow freely

afeguard

clauses apmission mtransfers b.

e Rules Rules (“BCd in the te

s a level of d of legalisifer of persompanies

controllers

ations

ance

al Da

data tranEA) remai” of data

, the contro

Preparing for t

e GDPR ca

s adopted an ‘adequ

y between

s

pproved bymay be used

between th

CRs”) are ext of the legitimacying the onal data and are and

• Public • Legal c

ta Tra

nsfers to in subjec from an

oller may als

the European

n take plac

a decisionuate’ level othe EEA an

y d in he

.

• ET

• ET

interest claims

ansfe

countriect to rest importe

so invoke h

General Data

ce on the f

that the tof protectind country

EU Codes The GDPRof conductenforceabcontroller such codeapproved.

EU CertificThe GDPRcertificatiobasis for denforceabcontroller certificatioapproved.

rs

s outsiderictions.

er to ano

his compelli

Protection Re

following b

hird counton for the y, territory

of ConducR provides t

t along witle commit or process

es of condu

cation R also provion mechandata transfle commit or process

on mechan

• Vital• Publ

e of the E Restrictither thir

ng legitimat

egulation Ree

bases:

try, territor data beingor sector.

ct that approth binding ments of tsor may beuct have ye

ides for apnisms to befers along wments withsor. No su

nisms have

l interestslic source

Europeanons alsod countr

te interest a

ed Smith LLP

ry or sectog

oved codesand

the e used. Noet been

pproved e used as awith bindinh the ch

e yet been

s

n apply to

ry or

as a new

10

r

s

o

a ng

o

Co•

•

•

Thco

Thda

DThobco

Thlawas

PoOrdishig

D

W(Dth

CLasLa

Ad

ontrollerthe proce

the core scope or large sca

the core a

he DPO canorporate gr

he DPO muata protect

PO respohe DPO wilbligations, aooperating

he DPO muws, and witssigning re

osition organisationsmissed orghest leve

Data P

Whilst somDPO) as phe appoin

Case StuLiveWell, Incacross the gsurveys andLimited, a claccess to da

As yet theredata, proces

rs and pressing is ca

activities purposesale; or

activities co

n be an emroup can a

ust be desition knowle

onsibilitil be respoadvising o with the s

ust monitoth their orgesponsibil

of the DPns must enr penalisedel of mana

Protec

me organpart of thntment o

dy… c. is a U.S. hglobe, includd trials for re

oud providata for man

e is no regussed by Live

GDPR: P

rocessorarried out b

of the con, requires

onsist of p

mployee ofappoint a s

ignated onedge and a

ies nsible for n the perfo

supervisory

or compliaganisationlities, rais

PO nsure that d for carryagement.

ction

nisations heir accouof a DPO

headquarteding to 650esearch ander in Irelan

nagement a

latory guidaeWell could

Preparing for t

rs must aby a public

ntroller or pregular an

processing

f the organsingle DPO

n the basis ability to fu

informing ormance oy authority

ance with ’s policies ing aware

the DPO cing out the

Office

can voluuntability is mand

red busines0,000 customd product dd, though cnd IT opera

ance, but thd make it su

the European

appoint ac authorit

processor nd system

g on a large

nisation or .

of professulfil their D

and advisiof data proy.

the GDPR,on the pro

eness and

can operateir respons

ers

unarily apy prograatory.

ss offering hmers in thedevelopmencertain busiations. Will

he potentialbject to the

General Data

a DPO wty;

consist of matic mon

e scale of

hired exte

sional qualDPO respon

ng on the otection im

, with otheotection of staff train

e indepensibilities an

ppoint a mme, in

health and EU. LiveWent purposesness functiLiveWell n

l volume of e DPO requ

Protection Re

where:

processinitoring of

special ca

ernally, and

lities, in pansibilities.

organisatimpact asses

er EU or naf personal ning.

dently of ind is to rep

data pro certain c

wellness prell regularlys. Data are ons in the Ueed to app

data, includirement.

egulation Ree

g which, bf data subj

ategories

d compani

articular th

on’s data pssments, a

ational datadata. This

nstructionport direc

otection ocircumst

roducts andy carries outhosted by C

United Statepoint a DPO

ding sensiti

ed Smith LLP

y its naturjects on a

of data.

es within a

eir expert

protectionand

a protectio includes

, cannot bctly to the

officer ances

d services t customer Cirrus es have O?

ve persona

11

e,

a

on

e

al

Thpr

NIn

•

•

NNoof m

W

•

• • •

NHiex

• • •

D

Ho•

•

he GDPRrotection

ew rules the event

The natiorights an

Individualfreedoms

otice to otification t the breacillion or 2 p

hen you n

the naturof recordthe detaithe likely a descrip

otices togh risk dat

xemption a

the naturthe likely a descripindividua

Data B

ow to preTraining adata is aw

Responsedetection

R will requn authori

s of a data b

onal supervd freedoms affected s.

the Supeto the releh. Failure tper cent of

otify you s

re of the bds involvedls of the D conseque

ption of any

o Affecteta breacheapplies, an

re of the b conseque

ption of remal should ta

Breac

epare and awareare of wha

e plan: havmethods,

GDPR: P

uire dataty and, in

breach, co

visory authms of individ

where the

ervisory evant supeto notify wf global tu

hould inclu

reach, incld; DPO or anoences of thy, or propo

ed Individes must bed must co

reach; ences of thmedial actiake to min

h Not

eness: ensat amounts

ve an interinvestigati

Preparing for t

a breach n certain

ntrollers w

hority wheduals. e breach w

Authoritrvisory aut

when requirrnover.

ude:

uding cate

other persohe breach; osed, reme

duals e notified tontain the f

he breach; ion taken aimise poss

tificat

sure everyos to a brea

nal breachons and a

the European

notificatn circums

will be requ

re the bre

would likely

ty thority mured to do s

egories of

on if there and edial action

o affected following in

and as well as isible adver

tions

one in youach.

h responsen internal

General Data

ion to anstances, t

uired to no

ach would

y result in a

st be withso could re

individuals

is no DPO

n taken.

individualsnformation

nformatiorse effects.

ur organisa

e plan that reporting

Protection Re

n organisto affecte

otify:

d likely resu

a high risk

in 72 houresult in a fi

s and the a

O;

s without un in clear a

n about an.

ation who h

provides fprocedure

egulation Ree

sation’s leed individ

ult in the ri

to their rig

rs of becomine of up t

approxima

undue deland plain la

ny actions

handles pe

for robust e.

ed Smith LLP

ead dataduals.

sk to the

ghts and

ming awareo €10

te number

ay, unless anguage:

the

ersonal

breach

12

a

e

r

an

GDPR: Preparing for the European General Data Protection Regulation Reed Smith LLP 13

Controllers and processors must have a “lead supervisory authority” located in the jurisdiction where they have their main or sole establishment. There are complex rules in place to govern cooperation between an entity’s lead supervisory authority and other supervisory authorities, which take effect where a complaint is made by a data subject. There are also mutual assistance provisions in place, and supervisory authorities may operate jointly to conduct investigations and take enforcement action.

A European Data Protection Board, tasked with ensuring the consistent application of the GDPR, will also be established. The Board will have a number of responsibilities, including issuing guidance on a number of topics and resolving disputes between supervisory authorities.

Powers of Supervisory Authorities

Supervisory authorities have robust enforcement powers which go far beyond those under the Data Protection Directive. Supervisory authorities may, for example:

• order controllers or processors to provide information

• access a controller or processor’s premises and equipment

• issue warnings and reprimands;

• limit or ban data processing

• impose administrative fines of up to €20,000,000 or 4 per cent of total worldwide turnover.

The scope of enforcement powers available to supervisory authorities and their implications for businesses will ensure that GDPR compliance remains a board-level concern.

Supervisory Authorities and Sanctions

Supervisory authorities will continue to play a vital role under the GDPR. Each member state must have established at least one independent supervisory authority which will be responsible for enforcing the GDPR.

InThmpr

PaTh

1

2

3

4

5

6

7

8

9

10

P

n a nutshhe GDPR wember sta

repared an

ath to cohe ten step

Stakeho

Data Inv

GDPR G

Implem

Governstructur

Supply requirem

Cross-B

Accoun

Data Surespecte

0 Data Brand not

Putting

hell: will be fully

tes. The cond in place

ompliancps to comp

older Awa

ventory: A

Gap Analys

mentation

ance Strure to suppo

Chain (Proments

Border Tra

tability Pr

ubjects’ Riged

reach Notifications

g the

GDPR: P

in force froountdown for this se

ce pliance are

reness: Em

Assess and

sis: Determ

Plan: Crea

cture & Dort accoun

ocessors):

ansfers: Re

rocesses:

ghts: Put i

ification: C

Theo

Preparing for t

om 25 May has alread

eismic shift

:

mbed data

d record th

mine what

ate a proje

DPO : Appontability req

: Ensure su

eview cros

Utilise too

n place po

Create pol

ory int

the European

y 2018 anddy begun st in the reg

a protectio

he persona

additional

ect plan to

int data prquirement

upplier con

s-border d

ls and pro

olicies and

icy for bre

to Pra

General Data

d will applyso your orggulatory lan

on in your o

al data bein

l steps are

address th

rotection os

ntracts are

data transf

cesses to

procedure

each respo

actice

Protection Re

y in the UKganisation ndscape.

organisatio

ng process

required f

he complia

officer and

e amended

fers

document

es to ensu

nse, conta

e: Wha

egulation Ree

K and acros must have

on

sed

for GDPR c

ance gaps

create gov

d to meet G

t complian

re rights a

ainment, re

at Ne

ed Smith LLP

ss all EU e everythin

complianc

vernance

GDPR

ce

re

emediation

ext?

14

ng

e

n

GDPR: Preparing for the European General Data Protection Regulation Reed Smith LLP 15

London

Our European Team

As part of the IP, Information and Innovation Group, our IT, Privacy and Data Security team brings strength and increased connectivity in today’s information economy by developing a collaborative, cross-discipline practice focusing on data security, information governance, technology, and intellectual property services.

Cynthia O’Donoghue Partner, International Head of IT, Privacy & Data Security London +44 (0)203 116 3494 codonoghue@reedsmith.com

Kate Brimsted Partner London +44 (0)203 116 3620 kbrimsted@reedsmith.com

Philip Thomas Counsel London +44 (0)203 116 3526 pthomas@reedsmith.com

Katalina Bateman Senior Associate London +44 (0)203 116 2866 kbateman@reedsmith.com

Chantelle Taylor Associate London +44 (0)203 116 3481 ctaylor@reedsmith.com

Curtis McCluskey Associate London +44 (0)203 116 3467 cmccluskey@reedsmith.com

Tom Evans Associate London +44 (0)203 116 3653 tevans@reedsmith.com

GDPR: Preparing for the European General Data Protection Regulation Reed Smith LLP 16

Paris

Munich

Athens

Thought Leadership For more insight into the GDPR and other Data and Technology related matters, please take a look at our blog, the Technology Law Dispatch, at: www.technologylawdispatch.com

Recognition Our team has been recognised over a number of years with rankings in both the Chambers and Legal 500 directories.

"The team is responsive and approachable, very helpful and makes an effort to keep us updated about the latest important developments." Chambers & Partners 2017

Daniel Kadar Partner Paris +33 (0)1 76 70 40 86 dkadar@reedsmith.com

Caroline Gouraud Associate Paris +33 (0)1 76 70 40 34 cgouraud@reedsmith.com

Thomas Fischl Counsel Munich +49 (0)89 20304 178 tfischl@reedsmith.com

Alexander Hardinghaus Associate Munich +49 (0)89 20304 134 ahardinghaus@reedsmith.com

Anthony Poulopoulos Partner Athens +30 (0)210 41 99 423 apoulopoulos@reedsmith.com

Doretta Frangaki Associate Athens +30 (0)210 41 99 425 dfrangaki@reedsmith.com

ABU DHABI

ATHENS

BEIJING

CENTURY CITY

CHICAGO

DUBAI

FRANKFURT

HONG KONG

HOUSTON

KAZAKHSTAN

LONDON

LOS ANGELES

MUNICH

NEW YORK

PARIS

PHILADELPHIA

PITTSBURGH

PRINCETON

RICHMOND

SAN FRANCISCO

SHANGHAI

SILICON VALLEY

SINGAPORE

TYSONS

WASHINGTON, D.C.

WILMINGTON

reedsmith.com

Reed Smith is a global relationship law firm with more than 1,800 lawyers in 26 offices throughout the United States, Europe, Asia and the Middle East.

Founded in 1877, the firm represents leading international businesses, from Fortune 100 corporations to mid-market and emerging enterprises. Its lawyers provide litigation and other dispute-resolution services in multi-jurisdictional and high-stakes matters, deliver regulatory counsel, and execute the full range of strategic domestic and cross-border transactions. Reed Smith is a preeminent advisor to industries including financial services, life sciences, health care, advertising, entertainment and media, shipping and transport, energy and natural resources, real estate, manufacturing and technology, and education.

This document is not intended to provide legal advice to be used in a specific fact situation; the contents are for informational purposes only. “Reed Smith” refers to Reed Smith LLP and related entities. © Reed Smith LLP 2016