Michael Gorm Madsen

I'm a partner and head of our skilled and dedicated Privacy and Data Protection group in Denmark, advising on a wide range of data protection and e-privacy matters.

The need for data protection advice has expanded dramatically with the introduction of the EU Data Protection Regulation (GDPR). The GDPR is a very complex set of rules, not only to understand, but also to apply. That calls for a pragmatic approach yet still deeply rooted in a profound knowledge of the law. Our job is to understand our clients' business and to help our clients find the right solutions for them. Therefore, I am particularly satisfied that our client feedback often mentions our readiness to understand the clients' need, our sense of pragmatic solutions and our availability.

My passion for data protection law began, like many other matters in life, as a coincidence. In 2000, an international law firm asked me to write a chapter to a book on the implementation of the Data Protection Directive in Denmark. From that point on, I was hooked by the complexity of data protection rules and the challenges they pose to an ever changing world facing new technological development and possibilities.

Together with my team, I have vast experience in assisting our clients with all aspects of privacy and data protection, from full blown GDPR compliance projects, including awareness and client training, identification of lawful basis, complying with transparency requirements, establishing the appropriate level of procedures, policies and safety measures, to the daily challenges, including subject access requests, data breaches, negotiation of data processor agreements, cross border transfers of personal data, audits and authority enquiries, and taking part in clients business elaborations sitting in the midst of a service or product developing team with the task of ensuring privacy by design.

As GDPR applies to every kind of business and organisation, I have assisted and gained insight into a wide range of client sectors including retail, biotech and medical device, adtech, gaming, health sector, fintech, software and platform service providers, insurance and brokers, utility providers, industry associations, unions, public bodies and non-profitable organisations and more.

Being a part of Bird & Bird's international team of skilled privacy and data protection lawyers provides a unique tool enabling seamless coordination of cross border advice and projects and I have coordinated as well as contributed to multi-jurisdictional projects.

Since 2013, I have been a Certified Information Privacy Professional (CIPP/E).

Having a commercial law background, I also advise on commercial contracts, consumer law and marketing law.

• Rolling out a global Danish retailers' data protection program in 25 EU and EEA countries: including data mapping and providing country specific gap analysis. Our Copenhagen Data protection team coordinated advice from Bird & Bird's international network of lawyers to include advice on local variations. As part of the project we held a number of internationally accessible webinars and local workshops in all countries. The project further involved the international roll out of localised GDPR implementation documentation.
• Assisting a public authority agency in a GDPR compliance project: including identifying data processing activities and verifying the relevant lawful basis, identifying data processor relations and preparing gap-analysis including advice on the implementation step required to obtain full GDPR compliance. During the project, we also advised on several privacy related issues on the agency's marketing activities, the use of photos and video recordings, the processing of personal data on website and e-marketing.
• Assisting a modern waste-management and energy company in a full GDPR compliance project. The project included assistance on map data processing activities in relation to consumers, users of services, and employees. Based on an extensive mapping of data flow and processing activities our Copenhagen data protection team prepared a gap analysis verifying lawful basis for processing and identified steps to be taken to become fully GDPR compliant. Furthermore, we assisted in the implementation process and have drafted required GDPR documentation. At the end of the project, the client decided to appoint Bird & Bird as their formal Data Protection Officer.