Ready or Not...the GDPR Effective Date is Here

May 24, 2018 Alerts and Newsletters

Now that May 25th, the long awaited effective date of the European Union ("EU") General Data Protection Regulation (Regulation 2016/679) ("GDPR"), has arrived, many companies are realizing that they have more work to do to become fully compliant with its far ranging and complex requirements. According to one report, 52% of companies expect to be compliant as of the GDPR's effective date, 40% expect to be compliant after the effective date, and 8% do not know when they will achieve compliance.i Despite the large percentage of companies that will not be fully compliant, EU data protection authorities have made it clear that there will be no grace period. As Helen Dixon, Ireland's Data Protection Commissioner, acknowledged to Bloomberg Law, however, "if companies get the basics right in the GDPR, they are off to a good start."ii For companies that are not fully compliant, it is not too late to take steps to achieve compliance. Here are a few key areas of focus for every company:

First, determine whether the GDPR applies to your company. The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU. While many U.S. companies do not have an establishment in the EU, the GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: 1) offering goods or services to such data subjects in the EU (regardless of payment from the data subject) or 2) monitoring the behavior of the data subjects if the behavior takes place in the EU. Second, identify the types of data processing activities that your company undertakes that may trigger the GDPR. Companies must understand how they are collecting and processing personal data in order to demonstrate compliance. Third, companies must ascertain and be transparent with data subjects about their processing activities. Finally, companies should focus on their ability to honor individual data subjects' rights, including the right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, and rights related to automated decision making and profiling. Dixon noted that when organizations fail to honor the enumerated rights that the GDPR gives every data subject, higher fines should be expected.

Verrill Dana has been counseling U.S. companies on EU data protection laws (including the EU Data Protection Directive, which preceded the GDPR) for many years, and we are currently assisting various clients with their GDPR compliance efforts. Now that the effective date has arrived, it is important that companies do not delay their efforts toward GDPR compliance. Please feel free to contact one of our GDPR attorneys to assist your company with any remaining work your company needs to undertake to become fully compliant and avoid the specter of stiff penalties under the GDPR (up to $20 million EUR or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher).


i "The Race to GDPR: A Study of Companies in the United States & Europe." McDermott Will & Emery LLP and Ponemon Institute LLC, Apr. 2018. Available at
ii Dixon, Helen, and Daniel R. Stoller. "EU Officials: Stick to Basics to Prep for New Privacy Regime." Bloomberg BNA Privacy & Security Law Report, 2 Apr. 2018. Bloomberg Law, Accessed 24 May 2018.
This communication is intended for general information purposes and as a service to clients and friends of Verrill Dana, LLP. This publication, which may be considered advertising under the ethical rules of certain jurisdictions, should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor does it create attorney-client privilege.

Firm Highlights


Massachusetts Health Care Bill Makes Several Significant Changes

While you were celebrating the New Year, Governor Baker signed Chapter 260 of the Acts of 2020, an “Act promoting a resilient health care system that puts patients first,” the result of the Legislature’s...


Conflicts of Interest

Reviewed medical center's systems, policies and procedures for identifying, assessing, and managing investigator and institutional conflicts of interest.


Verrill Welcomes Health Care Attorney Alicia Siani

(February 2, 2021) – Verrill is pleased to welcome health care attorney Alicia Siani to the firm’s Boston, Massachusetts office. Siani represents clients in a wide range of regulatory issues, including HIPAA privacy matters...


The Regulatory Sprint is Over - What’s at the Finish Line Under the New Stark and AKS Final Rules?

The U.S. Department of Health and Human Services (HHS) completed its “Regulatory Sprint” by finalizing changes to regulations pertaining to two federal fraud and abuse laws. On December 2, 2020, the Centers for Medicare...


Verrill Welcomes Jeffrey A. Smagula, Experienced Health Care and Life Sciences Attorney, Former Health Plan Compliance Executive

(May 12, 2021) – Verrill is pleased to welcome Jeffrey A. Smagula to the firm’s Boston office as Counsel in its nationally recognized Health Care & Life Sciences Group. Jeff Smagula brings to Verrill...


Fraud and Abuse Investigations Handbook for the Health Care Industry, Second Edition.

Health care attorney Paul Shaw co-authored Fraud and Abuse Investigations Handbook for the Health Care Industry, Second Edition with Robert Griffith, published by the American Health Law Association (AHLA). Paul and Robert provide legal...


Multi-Site Global Research

Developed and negotiated site and coordinating center agreements in connection with a multi-site, international, National Institutes of Health (NIH)-funded study, and advised on regulatory issues related to the conduct of the study and subsequent...


Common Rule

Guided multiple clients through the implementation of the revised HHS regulations (the "Common Rule"), including reviewing and revising policies and procedures, and assisting with institutional approaches to implementation.


HHS Confirms Providers’ Right to 340B Discount Pricing for Contract Pharmacies

As a holiday gift to providers, the U.S. Department of Health and Human Services (HHS) General Counsel recently issued a strongly worded Advisory Opinion indicating that federal law requires drug manufacturers to deliver covered...


European Union GDPR—Institution

Counseled a preeminent health system and academic medical center on its compliance with the European Union General Data Protection Regulation (GDPR) in relation to its clinical and research activities, including its international research studies...

Contact Verrill at (855) 307 0700