My law firm and I advise U.S.-based corporations on their compliance with the GDPR. An important aspect of my privacy expertise is my dual qualification as a European and a U.S. lawyer, and my ability to juggle complex concepts in an area that is constantly evolving and growing more complex every day.
A GDPR Lawyer can help you understand your obligations under the new European law
The U.S. and European privacy landscape is ever changing due to a flurry of new U.S. and international laws and regulations adopted in the wake of the GDPR coming into force on May 25, 2018.
To complicate matters further, the privacy landscape is very much shaped by varying and often conflicting definitions of what constitutes privacy v. data protection in the EU v. the U.S. In addition, there is a material difference in the approach to privacy regulation taken by regulators on either side of the Atlantic.
For more on this I invite you to read my recent article on the various regulatory approaches to privacy and data protection in the EU, the U.S., and Canada.
The difficulty U.S.-based companies face in coming to grips with the GDPR stems not only from the differing approaches to privacy in Europe and North America, but also from the fact that the GDPR is eminently a European text, drafted in a European drafting style and relying on concepts that are themselves rooted in a European legal culture very different from the U.S. legal culture.
For more on that and the importance of retaining European counsel to assist in complying with EU law in general, please read my article.
When beginning a new engagement advising U.S. companies on their GDPR compliance, I am inevitably asked the same initial questions about the GDPR. This is the inspiration for this article on the 6 questions to ask your GDPR Lawyer, in the hope that it facilitates a productive discussion between the client and their counsel.
#1 – What Is the GDPR (and how different is it from U.S. laws on Privacy)?
It may sound like an odd question to ask your GDPR Lawyer, but the purpose of the question is not to test your lawyer’s knowledge of the GDPR and EU law in general – something you may not be in a position to do – but rather to see how they articulate that knowledge in layman’s terms to someone who may not be familiar with privacy law to begin with, let alone EU privacy law.
And while you are at it, have your attorney explain to you the key differences between the GDPR and U.S. laws as they apply to you and your company’s processing activities. To help you gain a layman’s understanding of the GDPR, I invite you to have a look at my GDPR Practical Guide for the Small Business.
#2 – How did you develop your understanding of the GDPR and how do you keep up with day-to-day developments under EU privacy laws?
As for myself, being a European lawyer practicing in the U.S., I experience daily the challenges of staying current with legal developments in the EU, particularly in a field – data protection law – that is constantly evolving. If your lawyer is admitted only in the U.S., it is a perfectly legitimate question to ask how they developed their knowledge of the GDPR and other EU data protection laws. Personal data breach, consent, transparency… There are a lot of concepts that are uniquely defined under this regulation!
And while you’re at it, don’t hesitate to ask them about EU national derogations and for examples of individual EU countries that have legislated differently from the GDPR with respect to the processing of their residents’ personal data. To help you in this discussion, I invite you to read my article on the EU national derogations to the GDPR.
#3 – Am I subject to the GDPR?
Not every company is subject to the GDPR, and just because a company has a website that is accessible from the EU does not mean it must comply with the GDPR. The GDPR’s territorial scope (Article 3) turns instead on whether you have an establishment in the EU, or offer goods or services to, or monitor the behaviour of, individuals in the EU. The next question you should therefore ask your GDPR Lawyer is which requirements of the GDPR apply to you and your processing activities.
For your GDPR Lawyer to be able to answer that question, he/she would need to ask you a number of questions about your business and your data processing activities. To help you in that discussion, please read my article on what the GDPR is.
#4 – How long would it take, and how much would it cost to comply?
This is probably the one question any regulatory lawyer dreads, and for obvious reasons. The answer depends very much on the size and complexity of your organization and its processing activities, on your current state of compliance, on whether you have already implemented internal procedures and processes, and on whether you have adopted internal policies documenting your current controls around your processing activities.
But the value of asking this type of question lies less in a definitive answer – which would warrant further discussion – than in how your counsel reacts to the question and explains what he/she would need to know before being able to answer it. To help you in this discussion, I invite you to read my article on the GDPR and the U.S. lawyer.
#5 – How do you support your clients on GDPR and what are your availability and resources to help me in my GDPR compliance?
The GDPR is not only a very complex piece of legislation but also one whose compliance requires a fair amount of resources and availability on the part of both the lawyer and the client. It is therefore important that your GDPR Lawyer has an articulated, well thought through, step-by-step strategy for supporting you and for providing you with the tools to manage your GDPR compliance with their help.
In this area, probably more than in any other area of the law, collaboration between the lawyer and the various stakeholders within the client’s organization is critical, and it is therefore only fair to ask your GDPR Lawyer to describe their GDPR support strategy.
#6 – What is your GDPR experience, and do you have any references you could share with me of clients in my industry you have helped in their GDPR compliance?
Privacy is a specialty area. One cannot (and should not) hold themselves out as a privacy lawyer, even less so as a GDPR Lawyer, just by reading the law. It takes many years of professional and operational experience advising clients in this area. Your GDPR Lawyer should therefore expect you to question their knowledge and professional experience.
And you should definitely ask whether they have prior experience advising clients in your industry on GDPR matters, as that experience helps the lawyer develop an appreciation of the types and purposes of your company’s processing activities.
Retaining privacy counsel to advise and assist you in complying with foreign laws is an important and difficult decision, as there are not many true experts in EU privacy law – which goes well beyond the GDPR – in the U.S. It is also an important decision because failure to comply with the GDPR may lead to significant fines of up to the greater of 4% of the company’s worldwide annual turnover and 20 million Euros (approx. 25 million U.S. dollars).
Last but not least, it is also a commitment, as hiring a GDPR Lawyer is often the starting point of a relationship of many weeks, if not months, of collaborative work between you and your counsel, whom you will entrust with some of your most confidential information.
It is therefore important that you have a relationship of trust with your advisor and confidence in their ability to competently answer the 6 questions above. These 6 questions should be the first step toward establishing that relationship of trust!