Compliance with data privacy laws should be a top priority for all businesses
In today's information economy, data is the new oil. A business' ability to transfer and use customer data and other information is both integral to the day-to-day running of a company and key to profitability and success. With the introduction of new and more stringent data privacy laws, in particular the EU General Data Protection Regulation (GDPR – the biggest shake up in privacy laws in a generation), it is important now more than ever that businesses are fully informed and fully compliant.
We frequently advise clients on data privacy and confidentiality, especially in relation to the GDPR
The GDPR preserves and builds on the principles of the current EU regime, which was designed for a pre-digital age. The new law places protection of the privacy rights of the individual at its centre and, in the process, runs contrary to many business models that assume that data can flow freely, and without restriction in its use. The GDPR introduces a raft of new aggressive and intrusive rules, in particular very serious sanctions for breach which include fines which can go as high as 4% if the global turnover of a group of companies.
Adjustment to the new regime will require radical changes in approach for most businesses. Make no mistake, if companies do not prepare, they will be exposed to an unprecedented regulatory risk. The value of one of the most important assets a business holds – data – could be severely diminished without careful planning.
Clifford Chance operates a global cross-practice group of lawyers specialising in data protection and related "data management" issues. We are uniquely placed with deep litigation experience and relationships with data protection authorities, to support clients through complaints, claims and investigations relating to data privacy and other issues across their businesses. This includes strategic advice as to the approach to be taken, design and implementation of compliance programmes and advice on ad hoc issues arising in the application of those programmes.
We offer a wide range of compliance programmes and solutions including:
- GDPR compliance programmes. Comprehensive review of the data privacy systems and processes in place across a global business network, and its compliance with the new regulation (incorporating the services listed below).
- Review of justification strategies. In light of the new regime, a business' strategy for justification of its processing of personal data is key to compliance, particularly with regard to consent.
- Accountability measures. Gap analysis of organisational measures in place to deal with accountability, for example the appointment of a Data Protection Officer, the necessity of a data privacy impact assessment and the amendment of company policies.
- International data transfers. Review of whether a country outside of the EEA has "adequate safeguards" in place for the protection of personal data, including the use of "binding corporate rules" and non-EEA equivalents.
- Outsourcing management. Identification of key existing contracts which involve material outsourced processing of personal data, and renegotiation of terms to ensure compliance.
- Data Transfer Agreements. Model form (and other) data transfer agreements, and framework agreements for easy adherence and application to multiple transfers.
- Data loss response. Data breach response planning and advising on data security breaches, subject access requests and allegations of breach of data protection law, including representing clients before data protection authorities, other supervisory authorities and courts.
- Regulatory updates and review. Including in relation to the NIS Directive, ePrivacy Directive, GDPR and the relevant national implementing laws.
- Advising a Japanese trading and investment house on its EU GDPR compliance programme, following specific engagements relating to the implementation of a whistleblower hotline, an internal directory, an internal social network site for sharing business partner information and various information security systems; and the storage of emails outside the EEA.
- Advising an international bank on its European data privacy compliance programme, including steps to address the GDPR.
- Advising a global real estate investment fund manager on its GDPR compliance programme.
- Advising a global bank on the data privacy, client confidentiality and regulatory issues affecting the implementation of a customer relationship management system across its EMEA operations and on the parallel development of its global data privacy compliance package.
- Advising a range of diverse clients on data privacy (including GDPR), confidentiality and other "data management" issues
- Advising international clients on their data privacy compliance strategies when establishing new European businesses.