The Era of GDPR Data Privacy, Two Months In: Do you have a Data Transfer Agreement handy?
July 31, 2018
Thanks to our Legal Forum Working Group!
Legal Co-Chairs:
- Lana Gladstein, Vice President and General Counsel, Brammer Bio
- Konstantin Linnik, PhD, JD, Partner, Nutter McClennen & Fish LLP
- John Harre, Founder, L.G.L Consulting
Speakers: The Era of GDPR Data Privacy, Two Months In: Do you have a Data Transfer Agreement handy?
- Naomi Leach, Senior Associate, Data Protection, Stephenson Harwood
- Colin J. Zick is a partner with the Boston-based law firm, Foley Hoag LLP, where he serves as Chair of its Privacy and Data Security practice group.
Moderator: John Harre, Founder, L.G.L. Consulting
Key GDPR considerations
MassBio, 31 July 2018
Naomi Leach, Senior Associate, Life Science Transactions
Context: How the GDPR came to be
- EU Data Protection Directive 95/46/EC
- Implemented in the UK by Data Protection Act 1998 (affects all organisations which process personal data in the UK as a data controller)
- Variations in implementation across EU
- General Data Protection Regulation 2016/679 came into direct effect on 25 May 2018
Key Terms in GDPR
- Personal Data
- Sensitive personal data / Special Categories
- Controller
- Processing
- Processor
- Data Subject
Key areas of change in GDPR from the previous laws
- Increased fines (up to the greater of 4% of worldwide turnover or 20m Euro)
- Legal Grounds and Fair notice provisions tightened
- Direct obligations for data processors
- Accountability principle and DPOs
- Data breach notification and other rights of data subjects
The GDPR has greater extra-territorial effect than the Directive
- Existing DP Directive only applies to non-EU entities if they use a means of processing (e.g. equipment or processors) in the EU
- Regulation applies to entities based outside the EU if it: (i) offers goods or services to EU residents, or (ii) monitors the behaviour of EU residents
- Obligation to appoint a Representative in an EU member state, and all the provisions of the Regulation apply
- Potential de minimis exemption for occasional / small-scale processing
Transferring data outside the EEA under GDPR
- Same restrictions apply as under the Directive and largely the same existing toolkit for compliance, BUT:
- Adequacy decisions subject to periodic review (query status of Channel Islands pending reform of law; adequacy grandfathered in short term)
- BCRs specifically referenced for first time (including BCRs for processors)
- October 2017: Irish courts refer standard contractual clauses to CJEU to opine on adequacy
- Privacy Shield became effective 1 August 2016 - may be challenged also
Lawful grounds for processing personal data
- GDPR does not change lawful grounds materially, BUT increases the burden on controllers to demonstrate that they have satisfied a lawful ground
- Also greater right to challenge (e.g. when using legitimate interests)
- AND emphasis on transparency greatly increases the detail to be included in privacy notices (e.g. websites / Ts&Cs)
Using consent as your lawful ground
- Consent is just one lawful ground for processing
- Must be specific, freely given & capable of being withdrawn
- Imbalance in bargaining power can mean consent is invalid
Consent in the context of Clinical Trials
Challenges:
- Withdrawal of consent
- Specificity of consent
Alternative Legal Grounds:
- Comply with a legal obligation
- Legitimate interest
- In the public interest
- Necessary for Scientific Research Purposes
Consent under Clinical Trials Regulation:
- Still applicable and must be considered separately from GDPR requirements
New direct obligations for processors under GDPR
- Same (if enhanced) requirements apply to controllers
- Same requirements as to guarantees and contracts in writing (but with added detail as to content of contract)
- BUT certain provisions also apply directly to processors, e.g.:
  - Record keeping requirements (Article 30(2))
  - Cooperation with regulators (Article 31)
  - Security measures (Article 32)
  - Notification of breach (to controller) (Article 33)
  - International Transfers (Article 40-42)
Contracts with Processors (Article 28)
- Review for compliance with Article 28; update to include extra information including:
  - Details of processing (e.g. subject matter, nature of data, duration)
  - Security measures
  - Audit rights
  - No sub-processing without specific or general authorisation
- Whose responsibility? Controller or processor?
Accountability
- General principle of accountability runs through GDPR (Article 5(2))
- Manifests itself as (e.g.):
  - Express requirement on controller to demonstrate compliance with principles
  - Requirements to keep record of processing
  - Designation of data protection officers (in some instances)
  - Data Protection by design and default
  - Where relying on consent, evidence of such consent
- Failure to demonstrate compliance is itself a breach
Data Breach
- Data breaches to be notified to regulator within 72 hrs after a controller is aware
- Where high-risk, data subjects may also need to be informed
- Consider interplay between processor and controller awareness
Data Subject Rights
Right to object:
- Wider scope/grounds to object (burden of proof on controller)
Right to be forgotten:
- Right to require erasure of data where no legal basis remaining
Data Subject Rights
Subject Access Requests:
- Same principles but time period reduced to 1 month
- Requests which are manifestly unfounded or excessive can be charged for or refused
Right of portability:
- Right to obtain a copy of data in an electronic and structured format which is commonly used
- Right to require transmission from one controller to another
Checklist to assist with GDPR compliance
Audit:
- What personal data is collected and where?
- Why is it held/used?
- With whom is it shared?
Review lawful grounds for processing:
- Consent? Legitimate interests? Necessary for contract?
Review terms and notices:
- What purposes are notified?
- What changes need to be made?
Checklist to assist with GDPR compliance (continued)
Policies:
- Review procedures for reporting breaches and contracts with key suppliers
- Consider updates to data retention, deletion and other policies (e.g. Subject Access)
Contracts:
- Review and amend contracts with processors
- Consider arrangements for data transfers overseas (model clause agreements?)
Key concerns for companies when acting as controllers or processors under the GDPR
Accountability:
- Prove compliance (Article 5)
- Obligation to carry out privacy impact assessments (Article 35)
Liability:
- ICO fines (max 4% turnover, or Euros 20 million) for both controllers and processors
- A triple threat of liability for processors: regulator fines, plus claims from data subjects (including joint liability with controller), plus contractual claims from controller
Breach notification:
- Controller must notify regulators within 72 hours, where feasible (Article 33), and data subjects without undue delay (Article 34)
- Processor must notify the controller of any breach without undue delay (Article 33)
Security requirements:
- Go beyond mere encryption and include the integrity of systems, back-ups and regular penetration testing (Article 32)
Contracting:
- Article 28 prescriptive about content of contracts
- No subprocessing without consent of controller (Art 28(2))
- Subject matter clearly set out
- Audit rights permitted
Contact
Naomi Leach, Senior Associate
T: +44 20780922960
M: +44 7769 143 367
E: naomi.leach@shlegal.com
Thank you for attending!