Ten Practical Steps Companies Should Take to Implement GDPR

Ten Practical Steps Companies Should Take to Implement GDPR

For those looking to implement GDPR ahead of time, here’s a quick round up of the steps you should be looking to take.

With the regulation only going into force 25 May 2018, there’s still time time to implement GDPR. Below are ten practical steps to help your company become compliant. …


Privacy Shield Finalized – How Everyone Can Take Advantage of the New European Data Transfer Framework


The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU Member State.  The Directive states that personal data may only be transferred to countries outside the EU when an “adequate” level of protection is guaranteed.  Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection.  As a result, if a company intended to transfer personal data from the EU to the U.S., it traditionally had to achieve the Directive’s required “adequacy” status through: Safe Harbor certification; standard contractual clauses; or binding corporate rules….


How to Prepare for the General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (the “GDPR”) was adopted by the EU Parliament last April 14, 2016. The GDPR will replace the EU Data Protection Directive (95/46/EC), which was implemented more than 20 years ago. After a two year transition period to integrate the new obligations, the GDPR will be directly applicable in all EU Member States in June 2018.

The GDPR’s aim is to unify data protection law within the European Union and increase data subjects’ rights (I). This involves strengthened obligations for companies in terms of compliance (II), as well as extended powers of Data Protection Authorities (“DPA”) (III)….




Rules on Monitoring an Employee’s Private Internet Use at Work: A New ECHR Decision

In a decision rendered on January 12, 2016, the European Court of Human Rights (“ECHR”) held that the dismissal of an employee for having used his professional email account for personal purposes during working hours did not violate Article 8 of the European Convention on Human Rights1.

The applicant, a Romanian national, was employed by a private company from 2004 to 2007 as an engineer in charge of sales. At the employer’s request, he created a Yahoo Messenger account to respond to client enquiries. In July 2007, the employee was informed by his employer that his Yahoo Messenger account had been monitored for a week and the records showed that he had used the device for personal purpose, whereas the company internal regulations expressly prohibited the use of company device (e.g., computers, telephones) for personal purposes….delonbouquet

IAPP Boulder Event Featuring Update on BREXIT

July 14, 2016

Bryan Cave is hosting an International Association of Privacy Professionals (IAPP) informal evening of networking on July 14 in its Boulder office. While there is no formal agenda, special guest Sarah Delon Bouquet from Bryan Cave in Paris will give a quick update on the GDPR and BREXIT. Boulder Partner David Zetoony is co-chair of the Colorado regional network of IAPP. Click here for more information or to register.

5 – 6:30 p.m.

Bryan Cave LLP
1801 13th Street
Suite 300
Boulder, CO 80302

The Privacy Implications of Whistleblowing in the EU

Whistleblowing schemes were introduced in the EU as a result of the Sarbanes-Oxley Act (“SOX”) adopted by the US Congress in 2002 following various corporate financial scandals. SOX requires US companies and their EU-based subsidiaries to establish “procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters [and] the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting of auditing matters.1”  The implementation of whistleblowing schemes will, in most cases, lead to the collection, processing and transfer of personal data (e.g., name of the accused person) which raises data privacy concerns . . .


The (ex) EU-US Safe Harbor At A Glance (2015)

On Tuesday, October 6, 2015, the European Court of Justice decided that the EU/US Safe Harbor regime for data transfers is no longer… safe.  Until now, companies exchanging data between the EU and the US could rely on the Safe Harbor regime, but with the decision that is no longer an option.  In addition companies currently relying on Safe Harbor are scrambling to find alternative compliance strategies . . . ExSafeHarbor