Overview of the EU General Data Protection Regulation (GDPR)
Michael R. Cohen, CIPP/US, CIPP/E, Gray Plant Mooty


WHAT YOU NEED TO KNOW ABOUT THE EU GENERAL DATA PROTECTION REGULATION (GDPR)

What is the GDPR?

It's the most significant development in data protection law in 20 years. Current EU data protection is based on the 1995 EU Data Directive. In January 2012, the European Commission first announced proposed revisions to the Directive. On December 17, 2015, the European Parliament and Council announced the text of the brand-new General Data Protection Regulation (GDPR). The GDPR has 99 articles and is over 200 pages long. Its adoption follows years of intense lobbying and represents a landmark moment in data protection and privacy both in Europe and around the world.

Effective Date

The GDPR becomes effective May 25, 2018. Until then, the 1995 Directive remains in effect.

Highlights of the GDPR

Some of the major provisions of the GDPR include:

Expansion of Scope. Non-EU businesses will be subject to the GDPR if they 1) offer goods or services to EU residents or 2) monitor the behavior of EU residents. The GDPR may apply to any controller or processor of EU citizen data, regardless of where the controller or processor is located. New obligations are imposed on data processors and controllers.

Data Breach Notification. The GDPR requires that a privacy regulator be notified by the data controller within 72 hours of discovery of the breach. Notice to individuals, without undue delay, may be required if there is a potential of serious harm. Notice is not required if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Increased Fines for Noncompliance and Right to Sue. Currently, fines under the Directive vary by member state and are relatively low. Under the GDPR, violations of certain provisions, such as consent requirements or cross-border data transfer restrictions, can trigger fines up to the greater of €20,000,000 or 4% of a company's annual revenue. Individuals are also allowed the right to sue and obtain compensation from a noncompliant controller or processor. Two tiers of fines are created, depending on whether the controller or processor committed any previous violations and on the nature of the violation.

Data Protection Officers. The GDPR will require controllers or processors to appoint a data protection officer where the core activities of the controller or processor involve regular and systematic monitoring of data subjects on a large scale, or where the entity conducts large-scale processing of special categories of data. If data processing is a core activity and sensitive data is processed on a large scale, appointment of a DPO may be necessary. Those in the healthcare, insurance, pharma, biotech, and technology industries may need to hire additional data protection officers to comply.

Data Protection Impact Assessment (DPIA). Businesses may be required to implement data protection by design (e.g., when creating new products, services or other data processing activities). Controllers are required to carry out a DPIA when the type of processing is likely to result in a high risk to the rights and freedoms of natural persons. A DPIA is required if the controller engages in a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person. A DPIA may be required to identify privacy risks in any new products or services. Additional guidance from the European Data Protection Board may be necessary to determine when a DPIA is necessary.

Consent Requirements. Consent remains a lawful basis for the transfer of personal data under the GDPR. Consent, as a legal basis for processing, may be harder to obtain under the GDPR. The Directive allowed controllers to rely upon implied and opt-out consent in some limited circumstances. The GDPR requires a statement or a clear affirmative action by the data subject. Consent must be freely given, specific, informed, and unambiguous. Businesses that rely upon consent to process personal data will need to carefully review existing practices. Consent will not be considered valid if a data subject has to give consent to processing for the provision of a service where the processing is not necessary to the actual performance of the contract. New consent requirements apply to processing children's data.

One Stop Shop. The GDPR's intent is to harmonize data protection law within the EU. Under the Directive, a Data Processing Authority in a member state could exercise authority over any business operating within its territory. The GDPR creates a Supervisory Authority to act as lead and have jurisdiction over any complaints and violations.

Children. Parental consent must be obtained if the concerned individual is under 16 (unless the member state passes a law to lower this age, but in any event the age cannot be lower than 13).

Sensitive Data. More stringent requirements apply to sensitive data than under the EU Directive, including genetic, biometric, health, racial, and political data.

Enhanced Notice and Information Obligations. The Directive required the controller to provide data subjects certain minimum information before collecting data, including the identity of the controller, the purpose of processing, and any recipients of the data. Data subjects were given a limited right under the Directive to access data. The GDPR increases the number of disclosures required before collecting personal data, including how long the data will be stored. Data subjects must also be informed of their right to withdraw consent at any time. Controllers must provide a data subject any information they hold about that data subject, free of charge, and within one month of the request. More details may now need to be disclosed to data subjects, both initially (e.g., in a privacy policy) and in response to access requests. Controllers may be required to allow individuals to obtain a full copy of their data in a standard format and possibly facilitate transfer of the data to others. The information disclosed and rights to access are more robust under the GDPR.

New Rights: Right to be Forgotten and Data Portability. The GDPR codifies the right to be forgotten following the European Court of Justice's 2014 Google Spain decision so that it now applies to all controllers. Individuals will now have the right to request that businesses delete their personal data in certain circumstances (e.g., where the data is no longer necessary for the purposes for which it was collected). The GDPR adds a new right to data portability so that data subjects can request personal data collected about them or have it transferred to another provider of online services. Data portability only applies when processing was originally based on the user's consent or on a contract, and does not apply to processing based upon the controller's legitimate interests. Businesses may need to prepare for how they will comply with these requests for rectification and erasure of personal data or data portability, and for the means of handling and documenting requests from data subjects.

Cross Border Transfers. The GDPR allows personal data transfer outside the EU subject to compliance with set conditions. As provided in the Directive, the transfer of personal data to a location outside the EU remains restricted. Personal data of EU residents can only be transferred to a country with adequate data protection. Unless and until the United States is deemed to have adequate data privacy protection, the transfer of data must look to options such as the Privacy Shield, Model Contracts, Binding Corporate Rules, derogations such as consent, and other limited exceptions under the GDPR. Exceptions or derogations are allowed under the GDPR for the following: the data subject's explicit consent to the proposed transfer, provided the data subject is informed of the possible risks of such transfer due to the absence of an adequacy decision and appropriate safeguards are implemented; or the transfer of personal data is necessary for performance of a contract. The GDPR retains the same derogations as the Directive, including consent, but adds a new opportunity for a business to assert compelling legitimate interests of the controller. The GDPR acknowledges as valid the current requirements for BCRs as provided in the Directive. BCRs will still require prior approval by the DPA, but the process will be streamlined and easier to follow. Standard contractual clauses (model contracts) will no longer need prior DPA approval, as is currently required in some member states. Finally, a new program under the GDPR allows for transfer based upon codes of conduct or certifications that are approved by the relevant EU authority, so long as appropriate safeguards are applied.

[On October 6, 2015 the European Court of Justice invalidated the EU-US Safe Harbor framework that allowed the storage and processing of personal data of EU citizens so long as the business self-certified compliance with certain privacy policies and procedures. Thousands of businesses relied upon this safe harbor framework. On February 2, 2016 the European Commission and U.S. Department of Commerce announced a new data transfer framework, the so-called Privacy Shield, to replace the invalidated Safe Harbor agreement. The proposed Privacy Shield includes a federal ombudsman to oversee intelligence access to EU citizen data, a multi-step complaint process for EU citizens, and additional enforcement and remedies for noncompliance. On July 12, 2016 the Privacy Shield was finally approved. Businesses can self-certify with the United States Department of Commerce as of August 1, 2016. Additional materials, details, and guidance on Privacy Shield compliance are available at the US Department of Commerce website: https://www.commerce.gov/page/eu-us-privacy-shield]

What Should You Do Today?

You must continue to comply with the Directive while, at the same time, preparing for the GDPR and possibly the Privacy Shield. May 25, 2018 will be here sooner than you think. Start preparing now.

Perform a Risk Analysis. What risks does the business face under its current service model and activities? Where are the gaps that need to be filled?

Compliance Checklist.
- Transparency: privacy notices and information disclosure
- Collection and purpose limitations
- Children's information
- Consents and ability to withdraw
- Tracking of preferences
- Accuracy
- Privacy program management and processes
- Cross-border data transfer compliance
- Use of Data Protection Impact Assessments
- Obligations as controller and/or processor
- Third-party contracts to process information
- Records to document activities as controller/processor
- Documented data security program and processes
- Use of encryption and other technical safeguards
- Anonymization and pseudonymisation
- Data breach readiness and response
- Incident response plan
- Mechanism for providing access to information
- Handling of complaints and requests for erasure, correction, and opt-outs

Make Appropriate Changes. What steps can be taken to meet the new requirements?

Resource Planning. What resources are necessary to transition to the GDPR?

Budget. What additional costs may be incurred in compliance planning?

Team Approach. Engage all key stakeholders in planning, including the legal, HR, finance, product/service development, and marketing functions.