POST MAY 25TH – GDPR OBLIGATIONS, GOVERNANCE, AND RESPONSE WEBINAR May 2, 2018 BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.
WITH YOU TODAY
Karen Schuler
Partner and National Data & Information Governance Practice Leader
BDO USA, LLP
8401 Greensboro Drive, Suite 800
McLean, VA 22102
Direct: 703-336-1533
kschuler@bdo.com
www.bdo.com

Lisa Sotto
Partner and Chair, Privacy and Cybersecurity Practice
Hunton Andrews Kurth LLP
200 Park Avenue
New York, NY 10166
Direct: 212-309-1223
lsotto@hunton.com
www.huntonprivacyblog.com
TOPICS TO BE COVERED
• GDPR Background
• Primary Legal Considerations
• Approach to GDPR
• Minimizing Your Exposure Post-May 25
• Managing Risk in an Uncertain World
GDPR Background
GDPR Background
The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.
• Enhanced personal privacy rights
• Increased duty for protecting data
• Mandatory breach reporting
• Significant penalties for non-compliance
Key GDPR Themes
Strengthened rights of individuals
• Right to erasure
• Data portability
• Right not to be subject to automated profiling / right to object
• Breach notification – to DPAs and individuals, and redress for individuals
Increased enforcement, fines, liabilities
• Regulatory fines up to 4% of annual worldwide turnover
• Individual action
• Class action
• Criminal sanctions (in national laws)
• Larger role for European Data Protection Board (EDPB)
Harmonisation
• Harmonised rules, but not fully (e.g. employee data, children data)
• One Stop Shop: Lead DPA for pan-European matters, in cooperation with other DPAs; Local DPA for local matters
• Some reduction of administrative burden (no national registration of processing or prior authorisation)
• BCRs, seals and certifications
Increased obligations
• DP principles tightened (consent, transparency)
• Profiling rules
• Privacy Impact Assessment
• Privacy by Design
• Direct obligations and liability for processor
• Risk-based approach
• Accountability – Privacy Programme
• Internal record of processing
• DP Officer
Territorial Scope
EU Businesses
• The GDPR applies if personal data are processed in the context of the activities of their establishment in the EU
• Based on the concept of “establishment”
• Irrespective of where the actual processing takes place
Non-EU Businesses
• The GDPR applies when a business “targets” individuals in the EU (by offering them products or services), or monitors the behavior of individuals in the EU
• What is “targeting”?
• What is “monitoring”?
Data Subject Rights
• Access
• Objection
• Portability
• Profiling/automated decisions
• Restriction
• Erasure
Fines & Sanctions
• Controllers and processors subject to administrative fines for non-compliance
• High fines of up to:
‒ 20 million euros, or
‒ “in case of an undertaking” up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher
• Fines should take into account:
‒ Gravity and duration of the violation, and
‒ Any mitigating measures taken by companies
• Criminal sanctions also available and will continue to be determined at national level
Primary Legal Considerations
Legal Basis for Processing
• Personal data may be processed under the GDPR only if there is a legal basis to do so
• Legal bases include:
‒ Consent
‒ Performance of a contract
‒ Compliance with a legal obligation
‒ Legitimate Interests
GDPR Transparency Requirements
• Transparency is an explicit requirement
• Personal data must be processed fairly, lawfully and in a transparent manner
‒ The Controller is responsible for demonstrating compliance with transparency obligations
‒ The Controller must provide information to individuals in a concise, transparent, intelligible and easily accessible form, using clear and plain language
‒ Individuals must be made aware of data processing, purposes, risks, rules, safeguards and rights
‒ Further reinforced by and linked to requirements for consent, notice, legitimate interest, publishing DPO contacts
Privacy Notice Requirements
• Controllers must provide certain information to individuals when:
‒ Obtaining data directly from the individuals, and
‒ Obtaining personal data about the individual from third parties
• This information must include:
‒ Controller/representative identity and DPO identity/contact details
‒ Purposes of processing and legal basis
‒ When processing is based on legitimate interests, an explanation
‒ Whether provision of data is mandatory
‒ Information about recipients of data and data retention periods
‒ Explanation of individual rights
‒ Information regarding cross-border transfers
‒ Existence of automated decision taking and the logic behind it
Accountability Requirements
• Data Protection Officer
• Codes of conduct and certifications
• Internal records
• Data Protection by Design and by Default
• Data protection impact assessments
Approach to GDPR
Holistic GDPR Implementation
[Diagram: implementation wheel. Areas: Readiness assessment; iGRC; POS Compliance; Policy; Risks; Vendors; Accountability & Organizational Measures; Technical Measures; Subject Access Rights; Monitoring & Governance; Readiness, Data Mapping & Registers; Transfers.]
Items shown: Access requests and forms; Data Protection Officer Services; Business processing mechanisms; Response; Information inventory; Rectification & erasure; Management; Accuracy; Objections; Special categories; Records retention & erasure; Transfers to data subjects; Awareness & training; Transfers to DPA’s/SA’s; 3rd party transfers; Website policies; International transfers; Privacy notices; Info. security policies; Data protection policies; Data breach response & notifications
Path to Compliance
• GDPR is a combination of evolving and new requirements
• GDPR requires an ongoing compliance obligation
• Management buy-in is critical
• Continued compliance means
‒ Ongoing diligence
o Ongoing understanding of your data processing activities
o Conduct ongoing gap analyses against GDPR requirements
o Continue to remediate based on the gap analysis
‒ Ongoing Remediation
o Execute strategic remediation on an ongoing basis
o Continue to implement underlying changes
Minimizing Your Exposure Post-May 25
Minimizing Exposure
[Diagram: GDPR LIFECYCLE wheel with four segments – People, Process, Technology, Data. Elements: Information management; Meet DPO requirements; Policies & procedures; PoS & ERP compliance; Data transfers & storage; SAR management; Contracts & third party management; Training & awareness.]
Security: Risk Assessment and Safeguards
Obligations
• Applies to controllers and processors
• Must evaluate risks of processing
• Must put in place adequate security measures
Security measures
• Technical safeguards
• Organisational safeguards
• Policies and procedures