EU General Data Protection Regulation

EU General Data Protection Regulation
Databeskyttelsesdagen (Data Protection Day) 2015, Copenhagen
John Bowman, Senior Principal, Promontory Financial Group, London
jmbowman@promontory.com, +44 (0)20 7997 3417
28 January 2015

Promontory Financial Group offices: Washington, D.C., Atlanta, Brussels, Denver, Dubai, Dublin, Hong Kong, London, Madrid, Milan, New York, Paris, San Francisco, Singapore, Sydney, Tokyo, Toronto
© 2014 Promontory Financial Group (UK) Ltd. All rights reserved.

Ordinary legislative procedure (co-decision), as charted on the slide:

January 2012: initial consultation. The text is reviewed in the European Parliament (LIBE committee opinion and report) and in the Council of the European Union (DAPIX working group), with institutional feedback and compromise amendments.
Parliament vote and Council of Ministers vote (Q2/3 2015?): text agreed by each institution.
Trilogue, awaiting agreed text (Q4 2015?).
Compromise text (Q1 2016?): if the EP and Council votes pass, the Regulation is adopted; if either the EP or the Council rejects the draft, further negotiations.
Regulation goes live (Q1 2018?).

The state of play

"You should also oversee, during the first six months of the mandate, the conclusion of negotiations on the reform of Europe's data protection rules as well as the review of the Safe Harbour arrangement with the U.S." Jean-Claude Juncker, President-elect of the European Commission, mission letter to Andrus Ansip, Vice-President for the Digital Single Market, 10 September 2014

"We made it! #EUdataP" Jan Philipp Albrecht, European Parliament Rapporteur for the General Data Protection Regulation, on Twitter after the LIBE Committee voted to adopt a compromise text, 21 October 2013

"Nothing is agreed until everything is agreed" Council of the EU DAPIX Working Group in Brussels, but a partial general approach was obtained on third country transfers, the risk-based approach and public sector exemptions under the Greek and Italian Council Presidencies. Latvian presidency H1 2015.

Some key issues and impacts

Expanded scope

Material and territorial scope: the scope of personal data is extended to include cookies and IP addresses; the GDPR applies to the processing of personal data of EU residents regardless of the location of the data controller/processor.
Impact: the expanded scope could cut across certain business processes and models, e.g. online behavioural advertising and data analytics. Businesses that operate outside the EU will need to appoint a representative in the EU.

Explicit consent: the only consent allowed is explicit. The burden of proof is on the data controller to demonstrate that explicit consent has been obtained.
Impact: increased collection costs; reduced take-up rates and the risk that data sets cannot be fully utilised. Impact on the advertising sector and the digital economy generally.

Enhanced rights

Right to be forgotten: data controllers will need to inform third parties of a data subject's request to erase personal data.
Impact: costly to implement and manage the process for dealing with requests. Would affect search, print, broadcast and social media in particular.

Right to data portability: the data subject will have the right to obtain their personal data in a commonly used, structured format.
Impact: cost of updating systems. Would affect utilities, telecoms, financial services and retail.

Additional obligations

Measures based on profiling: the data subject will have the right not to be subject to a measure based on profiling where it legally or significantly affects them.
Impact: direct impact on advertising and credit reference agencies. European Parliament proposals require a manual decision where profiling produces a legal effect or significantly affects the individual.

Data protection by design and default: the data controller must embed data protection by design and default into systems design and processes, and must implement appropriate measures to ensure the protection of the rights of the data subject.
Impact: potential costs for businesses with large and diverse systems, particularly where legacy systems need to be upgraded or replaced. The long lead-in time on IT programmes means current projects may be affected.

Additional obligations

Data breach notifications: the data controller shall, without delay and where feasible, notify the supervisory authority of a breach within 24 hours (the European Parliament and EU Council suggest 72 hours).
Impact: the UK Government impact assessment calculates the cost of the new reporting requirements at £30-130 million for UK business per annum.

Data protection impact assessments: Data Protection Impact Assessments are to be carried out where the data processing presents specific risks; the projects in scope are likely to be wide.
Impact: the UK Government impact assessment calculates the cost at £70-80 million for UK business per annum. Data controllers will need to focus on the handling of sensitive data and build data protection impact assessments early into the project management design process.

Additional obligations

Data Protection Officers: to be mandatory, except for small and medium enterprises with fewer than 250 employees where processing is ancillary to core activities.
Impact: the UK impact assessment calculated the cost at £35-75 million for UK business per annum. The EU Council prefers non-mandatory, risk-based appointments. The European Parliament wants DPOs to be appointed where more than 5,000 data subjects' data are processed per annum.

Data transfers outside the EU: adequacy decisions, model clauses, contracts and binding corporate rules are all permitted.
Impact: all binding corporate rules and non-standard contracts will require pre-approval by supervisory authorities, which is costly and time-consuming. The anti-FISA clause in the European Parliament text could create conflict-of-law issues. The EU/US Safe Harbour arrangement is still under review by the Commission, and an ECJ case is pending.

Stronger and more consistent enforcement

One-Stop Shop: the competent supervisory authority will be the one where the main establishment of the data controller is located.
Impact: significant for multi-national businesses, which would prefer to have a single home supervisory authority. The issue of local access by data subjects is still to be resolved.

Sanctions: maximum fines of €1 million or 2% of global turnover, whichever is higher. Member States may lay down rules on penalties.
Impact: high fines may lead to a risk-averse approach and therefore higher costs. The European Parliament is proposing fines of €100 million or 5% of global turnover, whichever is higher.

Will we get consistency?

YES:
A Regulation has to be applied directly: theoretical consistency in most areas;
the European Data Protection Board will own the consistency mechanism and may have its own agenda;
the European Court of Justice will continue to make pan-European rulings; and
the Commission can adopt delegated and implementing acts, but there is uncertainty on scope and timing.

NO:
Some opt-outs and member state flexibility in the Regulation (e.g. freedom of expression, public sector, employment, research);
local Data Protection Authorities will still interpret the Regulation in their guidance and enforcement actions; and
cultural and social norms will still differ, affecting press coverage, consumer reaction etc.