
General Data Protection Regulation. What to expect and how to prepare?

18 May 2016

Kolvin Stone, Global Co-Chair Cybersecurity and Data Privacy

Dr. Christian Schröder, Head of IP/IT and Data Privacy Germany

Introduction

1. Introduction

2. Rationale and Background to GDPR

3. Effective Date: 25 May 2018


Agenda

1. Key Aspects of the EU Regulation

2. How to Prepare

3. Questions

Key Aspects of the EU Regulation

1. Harmonization

2. Risk-Based Approach

3. Wider Scope

4. Stronger Incentives for a Compliance Organization

5. Data Protection Impact Assessments

6. Sensitive Personal Data

7. Transparent Information for Data Subjects

8. Rights of Individuals

9. International Transfers

10. Severe Sanctions and Enforcement


Key Aspects of the EU Regulation (continued)

Harmonization

– Increased harmonization of data protection laws across the EU

• The Regulation is directly applicable in all Member States; unlike the Directive, it does not need to be implemented nationally

• One continent, one law?

– The EU Regulation leaves Member States much room for deviations:

• Employee data privacy law

Member States may provide for more specific rules regarding personal data processing in the context of employment, e.g., for the purposes of recruitment and performance of the contract of employment

• Information obligation to data subject

Information obligations do not apply where personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law

Key Aspects of the EU Regulation (continued)

Harmonization

• Genetic data, biometric data, data concerning health

Member States may maintain or introduce additional conditions (e.g., limitations) regarding this matter

• Child's consent

Member States may provide by law for a lower age for the child's consent than 16 years, but not below 13 years

• Data Protection Officer

Designation of a data protection officer is also necessary where required by Union or Member State law

• National identification number and general identities


Key Aspects of the EU Regulation (continued)

Harmonization

• Protection of data subjects

• Journalism and freedom of expression

• Artistic and literary expression

• Important national economic interests

– Fewer administrative burdens

– One-Stop-Shop mechanism is introduced

Key Aspects of the EU Regulation (continued)

Risk-Based Approach

– More reliance on independent risk assessments

– Data breach reporting where processing of personal data is likely to result in high risk to the rights and freedoms of individuals

– Right to object applied more restrictively

– Less strict clauses for marketing or scoring, as compared to some national laws, and more reference to broader provisions (balancing-of-interests-based justification)

– Appointment of a data protection officer only mandatory where core activities require systematic monitoring of individuals on a large scale or where special categories of data are processed on a large scale

– More notification requirements, which may trigger more opposition


Key Aspects of the EU Regulation (continued)

Wider Scope

– Applicability in case of no establishment in the EU (extraterritorial application)

– Increased obligations for data processors

Stronger Incentives for a Compliance Organization

– Code of Conduct

– Privacy by design and by default

– Generally increased compliance organization in order to reduce the risk of fines

– Role of data protection officer

– Introduction of a mandatory personal data breach reporting obligation within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of individuals

Key Aspects of the EU Regulation (continued)

Data Protection Impact Assessments (DPIA)

– Mandatory DPIAs (at least) in cases where processing of personal data is likely to result in high risk to the rights and freedoms of individuals (e.g., discrimination, identity theft or fraud, financial loss)

– DPIAs are particularly required in these cases:

• systematic and extensive evaluation of personal aspects relating to individuals, based on automated processing, on which decisions are based that produce legal effects or similarly significantly affect the individual

• processing of sensitive personal data (e.g., ethnic origin) on a large scale

• systematic monitoring of publicly accessible areas on a large scale

– Risk assessment and demonstration of compliance with the Regulation (competitive advantage)


Key Aspects of the EU Regulation (continued)

Personal Data

– Definition expanded to include location data and online identifiers

Sensitive Personal Data

– Definition widened to include genetic data, biometric data and philosophical beliefs

Transparent Information for Data Subjects

– Significant increase in the amount and detail of information to be provided to individuals:

• Legal basis for processing

• The legitimate interests pursued by the data controller or third party

• Reference to the applicable international data transfer mechanism

• Data processing by third parties

• Data retention periods

Key Aspects of the EU Regulation (continued)

Rights of Individuals

– Right to erasure / right to be forgotten

– Right to data portability

– Right to object to automated profiling

International Transfers

– Adequacy decisions under the Directive remain

– Mechanism for periodic review of new adequacy decisions every four years

– 'Compelling legitimate interests' as a derogation

– Transfers not authorized by Union law restricted


Key Aspects of the EU Regulation (continued)

Severe Sanctions and Increased Enforcement

– More severe fines for non-compliance: maximum penalties of up to 20,000,000 Euro or 4% of the company's annual worldwide turnover

– Data subject has:

• Right to a judicial remedy against a controller or processor

• Right to compensation for damage suffered (including non-pecuniary damage)

– Direct liability of data controllers and processors towards the data subjects is introduced

– Associations and bodies can bring action on behalf of the data subject

How to Prepare

• Awareness

Make sure that key people are aware that the law is changing and understand the impact. Form a working party

• Information you hold

Organise an information audit. Document what personal data you hold, where it came from and who you share it with

• Communicating privacy information

Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation

• Individuals' rights

Review your products, services and procedures to ensure they cover the new rights of individuals


How to Prepare (continued)

• Legal basis for processing personal data

Review the various types of data processing you carry out, identify your legal basis for carrying it out and document it

• Consent

Review how you are seeking, obtaining and recording consent and whether you need to make any changes

• Children

Consider putting systems in place to verify individuals' ages and to gather parental or guardian consent

• Data breaches

Review data breach policies and procedures against the new rules

How to Prepare (continued)

• Privacy by Design and Impact Assessments

Develop policies to meet the new requirements on Privacy by Design (PbyD) and Privacy Impact Assessments, and consider deploying privacy-enhancing technologies

• Governance and Data Protection Officers

Review governance structures and designate a Data Protection Officer

• International

Determine which data protection supervisory authority you come under

• Review Customer Contracts

Who bears the cost of a change in law?


How to Prepare (continued)

When reviewing/preparing policies, be aware of unharmonized areas

– The Regulation does not apply at all to some areas and, for many others, it enables Member States to establish national laws, for example: information obligations to data subjects, children's consent, or employee data privacy law.


• For questions please contact:

Contact

Dr. Christian Schröder, Partner, Head of IP/IT and Data Privacy Germany
Orrick, Herrington & Sutcliffe LLP, Heinrich-Heine-Allee 12, 40213 Düsseldorf, Germany
Tel: +49 (0) 211-36787-316 | Fax: +49 (0) | Email: [email protected]

Kolvin Stone, Partner, Global Co-Chair Cybersecurity and Data Privacy
Orrick, Herrington & Sutcliffe LLP, 107 Cheapside, London, EC2V 6DN, DX: 557 London/City, United Kingdom
Tel: +44 20 7862 4701 | Fax: +44 20 7862 | Email: [email protected]


ORRICK

Attendance Sheet

ATTENDANCE VERIFICATION CODE:

*If a code is spoken during the program to verify attendance, please write the code in the space above*

Course: 2016 EU Privacy Webinar: General Data Protection Regulation Finally Adopted - What to Expect and How to Prepare
Format: Webconference
Instructor(s): Schröder, Christian; Stone, Kolvin
CA Credits: 1 General - Participatory
NY Credits: 1 PP
Date: 5/18/2016
Time: 12:00-1:00PM EDT
Location: New York (New York, NY)

Name | Sign In | Time In | Sign Out | Time Out | License State | Bar Number | Email

Attendance monitored and verified by:

PLEASE RETURN TO MELISSA WOODS IN THE GOC ([email protected])



ORRICK

New York MCLE Activity Evaluation - please return to [email protected]

Course: 2016 EU Privacy Webinar: General Data Protection Regulation Finally Adopted - What to Expect and How to Prepare
Date: 5/18/2016
Time: 12:00-1:00PM EDT
Location: New York (New York, NY)
Format: Webconference
Instructor(s): Schröder, Christian; Stone, Kolvin
CA CLE Credits: 1 General
NY CLE Credits: 1 PP

1. Program Content (Multiple Choice)
Please rate: Excellent / Good / Fair / Poor / N/A

2. Instructor Quality (Multiple Choice, Instructor)
Please rate:
Instructor: Schröder, Christian: Excellent / Good / Fair / Poor / N/A
Instructor: Stone, Kolvin: Excellent / Good / Fair / Poor / N/A

3. Written Materials (Multiple Choice)
Please rate: Excellent / Good / Fair / Poor / N/A

4. Facility (Multiple Choice)
Please rate: Excellent / Good / Fair / Poor / N/A

5. Effectiveness of Technology (Multiple Choice)
Please rate: Excellent / Good / Fair / Poor / N/A

6. Relevance (Multiple Choice)
Please rate: Excellent / Good / Fair / Poor / N/A



ORRICK

New York MCLE Activity Evaluation - please return to mwoods@orrick.com

Course: 2016 EU Privacy Webinar: General Data Protection Regulation Finally Adopted - What to Expect and How to Prepare
Date: 5/18/2016
Time: 12:00-1:00PM EDT
Location: New York (New York, NY)

7. What was the most valuable part of this seminar? (Essay)
Comments:

8. What changes would you recommend to make the seminar more helpful to you? (Essay)
Comments:

9. General Comments (Essay)
Comments:

10. Name (optional) (Fill in the blank)



ORRICK

California MCLE Activity Evaluation Form - please return to [email protected]

Course: 2016 EU Privacy Webinar: General Data Protection Regulation Finally Adopted - What to Expect and How to Prepare
Date: 5/18/2016
Time: 12:00-1:00PM EDT
Location: New York (New York, NY)
Format: Webconference
Instructor(s): Schröder, Christian; Stone, Kolvin
CA CLE Credits: 1 General
NY CLE Credits: 1 PP

1. Did this program meet your educational objectives?* (Rating)
Please rate on a scale of 1 to 5 (5 being the highest, best or most; 1 being the least, lowest or worst). 5 / 4 / 3 / 2 / 1

2. Did the environment have a positive influence on your learning experience?* (Rating)
Please rate on a scale of 1 to 5 (5 being the highest, best or most; 1 being the least, lowest or worst). 5 / 4 / 3 / 2 / 1

3. Were you provided with substantive written materials?* (Rating)
Please rate on a scale of 1 to 5 (5 being the highest, best or most; 1 being the least, lowest or worst). 5 / 4 / 3 / 2 / 1

4. Did the course update or keep you informed of your legal responsibilities?* (Rating)
Please rate on a scale of 1 to 5 (5 being the highest, best or most; 1 being the least, lowest or worst). 5 / 4 / 3 / 2 / 1

5. Did the activity contain significant current professional content?* (Rating)
Please rate on a scale of 1 to 5 (5 being the highest, best or most; 1 being the least, lowest or worst). 5 / 4 / 3 / 2 / 1

6. Please rate the faculty* (Rating, Instructor)
Overall teaching effectiveness
Instructor: Schröder, Christian: 5 / 4 / 3 / 2 / 1
Instructor: Stone, Kolvin: 5 / 4 / 3 / 2 / 1



ORRICK

California MCLE Activity Evaluation Form - please return to [email protected]

Course: 2016 EU Privacy Webinar: General Data Protection Regulation Finally Adopted - What to Expect and How to Prepare
Date: 5/18/2016
Time: 12:00-1:00PM EDT
Location: New York (New York, NY)

7. Please rate the faculty* (Rating, Instructor)
Effectiveness of teaching methods
Instructor: Schröder, Christian: 5 / 4 / 3 / 2 / 1
Instructor: Stone, Kolvin: 5 / 4 / 3 / 2 / 1

8. Please rate the faculty* (Rating, Instructor)
Significant current knowledge of subject
Instructor: Schröder, Christian: 5 / 4 / 3 / 2 / 1
Instructor: Stone, Kolvin: 5 / 4 / 3 / 2 / 1

9. Name of Participant (optional): (Fill in the blank)

Additional Comments:

* Required Question
