Given recent headlines, ranging from Facebook to Cambridge Analytica to the City of Atlanta’s ransomware attack, the logical inference is that the European Union’s General Data Protection Regulation (GDPR) is a product of our current privacy-conscious environment. In fact, it was conceived as a long overdue update to the EU’s 1995 data protection directive and has been years in the making.

As GDPR appeared on the horizon, we had occasion to work with a number of clients on related issues. Certain themes emerged as frequent points of concern. Now that we are closing in on GDPR’s effective date, we have collected our thoughts on those points:

The GDPR has been years in the making. The statutory text alone comprises over 100 pages of dense, technical requirements. The text is supplemented by guidance and Working Party papers. The full impact of GDPR implementation will only be evident in hindsight. Until then, U.S.-based organizations should have a firm grasp on (1) what EU personal data they collect; (2) how they protect that data; (3) the GDPR-compliant legal basis of that collection; and (4) the documentation of their compliance with Privacy-by-Design principles. Because despite all the current murkiness about the GDPR, this much is clear: We are going to be hearing a lot more about it in the years to come.

Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.
