Ready or Not...the GDPR Effective Date is Here

May 24, 2018 Alerts and Newsletters

Now that May 25th, the long-awaited effective date of the European Union ("EU") General Data Protection Regulation (Regulation 2016/679) ("GDPR"), has arrived, many companies are realizing that they have more work to do to become fully compliant with its far-ranging and complex requirements. According to one report, 52% of companies expect to be compliant as of the GDPR's effective date, 40% expect to be compliant after the effective date, and 8% do not know when they will achieve compliance. [i] Despite the large percentage of companies that will not be fully compliant, EU data protection authorities have made it clear that there will be no grace period. As Helen Dixon, Ireland's Data Protection Commissioner, acknowledged to Bloomberg Law, however, "if companies get the basics right in the GDPR, they are off to a good start." [ii] For companies that are not fully compliant, it is not too late to take steps to achieve compliance. Here are a few key areas of focus for every company:

First, determine whether the GDPR applies to your company. The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU. While many U.S. companies do not have an establishment in the EU, the GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: 1) offering goods or services to such data subjects in the EU (regardless of payment from the data subject) or 2) monitoring the behavior of the data subjects if the behavior takes place in the EU. Second, identify the types of data processing activities that your company undertakes that may trigger the GDPR. Companies must understand how they are collecting and processing personal data in order to demonstrate compliance. Third, companies must ascertain and be transparent with data subjects about their processing activities. Finally, companies should focus on their ability to honor individual data subjects' rights, including the right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, and rights related to automated decision making and profiling. Dixon noted that when organizations fail to honor the enumerated rights that the GDPR gives every data subject, higher fines should be expected.

Verrill Dana has been counseling U.S. companies on EU data protection laws (including the EU Data Protection Directive, which preceded the GDPR) for many years, and we are currently assisting various clients with their GDPR compliance efforts. Now that the effective date has arrived, it is important that companies do not delay their efforts toward GDPR compliance. Please feel free to contact one of our GDPR attorneys to assist your company with any remaining work your company needs to undertake to become fully compliant and avoid the specter of stiff penalties under the GDPR (up to 20 million EUR or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher).


[i] "The Race to GDPR: A Study of Companies in the United States & Europe." McDermott Will & Emery LLP and Ponemon Institute LLC, Apr. 2018. Available at

[ii] Dixon, Helen, and Daniel R. Stoller. "EU Officials: Stick to Basics to Prep for New Privacy Regime." Bloomberg BNA Privacy & Security Law Report, 2 Apr. 2018. Bloomberg Law, Accessed 24 May 2018.

This communication is intended for general information purposes and as a service to clients and friends of Verrill Dana, LLP. This publication, which may be considered advertising under the ethical rules of certain jurisdictions, should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor does it create attorney-client privilege.
