Welcome to the June Newsletter! With less than a year to go before the new EU General Data Protection Regulation (GDPR) comes into force, it’s time to “get into the weeds” on how it impacts your company.
As many people will be aware, the overhaul of existing EU data privacy laws has been a long time coming and negotiated over many years – the new regulations will finally be implemented on 25 May 2018. And if you are wondering whether there is a ‘grace period’, then yes there is, but we are in that two-year readiness phase now, so there will not be any additional time allowed by regulators.

So, how will it affect your company? Well, it is pretty much guaranteed that any business handling data relating to anyone in Europe will be impacted by the changes, even if the business doesn’t have any companies or operations on the ground. Plus, “personal data” is defined much more widely than PII. It’s also highly likely that EU regulators will seek to make examples of non-EU businesses failing to comply, so we are here to provide you with support on what you need to do within the next year to reduce the risk of facing penalties of €20m or up to 4% of global revenue!

The articles below provide a good overview and some infographics on the approaches that will be needed – and we have teams of specialist lawyers across Europe ready to walk you through what is needed, provide pragmatic solutions to the challenges that businesses face and help shape your business’ data strategy for the coming 12 months.

Aside from that, we have now been through another European election – this time the surprise UK election, where the result caused another upset, ending in a “hung parliament” (no single party with a majority). However, the UK prime minister is maintaining her commitment to start Brexit negotiations and we will of course be closely monitoring the course of these negotiations.

Our colleagues, Flemming Moos from Germany and Ashley Hurst from the UK, will be in the Bay Area this week to talk to clients about GDPR, cyber security and related litigation issues. As always, don’t hesitate to let me know if you’d be interested in meeting with them.
Best wishes,
GDPR | Are you on track?
With a year to go, we have created a checklist and suggestions designed to help you benchmark the progress of your GDPR project.
WannaCry cyber-attack | How will new laws affect security obligations and regulatory risk?
An unprecedented cyber-attack on 12 May 2017, which affected over 45,000 organisations globally, provides yet another stark example of why all businesses need to implement robust measures to protect their data and IT infrastructure, and know what to do should the worst happen. Discussion around cyber security protection often centres on the protection of data and the GDPR, but the WannaCry attack illustrates that not all cyber security incidents are about data. Where the victims of an incident are providers of essential services – such as the UK NHS in this case – another incoming piece of (typically less talked about) EU legislation will impose obligations, and potentially sanctions: the EU Network and Information Security Directive.