TRANSCRIPT
General Data Protection Regulation. What to expect and how to prepare?
18 May 2016
Kolvin Stone, Global Co-Chair Cybersecurity and Data Privacy
Dr. Christian Schröder, Head of IP/IT and Data Privacy Germany
Introduction
1. Introduction
2. Rationale and Background to GDPR
3. Effective Date: 25 May 2018
Agenda
1. Key Aspects of the EU Regulation
2. How to Prepare
3. Questions
Key Aspects of the EU Regulation
1. Harmonization
2. Risk-Based Approach
3. Wider Scope
4. Stronger Incentives for a Compliance Organization
5. Data Protection Impact Assessments
6. Sensitive Personal Data
7. Transparent Information for Data Subjects
8. Rights of Individuals
9. International Transfers
10. Severe Sanctions and Enforcement
Key Aspects of the EU Regulation (continued)
Harmonization
– Increased harmonization of data protection laws across the EU
• The Regulation is directly applicable in all Member States; unlike the
Directive, it does not need to be implemented nationally
• One continent, one law?
– The EU Regulation leaves Member States much room for deviations:
• Employee data privacy law
Member States may provide for more specific rules regarding personal
data processing in the context of employment, e.g., for the purposes of
recruitment and performance of the contract of employment
• Information obligation to data subject
Information obligations do not apply where personal data must remain
confidential subject to an obligation of professional secrecy regulated
by Union or Member State law
Key Aspects of the EU Regulation (continued)
Harmonization
• Genetic data, biometric data, data concerning health
Member States may maintain or introduce additional conditions (e.g.,
limitations) regarding this matter
• Child's consent
Member States may provide by law for a lower age for the child’s
consent than 16 years, but not below 13 years
• Data Protection Officer
Designation of a data protection officer is also necessary where required
by Union or Member State law
• National identification number and general identities
Key Aspects of the EU Regulation (continued)
Harmonization
• Protection of data subjects
• Journalism and freedom of expression
• Artistic and literary expression
• Important national economic interests
– Less administrative burdens
– One-Stop-Shop Mechanism is introduced
Key Aspects of the EU Regulation (continued)
Risk-Based Approach
– More reliance on independent risk assessments
– Data breach reporting where processing of personal data is likely to result
in high risk to rights and freedoms of individuals
– Right to object applied more restrictively
– Less strict clauses for marketing or scoring, as compared to some
national laws, and more reference to broader provisions (balancing of
interests based justification)
– Appointment of data protection officer only mandatory where core activities
require systematic monitoring of individuals on a large scale or where
special categories of data are processed on a large scale
– More notification requirements which may trigger more opposition
Key Aspects of the EU Regulation (continued)
Wider Scope
– Applicability in case of no establishment in the EU (extraterritorial application)
– Increased obligations for data processors
Stronger Incentives for a Compliance Organization
– Code of Conduct
– Privacy by design and by default
– General increased compliance organization in order to reduce risk of fines
– Role of data protection officer
– Introduction of a mandatory personal data breach reporting obligation
within 72 hours unless breach is unlikely to result in a risk for the rights
and freedoms of individuals
Key Aspects of the EU Regulation (continued)
Data Protection Impact Assessments (DPIA)
– Mandatory DPIAs (at least) in cases where processing of personal data is
likely to result in high risk to rights and freedoms of individuals (e.g.,
discrimination, identity theft or fraud, financial loss)
– DPIAs are particularly required in these cases:
• a systematic and extensive evaluation of personal aspects relating to
individuals which is based on automated processing, and on which decisions
are based that produce legal effects or similarly significantly affect the
individual
• processing of sensitive personal data (e.g., ethnic origin) on a large
scale
• systematic monitoring of publicly accessible areas on a large scale
– Risk assessment and demonstration of compliance with the Regulation
(competitive advantage)
Key Aspects of the EU Regulation (continued)
Personal Data
– Definition expanded to include location data and online identifiers
Sensitive Personal Data
– Definition widened to include genetic data; biometric data; and
philosophical beliefs
Transparent Information for Data Subjects
– Significant increase in the amount and detail of information to be provided
to individuals:
• Legal basis for processing
• The legitimate interests pursued by the data controller or third party
• Reference to the applicable international data transfer mechanism
• About data processing by third parties
• Data retention periods
Key Aspects of the EU Regulation (continued)
Rights of Individuals
– Right to erasure / right to be forgotten
– Data portability right
– Right to object to automated profiling
International Transfers
– Adequacy decisions under the Directive remain
– Mechanism for periodic review of new adequacy decisions every four
years
– ‘Compelling legitimate interests’ as a derogation
– Transfers not authorized by Union law restricted
Key Aspects of the EU Regulation (continued)
Severe Sanctions and Increased Enforcement
– More severe fines for non-compliance. Maximum penalties of up to
20,000,000 Euro or 4% of the company’s annual worldwide turnover
– Data subject has:
• Right to a judicial remedy against a controller or processor
• Right to compensation for damage suffered (including non-pecuniary
damage)
– Direct liability of data controllers and processors towards the data subjects
is introduced
– Associations and bodies can bring action on behalf of data subjects
How to Prepare
– Awareness
• Make sure that key people are aware that the law is changing and understand
the impact. Form a working party
– Information you hold
• Organise an information audit. Document what personal data you hold, where
it came from and who you share it with
– Communicating privacy information
• Review your current privacy notices and put a plan in place for making any
necessary changes in time for GDPR implementation
– Individuals' rights
• Review your products, services and procedures to ensure they cover the new
rights of individuals
How to Prepare (continued)
– Legal basis for processing personal data
• Review the various types of data processing you carry out, identify
your legal basis for carrying it out and document it
– Consent
• Review how you are seeking, obtaining and recording consent and whether
you need to make any changes
– Children
• Consider putting systems in place to verify individuals' ages and to gather
parental or guardian consent
– Data breaches
• Review data breach policies and procedures against the new rules
How to Prepare (continued)
– Privacy by Design and Impact Assessments
• Develop policies to meet the new requirements on PbyD and Privacy
Impact Assessments and consider deploying privacy enhancing
technologies
– Governance and Data Protection Officers
• Review governance structures and designate a Data Protection Officer
– International
• Determine which data protection supervisory authority you come under
– Review Customer Contracts
• Who bears the cost of change in law?
When reviewing/preparing policies, be aware of unharmonized areas
– The Regulation does not apply at all to some areas and, for many others, it
enables Member States to establish national laws, for example: information
obligations to data subjects, children's consent, or employee data privacy
law.
How to Prepare (continued)
• For questions please contact:
Contact
Dr. Christian Schröder, Partner, Head of IP/IT and Data Privacy Germany
Orrick, Herrington & Sutcliffe LLP, Heinrich-Heine-Allee 12, 40213 Düsseldorf, Germany
Tel: +49 (0) 211-36787-316; Fax: +49 (0) [email protected]
Kolvin Stone, Partner, Global Co-Chair Cybersecurity and Data Privacy
Orrick, Herrington & Sutcliffe LLP, 107 Cheapside, London, EC2V 6DN, DX: 557 London/City, United Kingdom
Tel: +44 20 7862 4701; Fax: +44 20 7862 [email protected]
Course: 2016 EU Privacy Webinar: General Data Protection Regulation Finally Adopted - What to Expect and How to Prepare
Format: Webconference
Instructor(s): Schröder, Christian; Stone, Kolvin
CA Credits: 1 General - Participatory
NY Credits: 1 PP
Date: 5/18/2016
Time: 12:00-1:00PM EDT
Location: New York (New York, NY)