Data Privacy Bootcamp: GDPR preparing for the general data protection regulation


Oliver Yaros, Partner, Mayer Brown
Rebecca Eisner, Partner, Mayer Brown
Kendall Burman, Counsel, Mayer Brown

Doing Business in a Connected World

Topics We Will Cover Today

• Data protection: The current framework and concepts
• The GDPR: The upcoming changes to data protection law
• Do you need to comply? Assessing whether the GDPR applies
• Preparing for the GDPR: The ten steps your business should take
• How we can help: The Mayer Brown GDPR Readiness Service

European Data Protection Law: The Current Framework

• European Data Protection Directive 95/46 adopted in 1995
• Personal data
• “Processing”
• Data controller
• Data processor
• Data subjects
• Supervised by national data protection authorities
• Criminal offenses, fines and other civil sanctions

European Data Protection Law: The Challenges

• Enormous technological change since 1995. The scale of data collection, use and sharing has increased dramatically, but the current law does not adequately address increasing concerns over misuse of data/data loss, the length of time data can be held and the issue of consent
• Covers personal data processed by data controllers established in the EU and those using equipment in the EU. Does not cover data controllers established outside the EU or data processors
• Enacted unevenly throughout the EU; compliance required with different sets of procedures in each member state
• Has led to spiralling bureaucracy, costing businesses around €2.3b a year according to the European Commission

The GDPR: The Reform Timeline in the Broader Context

“Citizens and businesses will benefit from clear rules that are fit for the digital age, that give strong protections and at the same time create opportunities and encourage innovations in a European Digital Single Market”

- Vera Jourova, EU Commissioner

• January 2012: Reform announced. First draft of GDPR released by European Commission
• June 2013: Edward Snowden leaks classified material. These reveal surveillance of companies in Safe Harbor program
• March 2014: Amended, tougher draft of GDPR adopted by European Parliament
• June 2015: European Commission, Parliament and Council start final negotiations on GDPR
• October 2015: CJEU invalidates Safe Harbor
• December 2015: GDPR final draft agreed by the European Union. Adopted in April 2016
• June 2016: EU-US Data Protection Umbrella Agreement agreed
• July 2016: EU-US Privacy Shield launched to replace Safe Harbor
• May 25, 2018: The GDPR becomes law within the European Union. All organizations must comply by this date

GDPR: The Key Changes

• A Regulation, not a Directive: The GDPR will be directly applicable in the same form in all EU Member States with the intention of reducing the burden on international organizations
• Changes to territorial scope: In addition to businesses that are established in the EU, non-EU businesses that process personal data in relation to the offer of goods or services to individuals within the EU, or as a result of monitoring individuals within the EU, will now have to comply
• Significantly higher fines: The maximum fine will be substantially increased to 4% of an enterprise's worldwide turnover or €20 million per infringement, whichever is higher
• New data loss notification obligation: The relevant European DPA must be notified without undue delay and where feasible within 72 hours. The individuals affected may also have to be notified

GDPR: The Key Changes

• New data privacy governance requirements: A data protection officer may have to be appointed to be responsible for an organization's compliance. Organizations will also be required to map their processing activities and undertake data protection impact assessments for higher risk processing
• A requirement to implement ‘privacy by design’: Businesses must now take a proactive approach to ensure that an appropriate standard of data protection is the default position taken
• Strengthening of individuals’ rights to personal data: Individuals will have the ‘right to be forgotten’, the ‘right to data portability’ and the right not to be subjected to automated data profiling
• Obligations on both data controllers and data processors: Service providers will be held accountable for their own level of appropriate security, must document their processing to the same extent under the GDPR and must obtain prior consent to use sub-processors

Assessing Whether the GDPR Applies

European Data Protection Directive 95/46 applies to:
• A data controller where it is established in an EU Member State and the data is processed in the context of that establishment
• A data controller where it is not established in an EU Member State but is using equipment in an EU Member State for processing data otherwise than for the purposes of transit through that Member State

General Data Protection Regulation 2016/679 applies to:
• The processing of personal data in the context of the activities of a data controller or data processor established in the EU, irrespective of where the processing takes place
• The processing of personal data of data subjects who are in the EU by a data controller or data processor not established in the EU, where the processing activities are related to:
  › The offering of goods or services to those data subjects; or
  › The monitoring of their behaviour in the EU

Get Ready to Comply: Ten Steps to Prepare for the GDPR

1. Inform Your Leadership, Formulate a Plan
2. Decide Whether a Data Protection Officer Should be Appointed and a Data Protection Framework Created
3. Map the Personal Data that Your Organization is Processing
4. Examine the Results to Determine Which of Your Data Processing Activities and Business Units Must Comply with the GDPR
5. Address the Risks Identified in Any Data Processing Activities
6. Review the Grounds Under Which Personal Data is Being Processed
7. Update Your Data Governance Policies and Procedures
8. Design and Implement New Compliance Systems to Comply with the GDPR
9. Review Your Supply Chain Contracts to Ensure that Your Service Providers will Comply
10. Assess any International Transfers of Personal Data Being Conducted by Your Business

Step 1: Inform Your Leadership, Formulate a Plan

• Senior management should be made aware of the changes to data protection law and how they will affect your business. Consider:
  › Providing an executive summary of a preliminary assessment of the application of the GDPR to your business and the potential implications of non-compliance to your leadership team
  › Asking external advisors to brief senior members of the management, legal or compliance teams on the requirements under the GDPR at the next team meeting
  › Drawing up a high level framework of the GDPR requirements that must be put into operation within your business and conducting an analysis to identify any gaps

• Senior management should designate the individuals that will formulate a plan for how your business will implement the requirements of the GDPR and will educate the wider workforce on its operational impact. Consider which individual(s) should be appointed based on:
  › Seniority within your organization, their role, knowledge of your business and their ability to effect change
  › Expertise in data privacy issues and experience in conducting business change projects
  › Which business unit (Legal? Compliance?) will be tasked with devising and implementing compliance and their relationship with that business unit

• When formulating a plan, consider:
  › Which business unit will be tasked with devising and implementing compliance
  › How your organization has implemented business change projects before and whether any elements of previous plans can be reused
  › Whether an existing data privacy framework exists within your organization and whether that can be used as a starting point and adapted to comply with the GDPR
  › Whether a previous data protection risk or gap analysis exists and can be used to help formulate the plan
  › Whether external advisors or providers can be utilized to assist your organization to formulate the plan

Step 2: Appoint a Data Protection Officer?

• Decide whether it is required under the GDPR to appoint a data protection officer (DPO) who will be responsible for the implementation of the requirements of the GDPR and monitoring compliance with it.
• A DPO must be appointed if:
  › The relevant data processing activity is carried out by a public authority or body;
  › The core activities of the relevant business involve regular and systematic monitoring of individuals, on a large scale; or
  › The core activities of the relevant business involve processing of sensitive personal data, or data relating to criminal convictions and offenses, on a large scale.

Responsibilities of a DPO
• Monitor compliance with GDPR
• Assist with the production of DPIAs
• Pay particular attention to high risk processing
• Available for data subject concerns
• Cooperate with DPAs

Rights of a DPO
• Sufficient funding and access to perform the role
• Certain degree of autonomy
• Protected under the GDPR from unfair dismissal/termination in some cases
• Business must involve the DPO from the outset in all related issues

Step 3: Map Your Personal Data

Why map data?
• GDPR requires a detailed record of data processing activities, which may need to be shared with regulators.
• You need to understand your data in order to comply with various GDPR obligations. Data mapping should be done in order to determine the types of data you are collecting, the purposes for which it is being processed, how it was obtained, and the parties that it is being shared with.
  › Types of data: Understand types of data recognized by the Regulation (new elements of personal data, sensitive personal data, pseudonymous data...)
  › Purposes for processing: Assess “grounds for processing” to ensure that it is appropriately limited
  › How it was collected: Need to know how data was obtained in order to evaluate new consent rules
  › Parties involved: GDPR includes new obligations with regard to third party contracts, but you also must know which party bears responsibility for compliance

What do I need to “map”?
• Type of data and any classification
• Location of data/nationality of subjects
• Form of collection (or how it is obtained)
• Policies attached to the data and the purposes described
• Transfers and disclosures between business and third-parties
• Details on storage (including where stored and who manages the system; whether there are back-ups)
• Compiled with other information
• Encryption and destruction schedule

How do I “map” it?
• Gather information:
  › Make a plan
  › Identify and review relevant policies
  › Involve key actors and prepare questionnaires and interviews
  › Assess where your data is processed and who it is being shared with
  › Ensure mapping is ongoing
• Make it visual (i.e., a map)
• Identify any gaps

Step 4: Examine the Impact

• Whether GDPR applies: The information gathered from the personal data mapping exercise should be used to assess which parts of your business and which data processing activities must comply with the GDPR.
  › Example #1 – Map of non-EU company’s data flows shows collection of personal data on EU subjects through commercial website. Is company offering “goods or services” to EU data subjects?
  › Example #2 – Map of company with physical presence in EU shows collection of sensitive HR data on EU subjects. Is company required to appoint DPO?
• Compliance and accountability: Additionally, GDPR ushers in a new accountability regime. Good data governance practices – including identifying leadership and mapping data – are needed for recordkeeping to demonstrate compliance, as well as to evaluate the risk level of processing activities.

Step 5: Address the Risks

• Data protection impact assessments (DPIAs) should be conducted to identify and minimize the risks associated with the processing of personal data by your business, particularly where there are high risks to the rights and freedoms of the individuals concerned by the activities that are being or are going to be carried out.
• A DPIA must be conducted with respect to activities that are likely to result in a high risk to the rights and freedoms of the individuals concerned, particularly when using new technologies. These include activities that involve:
  › Systematic, extensive evaluation of personal aspects of persons based on automated processing – i.e. profiling;
  › The processing of sensitive personal data, criminal convictions and offenses;
  › Systematic monitoring of publicly accessible areas on a large scale; or
  › Other activities identified by national DPAs from time to time.

• When conducting a DPIA, data controllers must consult about the proposed processing in certain circumstances:
  › Where appropriate, the data controller must seek the views of data subjects or their representatives on the intended processing
  › Where a DPIA indicates that the processing would result in a high risk in the absence of any measures taken to mitigate the risk, the data controller must submit the DPIA and a description of the processing, entities involved and their responsibilities, measures taken to reduce the risk etc. to the relevant DPA for consultation
  › Where the DPA has sufficient information to review the DPIA, the DPA has an eight week period (extendable to 14 weeks) to consider it. If the DPA believes the processing would infringe the GDPR, it will provide written advice on how to proceed with the processing/further minimize the risk etc. and can use its powers to ban/suspend the proposed processing.
• Where necessary, the data controller must subsequently review the DPIA where there is a change of the risk represented by the processing operations.

• No set format for a DPIA, but it must contain:
  › A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  › An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  › An assessment of the risks to the rights and freedoms of data subjects; and
  › The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.
• The DPIA exercise is typically conducted in two parts:
  › A questionnaire for your business representatives to complete
  › Carrying out the DPIA itself. The document typically contains a description of the processing activities, data flows, an assessment of the risk in the form of a risk register and a description of the actions taken/solutions adopted to reduce or mitigate the risks identified

Step 6: Review the Grounds for Processing

• Using the information collected during the data mapping and DPIA exercise, a review should be conducted into how and the basis under which personal data is being collected and processed to determine if any changes need to be made for this to continue under the GDPR, in particular, any processing being conducted that is relying on the following conditions:
  › Consent of the data subject:
    • Consent must be an informed, unambiguous and freely given indication by a statement or clear affirmative action, of the data subject’s consent to processing for specified purposes and it must be capable of being withdrawn at any time. Whether the performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance will be taken into account when assessing if consent has been “freely given.”
    • The data controller must be able to demonstrate that consent has been given.
    • Where consent is given in a written document, the request for consent must be clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
  › “Legitimate interests”:
    • The processing must be necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
    • Requirement to notify the individuals concerned of the details of the legitimate interests being pursued

• Review the categories of data subjects and grounds that your organization may be relying on to process their personal data:
  › Job applicants, employees, workers, contractors, pension scheme members, their dependents
  › Client contacts, their directors, shareholders, beneficial owners
  › Supplier personnel, subcontractors, counterparties
  › Shareholders and other investors

• Consider whether it is necessary to update your notifications. Review:
  › The routes through which personal data is provided to your organization
  › The manner in which the data subjects are notified of how your organization processes personal data about them
  › When the notification is made (it must now be made at the time the information is collected from the relevant individual or, where collected from a third party, at the time a communication is made to the data subject, the personal data is disclosed to another third party or within one month of first receiving it at the latest)
  › The form of the notification itself

• The notification must contain:
  › The identity and the contact details of the data controller and, where applicable, of the data controller's representative and the data protection officer
  › In the case of personal data provided by a third party, the categories of personal data being processed
  › The purposes of the processing as well as the legal basis for the processing (consent, legitimate interests etc). If “legitimate interests”, these must be identified
  › The recipients or categories of recipients of the personal data, if any
  › Where the personal data is to be transferred outside of the EEA, that fact and the existence or absence of an adequacy decision by the Commission, or a reference to the appropriate or suitable safeguards being adopted to protect the transfer (e.g. standard contractual clauses) and the means by which the data subject can obtain a copy of them or where they have been made available
  › The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
  › A description of the data subject’s rights under the GDPR and their right to complain to a DPA
  › Where consent is being relied upon, the right to withdraw it at any time
  › Whether the personal data is required to perform a contract / is required by law, whether the data subject is required to provide that personal data and the consequences if they do not (not required where personal data received from a third party)
  › The existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

Step 7: Update Your Data Governance

• Policies, procedures and other governance controls within your business should be updated to detail how your organization will practically comply with the new requirements under the GDPR.
• Consider whether updates to any of the following are required:
  › Your global data protection policy or regional, country or business line specific policies to identify those parts of your business that are subject to GDPR and how they will comply with it
  › Your IT security policy to address how your IT function will manage access to and transfers of personal data subject to the GDPR, respond to subject access requests, the right to be forgotten, data portability etc.
  › Your business change/project initiation procedure to detail how you would ensure “privacy by design”
  › Your vendor risk management process to address how your procurement team will assess and ensure your suppliers’ compliance with the GDPR
  › Your security incident response plan and procedures to detail how your organization would comply with the breach notification requirements under the GDPR and how these would interact with your organization’s existing notification requirements

• Employees should receive regular training on compliance with the GDPR and the policies and procedures that your organization has in place to ensure this.
• Consider whether any of the following is appropriate:
  › “Train the trainer” training for your DPOs and any other senior members of staff that will lead the GDPR compliance program
  › In the first instance, a mandatory “in person” training session on data protection compliance for your employees that handle personal data, with case studies tailored to their business lines
  › Virtual training for new joiners as part of the induction process and then at regular intervals for existing employees, using online training courses, exercises or videos
  › Providing a reference guide or “playbook” for those who routinely have to deal with or negotiate on data protection issues for your business
  › Intranet resources detailing the manner in which your organization complies with the GDPR with examples aligned to your business lines, which can be accessed as and when required for reference purposes

Step 8: Implement New Compliance Systems

• Systems and procedures will likely require changes – these will take time!
  › Implement “data protection by design”
  › Architect procedures that permit compliance with new data breach reporting requirements (72 hours)
    • Need updated data breach response plans and procedures
    • Processors must notify controller without undue delay after becoming aware of the breach
  › Respond to data subject rights, including:
    • Access to personal data and information about processing
    • Right to rectification, completion, erasure and right to be forgotten
    • Right to object when processing for public interest, legitimate interests of controller for direct marketing purposes
    • Parental consent for children under the age of 16 (or depending on Member State, as low as 13)

• Privacy by design – When designing a product or system, controllers must:
  › Take data protection into account in new technologies and systems or services
  › Implement appropriate technical and organizational measures to protect the rights of data subjects and ensure compliance (pseudonymization is encouraged whenever possible)
  › Limit processing to the minimum extent necessary for the purposes

Example: In designing a new mobile application, controllers must ensure, among other design elements, that users receive proper notice and provide consent; that collection, storage and processing of data are in compliance with the Regulation; that technical and organizational measures are used to protect the data; that data breaches are reported; that data transfers are done in accordance with requirements; that data are stored only for so long as necessary and are used in a manner consistent with the original consent or purpose for processing; and that data subject rights (e.g. to be forgotten) are respected.

• Data breach notification:
  › Report to the competent Supervisory Authority “without undue delay and where feasible no later than 72 hours” unless the breach is unlikely to be a risk to individuals
    • Describe nature of breach
    • Name and contact information of the DPO or other contact point
    • Describe consequences of the breach
    • Describe mitigating measures
  › Report to data subjects if the breach is likely to result in high risk to the rights and freedoms of the data subjects
    • May be able to avoid notice to individuals if the controller satisfies the SA that, for example, data are unintelligible (through acceptable encryption) or risks have otherwise been mitigated

• Right to erasure and to be forgotten – your systems must be able to locate relevant data and securely disable or otherwise destroy it where:
  › Data are no longer needed for original purpose
  › Withdrawal of consent
  › Right to object – processing for public interest, legitimate interests of controller for direct marketing purposes
  › Court holding
  › Processing is unlawful
  › Data must be erased in order to comply with a legal obligation to which the controller is subject
  › Others

Step 9: Review Your Supply Chain Contracts

• Controllers must use a high degree of care in selecting processors who provide sufficient guarantees, in expert knowledge, reliability and resources
• Adherence to codes of conduct or approved certification mechanisms may be used as an element to demonstrate compliance
• Contracts must be implemented that contain a range of information – e.g., data processed and duration, obligations such as data breach reporting, use of technical and organizational measures, audit assistance obligations, and flow downs to sub-processors
• Standard contractual clauses still satisfy some of the requirements, but most third party agreements will require some modifications – the Commission and Supervisory Authorities are likely to publish approved forms of service provider contract clauses
• Controllers and processors must maintain a record of all categories of processing activities carried out on behalf of the controller – records must be available to an SA upon request
• Compliance is likely to affect the cost of service provider services and the risk allocation in contracts, including limits of liability, indemnities and similar clauses

Step 10Assess Your International Transfers

Step 10: Assess Your International Transfers

• Data transfer restrictions apply to controllers and processors

• Transfer to country with Adequate Protection (same as Directive) OR use of approvedmeans:

› EU Model Clauses (but with caution–Shrems challenge)

› Binding Corporate Rules (BCRs) (intercompany only, available for controller group or processor

Doing Business in a Connected World

› Binding Corporate Rules (BCRs) (intercompany only, available for controller group or processorgroup)

› Derogations (EU Directive derogations continue to apply)

› Data Subject Consent

› Approval from Data Protection Authority (DPA)

› Privacy Shield–NOT Safe Harbor

45

Step 10: Assess Your International Transfers –Privacy Shield

• Replacement mechanism to Safe Harbor that permits transfers of EU personalinformation to the US

• Must be subject to jurisdiction of FTC or DOT to self-certify

• Privacy Shield Principles: Notice; Choice; Accountability for Onward Transfer; Security;Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability

Doing Business in a Connected World

Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability(plus 16 Supplemental Principles)

• Not easy–compliance often requires certain operational and policy changes

• The “Onward Transfer” principle addresses how Privacy Shield-certified companies must protect personal information that they transfer on to other data controllers or to third-party agents


Thank You

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe-Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown Mexico, S.C., a sociedad civil formed under the laws of the State of Durango, Mexico; Mayer Brown JSM, a Hong Kong partnership and its associated legal practices in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. Mayer Brown Consulting (Singapore) Pte. Ltd and its subsidiary, which are affiliated with Mayer Brown, provide customs and trade advisory and consultancy services, not legal services. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.


Time in Months (Example GDPR Process Map)

1. Inform your leadership; formulate a plan

2. Decide whether a data protection office should be appointed and a data protection framework created

3. Map personal data that your organization is processing

4. Examine results to determine which of your data processing activities and business units must comply with GDPR

5. Address risks identified in any data processing activities

6. Evaluate grounds under which personal data is being processed

7. Update your data governance policies and procedures

8. Design and implement new compliance systems to comply with GDPR

9. Review supply chain contracts to ensure that your service providers will comply

10. Assess any international transfers of personal data being conducted by your business

[Timeline chart running from MAR 2017 to MAY 2018, plotting the ten steps above with the labels: 1. INFORM, 2. DECIDE, 3. MAP, 4. EXAMINE, 5. ADDRESS, 6. EVALUATE, 7. UPDATE, 8. DESIGN AND IMPLEMENT, 9. REVIEW, 10. ASSESS]


Doing Business in a Connected World: The Impact of Cybersecurity, Data Privacy and Social Media (GDPR)

DPO Appointment Considerations 

Under the GDPR, certain controllers and processors are required to appoint a data protection officer (DPO). Non-public bodies are required to appoint a DPO if their “core activities” are to process data on a “large scale” that either “require regular and systematic monitoring of data subjects” or involve “special categories of data . . . relating to criminal convictions and offences” (Article 37).

The Article 29 Data Protection Working Party put forth Guidelines on Data Protection Officers, adopted on December 13, 2016, providing important clarifying information and guidance.

Relevant terms, clarification and examples

“Core activities”
Clarification: Refers to key operations necessary to achieve business goals, or activities that are an “inextricable part of the controller’s or processor’s activity”
Examples:
• Processing of sensitive data by a hospital
• Surveillance by a security company operating in public spaces

“Regular and systematic monitoring”
Clarification: Activity that is repeatable and planned or strategic
Examples:
• All forms of tracking and profiling on the Internet, including behavioral advertising
• Operating a telecommunications network
• Location tracking through mobile apps
• Wearable fitness trackers

Sensitive categories of data
Clarification: References Article 9: personal data revealing “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”

“Large scale”
Clarification: Factors to be considered in determining whether processing is “large scale”:
• Number of individuals affected (either in the abstract or as a proportion of the population)
• Volume of data or categories of data processed
• Duration or permanence of processing
• Geographical extent of the processing activity
Examples:
• Processing of travel data by a public transport system via tracking cards
• Insurance company or bank processing of customer data in the regular course of business
• Processing of personal data for behavioral advertising by a search engine


 

Other Considerations 

• Maintain records of the internal decision to appoint, or not appoint, a DPO, and any analysis undertaken in connection with that decision.

• Voluntary appointment of a DPO, even if not required by the GDPR, results in the business having to comply with all other DPO requirements.

• Data protection staff or consultants not performing official duties as DPO should be clearly identified as “not a DPO” in order to avoid any confusion over the specific DPO compliance obligations.

• DPOs must be qualified and have “expert knowledge of data protection laws and practices” relevant to the business and must be sufficiently independent, without instruction or interference from their business.


GDPR Data Protection Impact Assessment 

Project name:   

Completed by:   

Date:   

Version:   

Review cycle:   

 

DPIA tips 

• Please assume the reader only has basic knowledge of your sector. 

• Not all questions may be relevant to your project. Where a question is not relevant, please answer “Not applicable” and explain why.

• To the extent that questions cannot be answered in the space provided, please answer in a separate document, attach it to this DPIA and refer to the attachment in the relevant question.

We confirm that the data protection impact of this project on the relevant data subjects has been minimized to the extent reasonably possible to ensure that the processing of information relating to the data subjects will not be unwarranted or unfairly prejudice their interests and that it is reasonable and proportionate to take the remaining risks in all the circumstances. We confirm that the use of the information described in this DPIA for the purposes of this project is necessary and justified and that the use of this information as part of this project should comply with all applicable privacy law as at the date of this DPIA.

Project Lead
Signed:
Name:
Date:
Job title:

Legal Representative
Signed:
Name:
Date:
Job title:

 

 


Part 1: Data Protection Impact Assessment Screening Questionnaire (to be completed by the Project Lead)

Columns: No. | Question | Response | Legal comments/notes

1. Is this a project to implement a new initiative or to change/enhance an existing initiative?

2. Will the project involve the collection of new information about individuals?

3. Will the project compel individuals to provide information about themselves?

4. Will information about individuals be disclosed to organizations or people who have not previously had routine access to the information?

5. Will information about individuals be used for a purpose that it is not currently used for, or in a way it is not currently used?

6. Does the project involve using new technology that might be perceived as being intrusive to individuals’ privacy—for example, by using biometrics, location data or facial recognition?

7. Will the project involve systematic monitoring of a publicly accessible area (e.g., use of CCTV)?

8. Will the project conduct profiling or result in decisions being made or action being taken with respect to individuals in ways that can have a significant impact on them?

9. Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be particularly private?

10. Will the project require individuals to be contacted in ways that they may find intrusive?


Part 2: Data Protection Impact Assessment (to be completed by the Legal Representative with the Project Lead)

PART A: THE REQUIREMENT TO CONDUCT A DPIA 

Columns: No. | Question | Response

1. Explain the aims of the project, the anticipated benefits to the organization, to individuals and to other parties.

2. Summarize why the need for a DPIA was identified.

3. Describe the collection, use and deletion of personal data and identify the relevant data controllers and data processors involved. It may be useful to refer to a flow diagram or another way of explaining the data flows.

4. Describe why it is necessary to process personal data for this project. Explain the purposes for which the personal data will be processed, the conditions that are being relied upon to process it and why.

5. How many individuals are likely to be affected by the project?

6. Explain the practical steps that will be taken to ensure that the privacy risks are identified and addressed.

7. Which stakeholders or types of stakeholders should be consulted, internally and externally? How will you carry out the consultation? This should be linked to the relevant stages of the project management process. Consultation can be used at any stage of the DPIA process.

8. Please explain the steps that have been taken to ensure “privacy by design” as part of this project.

9. Please indicate whether it is necessary to consult a data protection authority about the processing activities anticipated under this DPIA. If so, please identify the relevant data protection authority.


PART B: THE PRIVACY AND RELATED RISKS

Identify the key privacy risks and the associated compliance and corporate risks. For each risk identified (Risk 1, Risk 2, Risk 3), record:

• Privacy issue

• Risk to individuals

• Compliance risk

• Associated risk to the company

PART C: THE POTENTIAL SOLUTIONS

Describe the actions that could be taken to reduce the risks identified above and any future steps that would be necessary (e.g., the production of new guidance or future security testing for systems). For each risk (Risk 1, Risk 2, Risk 3), record:

• Potential solution(s)

• Result: Is the risk eliminated, reduced, or accepted if the solution is implemented?

• Evaluation: Is the final (i.e., residual) impact on individuals after implementing this solution a justified, compliant and proportionate response to the aims of the project?

• Should this solution be implemented? (If not, indicate the reason.)

• Decision taken by


PART D: DATA PROTECTION AUTHORITY FEEDBACK

To the extent that a data protection authority was consulted about the risks of any processing activities, please explain the feedback received from the data protection authority and how any solutions identified above have been modified or any new solutions proposed to take this into account. For each risk (Risk 1, Risk 2, Risk 3), record:

• Feedback received from a DPA

• Result: Is the risk eliminated, reduced, or accepted if the solution is implemented?

• Evaluation: Is the final (i.e., residual) impact on individuals after implementing this solution a justified, compliant and proportionate response to the aims of the project?

• Should this solution be implemented? (If not, indicate the reason.)

• Decision taken by

PART E: THE DPIA OUTCOMES AND INTEGRATION INTO THE PROJECT PLAN

Identify the person who has approved the privacy risks involved in the project, the solutions that need to be implemented and how these outcomes are going to be integrated into the project plan. For each risk (Risk 1, Risk 2, Risk 3), record:

• Approved solution

• Approved by

• Action/next steps to be taken

• Date for completion of action

• Responsibility for action

Contact point for future privacy concerns:

  

 


Data Protection Policy Checklist 

 

Columns: No. | Requirement heading | Typical content

1. Responsibility for the policy
This section typically identifies the individuals or roles that are responsible for maintaining the policy and supervising compliance with data protection requirements throughout the organization. It also identifies the entity or entities within the company group that will be the data controllers for the personal data subject to the policy.

2. The data protection principles
A summary of the eight data protection principles, together with a brief explanation of the other GDPR requirements that have to be complied with, should be included.

3. Data protection authority registration, notification and filing requirements
This section summarizes the particular registration, notification or other document filing requirements that the organization must comply with when dealing with a European data protection authority in order to process personal data in, or transfer personal data from, the relevant European member state.

4. Requirements when collecting personal data
This section sets out the requirements that the organization must comply with to ensure personal data is collected lawfully. It should explain how the organization ensures that individuals are notified about how their personal data is going to be processed before or at the time their personal data is collected, as well as set out the minimum requirements that must be complied with when providing any notification.

5. Processing activities
A high-level explanation should be included of the processing activities that the organization is conducting, the types of personal data (including sensitive personal data) that are being processed, the purposes for which—and the grounds under which—they are being processed, the types of data subjects affected and the types of third parties with which that personal data may be shared.

6. Data mapping and impact assessments
This section should explain how the organization records the personal data processing activities that it conducts, when it is necessary to conduct a data protection impact assessment and how that should be conducted.

7. Limitations to processing activities
The policy should explain the steps the organization takes to limit the processing activities that it carries out so that personal data is only processed for the purposes that have been stated to the data subjects and so that the organization implements “privacy by design.” An explanation of how the organization ensures the adequacy and relevance of the personal data it holds should be included in order to demonstrate that the organization does not process excessive amounts or types of personal data.


8. Retention of personal data
A description of how the organization maintains the accuracy of its personal data should be included, together with an explanation of how long records of personal data covered by the policy will be retained and why (by reference to the applicable data retention policy, where relevant).

9. Security of personal data
Details of how personal data being processed by the organization is secured and how these security arrangements are reviewed and updated should be included in the policy (by reference to the applicable IT or data security policy, where relevant). An explanation of the requirements that must be complied with should a data breach event be discovered should also be included (with reference to the applicable security breach response plan, where relevant).

10. Dealing with requests from data subjects and data protection authorities
This section should set out the rights that data subjects can exercise in relation to the processing of their personal data (such as the right to make a subject access request, to object to processing, to opt out of automated decision making and to be forgotten, as well as the right to data portability) and how the organization will respond to any request to exercise those rights. An explanation should also be given as to how the organization should respond to any request from a data protection authority for information about its data processing activities.

11. Providing personal data to third parties
A description should be given of the steps that must be taken before personal data can be shared with, or disclosed to, a third party.

12. Transfers of personal data from the EEA
This section should explain the restrictions that apply to transferring personal data from the European Economic Area to recipients located in countries outside of it, how the organization currently conducts such transfers and the steps that must be taken before personal data can be transferred in this way.

13. Other ongoing compliance responsibilities
This section should detail any other ongoing responsibilities in relation to collecting and processing personal data that the organization has implemented, as well as the requirement for all staff involved in the collection and processing of personal data to take part in regular data protection training.