Professionals

Name / Keyword Office Practice Industry Language Show All
Practices

Antitrust

Business and Corporate

Construction

Cross-Border Business

Data Protection, Privacy and Cybersecurity

Emerging Companies

Environment, Social and Governance (ESG)

Financial Services

Government Enforcement and Investigations

Government Relations and Public Policy

Health Law

Hospitality

Immigration

Intellectual Property

Labor & Employment

Litigation

Mergers and Acquisitions

Product Liability, Class Action and Mass Tort

Real Estate

Securities

Tax

Technology

Transportation and Logistics
Industries

Automotive

Aviation

Construction

Disaster Recovery and Government Services

Drug, Device and Life Sciences

Education

Energy

Financial Services

Gaming

Governmental Entities

Health Care

Hospitality

Long Term Care

Manufacturing

Real Estate

Retail

Technology

Telecommunications

Transportation and Logistics
Experience

Featured Case Study
Community Healthcare Trust Incorporated Community Healthcare Trust Incorporated More Case Studies

Search Experience
Keywords Practice Industry
News & Events

Professionals
Practices
Industries
Experience
News & Events
Other Pages

Quick Results

View More Results

Practices

GDPR

Print Version

Practice Overview

Baker Donelson's General Data Protection Regulation (GDPR) team consists of data protection, privacy, and cybersecurity attorneys who assist our diverse client base, which ranges from entrepreneurs to non-profits to Fortune 500 companies, with GDPR matters spanning a wide variety of industries. Our experienced GDPR team guides clients through every phrase of the compliance process, from compliance program creation and gap analysis, to ongoing assistance with documentation and decision-making, according to a pace and level of engagement driven by each client's unique priorities and resources.

Our GDPR team closely monitors the rapidly evolving regulatory landscape, including European Union (EU) member state laws, guidelines and opinions, sectoral requirements, and best practices. Our team members are active participants in the privacy community and demonstrated GDPR subject matter expertise through regular client engagement, frequently serving as authors and speakers on GDPR-related topics, earning accreditations from the world's largest information privacy organization, the International Association of Privacy Professionals (IAPP), including Certified Information Privacy Professional (CIPP) in the United States (CIPP/US), Canada (CIPP/C) and Europe (CIPP/E), and Certified Information Privacy Manager (CIPM) certifications, and lending leadership and support to the IAPP's Nashville chapter of KnowledgeNet.

Our GDPR team also regularly partners with leading GDPR compliance consultants and vendors who build on our legal advice by providing our clients with comprehensive and international research services, EU-based legal support (through our TerraLex global network membership), onsite and offsite technology consultants, and EU representative and data protection officer services.

In the years leading up to and since the GDPR went into effect on May 25, 2018, our GDPR team has consistently been retained to advise clients facing compliance with this new and complex area of international privacy law and demonstrated its expertise with advising clients on the applicability of the GDPR to online and offline activities, as well as navigating the myriad of legal, operational, technological, and business-related aspects of compliance.

This comprehensive privacy regulation, which governs the processing of personal data of individuals in the European Union and European Economic Area, has captured the attention of many of our clients, especially with respect to its extraterritorial enforcement in non-EU countries such as the United States and Canada and tiered system of harsh fines which can amount to the greater of four percent of annual global revenue or 20 million euros.

Our GDPR team is also skilled at responding to our clients' requests for guidance as to how the requirements of the GDPR compares with those of other privacy regulations and security standards on which we regularly advise, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the California Consumer Privacy Act of 2018 (CCPA), National Institute of Standards and Technology (NIST) Computer Security Standards, the Canadian Personal Information Protection and Electronic Documents Act, and related Federal Trade Commission rules, among others.

How Do You Know if the GDPR Applies to Your Company?

Organizations (for profit and non-profit) that process personal data of natural persons ("data subjects") will be subject to the GDPR if they:

have a business presence (physical or otherwise) in the EU/EEA and the processing activities relate to the business activities in the EU/EEA (even if the processing takes place elsewhere); or
do not have a business presence in the EU/EEA and the data processing activities relate to the offering of goods or services to, or the monitoring of data subjects located in the EU/EEA.

Under the regulation, the definitions of which business activities constitute "processing," what is required to establish a business presence in the EU/EEA, and the types of offline and online data that may constitute "personal data" can be quite broad.

How Can We Help You?

Our team helps clients address the multitude of issues raised by GDPR compliance, including, but not limited to:

Gap analysis, risk assessment, audit support, and remediation for day-to-day operations and merger and acquisition events
Identification and categorization of data and data flows to meet data mapping and documentation requirements
Drafting and negotiating Data Protection and Data Sharing Agreements for the enterprise and between independent entities
Identifying cross-border data transfer strategies, including standard contractual clauses, Binding Corporate Rules, and reliance on adequacy decisions
Vendor / third-party service provider management and diligence
Preparing self-assessments, questionnaires, templates, and playbooks
Customized C-Suite, employee, and subcontractor training using various approaches (lecture, webinar, interactive, and train-the-trainer)
Advice on addressing data subject access requests and rights
Privacy policies (addressing cookies and analytics), notices, and terms for websites and mobile applications
Social media and website risk assessments
Contract negotiation
Responding to supervisory authorities and evaluating local requirements
Requirements for engaging EU representatives and Data Protection Officers
Internal policies and procedures
Drafting and advising on information security program and policies
Incident response and data breach strategies and support
Cross-Border Discovery, disclosure, and internal investigations

Advise clients on developing GDPR compliance policies and procedures, including data retention and destruction, data incident and breach response, employee privacy and data subject access requests, website privacy policies and terms of use, among others.
Advise domestic and international businesses regarding cross-border transfer mechanisms, including standard contractual clauses and Privacy Shield compliance and certification.
Conduct Privacy Risk Assessments (PIAs/DPIAs) for new programs, systems, processes, and high risk activities.
Update online and offline data privacy policies in line with applicable laws, with special attention to regarding disclosure to third parties, advertising, and processing through cookies and other similar technologies, (including website and mobile applications).
Review mobile applications and similar products for compliance with GDPR and third-party terms of use (Twitter, Amazon, Yahoo, etc.).
Advise on breach notification protocol to affected individuals and process on reporting to regulators, credit agencies, and law enforcement.
Advise on data privacy requirements for third parties (e.g., clients, vendors, processors, affiliates) and incorporate data privacy into operational training (e.g., HR, marketing, call center).
Conduct due diligence around the data privacy and security posture of potential vendors and processors.
Draft and negotiate data processing agreements and addenda for controller, processor, and subprocessor roles, third party data sharing agreements, and intercompany data sharing agreements.
Assess website and mobile application functionality and advise on required and optional customer-facing privacy notices and terms of use for compliance with GDPR and other data protection regimes.
Analyze use cases for compliance with lawful processing requirements, data mapping, privacy assessments, and documentation of same.
Counseled a video and chat service on compliance for its mobile application and management of its data subject access requests.
Advised a leading consumer products company on all aspects of GDPR compliance for a portfolio of brands sold in the U.S., Canada, and the EU/EEA with an emphasis on website compliance.
Advised manufacturers regarding the applicability of GDPR due to having distributors in EU countries.
Advised an online publisher on applicability of GDPR as well as assisted with Privacy Shield registration and assisted in preparation of GDPR Legitimate Interest Assessments related to certain data processing activities, and prepared example GDPR consent language for online forms.
Advised a global supplier of industrial materials on communicating GDPR compliance internally and to customers. Also provided compliance advice relating to website privacy notice and terms of use.
Assisted investment management firm with updates to Investment Advisory Agreement and privacy statement.
Advised software companies on updating their website privacy notices and terms of use for company websites and apps.
Monitor and advise on international data privacy and data protection developments.

"Top Privacy and Cybersecurity Issues to Track In 2024," Republished February 5, 2024, in CPO Magazine (January 2024)
"To Boldly Go Places: EU's AI Act is Set to Become the Real Deal," republished in AI Business (December 2023)
"Show Your Work: The SEC Cyber Rules and Documenting Materiality Analysis Under NIST FIPS 199" (October 2023)
"New Legislation Will Require Critical Sector Entities to Report Certain Cyber Incidents," republished April 7, 2022 in, CPO Magazine (March 2022)
"GDPR Evolution Continues: Article 49 Derogations in a Post-Schrems II World," republished in the Daily Business Review (March 2021)
"Data Privacy Day 2020 – What Actions Businesses Can Take," (January 2020); republished in Corporate Counsel (February 2020)
"California Passes New Privacy Law with Far-Reaching Implications" (July 2018)
"Beyond GDPR: EU's ePrivacy Regulation to Add New Layer of Data Obligations" (June 2018)
"A Matter of Time: The Growing Recognition of an Employee's "Right to Disconnect" " (June 2018)
"GDPR and Employers – Five Questions Answered" (May 2018)
"A GDPR Check-up for U.S.-Based Hospitality Businesses" (May 2018)
"It's Here… GDPR Goes into Effect May 25" (May 2018)
"Employers Get Ready: GDPR Implications in the Employment Law Arena" (March 2018)
"GDPR Goes into Effect Next Year; Is Your Privacy Program Ready?" (October 2017)
"What U.S. Businesses Should Be Thinking About Now that European Commission Has Adopted Privacy Shield" (July 2016)
"EU-U.S. Privacy Shield Grows Stronger with Passing of Judicial Redress Act" (February 2016)
"U.S.-EU Safe Harbor Agreement Reached: Introducing the EU-U.S. Privacy Shield" (February 2016)

Part III – So You Think GDPR Does Not Apply to American Companies? Think Again. (March 2018)
Part II – So You Think GDPR Does Not Apply to American Companies? Think Again. (February 2018)
Part I – So You Think GDPR Does Not Apply to American Companies? Think Again. (January 2018)

Baker Donelson Adds Renowned Biometric Privacy Thought Leader David J. Oberly in D.C. (November 8, 2023)
Baker Donelson Corporate Attorney Justin S. Daniels Co-Authors Data Reimagined: Building Trust One Byte at a Time (October 11, 2022)
Baker Donelson's Matt White Earns Certified Information Privacy Technologist Certification (August 30, 2022)
Privacy and Technology Attorney L. Hannah Ji-Otto Joins Baker Donelson (August 17, 2022)
Baker Donelson Continues to Expand Its Technology & Privacy Practice with Addition of Vivien F. Peaden in Atlanta Office (August 4, 2021)
Baker Donelson's Matt White Earns Payment Card Industry Professional Certification (March 22, 2021)
Baker Donelson's Andrew J. Droke Earns Information Privacy Certification (July 16, 2020)
Baker Donelson's Matt White Earns Additional Information Privacy Certification (July 9, 2019)
Baker Donelson's Matt White Earns Information Privacy Certification (May 17, 2018)
Baker Donelson's Alex Koskey Earns Information Privacy Certification (April 19, 2018)
Baker Donelson's Zachary B. Busey Earns Information Privacy Certification (April 5, 2018)
Baker Donelson Attorneys Earn Information Privacy Certification (January 30, 2018)

David Oberly Analyzes Intentions, Prospects of Illinois BIPA Bill Change in Biometric Update (April 12, 2024)
David Oberly Comments on Risk to Vendors After FTC's Rite Aid Settlement in Cybersecurity Law Report (January 31, 2024)
Healthcare IT News Cites David Oberly Regarding States Enacting Cybersecurity Safe Harbor Legislation (January 30, 2024)
In Cybersecurity Law Report, David Oberly Discusses the Broad Impact of FTC's Rite Aid Order on Users of Biometrics and AI (January 24, 2024)
David Oberly Talks with Law360 About Federal Regulatory Focus on AI (November 9, 2023)
Law360 Highlights Addition of Biometric Pro David Oberly to Baker Donelson's D.C. Office (November 9, 2023)
Alisa Chestler Featured in MedTech Intelligence Q&A on Overcoming Barriers to EHR Adoption in Behavioral Health (November 8, 2023)
Alisa Chestler Featured on Healthcare IT News' HIMSS TV Discussing Behavioral Health Data Interoperability (October 18, 2023)
Justin Daniels Discusses Role of Government in Privacy and Cyber Safety on Fox 5 DC (September 30, 2023)
Alisa Chestler Discusses SEC Rules Regulating Cybersecurity in Nashville Post Q&A (September 5, 2023)
Alisa Chestler Quoted in Part B News on Cybersecurity Challenges Facing Providers in the Wake of MOVEit Data Breach (August 21, 2023)
Justin Daniels Offers Insights into What's Next for the Cryptospace After SEC Actions in E-Crypto News (August 21, 2023)
Alisa Chestler Discusses Protecting Enterprise Assets Against Cybersecurity Failures in InformationWeek (June 21, 2023)
Matt White Comments on How Speed Complicates Real-Time Payment Anti-Fraud Protections in Global Association of Risk Professionals (June 16, 2023)
In Commercial Factor Q&A, Alex Koskey and Matt White Discuss Risks and Rewards of Utilizing AI in Financial Services (April 20, 2023)
Justin Daniels Discusses Importance of Cybersecurity in Business Exit Planning on GrowthTV Tech Series: Powering the Future of the Middle Market (February 10, 2023)
Justin Daniels Quoted in The Drum on Need for Meaningful Legislative Change Around Data Privacy and Security (February 7, 2023)
Justin Daniels Featured on The Technologist's Tech Snippets Today (January 23, 2023)
Alisa Chestler Quoted in Behavioral Health Business on Future of EHRs in Behavioral Health Care (August 18, 2022)
Justin Daniels Shares Five Things to Know to Create a Highly Successful Career in the NFT Industry in Authority Magazine (July 10, 2022)
Newly Elected Nashville Shareholders Bert Chollet, Andy Droke and Ryan Richards Featured in Nashville Post (April 18, 2022)
In Q&A with Global Atlanta, Justin Daniels Outlines Why the Ukraine War is a Watershed Moment in U.S. Cyber Readiness (March 3, 2022)
Justin Daniels Discusses SEC Push for More Transparency Related to Cybersecurity in Inc. (February 14, 2022)
Justin Daniels Quoted in E-Crypto News on Potential Regulatory Issues for NFTs in 2022 (January 28, 2022)
Justin Daniels Offers His Perspective on NFT Industry Predictions for 2022 in App Developer Magazine (January 4, 2022)
Justin Daniels Discusses the Privacy and Security Risks of Connected Health Devices in Healthcare Info Security (August 23, 2021)
Law360 Highlights Addition of Vivien Peaden to Firm's Privacy and Technology Practice (August 5, 2021)
Justin Daniels Talks with Cybersecurity Insights About What Organizations Should Consider as They Face Ransomware (June 29, 2021)
Justin Daniels Featured in Cybersecurity Insights Fireside Chat on What's Broken with M&A Cybersecurity (April 26, 2021)
Alisa Chestler Comments on Recent OCR Right of Access Settlements in Hospital Access Management (November 10, 2020)
Alisa Chestler Featured on AUA Inside Tract Podcast on Understanding COVID-19 HIPAA Relief Provisions for Telehealth (March 31, 2020)
Alisa Chestler Discusses Continued Emphasis on Cybersecurity and Data Privacy Law During 2020 in Law360 (January 1, 2020)
Alisa Chestler Featured on HealthcareInfoSecurity Discussing Data Privacy and Security Trends (November 13, 2019)
Alisa Chestler Discusses Best Practices for Health Care Providers to Prevent Ransomware Attacks in Bloomberg Law (July 31, 2019)
Alisa Chestler Quoted in Bloomberg Law on Trend of Tech Companies Partnering with Health Care (March 4, 2019)
Alisa Chestler Discusses HHS Draft Strategy for Interoperability Among Electronic Health Records in the Nashville Post (March 2, 2019)
Ashley Thomas Quoted in Bloomberg Law on Proposed HHS Rule Allowing Exceptions to Information Blocking Ban (February 11, 2019)
Alisa Chestler Talks with Law360 About the Continued Growth of Cybersecurity Practice Area in 2019 (January 1, 2019)
Alisa Chestler Quoted in HIPAA Regulatory Alert on Operational Issues Involved in Access to Patient Records (December 1, 2018)
Alisa Chestler Discusses Need for Comprehensive Information Security Programs to Prevent Health Care Cyber Extortion in Bloomberg Health Law & Business (November 15, 2018)

Key Contact

Andrew J. Droke, CIPP/US

T: 615.726.7365

Email Professional

View All Professionals in this Practice

Related Practices

Featured Media

David Oberly Analyzes Intentions, Prospects of Illinois BIPA Bill Change in Biometric Update

News / April 12, 2024

David Oberly Comments on Risk to Vendors After FTC's Rite Aid Settlement in Cybersecurity Law Report

News / January 31, 2024

Healthcare IT News Cites David Oberly Regarding States Enacting Cybersecurity Safe Harbor Legislation

News / January 30, 2024

Search By Last Name

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Baker Donelson is a national law firm with more than 650 attorneys and public policy advisors representing more than 30 practice areas to serve a wide range of legal needs. Clients receive knowledgeable guidance from experienced, multi-disciplined industry and client service teams, all seamlessly connected across 23 offices in Alabama, Florida, Georgia, Louisiana, Maryland, Mississippi, North Carolina, South Carolina, Tennessee, Texas, Virginia, and Washington, D.C.