privacy-compliance

Global Privacy Landscape

EU General Data Protection Regulation (GDPR)

Territorial reach: Governs the processing of personal data belonging to individuals located in the EU/EEA, irrespective of where the processing entity is based.

Core obligations for in-house legal teams:

  • Legal basis documentation: Every processing activity must rest on one of six recognized grounds -- consent, contractual necessity, legitimate interest, statutory obligation, protection of vital interests, or public authority function
  • Individual rights fulfillment: Requests for access, correction, deletion, portability, processing restriction, and objection must be resolved within one calendar month, with a two-month extension available for particularly involved requests
  • Impact assessments (DPIAs): Mandatory when a processing activity is likely to result in a high risk to individuals
  • Incident reporting: The competent supervisory authority must be notified within 72 hours of becoming aware of a personal data breach; affected individuals must also be notified without undue delay when the breach is likely to pose a high risk to them
  • Processing inventory: Maintain the register of processing activities mandated by Article 30
  • Cross-border safeguards: Transfers outside the EEA require valid mechanisms such as Standard Contractual Clauses, adequacy determinations, or Binding Corporate Rules
  • Data Protection Officer: Appointment is required in specific situations -- public bodies, organizations conducting large-scale processing of sensitive categories, or those engaged in systematic large-scale monitoring

Where in-house teams most often engage:

  • Evaluating vendor DPAs for regulatory alignment
  • Counseling product teams on embedding privacy into design
  • Managing communications with supervisory authorities

Installs: 22 | GitHub Stars: 59 | First Seen: Mar 16, 2026