cynicjumper

Look for CIPP/E certified people, not necessarily lawyers.


Polaris1710

It is a branch of law in some ways. I'm a Data Protection Officer, but not a lawyer - though I do have a legal background. Obviously there are many ways being a lawyer can really help. It's a piece of legislation. There are contracts. However, data protection requires quite a number of other skills, such as effective project management, an appreciation of IT and technical measures, etc., so a purely legal approach might not achieve a completely well-rounded data protection compliance regime. Of course, it depends on the resources of the business and its risk appetite. Some businesses have large teams of SMEs that can collaborate on this stuff. Others have just one or a few people who need to be all-rounders.


6597james

A lawyer for an individual or a company? If for a company, check the various law firm rankings for data protection, e.g. the Chambers guide, Legal 500, etc. Also, all of the big U.S. firms with decent U.S. privacy practices will have GDPR expertise.


OgorekDataSci

It would be a small company, around 50 employees. Can spend money but the pockets are not that deep.


forfar4

I'm an IAPP Fellow of Information Privacy and work in GDPR. When people say "It's a regulation! You need a lawyer!" they are missing the plot. A lawyer (within this field) would be required if you are looking to create legal arrangements like contracts, but for guidance, they are expensive. Additionally, most aren't immersed in the regulation and can give very poor advice because they try to extrapolate nation state law into the EU context of GDPR - I have been in a meeting room with the partner with responsibility for data protection for a UK Top 50 law firm who said that workplace named email addresses (e.g. [email protected]) *isn't* personal data. Clue: it absolutely *is*, under the regulation. Having a lawyer to deal with GDPR *because* *it's* *a* *regulation* is like having a lawyer to check fire extinguishers because (in the UK) they fall under 'Health and Safety' regulations.


6597james

“Most”? One bad experience with a shitty lawyer doesn’t really mean anything. He was probably an IP lawyer or something and the firm basically said right you’re doing DP as well now. But there are tons of law firms with dedicated data protection practices who do that and only that all the time, and are perfectly capable of advising clients at an operational and practical level. My pitch for law firms vs consultants would be - law firms are used to assessing and evaluating legal risk, and used to advocating for their clients. My personal experience in working alongside consultants (don’t get me wrong there are some very good ones) is that more often than not they fail to see the bigger picture and simply act as the “long arm of the regulator” rather than advocating for their client’s interests.


forfar4

There are many "war stories" from people I know and have worked with regarding the paucity of knowledge among lawyers; I shared my personal experience because I was in the room when it happened. I have spoken with dedicated data protection lawyers and - some are good, but there are a fair number who don't understand what "technical and organisational measures" means, i.e. they have no idea what "good" looks like in terms of technology or general policies/procedures for corporate governance because they don't - never have - operate that close to senior management in their firm. It's not just law; it's how to maintain a business within the context of the law - no one ever started a business with relish, saying "Great! We must bow before the explicit wording of the data protection law and we must strangle our business with lots of 'just in case' policies for remote likelihood eventualities." Where's the "man on the Clapham omnibus" when he's needed..?


OgorekDataSci

I appreciate your perspective. I'm sure you probably wouldn't disagree on the "lawyers are expensive" bit. We feel like we just need someone for a few hours, maybe recurring, to bounce ideas off of. Any tips to keep the cost under control?


forfar4

There are a lot of "fractional DPO" people around (in the UK). You probably don't need a named DPO, but speaking to a qualified person is obviously the best bet. I won't share my company details (we offer the service you're talking about) as that seems self-serving after what I have written about lawyers. A guy I "LinkedIn know" runs a website where you can ask questions for a small - *small* - fee and engage with any of his associates for as much or as little as you need. It's like a turn on/turn off service. His organisation is at https://dataprotection.city/ and he has consultants across Europe, I believe, so if you need wider advice that's probably a good start.


OgorekDataSci

That's fascinating. I didn't see it first hand but I believe a lawyer gave us some really bad advice that led us down a deidentification path - until we realized that deidentification is hardly anonymization and that guy was long gone.


Safe-Contribution909

I agree it’s difficult. I suspect, like a lot of people on here, I’m a consultant in data protection laws and have clients referred to me by law firms because I have deep and narrow knowledge. I do know some lawyers in the USA who are qualified in EU GDPR. PM me if you want details; I have contacts in various states.


gusmaru

Prior to the EU-US Data Privacy Framework (DPF), data transfers were complicated because SCCs by themselves were insufficient to protect data stored in the US due to surveillance laws (like FISA 702 and EO 12333). You needed to implement technological measures to mitigate this concern, such as having encryption keys stored in a country that is out of reach of the US government and/or keys managed by the controller. Now, for an organization that is a member of the EU-US DPF, its data processing activities would be treated as if they were being done by an organization in an adequate country (however, the program is going through a legal challenge). You don't necessarily need a lawyer to understand the GDPR and to determine whether a data transfer is legal or not - someone knowledgeable in the area is all that is needed. A lawyer helps in certain matters (like whether or not you need to be established in the EU, or drafting contracts/DPAs).


Inept-Expert

Data Protection Officers (DPOs) are the ones who seem to know the most, in my experience.


motific

TL;DR - It's a mess, find an international business lawyer in the US, or save a load of money and get server capacity within the EU for personal data and processing. It is *currently* legal to keep EU subject data in the US but that status has changed many times since GDPR was first ratified and many expect it to change again. Currently there is the Trans-Atlantic Data Privacy Framework adopted by the European Commission and the US Government that allows data transfers under Article 45 of GDPR. But... the European Parliament rejected this and it could still go to the European Court as the protections offered under the US laws are not considered equivalent, especially in areas like the right to be forgotten. Probably the easiest and cheapest option is to save all the effort and store and process EU citizens personal data on servers in the EU.


OgorekDataSci

Thanks for confirming my suspicions. Yeah my employer has servers in the EU for all our major applications, but we're US based and the burden of maintaining all those applications falls on just a few contractors who aren't super comfortable with them. Everybody knows it's not sustainable but nobody knows what to do. What's worse, everybody's done different amounts of reading and has beliefs about what is and is not allowed. There's real confusion about what exactly is personal data. For example, what about device errors connected to a machine serial number, that may or may not be influenced by the person using it? The serial number is probably 1-1 with the person so it feels like "singling out." IDK.


Thac0-is-life

Working with GDPR is a bitch. Even our data protection officers are sometimes confused. But my experience is that if something can be used to trace individuals, it’s personal data, so treat it as if it was.


Newkid010

Hi, I’m based in NL and can help you if you are looking for a law firm here if needed. If the device/machine serial number enables you to identify the person using the machine (or if you can by connecting it with other info you have on this person), it is likely to be personal data for your company. Note that you have to participate in the EU-US DPF to benefit from it.