Data privacy from across the pond: what US companies need to know about the European General Data Protection Regulation.
15 February 2018

Jade Kowalski, Senior Associate, jkowalski@dacbeachcroft.com, 020 7894 6744
Joseph Fitzgerald, Associate, jfitzgerald@dacbeachcroft.com, 020 7894 6875
@DACBprivacy
Contents
A History of DP and privacy in Europe
B How to identify whether the GDPR applies
C An overview of the requirements of the GDPR
D The consequences of a breach
E Practical steps for GDPR compliance
A History of DP and privacy in Europe

EU General Data Protection Regulation
• General Data Protection Regulation (GDPR), which will replace the UK Data Protection Act 1998 and other national legislation across Europe on 25 May 2018
• An attempt to harmonise data protection laws across Europe
• Places greater obligations on organisations when processing personal data
• Provides individuals with more rights which are easier to enforce
• Changes the risk profile of data protection compliance
• Not just about security of personal data, but also what personal data you have, where you have it, when and why you need it, and protecting data subjects’ rights
B How to identify whether the GDPR applies

Scope
Regulates:
1. “Processing” of
2. “Personal Data” by
3. “Controllers” or “Processors”.

“Personal Data” is broader under GDPR: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
B How to identify whether the GDPR applies

Jurisdictional reach
Regulates “processing” of personal data by controllers or processors established in the EU.
Also applies to controllers or processors not established in the EU where processing relates to:
(a) Offering of goods or services to data subjects in the EU
(b) Monitoring the behaviours of data subjects in the EU
Overseas companies will need to appoint a local “representative” in certain circumstances.
B How to identify whether the GDPR applies

Situation | Existing law applies | GDPR applies
US social media company with no European group companies, targeting the service at individuals in the EU. | No | Yes
US retailer with e-commerce website, in the English language, accessible by EU citizens. The company only delivers to addresses in the US. | No | No
US retailer with e-commerce website, in English language, which takes payment in Euros and makes deliveries to European citizens. | No | Yes
US website which uses cookies to monitor behaviour and send targeted marketing to IP addresses, which include those belonging to European citizens. | No | Yes
C An overview of the requirements of the GDPR

Accountability
• New principle of accountability
• Certain processing activities will require data protection impact assessments
• Privacy by design and privacy by default

Data Subject Rights
• Subject access
• Data portability
• Erasure
• Right not to be subject to automated decisions
• Objection to marketing

Enforcement
• Up to 4% of worldwide turnover or EUR 20,000,000
• Right to compensation from a data controller or data processor
• Quasi-ombudsman for group litigation

Fair processing notices
• Specific and comprehensive requirements for content and format of privacy notices, including specifying legal basis of processing

Consent
• Higher threshold for consent, meaning there will only be limited circumstances when it may be relied upon

Wider Scope
• Data processors now have direct obligations and liabilities
• Expanded territorial scope to govern companies outside of EU

Security
• Data breach notification to regulator within 72 hours
• Data breach notification to data subjects without undue delay
• Pseudonymised data formally recognised as a security protection

Data Protection Officers
• New requirement to appoint a DPO in certain circumstances
• DPO must be independent and must not be instructed on how to carry out his/her role

Best of the rest
• European Data Protection Board to replace Working Party 29, with remit for guidance and consistent application of the GDPR
• New concept of data privacy seals
C An overview of the requirements of the GDPR

Principle 1: Fair and Lawful Processing
Is it Fair?
Significant increase in information to be provided by data controllers to data subjects. Data controllers must provide: contact details of data controller and DPO; purpose of processing and legal basis; recipients; international transfers; data retention period; reference to data subject rights; and existence of automated decision making, including profiling.

Is it Lawful?
• Not in breach of any other law (including contractual obligations)
• Performed in reliance on a legal basis:
  – Consent of the data subject
  – Necessary for the performance of a contract with the Data Subject
  – Necessary for compliance with a legal obligation to which the Data Controller is subject
  – Necessary for the purposes of legitimate interests of the Data Controller which will not cause undue prejudice to the Data Subject
• Additional legal basis for processing of sensitive personal data

Principle 2: Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Principle 3: Data Minimisation
Personal data must be adequate, relevant and limited to what is necessary.

Principle 4: Accuracy
Personal data must be accurate and kept up to date.
C An overview of the requirements of the GDPR

Principle 5: Storage Limitation
Personal data must not be kept for longer than is necessary.

Principle 6: Integrity and Confidentiality
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.
C An overview of the requirements of the GDPR

Principle 7: Accountability
The data controller must be responsible for, and be able to demonstrate compliance with, the other principles.
• Policies and procedures
• Governance
• Records of processing
• Data protection officers
• Data protection impact assessments
• Data protection by design and by default