The EU’s General Data Protection Regulation[1] Comes Into Effect on 25 May 2018.

Any company anywhere in the world which holds personal identifying information about EU resident private individuals will be impacted. Individuals covered by the regime may include prospective, existing and former customers, employees, contractors, contacts at suppliers or customers and marketing contacts.

The steps needed for any organization to comply with GDPR will always be particular to it. However, with only a few days to go before the implementation deadline, the aim of this short communication is to remind our clients of the deadline and provide a checklist of some of the common themes that have emerged in our advice with clients to date.

  • Updating employee privacy policies and distributing them / making them available on an intranet.
  • Reviewing standard-form employment contracts to consider whether consent as a lawful basis for processing employee data is sustainable or whether other lawful bases should be established.
  • Updating customer privacy policies and making them available online.
  • Considering need for customer consents (depending on the types of processing applied to customers’ data) and how to capture this.
  • Ensuring intra-group data transfer agreements are governed by the EU’s model terms or other appropriate arrangements for lawful transfer.
  • Reviewing contracts with suppliers where personal data is exchanged.
  • Updating and reviewing IT, data security and data protection policies, as well procedures governing data breaches.
  • Making sure you have in place procedures to respond to customers and employees’ requests (e.g. access to data, “right to be forgotten,” portability).
  • Assessing IT, data storage and security systems against the new standards.
  • Analyzing how data is controlled, processed and transferred, the availability of “legitimate interests” or other acceptable reasons as a basis for processing, and the need for consent.
  • Considering the extent to which customer or employee consent or notices are required concerning the sharing of information with third parties, such as third-country regulators, suppliers and business partners.
  • Considering the extent to which the company is able to satisfy data subjects' rights under the GDPR (e.g. rights to access, amend and delete personal data) especially in relation to data that the company has transferred to third parties.

Other steps may be needed, depending on the company’s usage and transfer of personal data.

The Shearman & Sterling team below was supported by associate Jerry Healy (Litigation-London) and consultant Mark Robinson (Mergers & Acqusitions-London).