GDPR COMPLIANCE CHECKLIST
PROTECTING EU AND UK PERSONAL DATA
PRACTICAL CONSIDERATIONS
The EU and UK General Data Protection Regulation (GDPR) significantly impacts
how organisations, whether or not established in Europe, may collect and use
personal data relating to individuals in Europe or European business operations.
GDPR violations may result in significant regulatory fines (including direct liability
for group parent companies) and private litigation (including collective litigation).
Consider these steps to point your organisation in the direction of compliance
and consult Morgan Lewis lawyers (including a former senior enforcement lawyer
at a European data protection regulator) for more tailored analysis and advice.
1 GDPR AND EPRIVACY LAW APPLICATION
• Map how personal data is collected, used, and otherwise processed, notably, if involving:
– “Special” and sensitive categories of data¹
– Healthcare, clinical trial, biometric, or genetic data
– Criminal offences and law enforcement data
– Social media and telecom-related data
– Banking, payment, and financial data
– Children and vulnerable individuals
– CCTV, surveillance, and facial recognition data
– Artificial intelligence and machine learning technologies
– Automated decision-making and profiling
– Employee and workplace monitoring
– Connected consumer devices and IoT
– AdTech, cookies, and tracking technologies
– Electronic and telephone marketing
– Transfers of personal data to other organisations
– Transfers of personal data outside Europe
• Determine whether the organisation is subject to the GDPR, European ePrivacy laws, and/or additional sector-specific data protection laws.
• Determine whether the organisation is a “controller” or “processor” with regard to specific data processing activities.
• Determine whether the data processing is lawful, and if so, identify the lawful basis (e.g., data subject consent, legal obligation, or legitimate interest).
• Determine which GDPR supervisory authority will regulate and whether the organisation may designate a lead supervisory authority.
2 DATA PROTECTION AND COOKIE NOTICES
• Controller should promptly provide a GDPR-compliant data protection notice to individuals. The GDPR is prescriptive as to what information is required in such notices.
• If an organisation uses cookies or other tracking technologies or conducts electronic marketing, it may need to provide notices and obtain opt-in consents.
¹ Special categories of data include racial or ethnic data, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life data, and/or sexual orientation data.
3 KEY POLICIES AND DOCUMENTATION
Develop relevant GDPR and related policies and implement procedures to effect such policies, e.g.:
• Record of Processing Activities (ROPA)
• Template data subject consents
• Legitimate Interest Assessment (LIA)
• Data Protection Policy
• Information Security Policy
• Incident Response Plan (IRP)
• Business Continuity and Disaster Recovery Plan (BCDRP)
• GDPR staff training materials and records
• Data subject rights policies, e.g., for requests seeking:
– Access to data (within 30 days)
– Data deletion and rectification
– Data porting to third parties
• Data retention and deletion policies
• Template “data processing agreement”
• Records of consents granted by data subjects
• EU representative appointment
• Personal data breach log
4 PRIVACY IMPACT ASSESSMENT (PIA)
Controller should conduct a PIA if processing could result in a “high risk” to data subjects or involves systematic monitoring or profiling.
5 DATA TRANSFERS OUTSIDE EUROPE
Consider necessary steps for data transfers to countries outside Europe (whether to affiliates, vendors, or business partners) if (1) the country is on an approved list (e.g., Canada, New Zealand, or South Korea) or (2) if not, any of the following legal mechanisms applies to such transfer:
• Use of model/standard contractual clauses approved by the European Commission and/or the UK Information Commissioner’s Office (ICO)
• Certification to the EU-US Data Privacy Framework (DPF) and UK-US Data Bridge
• Reliance on binding corporate rules (supervisory authority–approved data transfer arrangements)
• Supervisory authority–approved codes of conduct
• Reliance on specific exceptions (derogations), e.g., obtaining data subject consent, in limited circumstances
Organisations should undertake transfer risk assessments when relying on one of the above legal transfer mechanisms to demonstrate that they are satisfied that the relevant GDPR protections are not undermined. Importantly, Brazil, India, the People’s Republic of China, Russia, South Africa, and the United States are not on the list of approved countries.
6 DATA PROCESSING CHAINS
The GDPR imposes obligations on controllers where data will be processed by other organisations (whether controllers or processors) in a data processing chain.
• Conduct GDPR diligence on vendors and subcontractors (processors) and enter into data processing agreements prescribed by the GDPR.
• Consider whether a data sharing agreement is needed relative to other controllers (e.g., data sharing in relation to clinical trials).
7 DATA PROTECTION OFFICER (DPO)
Appoint a DPO if, for example, core business activities include regular and systematic monitoring on a large scale or processing of special categories of data on a large scale. The DPO should have a key role in the organisation’s information governance.
8 DATA BREACH RESPONSE PROCESS
• Regularly test the IRP and BCDRP.
• If a personal data breach occurs, controller must “without undue delay” notify (i) relevant supervisory authority(ies) and (ii) impacted data subjects, to the extent required by the GDPR.
• Processor must notify controller “without undue delay.”
• Perform other necessary or appropriate incident remediation tasks.
At Morgan Lewis, we’re always ready
to respond to the needs of our clients
and craft powerful solutions for them.
PRIMARY CONTACTS
Vishnu Shankar
London | Brussels
[email protected]
+44.20.3201.5558 | +32.2.507.7500

Megan A. Suehiro
Los Angeles
[email protected]
+1.213.612.7324

Kristin M. Hadgis
Philadelphia
[email protected]
+1.215.963.5563

Scott A. Milner
Philadelphia
[email protected]
+1.215.963.5016

Gregory T. Parks
Philadelphia
[email protected]
+1.215.963.5170

Dr. Axel Spies
Washington, DC | Frankfurt
[email protected]
+1.202.373.6145 | +49.69.714.00.777

Dr. Walter Ahrens
Frankfurt
[email protected]
+49.69.714.00.766

Ezra D. Church
Philadelphia
[email protected]
+1.215.963.5710

Charles Dauthier
Paris
[email protected]
+33.1.53.30.44.74
www.morganlewis.com
© 2024 Morgan Lewis
Morgan, Lewis & Bockius LLP, a Pennsylvania limited liability partnership
Morgan Lewis Stamford LLC is a Singapore law corporation affiliated with Morgan, Lewis & Bockius LLP.
Morgan, Lewis & Bockius UK LLP is a limited liability partnership registered in England and Wales under number OC378797
and is a law firm authorised and regulated by the Solicitors Regulation Authority. The SRA authorisation number is 615176.
Our Beijing, Shanghai, and Shenzhen offices operate as representative offices of Morgan, Lewis & Bockius LLP.
In Hong Kong, Morgan, Lewis & Bockius is a separate Hong Kong general partnership registered with The Law Society of Hong Kong.
This material is provided for your convenience and does not constitute legal advice or create an attorney-client relationship.
Prior results do not guarantee similar outcomes. Attorney Advertising.