TRANSCRIPT
Roadmap to the GDPR: Brexit Analysis, Outsourcing & Processors
July 14, 2016
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 2
Speakers
Peter Swire, Senior Counsel, Atlanta, Alston & Bird
Jan Dhont, Partner, Brussels, Alston & Bird
Karen Sanzaro, Counsel, Washington, D.C., Alston & Bird
Overview
Update on the Privacy Shield.
Brexit and Data Protection in Europe.
The GDPR. Outsourcing and Processors.
Outsourcing. The US perspective.
Insert Peter’s slides
Brexit - The Broader Picture
Brexit has no immediate legal effect but complicates long-term planning
Process: 2-year negotiation period after formal notification to the European Council (Art. 50 TEU, the EU Treaty)
A withdrawal agreement requires a qualified majority in the European Council and the consent of the European Parliament
Outcome unclear, a lot of speculation (EEA- or EFTA-type deal; free trade agreement)
After exit: substantial UK legislation remains in place that implements EU Directives
EU Regulations (directly applicable, with no national implementing act) will cease to apply
Brexit and Data Privacy
Until formal exit the UK remains part of the EU: UK companies may import/export personal data freely within the EU/EEA
Third-country transfer restrictions apply as usual
After exit? The UK becomes a "third country"
GDPR will not directly apply; absent an adequacy decision the UK is formally "inadequate"
Main establishment (one-stop-shop) status of UK establishments: uncertain future
UK may amend the Data Protection Act to reflect the GDPR and seek an adequacy decision (cf. Switzerland)
Privacy Shield can be used by UK companies until Brexit.
Practical guideline: include the UK in the GDPR implementation plan as before.
Outsourcing & Processors
Introduction
- Controller / Processor duality maintained
- Processors are liable under the GDPR
- Increased importance of information security
Territorial Scope/Applicable Law
Does the law apply? Directive (95/46/EC) versus GDPR, by where the company is located:

Controller located inside the EU
- Directive: Yes
- GDPR: Yes

Processor located inside the EU
- Directive: No
- GDPR: Yes (new!)

Controller located outside the EU
- Directive: No, unless use of equipment (or a processor) in the EU
- GDPR: Yes, if the processing relates to (i) offering goods or services to data subjects in the EU, or (ii) monitoring their behaviour in the EU (new!)

Processor located outside the EU
- Directive: No
- GDPR: Yes, if the processing relates to (i) offering goods or services to data subjects in the EU, or (ii) monitoring their behaviour in the EU (new!)

Under the Directive:
- In principle no direct obligations for processors
- Varying national information security standards distort the market
- A vendor based in the EEA may trigger the "use of equipment" standard

Under the GDPR:
- Direct obligations for processors
- In principle only one information security standard
- "Use of equipment" criterion not maintained, replaced by the "monitoring" criterion
Territorial Scope/Applicable Law
Practical consequences:
- Companies (controllers and processors) outside the EU but subject to the GDPR need to appoint a representative in the EU (Article 27 GDPR).
- Companies (controllers and processors) in the U.S. may be subject to the GDPR even if they have no presence in the EU, and may be required to apply the outsourcing requirements.
- Processors in the EU may have a competitive disadvantage compared to processors outside the EU.
The Controller’s Perspective
Outsourcing Requirements - Regime
Controllers may only use vendors that provide "sufficient guarantees" to implement appropriate technical and organizational measures:
- so that the processing is GDPR-compliant and
- the data protection rights of individuals are ensured (Article 28(1) GDPR)
Requirement 1: Select an Adequate Vendor
Assessment:
- Substantially higher standard than under the Directive
- Vendor vetting (and tracking thereof) will become key
- Expected move towards increased information security (especially encryption) and incident tracking services
- Vendors need to anticipate enhanced consumer choice and accommodate privacy-by-design/default
- This also applies to vendors outside the EU if they want to maintain EU market share
Outsourcing Requirements - Regime (cont.)
Requirement 2: Controllers remain responsible for sub-contracting (Article 28(2) and (4))
- Sub-contracting requires the specific or general written authorization of the controller.
- The sub-contractor must be bound by "the same data protection obligations" as set out in the contract between the controller and the processor.
- The processor remains fully liable to the controller for the sub-processor's failure to comply.
Assessment:
- Sub-contracting must be part of vendor vetting
- Applying "the same data protection obligations" can be problematic in practice
- Vendors acting as sub-vendors need to anticipate controllers' compliance needs; this may also create competitive advantages (e.g., providers of security monitoring/encryption services)
Outsourcing Requirements - Regime (cont.)
Requirement 3: Mandatory Stipulations
- The processing must be governed by a contract or other legal act under EU law that binds the processor.
- The contract must be in writing, which can be in electronic form.
- Commission-approved "model contract" clauses are possible (Article 28(7)).
- Existing arrangements are not "grandfathered" under the GDPR
Assessment:
- Review of service agreements is required and in some cases calls for strategic planning:
  - Prioritization
  - Gap assessment
  - Documentation of vendor commitments/agreed measures
  - Contract amendment/termination
- Negotiations may be difficult, e.g. liability caps, (in)sufficient cyber-security insurance, etc.
- Consider data processing templates and a vendor onboarding process/program
Outsourcing Requirements - Mandatory Stipulations
Required Terms (Article 28 (3) GDPR).
Details on (i) subject-matter and duration of processing, (ii) nature and purpose of processing, (iii) type of personal data and data subjects, and (iv) obligations and rights of the controller
Processing on Instructions. Only process data on “documented instructions” from the controller. Including data transfers outside the EU.
Confidentiality undertaking. Personnel authorized to process data must be subject to confidentiality obligations.
Security measures. Implement appropriate information security measures (Article 32 GDPR).
Engagement of sub-processors. The processor must respect the GDPR’s regime on sub-processing (including flow-down of obligations).
Assist on data subject rights.
Assist on controller obligations. Includes assistance with respect to (i) appropriate information security; (ii) breach notification; (iii) DPIAs; and (iv) audits by the Supervisory Authority.
Data deletion/return.
Information and audits. Processor must make available to controller “all information required to demonstrate compliance” with outsourcing requirements and permit controller (mandated) audits.
Accountability Requires Vendor Management Program
Vendor Selection
• Risk categorization
• Review of transfers and uses
• Subcontractors
• Security review
• Vendor solvency and cyber-insurance
Contract Management
• Develop template data processing agreements
• Service agreements should enable and facilitate oversight, including audit rights, on-site inspections, periodic testing and vendor reporting obligations
Audit & Oversight
• Vendor inventory: a record for each vendor containing basic vendor information, data mapping and relevant documentation (service agreements, processing instructions, reports on data breaches, etc.)
• Review procedures and templates: SOPs on the regularity and intensity of oversight, and standard forms for conducting and documenting reviews
• Governance and follow-up: relevant company stakeholders should be involved and have sign-off responsibility for oversight assessment and remediation
The Processor’s Perspective
Obligations for Vendors
1. Maintain a record of processing activities and keep it available to SAs (Article 30(2) GDPR):
- Processor information / contact details
- Controller (client/customer) information, for each controller
- Categories of processing carried out on behalf of each controller
- Transfers: identification of any "third countries" to which data are transferred
- Security measures: general description, "where possible", of the technical and organizational measures
Obligations for Vendors (cont.)
2. Cooperation duty with Supervisory Authorities.
3. Designate a representative (if applicable) and/or a DPO as required under the GDPR or by national law.
4. Comply with data transfer regime.*
5. Comply with sub-contractor and “down-flow” requirements.
6. Obligation to notify the controller without undue delay in case of personal data breach.
Considerations for Processors
Work on a strategy to deal with potential liability and customer demands:
- Assess potential liability exposure and options to reduce exposure (e.g., contractual, relocation of data center, etc.).
- Anticipate specific demands in terms of enhanced information security, breach response, privacy-by-design/default and cooperation with SA inspections.
- Accommodating client-driven GDPR expectations may cause system/back-end issues (heavy lifting may be required from IT).
Focus on sub-contractor oversight and controls.
Develop data processing language for service agreements in anticipation of customer requests.
Secure certain data uses (e.g. data analytics, improvement of service platforms) in agreements.
Liability Regime
Administrative Liability.
Both the controller and the processor are liable for compliance with the requirements applicable to them; for the processor-related obligations discussed here (Articles 25 to 39, including Articles 28 and 32) fines go up to 10 million Euros or 2 percent of total worldwide annual turnover, whichever is higher (Article 83(4)).
Processor is liable as controller for processing outside instructions (Article 28 (10)).
Civil Liability.
Controller is liable for damage caused by processing in violation of the GDPR.
Processor is liable for damage caused by processing in violation of provisions to which it is specifically subject.
Joint and several liability for obligations to which both controller and processor are subject. Possible to redistribute liability by contract.
Conclusion
GDPR is expected to result in heavy recalibration of legal and commercial relations between controllers/processors.
Vendor management should be high up on GDPR preparation list given expected complexities.
Vendors should start getting prepared. Challenges but also opportunities for vendors to anticipate client demands.
Large-scale processors may come under SA scrutiny – not the case under Directive.
Practical Considerations
What does it all mean? Enhanced Accountability for Controllers
“Sufficient Guarantees”
Direct application to processors
Mandatory Contract requirements
Joint and Several Liability
Enhanced Rights for Data Subjects
Breach Notification Requirements
Vendor Management Updates
Risk-Based Approach
Risk classification will drive the level of due diligence and oversight
A Data Protection Impact Assessment (DPIA) may be required (Article 35 GDPR):
- High-risk processing (new technologies, large-scale processing, sensitive data, processing that makes it difficult for data subjects to exercise their rights)
- Specific activities designated by Supervisory Authorities
The DPIA should take vendors into account
Data Security Considerations
Due Diligence
• Pseudonymization / encryption
• Business Continuity / Disaster Recovery
• Participation in approved codes of conduct
• Financial / cyber and other insurance
Contracts
• Allocation of responsibilities / liabilities
• Notification Requirements
Oversight
• Audits
• Regular Testing (e.g., annual penetration tests)
• Security questionnaire updates
• Participation in customer incident response planning and testing
Enhanced Data Subject Rights
Due Diligence
• Assessment of processor capabilities
• Right of access / erasure
• Data portability requirements
Contracts
• Allocation of responsibilities
• Fees
• Response Times
Oversight
• Reporting requirements
• Service Levels
• Audit rights
Subcontractor Objection Rights
Due Diligence
• Identify material subcontractors
• Include in DPIA / due diligence as necessary
• Data portability requirements
Contracts
• Right to Object
• Multi-tenant cloud and shared service offerings?
Oversight
• Reporting
• Audit rights
Controller Instruction
Due Diligence
• Scope of data processing
• Analytics?
Contracts
• Vendors will want to specify controller instructions
• Joint controller risk
Oversight
• Reporting
• Audit rights
Oversight and Governance
Identify Stakeholders:
Information Security
Privacy
Legal
Business
Active Monitoring
Remediation
Contract Support
New York Webcast Participation
If you are requesting CLE credit in New York, please enter the following code on the Attorney Affirmation sheet. Refer to your webcast confirmation for a link to the sheet
AB7132016
About Alston & Bird’s Privacy and Data Security Practice:
Follow us: @AlstonPrivacy
www.AlstonPrivacy.com
Cybersecurity Preparedness & Response Team
Alston & Bird’s Cybersecurity Preparedness & Response Team specializes in assisting clients in
both preventing and responding to security incidents and data breaches, including all
varieties of network intrusion and data loss events.
www.alstonsecurity.com
Privacy & Data Security Team
Our team helps clients at every step of the information life cycle, from developing and
implementing corporate policies and procedures to representation on transactional
matters, public policy and legislative issues, and litigation.
www.alston.com/privacy
Questions