Privacy Law: GDPR & Privacy Shield

The EU’s General Data Protection Regulation (GDPR) became effective May 25, 2018 and requires businesses to protect EU citizens’ privacy and personal data. Until July 16, 2020, the Privacy Shield Framework was a mechanism for a U.S. company to comply with the GDPR when transferring personal data from the European Economic Area (EEA) to the U.S.

The GDPR has extraterritorial application, which means a U.S. business that controls or processes personal data of EU citizens may be subject to the GDPR. With even the smallest companies in the U.S. engaging in cross-border activities, an American business with no physical locations in the EU cannot assume that it is beyond GDPR’s reach.

I work with clients to determine whether they are subject to GDPR. If they are and previously relied on the U.S. Privacy Shield, I guide them through next steps to ensure GDPR compliance.

The following are some of the services I provide:

  • Create a data inventory and map data flows

  • Review controls / conduct risk assessment (Data Privacy Impact Assessment (DPIA))

  • Develop remediation plan

  • Draft, implement and review corporate policies and procedures, compliance programs and compliance training

  • Obtain informed consent from clients

  • Establish effective handling of data subject access requests

  • Review and update privacy notices

  • Assess third party risk including review and amendment of existing vendor agreements

  • Develop incident response plan
For more information, you may contact me via my site contact page or directly via e-mail: