Even If You Are a U.S. Company, Don t Ignore the GDPR: Complying with the EU s New Data Privacy Law

On May 25, 2018, the European Union (EU)'s General Data Protection Regulation (GDPR) comes into force, broadening the scope of privacy obligations for companies doing business in or with Europe. The GDPR applies to all businesses that collect and use personal information of EU residents, including organizations located outside the EU. U.S. companies, including Data Processors in the United States, may be subject to the GDPR if they offer products or services to EU residents or if they monitor the behavior of such residents, even if they do not have a physical presence in the EU. Below is an overview of the GDPR as well as a GDPR Readiness Checklist to help companies prepare for their compliance obligations.

Background

The GDPR replaces the EU's Data Privacy Directive (Directive), adopted in 1995. The Directive established a privacy regime centered on the protection and rights of the individual to control how his/her personal data is collected and used. The Directive was not actually binding on the Member States. Instead, it required that each Member State enact its own national data privacy law consistent with the Directive by the end of 1998. However, these national privacy laws proved not to be consistent, either as enacted or as enforced by the Member States' Data Protection Authorities (DPAs). The GDPR, adopted in April 2016 with a two-year implementation period until May 25, 2018, seeks to remedy some of the flaws in the Directive. For example, the GDPR is a regulation, as opposed to a directive, and is therefore automatically applicable as internal law in each and every Member State. Accordingly, there is no requirement that Member States enact their own national data privacy laws incorporating the GDPR.

Member States, however, will need to revise their current privacy laws in order to supplement the GDPR in areas that are not finally settled by the GDPR, hence the importance of monitoring legal developments at both the EU and national level in the months leading up to the effective date of the GDPR this May. The intent of the GDPR is to establish a single set of privacy rules across the EU, thus harmonizing data privacy protections in the Member States and making compliance easier. Enforcement, however, will remain with the Member States. The GDPR provides that each Member State is to establish an independent Supervisory Authority (SA) to investigate complaints and conduct other enforcement actions. Where an entity has multiple locations in the EU, the SA in the Member State where the entity has its main establishment will be the lead enforcement authority, acting as the "one-stop shop" overseeing that entity's data processing activities throughout the EU. Member States also will retain primary jurisdiction over certain privacy issues that are not addressed or finally settled by the GDPR. While entities operating in the EU must take steps to comply with the GDPR, companies looking to comply with EU laws will also need to consider Member State laws or regulations that are adopted in conjunction with or as a supplement to the GDPR.

Finally, the GDPR does not affect the current ePrivacy Directive, adopted in 2002, which addresses the processing of Personal Data by providers of electronic communications services, such as Internet Service Providers. (The ePrivacy Directive is informally known as the "Cookie Law" because it requires, among other things, that EU businesses post a notification and obtain user consent if they use cookies on their websites.) While the EU has initiated a review of the ePrivacy Directive to make it consistent with the GDPR, this effort is not expected to be completed by May 25. Like the GDPR, the updated ePrivacy rules are expected to take the form of an EU-wide regulation and will therefore not require that Member States implement their own consistent national laws.

Key Provisions/Key Changes in the GDPR from the 1995 Directive

The GDPR seeks to strengthen the ability of EU residents (Data Subjects) to be informed about and control what data is collected about them and how it is used. The definition of Personal Data under the GDPR is even broader than under the Directive: "[P]ersonal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address." Moreover, Data Controllers (the entities that collect the Personal Data from an EU resident and control how it is used) and Data Processors (the entities that process Personal Data on behalf of Data Controllers) must provide individuals access to information about what Personal Data is collected about them and how it is processed. In certain cases, the individual is entitled to request that their Personal Data be erased from the records of the Data Controller and Data Processor.

Below is a summary list of other important changes and requirements found in the GDPR:

Consent -- Companies must get affirmative consent to process the personal information of individuals. Consent must be freely given, specific, informed and unambiguous. For example, an individual's failure to click an opt-out box, by itself, is not valid consent. Consent must also be reversible, and specific to each type of data processing.

Internal Compliance -- Businesses will need to implement comprehensive, EU-compliant data protection compliance programs and then be able to provide evidence of these programs to EU data protection authorities, if asked.

Built-In Privacy -- New products and services must encompass Privacy-by-Design or Privacy-by-Default concepts when personal information is to be collected. In addition, a Data Privacy Impact Assessment (DPIA) may be required to work out the risks inherent in new products or in connection with certain activities, and appropriate security and other protections would need to be implemented based on that risk assessment.

Data Breach Notification -- The GDPR imposes notification requirements for data breaches. Businesses will have only 72 hours to notify data protection authorities, and, in certain circumstances, affected individuals, after a data breach. They must also implement a specific data breach response and mitigation plan.

Individual Control -- Businesses must be responsive to requests from individuals to know what personal information is collected about them and how it is being used; individuals may object to the use of their personal information for profiling, and may request that their information be deleted (under certain circumstances).

Data Privacy Officers (DPOs) -- Depending on the nature of their business, non-EU companies may need to appoint a Data Privacy Officer.

Data Processor Obligations -- The GDPR imposes new requirements on Data Processors to implement security protections, keep records of their data processing, appoint an internal DPO (if necessary), facilitate responses to requests by individuals about what Personal Data is collected, comply with cross-border data transfer requirements, and notify Data Controllers of a data breach. Data Processors are directly liable under the GDPR for failing to comply with these requirements.

Increased Penalties -- The GDPR includes significantly increased penalties for violations, with fines as high as €10M or 2% of annual worldwide revenue, or €20M or 4% of annual worldwide revenue, depending on the type of violation.

U.S. Companies

In addition to determining whether a U.S. company is subject to the GDPR even if it has no physical presence in Europe, another important consideration for U.S. companies is whether they are involved with the cross-border transfer of EU residents' Personal Data from the EU to the U.S. for processing. The GDPR retains the 1995 Directive's prohibition against such transfers to any country that lacks adequate data protection law. The EU previously determined that United States laws do not provide adequate data protection, and the GDPR does not change that determination. As a work-around mechanism, in 2016 the EU and U.S. entered into the Privacy Shield Framework, under which U.S. companies self-certify with the U.S. Department of Commerce that they will comply with EU data protection requirements for Personal Data of EU residents that is transferred to the U.S. for processing. Be advised, however, that self-certification is not a substitute for complying with the GDPR. The Privacy Shield only addresses the transfer of Personal Data from the EU to the U.S. for processing. Self-certifying compliance with EU law under the Privacy Shield means a U.S. company will also have to comply with the GDPR when it becomes law in May 2018.

GDPR Readiness Checklist

Companies should be prepared for the May 25, 2018 implementation of the GDPR, and compliance efforts should be underway or begin as soon as possible. The expanded breadth of the GDPR calls for a comprehensive review of the current data privacy practices, policies and procedures of covered organizations. We provide this checklist to highlight those areas in the GDPR that will see the most significant changes from current EU data protection requirements:

Confirm data footprint in the EU -- Start by identifying and mapping data flows (document what data is collected, from whom and from where, how it is processed, how long it is retained and why, and to which third parties it is disclosed and why). Determine if fewer categories of data should be collected and processed given the purpose(s) for which the Personal Data is being collected.

Update customer-facing privacy policy -- The GDPR requires companies to obtain express consent from individuals whose Personal Data is collected, which means users must affirmatively agree either by statement or by a clear, affirmative action. Pre-clicked boxes will not be sufficient under the GDPR. Privacy policies, and actual practices, must reflect this updated requirement.

Update vendor agreements -- Review current vendor agreements for data protection terms and update them to include GDPR requirements.

Update processor agreements -- Review current processor agreements to ensure that the specific elements for these agreements set forth in the GDPR are included.

Determine if a Data Privacy Impact Assessment is necessary -- A formal Data Privacy Impact Assessment (DPIA) is to be conducted where the data processing presents high risks to the rights and freedoms of the individuals whose Personal Data is collected. A DPIA, moreover, is required where data processing includes profiling of individuals, large-scale processing of special categories of Personal Data, or large-scale and systematic monitoring of a public area.

Implement Privacy by Design -- Privacy by Design (also known as Privacy by Default) means taking steps to ensure that, by default, when developing a new product that involves data collection and processing, the data practices are the minimum necessary for the intended purpose. In addition, organizations must implement appropriate technical and non-technical protections for the Personal Data they collect.

Appoint a Data Protection Officer (if required) -- Data Controllers and Data Processors are required to appoint an internal DPO if their core activities include data processing that involves regular and systematic monitoring of individuals or large-scale processing of certain special categories of Personal Data.

Create/update procedures for processing user access requests and complaints -- Organizations must implement internal procedures to respond to individuals' requests and complaints regarding how their Personal Data is collected and processed. Under certain circumstances, the individual may be in a position to direct that his/her Personal Data be deleted.

Review and update data breach response policy and procedures -- Organizations must ensure that their Data Breach Mitigation Plan is updated to reflect the GDPR requirements.

Review and update record keeping procedures and policies -- Data Controllers and Data Processors must keep detailed records of their data processing activities.

Develop a cross-border transfer strategy (if implicated) -- Data Controllers and Data Processors must comply with cross-border transfer restrictions if Personal Data is sent outside the EU for processing. For example, U.S. Data Processors can self-certify under the EU-U.S. Privacy Shield Framework to authorize transfers of Personal Data from the EU to the United States for processing.

Conduct employee training on new requirements, processes and procedures, and update employee guidance and policies -- Educate and train employees on the new GDPR privacy protection requirements and processes. In addition, employee guidance and policy materials should be updated to reflect the GDPR requirements.

Periodic employee monitoring and security checks for compliance -- Conduct periodic reviews of employee practices and security protections to confirm compliance with GDPR requirements.

---------------

Outside GC is well positioned to assist you with determining how to comply with the GDPR. Our team includes U.S. and EU-trained attorneys experienced with data privacy requirements in the EU and well versed in the new obligations imposed by the GDPR as well as other data privacy laws and regulations in individual EU Member States not covered by the GDPR. We are also experienced with obtaining self-certification under the EU-U.S. Privacy Shield Framework for cross-border data transfers.

Stephan Grynwajc served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape.

Mark Johnson has over 20 years of experience advising clients on data privacy regulations and public policy, and is a former member of the Data Privacy practice group at the international law firm Squire Patton Boggs in Washington D.C.

Lakshmi Sarma Ramani served as the lead global attorney for privacy matters at The Nature Conservancy, where she also managed a wide range of legal and regulatory compliance matters, including cybersecurity, tax, finance, technology, marketing, membership and fundraising.

We would be happy to discuss your specific needs. Feel free to reach out directly to Stephan (Stephan@outsidegc.com), Mark (mjohnson@outsidegc.com) or Lakshmi (lsramani@outsidegc.com), or request more information by visiting our Contact Us page.