GDPR Essentials. To Meet the May 25th Deadline. FIA Webinar March 1, 2018



Administrative Items
- The webinar will be recorded and posted to the FIA website following the conclusion of the live webinar.
- A question and answer period will conclude the presentation. Please use the question function on your webinar control panel to ask a question to the moderator or speakers. Questions will be answered at the conclusion of the webinar.
- CLE certificates will be emailed shortly after conclusion of the webinar.

Upcoming Webinars and Events
- Physical Commodity Trading: An Update on Developments in Regulation in the US, EU and UK. March 8, 2018, 10:00 AM - 11:00 AM EST. Webinar.
- 43rd Annual International Futures Industry Conference. March 13-16, 2018. Boca Raton Resort & Club, Boca Raton, FL.
- 40th Annual Law & Compliance Division Conference. May 2-4, 2018. Omni Shoreham, Washington, DC.
Learn more and register at FIA.org/events

Today's Presenters
- Michael Sorrell, Associate General Counsel, FIA
- Melise Blakeslee, Partner, Sequel Technology & IP Law, PLLC; CEO, Achieved Compliance Solutions, LLC
- Paula Bruening, Of Counsel, Sequel Technology & IP Law PLLC; Sr. Director, Global Privacy Policy, Achieved Compliance Solutions, LLC

A Refresher on the Basics: the Big Changes
- Policy shift from reliance on consent to accountability.
- GDPR is extraterritorial and applies to anyone offering goods or services to data subjects in the EU.
- Extremely broad definition of personal data.
- Required records of your processing.
- Must identify and maintain a legal basis for processing personal data. Consent is difficult to establish.
- Must honor the individual's rights.
- Appoint a DPO and a Representative (not in every case).
- Direct responsibility for subcontractors and others.

Quick Review - Big Changes: Extraterritoriality
- Offering goods or services to data subjects in the EU. Or, monitoring their behavior.
- Residents of the EU are the beneficiaries. Nothing to do with citizenship. Expats in the EU are also beneficiaries.

Quick Review - Big Changes: Definition of Personal Data
- Entirely different from the old-style focus on a name plus an account number, etc.
- Any information related to an identified or identifiable natural person.
- A person's business contact information is subject to all the GDPR protections. No distinction from private-life data.
- Safe to assume that all the data you collect must be treated in accordance with GDPR requirements.

Quick Review - Big Changes: Record-keeping
- Article 30 requires written records of the data collected and the purposes of processing.
- Data mapping is the 1st step: where the data is kept in all systems, and with whom it is shared.
- Transfers to countries outside the EU: the US is not an adequate country. Result: data can only be transferred under an approved mechanism.
- Time limits on data retention.
- Technical and security measures.

Quick Review - Big Changes: Legal Basis for Processing
MUST be one of these:
- Consent (very difficult to establish; opt-out is dead, opt-in is dying)
- Necessary to performance of a contract with the data subject. Privity with the data subject can be a problem for FCMs.
- Compliance with a legal obligation of the controller (only EU legal obligations)
- Vital interests of the data subject
- Public interest task
- Legitimate business interest, weighed against the interests of the data subject

Quick Review - Big Changes: Honor the Individual's Rights
- Right to be informed (who has the obligation to inform? Controller or processor?)
- Right of access
- Right of rectification and erasure
- Right of portability
- Need a process in place: 1/3 of UK residents plan on using their right to access data and request erasure.
- Rights don't always trump the controller's right to retain information under certain circumstances; identify those circumstances and write your playbook now.

Quick Review - Big Changes: Appoint a DPO; Appoint a Rep in the EU
- Not everyone needs to appoint a DPO, but best practice may dictate one.
- A DPO is required if core activities consist of operations that require regular, systematic monitoring of data subjects on a large scale.
- Unless processing is only occasional, a Rep is required if you do not have an establishment in the EU. (For the data subject's convenience, not yours.)
- The Rep is to maintain records and respond to data subjects and regulators on all matters.

Quick Review - Big Changes: Joint & Several Liability
- Joint and several liability between the controller and all processors.
- The law mandates contractual undertakings and actual management and oversight.
- Will require amendment of most contracts with 3rd parties who have access to personal data.

Immediate Steps (if not done already)
- Know your company's data.
- Know your company's vendors.
- Establish a policy that is accurate and promotes good privacy outcomes for the data subjects.
- Appoint company staff in charge of data privacy oversight across the company.
- Begin workforce privacy training.
- Provide appropriate resources for security.
- Understand your company's needs for legal representation and support.

Know Your Data
Conduct a review of your data holdings across the company:
- What does the company collect?
- From where is the data collected?
- With whom does the company share data?
- How does the company process it?
- Assess the risks that data collection and processing raise for individuals.

Know Your Vendors
- GDPR holds companies responsible for the protection and responsible use of their data no matter where or by whom it is processed. Liability for failing to protect data cannot be outsourced.
- Companies must conduct due diligence to be sure vendors have established good internal data protection measures and can meet the obligations that come with the data.
- Companies must clearly articulate data obligations in their contractual agreements.

Immediate Risk Reduction
- Make sure you have a written opinion about the legal basis for processing: is it consent? Contract? Legitimate business interest?
- Make sure the privacy policy is accurate and transparent. Use data maps to ensure completeness.
- EU cookie policy requirements.
- Appoint staff to be responsible.
- Have ready the documents regulators will require. Are you currently able to produce them in 72 hours?
- Appoint a rep in the EU.
- Assess the risk that data collection, storage and processing may raise to individuals; mitigate it; and document the assessment.

On-going Risk Reduction
- Have a long-term plan and ensure regular management participation.
- Breach remediation plan.
- Breach notification plan.
- Data transfer mechanisms.
- Educate staff.
- GDPR requires that companies implement technical and organizational security measures commensurate with the risk raised by processing data. Companies must stay abreast of necessary software upgrades and patches, and must be able to respond quickly to emerging threats.
- Data retention and destruction.
- Privacy by Design.
- On-going risk assessments.
- Obtain insurance.

These Are Myths
- I can wait till May.
- GDPR only applies to EU firms.
- Consent solves everything.
- GDPR compliance is primarily the IT department's problem.
- I don't have to comply if we only collect business information.
- I don't need a lawyer's help.
- I have to isolate EU data.
- Software solutions make me GDPR compliant.
- I just need really good insurance.
- I don't need to change my marketing practices.
- My current privacy policy is good enough.

Some Industry-Specific Problems
- How does customer consent intersect with obligations to obtain data, such as for anti-money laundering/financial suitability requirements?
- Obtaining consent through an intermediary: can it be done? Or is direct privity required?
- When is consent mandatory?
- Officers and owners of entity customers: what is the obligation to provide notice?
- Is a code of conduct mandatory for a US FCM? How is this different from a GDPR compliance policy?
- How does a US FCM determine compliance with EU security standards?

Limits of Software-Only Solutions
Beware of claims that software or tools will make you GDPR compliant. Tools generally implement mechanisms of security or of honoring rights, such as:
- Access controls
- Data destruction
- Encryption
- Consent recording (keeping track of consents)
- Automating the individual's rights process, or
- Helping the DPO stay organised and track contracts
Some are diagnostic: they help identify gaps in business processes, track compliance, and generate documents and records. Some educate.

Melise R. Blakeslee, Esq.
Partner, Sequel Technology & IP Law, PLLC; CEO, Achieved Compliance LLC
Melise Blakeslee is the founding principal of Sequel Technology & IP Law, PLLC. Ms. Blakeslee has advised companies with respect to some of the largest databases in the world for financial transactions, clearing of travel, and media, as well as for many global membership organizations. A significant part of her practice relates to helping clients navigate the myriad number of international data protection laws, including breach crisis management. In addition to her law practice, Ms. Blakeslee is the founder and CEO of Achieved Compliance Solutions, LLC, offering an end-to-end privacy and data protection software solution for companies that are too understaffed and budget-constrained to effectively meet GDPR challenges. Her aim is to help businesses achieve GDPR compliance in an efficient and cost-effective manner through the use of tools aimed specifically at those without the benefit of a dedicated privacy officer or staff. Melise is a member of the International Association of Privacy Professionals, and the bars of New York and the District of Columbia. Prior to founding Sequel, Melise was a partner with a premier international law firm, heading its ecommerce and Technology department.
melise@sequeltechlaw.com
melise@achievedcompliance.com
571.366.1784

Paula Bruening
Senior Director, Global Privacy Policy
Paula brings 25 years of privacy and data protection policy development and representation expertise to her role at Achieved Compliance. Prior to coming to Achieved Compliance, Paula worked at Intel Corporation, where she was Director of Global Privacy Policy. At Intel she developed and coordinated data protection policy across the company, focusing particularly on the European Union. Prior to her tenure at Intel, she served as Vice President for Global Policy at the Centre for Information Policy Leadership at Hunton & Williams LLP, a pathfinding privacy and information policy think tank located in Washington, D.C., addressing cross-border data flows, emerging technologies, and cyber security issues. She was counsel for the Center for Democracy & Technology; Senior Attorney Advisor for the National Telecommunications and Information Administration of the Department of Commerce; and Senior Analyst for the U.S. Congress Office of Technology Assessment. Paula has extensive experience working on information policy issues in developing countries and with international organizations such as the Organization for Economic Cooperation and Development and APEC.
paula@achievedcompliance.com

Meet Achieved Compliance
ACHIEVED COMPLIANCE
Its suite of automated, software-based services, combined with dedicated client counseling, helps companies quickly establish accountability-based data governance that responds to the requirements of regulators and the demands of the data-driven market. Using the PrivacyMinder software platform, and with the support of the Achieved Compliance legal team, budget-challenged companies can achieve the advantages enjoyed by larger industry players, but without the expensive outside counsel or consultants.
ACHIEVED REPRESENTATION SERVICES
The GDPR requires that U.S. businesses that collect data about European citizens maintain a registered representative in the EU. Our representation services provide the on-the-ground EU presence companies need to comply with Article 27 of the GDPR. Located in the UK, Achieved Compliance Advocacy, Ltd. maintains the required records, acts as a liaison to investigators and data subjects, and provides legal support in case of an investigation.
Achievedcompliance.com