An automated tool that Orrick believes is the most comprehensive yet developed for companies across the globe to assess their compliance with the EU’s General Data Protection Regulation (GDPR) should be a must have for Chinese companies, said a partner in the firm’s London office.

Kolvin StonePartnerOrrick
Kolvin Stone

The firm’s site, called GDPR Readiness, aims to bring companies up to speed with the new regulation, which will come into effect in May next year.

“Of particular relevance to Chinese companies will be the restrictions on transferring data outside of the EU, which will require careful consideration of an appropriate lawful transfer method,” Kolvin Stone, a partner of Orrick in London, told China Business Law Journal.

“Acquisitions and investments into Europe by Chinese companies are beginning to increase again, and GDPR compliance and assessing the level of risk will be an important due diligence consideration, particularly in relation to more data-driven businesses such as technology companies,” said Stone.

He said Chinese tech companies doing business in Europe could become caught in the GDPR’s web even when they do not have operations in Europe. “For example, making an app available to EU residents and collecting data in the process will be an activity subject to the requirements of the GDPR.

“Lastly, Chinese service providers who do business with European customers will have to consider the implications of the GDPR if they are collecting their customer data when providing services. “

Stone said the firm’s GDPR Readiness tool breaks the regulation down into 14 themes and guides users “through a series of dynamic questions, and then automatically generates a tailored report summarizing likely key impacts of GDPR and areas for remediation based on the responses”.

“It is a good first step in understanding the key requirements under the GDPR, an organization’s level of readiness and beginning the process of developing a compliance plan.”

He said simply answering the questions asked was an educational process in helping businesses get a better sense of the GDPR and their own readiness, and was more effective than trying to wade through complex legal texts or guidance notes.

“Generally the emphasis on being able to demonstrate compliance to a regulator or other stakeholders brings challenges for every organization,” he said. “This requires businesses to have a developed privacy compliance program that is documented and available for inspection. The enhanced user rights and, for example, being able to effectively delete data when requested by an individual exercising their ‘right to be forgotten’ can present technical and operational challenges as systems may not be designed to support such requests,” he said.