The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These important changes required action by companies and institutions around the world. Almost six months after the GDPR’s effective date, organizations are still working on compliance—and will be for years to come.

Critical provisions

The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU.

The GDPR uses other terms that are unfamiliar to US businesses but need to be understood. Both “data controllers” and “data processors” have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that has control over the data and determines how and why to process it. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual to whom the data pertains). A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines “processing” to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).

The GDPR also broadly defines “personal data” as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Organizations in the US are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver’s license numbers, and financial account, credit and debit card numbers).

The search by consumers, payers and providers for more efficient, effective and convenient care delivery models has led to an explosion of technological innovation in the health care sector. This explosion has supported the increased use of telemedicine by providers to reach patients who were previously out of reach, and to provide more timely and

On April 22, 2015, the U.S. Securities and Exchange Commission (SEC) announced that it had awarded $1.4 million–$1.6 million to a compliance officer-turned-whistleblower who aided the SEC in an enforcement action against the officer’s employer. This marks the second time an employee with an internal audit or compliance function—who does not typically qualify under whistleblower

Tuesday, February 10, 2015
12:30 – 1:30 pm EST

Please join McDermott Will & Emery for a complimentary webinar discussing key issues retirement plan sponsors should take into account when establishing and maintaining internal controls based on the compliance requirements Internal Revenue Service (IRS) and U.S. Department of Labor (DOL) agents review when they conduct

All individuals involved in a proposed sale transaction have a personal stake in full federal, state and local legal compliance because of expanding doctrines of personal liability and successorship liability, notwithstanding transaction documents that purport to disclaim assumption of seller’s liabilities.


The following post comes to us from Michael W. Peregrine, Partner at McDermott Will & Emery, Andrew C. Liazos, head of McDermott’s executive compensation practice, and Timothy J. Cotter, Managing Director at Sullivan, Cotter, and Associates, Inc.

Governing boards should consider compliance-based incentive compensation as a supplement to statutorily mandated “clawback” provisions, and as an

by Susan M. Nash, Mary K. Samsa and Maggie McTigue

U.S. Department of Labor (DOL) audits already evaluate a company’s compliance with a spectrum of laws, statutes and regulations. However, the DOL has updated and revamped its audit letter to now also capture compliance aspects of the Patient Protection and Affordable Care Act.