Gary Chun, Senior Corporate Counsel, Covance Inc.
Laura Hamady, Assistant General Counsel Privacy, eCommerce & Retail, Levi Strauss & Co.
Mark Diamond, President & CEO, Contoural, Inc.
Tom Mighell, Senior Consultant, Contoural, Inc.
307 - Preparing for EU 2015 Data Protection Rules
Legal Information Is Not Legal Advice
Contoural provides information regarding business, compliance and litigation trends and issues for educational and planning purposes. However, legal information is not the same as legal advice -- the application of law to an individual or organization's specific circumstances. Contoural and its consultants do not provide legal advice. Clients should consult with competent legal counsel for professional assurance that our information, and any interpretation of it, is appropriate to each client's particular situation.
EU Data Protection Directive
EU DP Directive (1995)
• Personal data
• Controller and Processor – where data is processed in the EU
• Transfers of personal data outside the EU
• Model clause agreements and US Safe Harbor
• Different laws within Europe and different DPAs and standards
Privacy Principles
• notice
• purpose
• consent
• security
• disclosure
• access
• accountability
2012 – draft EU DP regulation
• Ongoing negotiations between EU Parliament, Council and Commission
• Expected adoption in 2015
• Expected enforcement in 2017
Who Are You?
• US Company?
• US Company with EU Affiliates?
What Should You Already Be Doing to Comply with Current Requirements?
• Privacy Policy and Procedures
• Privacy Governance Organization
• Training for Employees
• Privacy Notices
• Information Security
• Audit Procedure
• Breach Response Process
Proposed Changes to EU Data Protection Regulation
• Directive to regulation – harmonize regulations across the EU
• Extends to all foreign companies processing data of EU residents
• Incorporate privacy by design
• Significant penalties – up to 5% of annual worldwide turnover (revenues)
• Notification of data breaches
• Data Protection Officer
• Right to be forgotten/erasure
What’s Driving the Changes?
• Desire to harmonize regulations across the EU – the Directive relies on individual countries to enact laws; the regulation will be consistent across borders
• The 1995 Directive isn’t up to date with current technology
• Unhappiness on the EU side with Safe Harbor
• Concern about privacy standards and abuses in other territories
• Protectionism
Estimated Timeline for Regulation Implementation
2014 2015 2016 2017
Negotiations on Amendments
Finalize Regulation
Regulation Becomes Law
Member States have 2 years from enactment to bring regulation into effect
Right to Be Forgotten
New Article 17:
The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, and to obtain from third parties the erasure of any links to, or copy or replication of that data….
Who is the controller? Does this apply to third parties?
Non-European companies must apply EU rules when offering services to European consumers
Burden of proof reversed – now burden on the controller to prove data is still relevant
Balance against freedom of expression and the press
Google Spain v AEPD and Mario Costeja González (2014)
• González lodged a complaint with the Spanish Data Protection Agency asking that a link to a newspaper article about him be removed
• European Court of Justice ruled that an internet search engine must consider requests from individuals to remove links to freely accessible web pages resulting from a search on their name
• Ruling related solely to allowing people to request that their names not show up in search results when the information is “inadequate, irrelevant or no longer relevant.”
• Google and other providers creating processes to allow individuals to have links to their names removed
• Proposed EU Data Protection Regulation would be much more broadly interpreted
Be Prepared for Right to be Forgotten and Subject Access Requests
• Establish a chain of command
– Train customer service and any other employees who may receive such requests
• Understand where the data is
– Which databases, which backups, etc.
• Create a response timeline
– Be able to respond quickly
What Do You Need to Know?
• What data you have?
– PII? Sensitive PII?
• How you receive the data you have?
– Directly from the data subjects? From a third party?
• Whose data you have?
– Who are your data subjects?
• Who can access the data?
– What access controls are in place?
• Where the data is stored?
– Cloud? Servers? File Shares? BYOD?
• How long data is kept?
– Is there a record retention schedule in place?
What Do You Need to Do?
• Locally (in the EU)
– Local filings
– Local Notices
– Safe Harbor
• US HQ
• Rest of the World
• Make sure that you have made all currently required disclosures and that they are accurate
• Follow current regulations until the Regulation is finalized and implemented – the one-stop shop principle is controversial
• Binding Corporate Rules
• SCC/Model Clauses
Understanding Data Practices
• Internal audits
• Identify data collection points
• Locate databases
• Map data flows
Creating a Data Map
A Data Map is an inventory of the data sources that inform prevention activities. It tells you what you have, where it is, and who is responsible for managing it.
Common types of data maps include:
• Application & Infrastructure
• eDiscovery
• Records & Content Management
• Compliance
• Privacy & Sensitive Information
A Data Map may be a document, a diagram, a database, or an application.
The Future of Safe Harbor
• Recent calls for suspension by EU – complaints about lack of US enforcement and oversight
• Self-Certification is not trusted – perception vs. reality?
• EU recommendations for improving Safe Harbor – Transparency, Redress, Enforcement, Access by US Authorities
• Prediction: Safe Harbor will survive
• But see “Schrems vs. Facebook” – is Safe Harbor incompatible with European human rights standards?
Impact on Binding Corporate Rules
• Expressly validated by Draft Regulation
• Strong backing by EU data protection authorities
• Safe Harbor under increasing strain, and even model contracts are scrutinized more
• Binding Corporate Rules (BCRs) are now more familiar to companies and consumers
• BCRs are easier to get than before – 12-18 months vs. 4 years
What is happening with data transfer agreements?
The Draft Regulation offers 3 data transfer solutions:
• Adequate Countries
• Appropriate Safeguards (like BCRs, SCCs, Safe Harbor)
• Clearly Defined Specific Situations (such as during an investigation)
Impact on Data Transfer Agreements
Impact on Storing Data in the Cloud
• Data residency requirements apply to cloud storage
• Cloud solutions need to support:
– Data residency
– Appropriate security controls
– Ability to search for PII within individual documents
– Better metadata
Vendors are often Part of the Gap
• Does the vendor have a Records Retention Policy that is enforced?
• What does the Service Level Agreement with the vendor say regarding record retention?
• Has the vendor been audited by internal self-audit or external regulatory authority regarding its data privacy protections?
• Does the vendor have a written Information Security Program applicable to all records potentially subject to privacy regulations?
• Does the vendor have U.S. Safe Harbor Certification?
Conflict or Inconsistency with Other Regulations within the EU
EMA policy on clinical trial data transparency
• Delayed to Oct 2 meeting (*need to update based on meeting)
• Considering impact on R&D and industry concerns
• Need to protect patient data and commercial confidential information
• May be inconsistent with the scope of the consent in informed consent forms
Conflict or Inconsistency with Jurisdictions Outside the EU
Revelations of massive government surveillance are a major source of conflict with non-EU countries, particularly the US
• US Patriot Act
• Dissatisfaction with US Safe Harbor
• Encryption restrictions in territories (Russia)
Impact of Dealing with Data Breaches
What You Should do NOW:
• Update (or create) your Breach Notification Process
• Conduct a data protection audit – identify potential weaknesses
• Assess / enhance detection and response capabilities
Best Practice for Breach Response:
• Isolate compromised systems
• Preserve relevant information
• Required disclosure(s)
• Investigate cause of breach and remediate
New Regulation: Notice of a data breach must be disclosed to the supervisory authority within 24 hours of detection if feasible.
Is It Time to Rethink Your Privacy Strategy?
What do I need to update or change?
• Follow local laws until the Regulation passes
• Consider holding off on BCRs – you may need to start the process over, and the Regulation will likely make the process easier
• Remember that the Regulation isn’t final yet
• Get serious about information governance
Privacy by Design
• Safeguards built into products/services
• Privacy-friendly default settings (Hello, Facebook)
• Collaboration with IT
• Duty to remediate existing systems?
Article 23: The controller shall implement mechanisms for ensuring that, by default, only those personal data which are necessary for the purposes of the processing are processed.
Addressing the Middle (diagram)
• Breach Response Plan
• Security Policies
• Key Application Monitoring and Breach Response
• Data Privacy Compliance
Gap:
• Employee BYOD
• Data Extracts
• Unstructured Data on File Shares, Cloud, SharePoint
• Paper Records
• Documents to Third-Party Vendors
Making Everything Right, Preparing for the Regulation
• Policies – Updating your policies
• Clean Up – fix any problems that present themselves in audits and create strict access controls
• Train People – create data privacy trainings
• Processes – Subject Access Requests, Right to be Forgotten
• Audit – create a team to monitor and audit compliance with the procedures you create
• Privacy by Design – Design forward to incorporate your knowledge
• Documentation – practices need to be established to provide guidance on how to handle data in accordance with the EU directive
Is It Time for Information Governance?
(diagram: Discovery, Disposition, Privacy, Records)
• Ensure Records Policies are up to date
• Harmonize records policies with privacy policies
• Strengthen legal hold processes
• Better manage data with a data placement strategy
• Leveraging the data map, develop defensible disposition processes
• Develop a “Culture of Compliance” through Information Governance Behavior Change Management
• Rolling out a Policy and Procedures with no Change Management is not enough
Additional Resources
Free Recorded Webinars at www.contoural.com
• Preparing for the EU 2015 Data Protection Rules: What You Need to Know
• Taking a Metrics Approach to Information Governance
• Creating a Records Management Project Plan
ACC Information Governance eGroup – Join the discussion
ARMA Information Management Magazine, October 2014 Issue: All In One: Creating a Super Data Map and Schedule
ACC Docket Magazine, October 2014 Issue: Building a Business Case for an Information Governance Program
Thank You and Questions
• Gary Chun, Senior Corporate Counsel, Covance Inc.
• Laura Hamady, Assistant General Counsel Privacy, eCommerce & Retail, Levi Strauss & Co.
• Mark Diamond, President & CEO, Contoural, Inc.
• Tom Mighell, Senior Consultant, Contoural, Inc.