MARCH MADNESS: EMERGING LEGAL ISSUES AND TRENDS
Session 8: 4:30-5:30 Presented by Reed Smith
Title: GDPR and Data Privacy Counseling - Effective May 2018
Moderator: Thomas J. Quinlan - Partner, Reed Smith LLP
Speakers: Bart W. Huffman - Partner, Reed Smith LLP
Aileen Casanave - Deputy General Counsel, Jiff, Inc.
Dr. Andreas Splittgerber - Partner, Olswang
Thomas J. Quinlan, Partner

San Francisco: T +1 415 659 5979, F +1 415 391 8269
Silicon Valley: T +1 650 352 0527, F +1 650 352 0699

Practice Areas
• Japan Business Team
• Life Sciences
• Mergers & Acquisitions
• Emerging Growth / Venture Capital
• Capital Markets
• Health Care Fraud and Abuse
• Life Sciences Intellectual Property
• Life Sciences Transactions
• Technology Transactions
• Life Sciences Health Industry Group
• Health Care
• Corporate & Securities

Education
• University of San Francisco School of Law, 1985, J.D.
• Santa Clara University, 1974, B.S.

Professional Admissions / Qualifications
• California
Overview
Tom is an experienced corporate partner who advises emerging and established technology, healthcare and life science companies. He has organized numerous businesses and joint ventures in many jurisdictions and has advised Boards and management on corporate governance and shareholder rights. Tom has acted as outside general counsel for many private companies.
Tom represents companies in several industries and at many different stages of development. Tom advises these clients on corporate and securities issues, equity and debt finance and the acquisition and protection of intellectual property. Tom has substantial experience in negotiating capital investment, joint ventures, mergers and acquisitions and other complex transactions.
Tom also enjoys the negotiation of technology licenses and development agreements because it often puts him in close contact with the core business strategy of his clients. Tom has negotiated manufacturing and IT outsourcing agreements including many varieties of SaaS, BPaaS and other cloud computing and outsourcing arrangements common in businesses. Many of these outsourcing arrangements involve companies in regulated industries that have special requirements for product compliance and data security, especially financial institutions and healthcare and life science companies.
Tom is a CIPP/US (Certified Information Privacy Professional). He advises clients on the requirements of the many laws affecting data security and electronic communications and the transfer and protection of regulation-sensitive information. Tom has advised on compliance regarding privacy policies, data agreements and service arrangements.
Early in his career, Tom was counsel to several hospitals and healthcare related businesses. Tom is very experienced in the laws and regulations specifically affecting healthcare and life science businesses today, such as HIPAA, anti-kickback statutes, referral prohibitions, and state corporate practice of medicine provisions.
Tom has substantial experience in mergers and acquisitions, and domestic and international distribution agreements. Examples of recent transactions in which Tom has had a major role include:
• Represented buyer (and service provider) in acquisition of technology assets from major health plan and large multi-year agreement for outsourced BPaaS services to be provided to the health plan.
• Represented private equity fund buyer in acquisition of Concord Music Group.
• Represented founders of a well-regarded “big data” incubator in venture backed financing.
• Represented perishable fulfillment and logistics SaaS platform in sale to private equity firm for more than $300 million.
• Represented financial planning and budgeting SaaS provider in $20 million private equity fund investment.
• Advised large medical device company in the restructuring of the global distribution network of an acquired company.
• Negotiated cross-border manufacturing outsourcing arrangement for large medical device company valued at $100 million a year.
• Negotiated numerous IT related agreements on behalf of financial services company separating its IT infrastructure from other affiliates’ due to regulatory sensitivity.
• Advised large international pharmaceutical company on California aspects of tender offer and practice of medicine issues relating to a tender offer for a California company.
• Advised China-based investment fund in acquisition of California development project.
• Advised California based peer to peer finance company in capital raise.
• Advised French parent company in reorganization of U.S. affiliates.
Tom is a frequent speaker on the negotiation of intellectual property agreements, protection of intellectual property, data privacy and legal issues facing early stage and growth companies.

Employment History
• 1985 - Reed Smith LLP
• 1977-1983 - U.S. House of Representatives

Professional Affiliations
• Editorial Advisory Board of the BNA Life Science Law & Industry Report
• International Association of Privacy Professionals
• American Health Lawyers Association, Chair Life Sciences Practice Group 2012-2014, Vice Chair 2008-2012
• American Bar Association
• Board of Directors of Junior Achievement of Northern California, pro bono General Counsel
Experience
• Represented buyer (and service provider) in acquisition of technology assets from major health plan and large multi-year agreement for outsourced BPaaS services to be provided to the health plan.
• Represented private equity fund buyer in acquisition of Concord Music Group.
• Represented founders of a well-regarded “big data” incubator in venture backed financing.
• Represented perishable fulfillment and logistics SaaS platform in sale to private equity firm for more than $300 million.
• Represented financial planning and budgeting SaaS provider in $20 million private equity fund investment.
• Advised large medical device company in the restructuring of the global distribution network of an acquired company.
• Negotiated cross-border manufacturing outsourcing arrangement for large medical device company valued at $100 million a year.
• Negotiated numerous IT related agreements on behalf of financial services company separating its IT infrastructure from other affiliates’ due to regulatory sensitivity.
• Advised large international pharmaceutical company on California aspects of tender offer and practice of medicine issues relating to a tender offer for a California company.
• Advised China-based investment fund in acquisition of California development project.
• Advised California based peer to peer finance company in capital raise.
• Advised French parent company in reorganization of U.S. affiliates.

News & Publications
Publications
• 2014: Introduction to the Regulation of Medical Devices, Fundamentals of Life Sciences Law: Drugs, Devices, and Biotech (Second Edition)
Articles Published

Speaking Engagements
• 16 October 2014: Keiretsu Forum, "Opportunities from University Sponsored Incubators", San Francisco, CA (Seminar)
• September 2014: SVC Wireless Conference, "Smart Home, Smart Body and Smart World", Mountain View, CA (Seminar)
• 23 June 2014: SelectUSA Investment Seminar at BIO 2014, "Practical Advice on Investing in the U.S. Life Science Industry: Opportunities, Best Practices, and Challenges", San Diego Convention Center, San Diego, CA (Seminar)
• June 2014: SelectUSA Investment Seminar at BIO 2014, "Practical Advice on Investing in the U.S. Life Science Industry: Opportunities, Best Practices, and Challenges", San Diego, CA (Seminar)
• 16 June 2014: K4 Entrepreneur Academy, "Understanding and Negotiating Term Sheets", San Francisco, CA (Seminar)
• 16 April 2014: Cisco Meetup: Innovation Powered by Internet of Everything and Big Data, Santa Clara, CA (Seminar)
© 2017 Reed Smith LLP. All rights reserved.
• 9 April 2014: Reed Smith’s Big Data Health Care Conference, Quadrus Conference Center, Menlo Park, CA (Seminar)
• 17 January 2013: MCLE Day 2013, "Emerging Issues in Data Privacy and Security Law", Reed Smith, San Francisco, CA (CLE / CPD)
• 16 January 2013: MCLE Day 2013, "Emerging Issues in Data Privacy and Security Law", Wells Fargo Atrium, Los Angeles, CA (CLE / CPD)
• 25 April 2007: Life Sciences Law Institute, San Francisco, CA (Seminar)
• September 2006: Financial Institutions Committee Meeting, Business Law Section, State Bar of California, "2006 Update on Data Security Litigation" (Seminar)
Bart W. Huffman, Partner

Houston: T +1 713 469 3874, F +1 713 469 3899

Practice Areas
• Information Technology, Privacy & Data Security

Education
• University of Texas School of Law, J.D., with honors
• Princeton University, B.S.E., Civil Engineering/Operations Research, cum laude, Tau Beta Pi

Professional Admissions / Qualifications
• Texas
• New York
• California
• U.S. Patent and Trademark Office

Court Admissions
• U.S. Court of Appeals - Fourth Circuit
• U.S. Court of Appeals - Fifth Circuit
• U.S. Court of Appeals - Seventh Circuit
• U.S. Court of Appeals - Ninth Circuit
• U.S. Court of Appeals - District of Columbia Circuit
• U.S. District Court - Eastern District of Texas
• U.S. District Court - Northern District of Texas
• U.S. District Court - Southern District of Texas
• U.S. District Court - Western District of Texas
• U.S. Bankruptcy Court - Eastern District of New York
Overview
Bart is a partner in the firm’s Information Technology, Privacy & Data Security Group. He has a systems engineering background and experience in privacy and information security matters that spans the modern history of the practice area. Bart provides advice concerning a wide range of matters within his field, including cybersecurity program development, enterprise cloud computing and other IT services agreements, company policies, information security preparedness, and data breach response. He regularly works and speaks on privacy and security matters for the oil & gas industry, transportation, financial services, and other critical infrastructure. He also has a proven track record in significant online copyright and litigation matters, including representation of some of the largest ISPs in various venues and appellate courts in matters involving Internet subscriber data. Bart holds a J.D. from the University of Texas (with honors) and a B.S.E. from Princeton University (cum laude, Tau Beta Pi) in Civil Engineering & Operations Research with a Certificate in Engineering and Management Systems.
Bart is admitted to practice law in Texas, New York and California, and before the U.S. Patent & Trademark Office. He is also a Certified Information Privacy Professional/US, and serves on the Certifications Advisory Board of the International Association of Privacy Professionals. Bart has served as a visiting fellow of the Center for Information Technology at Princeton University, and he is currently an adjunct professor, teaching Privacy and Cyber Security in the Information Age at the University of Texas School of Law.

Employment History
• 2017 - Reed Smith
• Locke Lord

Honors & Awards
• Listed, Legal 500, Media, technology and telecoms – Technology – data protection and privacy (2016)
• Martindale-Hubbell AV Peer Review Rating
• San Antonio Business Journal, "Outstanding Lawyer of the Year - Intellectual Property" (2010)

Professional Affiliations
• Adjunct Professor, The University of Texas School of Law
Court Admissions (cont’d)
• U.S. District Court - Eastern District of California
• U.S. District Court - Southern District of California
• U.S. District Court - Central District of California
• U.S. District Court - Northern District of Illinois
• U.S. District Court - District of Maryland

2014
• Children's Activities Chair/Co-Chair, Princeton Class of 1988 Reunions Committees for 20th (2008), 25th (2013), and 30th (2018) Reunions
• Corporate Committee Member, The McNay Art Museum, 2006-2012
• President, Princeton Alumni Association of San Antonio and South Texas, 2003-2012
• Princeton University Alumni Council: Executive Committee, 2005-2009; Regional Associations Chair, 2007-2009
• San Antonio Convention and Visitors Commission: Commissioner, 2003-2007; Budget and Finance Chair, 2006-2007
Experience
• General privacy and data security advice for clients in financial, energy, consumer services, governmental (tolling), and other industries
• Represent companies in cybersecurity preparedness, including development of incident response plans, tabletops, and work on information security policies
• Data breach response (experience over the course of a decade), and negotiation of breach response services contracts
• Information technology contract negotiations, including global enterprise cloud computing, disaster recovery, forensic consulting, managed security, software development and licensing, and systems integration work
• Represent Internet service providers in online copyright and subscriber identification disputes and negotiations, and related internal policies and procedures
• Cybersecurity governance and risk management, including compliance and programs for handling of information by vendors, service providers, and business partners
• Privacy impact assessment and related contract negotiations and advice
• Internet-based commercial services agreements (browser development, remote technology support, mobile-controlled home security, vehicle content delivery, etc.)
• Legislative support and testimony before Texas House and Senate committees on privacy issues
• M&A diligence support for privacy and information security
• SME support in connection with health data exchange and other cyber insurance policies
• Lead counsel for pretexting litigation in Texas and California on behalf of national Internet service provider
News & Publications
News
• 21 February 2017: Reed Smith Adds Four More Attorneys in Houston (New Arrivals, News Releases)

Speaking Engagements
• 14 April 2017: UT Law 2017 Oil, Gas and Mineral Law Institute, "Cybersecurity for Oil & Gas Attorneys: Understanding the Ethical and Legal Obligations", Houston, TX (Seminar)
• 25-26 January 2017: Cybersecurity and Data Privacy Law Conference, Institute for Law and Technology, "A View from Inside: Perspectives of In-House Counsel Responsible for Addressing Cyber and Data Privacy Issues" and "Communicating with and Protecting Senior Corporate Leadership from Cyber and Privacy Risks", Plano, TX (Seminar)
• 19 August 2016: University of Texas - Essential Cybersecurity Law Conference, "Responding to a Data Breach", Austin, TX (Seminar)
• 8 July 2016: International Association of Privacy Professionals Austin KnowledgeNet Chapter Meeting, "The Emerging EU-U.S. Privacy Shield Framework and GDPR Update", Austin, TX (Seminar)
• 18-19 February 2016: Institute for Energy Law, Center for American and International Law, 67th Annual Oil & Gas Law Conference, "‘Reasonable and Appropriate’ Security in the Information Age", Houston, TX (Seminar)
• 26 January 2016: Cybersecurity and Data Privacy Law Conference, Institute for Law and Technology, "A View from Inside: Perspectives of In-House Counsel Responsible for Addressing Cyber and Data Privacy Issues", Plano, TX (Seminar)
• 10 July 2015: National Conference of Insurance Guaranty Funds 2015 Legal Seminar, "Cyber Liability: Non-Technical Issues in Risk Management", San Francisco, CA (Seminar)
• 22 May 2015: 28th Annual University of Texas Technology Law Conference, "Cloud Computing: Critical Business, Technology, Legal, and Regulatory Considerations and Negotiation Strategies" and "Responses to a Data Breach: Incident Response Planning and Advanced Preparedness" (Seminar)
• 6 May 2015: Oil & Gas Division of the International Association for Contract & Commercial Management, San Antonio, TX (Seminar)
SPEAKER BIO: AILEEN CASANAVE
Aileen F. Casanave, Deputy General Counsel, Acting General Counsel and Privacy Counsel, Jiff, Inc.
Aileen F. Casanave is Deputy General Counsel (acting General Counsel) and Privacy Counsel for Jiff, Inc., an enterprise health benefits platform software services company, where she provides business and legal support to the CEO and CFO and manages the company’s legal, immigration, and regulatory compliance matters. Aileen is also General Counsel to the African American Community Service Agency (AACSA), President of the Santa Clara County Black Lawyers Association (SCCBLA), and Chair of ACC-SFBA’s Career Advancement Committee. For the past three decades, Aileen has worked tirelessly to promote diversity, global inclusion, social justice and public interest in the community, and in the legal sector in particular. She developed numerous diversity and mentoring programs in and out of the workplace while at Lockheed Martin, Sun Microsystems and TIBCO Software Inc. She serves on multiple boards dedicated to diversity or public interest, including the Public Interest and Social Justice Law Board at Santa Clara Law School, Santa Clara County Black Lawyers Association, California Association of Black Lawyers (CABL), Santa Clara County Bar Association, and the Diversity & Inclusion Committee of the Association of Corporate Counsel's San Francisco Bay Area chapter; from 2010-2016, Aileen served on the USF School of Law Board of Governors (where she continues to serve on the Employment committee as a non-board member). Aileen has taught Critical Race Theory and housing discrimination at Santa Clara Law School and created Law Day events where attorneys of color discuss issues of law with children in underserved grammar and high schools in the Bay Area.
In 2013, she completed an exhibit at San Jose City Hall called And Justice For All, The History of African-Americans in Santa Clara County's Judicial System, and has hosted a Gideon Celebration, a celebration of America's 6th Amendment right to counsel honoring the careers of four Public Defenders from the counties of Santa Clara, Alameda, Contra Costa and San Francisco. Aileen was awarded the Women Lawyers’ Division of the National Bar Association’s Lawyer of the Year award, the 2016 California Association of Black Lawyers’ President’s Award, the California Women Lawyers’ Woman of Achievement Award and the Silicon Valley Women of Influence Award, and was inducted into the Silicon Valley Black Legends Hall of Fame in February 2017.
SPEAKER BIO: ANDREAS SPLITTGERBER
GDPR and Data Privacy Counseling
March 24, 2017
Presented by:
Thomas Quinlan, Reed Smith
Aileen Casanave, Jiff, Inc.
Bart Huffman, Reed Smith
Andreas Splittgerber, Olswang
IP, Information & Innovation
Reed Smith LLP
What is Important?
• Time for compliance
• Extra-territorial applicability
• Cultural shift (privacy by design)
• Regulatory emphasis within the EU
• Fines and private rights of action
GDPR Timeline
• May 24, 2016: Entry into force
• Today: Getting ready…
• May 25, 2018: GDPR applies
295 business days left (427 calendar days left)
GDPR and National Laws
• Not really a harmonizing EU law
• Opening clauses create options for national provisions
• Organizations must also consider national laws that will be introduced within the next 1.5 years
• Example GERMANY: the German Ministry of Interior has drafted a national "Federal Data Protection Act" to supplement the GDPR
The Long Arm of the Law: Extra-Territorial Application
The GDPR applies to controllers and processors “regardless of whether the processing takes place in the European Union or not”. The extra-territorial application of the GDPR is triggered when:
• goods or services are offered to EU citizens; or
• the behaviour of EU citizens is monitored or tracked through the use of technology.
Organisations which do not have an establishment in the EU – and which consider themselves to operate outside the scope of EU data protection law – are now subject to data protection regulation pursuant to the GDPR.
Territorial Application of the GDPR
The GDPR will apply in any of the following three scenarios:

Art. 3(1): Data controller / data processor
• data controller or data processor is established in the EU
• irrelevant on which territory personal data is actually processed

Art. 3(2): Data processing (monitoring)
• data controller or data processor is not established in the EU
• data subject is in the EU; and
• data subject’s behavior in the EU is being monitored.

Art. 3(2): Data subject (offering goods or services)
• data controller or data processor is not established in the EU
• data subject is in the EU; and
• goods or services are offered to data subjects in the EU
Impact for U.S. Companies
• GDPR applies to EU subsidiaries
• GDPR may apply to U.S. parent entity if scenario 3(2) above (directed at EU data subjects or monitoring)
• U.S. parent or EU sub is controller (e.g. for HR and customer data) or processor (e.g. for data stored by customers)
• One-stop shop if more than one sub in the EU
• Special rules for data transfers from Europe to US (Privacy Shield, SCC, BCRs, Codes of Conduct, etc.)
Supervisory Authorities and Sanctions
Powers of Supervisory Authorities
The GDPR provides supervisory authorities with robust enforcement powers which go far beyond those under the Data Protection Directive. For example, they can:
• order controllers or processors to provide information;
• access a controller or processor’s premises and equipment;
• issue warnings and reprimands;
• limit or ban data processing; and
• impose administrative fines of up to €20,000,000 or (for undertakings) 4 % of total worldwide turnover.
‘Undertakings’
Administrative fines are applied to ‘undertakings’ – defined by reference to the competition law definition in Articles 101 and 102 TFEU.
This views undertakings as economic units, so potentially includes group companies.
The Essence of the GDPR: Data Protection Principles
Article 5 of the GDPR sets out the major principles that all organisations are required to comply with when they process personal data.
• Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject
• Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes
• Data minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
• Accuracy: Personal data must be accurate, and where necessary, be kept up to date
• Storage limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
• Integrity and confidentiality: Personal data must be processed in a way that ensures appropriate security of personal data
• Accountability: The controller shall be responsible for, and be able to demonstrate, compliance with the principles
Embedding Data Protection in Your Organisation
Data protection is set to become an integral part of both the technological development and organisational structure of new products or services. The GDPR introduces Data Protection by Design and by Default, which in practice means that all organisations must take data protection into consideration from the outset of new projects or initiatives.
Data Protection by Design
An organisation needs to show that adequate security measures have been implemented and that compliance is monitored. Data Protection is therefore baked in, not bolted on, at the concept phase of any product or service or use of technology that will involve the processing of data.
Data Protection by Default
This means that the strictest privacy settings automatically apply once a customer acquires a new product or service. Therefore, by default, only personal data which are necessary for specific identified purposes are processed.
What is New?
• Harmonization of laws and "one stop" enforcement?
• Non-EU organizations are caught
• Increased rights and remedies for individuals
• Stricter rules on governance and documentation
• Higher standard for consent and other conditions
• Stronger obligations for processors
• Security standards and breach notification requirements
• Impact on international data transfers
Rights of Individuals
The GDPR preserves a number of existing rights of data subjects to access their personal data but importantly, as well as providing further obligations on those existing rights, it also creates new rights:
New Rights (right: requirement)
• Right to restrict processing: Controller to cease processing where: (i) accuracy is contested by the data subject; (ii) processing is unlawful but the data subject does not request erasure; (iii) processing is no longer necessary; or (iv) data subject has objected to the processing and controller determines that no overriding legitimate grounds exist. If data disclosed to third party, controller to inform them of restriction unless this is impossible or involves disproportionate effort.
• Rights against automated decision making and profiling: Controller to identify whether operations constitute automated decision making and update such operations so as to ensure process allows for human intervention. Exemptions available to controller.
• Right to data portability: Controller to provide the personal data (that are processed in an automated way) in a structured, commonly used and machine-readable format and, where requested and technically feasible, transmit them directly to another controller.
Transparency and Consent
• More than ever, transparency will be key, i.e. adequately informing individuals about how their personal data will be processed by the organisation and offering them control over the processing.
• The GDPR imposes onerous requirements on consent, and seeking consent will only be appropriate if the individual has a genuine choice over the matter, e.g. whether to be sent marketing materials.
• Consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes.
Top Tips:
– Use plain language – intelligible, accessible form, in clear and plain language.
– Separate – make it distinguishable from the rest of the text and not bundled with other written agreements or declarations.
– Affirmative action – inactivity or silence will not be enough and the use of pre-ticked boxes is not permitted. However, consent through a course of conduct will remain valid.
– Consent to all purposes – separate consents must be obtained for distinct processing purposes.
– Can be withdrawn – the individual must be able to withdraw consent easily at any time and must be told that before giving consent.
– Not tied to contract – supply of services cannot be made contingent on consent to processing which isn’t necessary to the services being supplied.
– Free choice – consent could be invalidated if the individual does not have a genuine free choice or if there is a detriment if they refuse or withdraw consent.
Data Breach Notifications
The GDPR will require data breach notification to an organisation’s lead data protection authority and, in certain circumstances, to affected individuals.
New rules
In the event of a data breach, controllers will be required to notify:
• The national supervisory authority where the breach would likely result in a risk to the rights and freedoms of individuals.
• Individuals affected where the breach would likely result in a high risk to their rights and freedoms.
Notice to the Supervisory Authority
Notification to the relevant supervisory authority must be within 72 hours of becoming aware of the breach. Failure to notify when required to do so could result in a fine of up to €10 million or 2 per cent of global turnover.
When you notify you should include:
• the nature of the breach, including categories of individuals and the approximate number of records involved;
• the details of the DPO or, if there is no DPO, another contact person;
• the likely consequences of the breach; and
• a description of any remedial action taken or proposed.
Data Breach Notifications (cont’d)
Notices to Affected Individuals
High risk data breaches must be notified to affected individuals without undue delay, unless an exemption applies, and must contain the following information in clear and plain language:
• the nature of the breach;
• the likely consequences of the breach; and
• a description of remedial action taken as well as information about any actions the individual should take to minimise possible adverse effects.
What to Do?
In a nutshell: The GDPR will be fully in force from 25 May 2018 and will apply in the UK and across all EU member states. The countdown has already begun, so your organisation must have everything prepared and in place for this seismic shift in the regulatory landscape.
Path to compliance
The ten steps to compliance are:
1. Stakeholder Awareness: Embed data protection in your organisation
2. Data Inventory: Assess and record the personal data being processed
3. GDPR Gap Analysis: Determine what additional steps are required for GDPR compliance
4. Implementation Plan: Create a project plan to address the compliance gaps
5. Governance Structure & DPO: Appoint data protection officer and create governance structure to support accountability requirements
6. Supply Chain (Processors): Ensure supplier contracts are amended to meet GDPR requirements
7. Cross-Border Transfers: Review cross-border data transfers
8. Accountability Processes: Utilise tools and processes to document compliance
9. Data Subjects’ Rights: Put in place policies and procedures to ensure rights are respected
10. Data Breach Notification: Create policy for breach response, containment, remediation and notifications
Accountability and Governance
What does accountability mean?
• Under the GDPR, organisations must not only comply with the six general principles, but also be able to demonstrate they comply with them.
• The key to accountability is to embed compliance into your business, by adopting ‘data protection by design’ measures, staff training programmes and undertaking audits.
Data Processing Inventory
• Controllers must keep a record of their data processing activities.
Data Protection Impact Assessments
• Where any new project will involve “high risk” processing (such as monitoring activities, systematic evaluations or processing of sensitive data) it will be mandatory for organisations to carry out a data protection impact assessment.
Codes & Certification
• The GDPR includes the possibility of co-regulation through the development of private sector Codes of Conduct or Certification.
Data Protection Officer
• In some circumstances organisations will be required to appoint a Data Protection Officer to implement and oversee compliance with the GDPR.
Supply Chain
The greatest impact of the GDPR on a controller’s dealings with its suppliers amounts to ensuring sufficient guarantees of data protection. This was previously seen in the Data Protection Directive but was not anchored as a legal requirement in such explicit terms as we see now.
Supplier due diligence
Controllers are required to carry out due diligence on suppliers (processors) processing personal data on their behalf. They will need to ensure suppliers can provide sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of the Regulation, including measures to ensure the security of processing.
Supply Chain (cont’d)
Supplier obligations
Processing by a supplier should be governed by a written, binding contract, setting out the subject matter, duration, nature and purposes of the processing, the type of personal data and the data subjects.
Under article 28 of the GDPR the contract must stipulate that the supplier will:
• only process personal data on documented instructions;
• ensure those with access to personal data have committed themselves to confidentiality;
• take all security measures required under the Regulation;
• ensure the same obligations flow down to sub-contractors;
• assist the controller with regards compliance with their obligations under the Regulation, including responses to requests by individuals to exercise their rights under the Regulation;
• delete or return all personal data at the end of the arrangement; and
• make available all information necessary to demonstrate compliance with their obligations.
International Data Transfers
Under the GDPR, data transfers to countries outside of the European Economic Area (EEA) remain subject to restrictions. Restrictions also apply to “onward transfers” of data from an importer to another third country or organisation. International transfers under the GDPR can take place on the following bases:
Adequacy Decisions
If the European Commission has adopted a decision that the third country, territory or sector involved in the transfer provides an ‘adequate’ level of protection for the data being transferred, data may flow freely between the EEA and that country, territory or sector.
Appropriate Safeguards
• EU-U.S. Privacy Shield framework
• Model clauses: Model contractual clauses approved by the European Commission may be used in order to legitimise transfers between the contracting parties.
• Binding Corporate Rules: Binding Corporate Rules are explicitly recognised in the text of the GDPR, which infers a level of legitimacy. BCRs are a method of legalising the international transfer of personal data within a group of companies and are available for both controllers and processors.
• EU Codes of Conduct: The GDPR provides that approved codes of conduct along with binding and enforceable commitments of the controller or processor may be used. No such codes of conduct have yet been approved.
• EU Certification: The GDPR also provides for approved certification mechanisms to be used as a basis for data transfers along with binding enforceable commitments of the controller or processor. No such certification mechanisms have yet been approved.
Specific Derogations
• Explicit consent
• Contract performance
• Public interest
• Legal claims
• Vital interests
• Public source
Questions?
Content of the GDPR
Chapter I: General provisions
Chapter II: Principles
Chapter III: Rights of the data subject
Chapter IV: Controller and processor
Chapter V: Transfer of personal data to third countries or international organizations
Chapter VI: Independent supervisory authorities
Chapter VII: Cooperation and consistency
Chapter VIII: Remedies, liability and penalties
Chapter IX: Provisions relating to specific processing situations
Chapter X: Delegated acts and implementing acts
Chapter XI: Final provisions
Contact Us
Thomas Quinlan, Partner, Reed Smith, +1 650 352 [email protected]
Aileen Casanave, Deputy General Counsel, Jiff, Inc., +1 408 390 [email protected]
Bart Huffman, Partner, Reed Smith, +1 713 469 [email protected]
Dr. Andreas Splittgerber, Partner, Olswang, +49 89 [email protected]
IP, Information and Innovation
Data Protection
GDPR: Preparing for the European General Data Protection Regulation
Contents
The Background: from Directive to Regulation 1
Data Protection Principles 2
Accountability and Governance 3
Rights of Individuals 5
Embedding Data Protection in Your Organisation 7
Data Protection: by Design or by Default? 8
Supply Chain 9
International Data Transfers 10
Data Protection Officers 11
Data Breach Notifications 12
Supervisory Authorities and Sanctions 13
Putting the Theory into Practice: What Next? 14
Our European Team 15
The Background: from Directive to Regulation
For a little over 20 years, the protection of individuals in relation to the collection, use and processing of their personal data has been governed in Europe by the Data Protection Directive (95/46/EC) (the Data Protection Directive), adopted and implemented in national law by all 28 EU member states.
Reform began in 2012 aimed at harmonising data protection across the EU via a General Data Protection Regulation which, as an EU regulation, would have direct effect across all EU member states. This reform also sought to ensure that the governing law was updated to account for the rise of technology and the vast array of devices now at the EU’s disposal. New technology means new risks as well as new ways of collecting and using data.
It took nearly four years of consultation to agree the General Data Protection Regulation (the GDPR or Regulation) and it was formally adopted on 27 April 2016 and published in the Official Journal of the European Union on 4 May 2016, entering into force 20 days later. A transitional period of two years was then agreed, during which organisations would have time to prepare for 25 May 2018, when the Regulation becomes enforceable.
The long arm of the law
The GDPR applies to controllers and processors “regardless of whether the processing takes place in the European Union or not”. The extra-territorial application of the GDPR is triggered when:
• goods or services are offered to EU citizens; or
• the behaviour of EU citizens is monitored or tracked through the use of technology.
Organisations which do not have an establishment in the EU – and which consider themselves to operate outside the scope of EU data protection law – are now subject to data protection regulation pursuant to the GDPR.
How does this affect your business?
By the time the GDPR is applied in May 2018, you will need to make sure that all practices, policies and processes relating to the collection and use of personal data across your organisation have been assessed and brought into alignment with the requirements of the new Regulation.
We have prepared this publication to lay out the new obligations being ushered in by the GDPR, in order for you to better understand what the Regulation expects from your business in relation to the data you hold, whether it relates to your employees, customers or suppliers.
Data Protection Principles
Article 5 of the GDPR sets out the major principles that all organisations are required to comply with when they process personal data.
GDPR: Preparing for the European General Data Protection Regulation Reed Smith LLP 03
Accountability and Governance
Some of the most important new requirements under the GDPR are those pertaining to accountability. Accountability means that organisations must demonstrate compliance with the GDPR.
What will Accountability actually look like under the Regulation?
Under the GDPR, there is no change in the definitions of the two key roles of data controller and data processor, but we expect the way liabilities are negotiated to change, with increased complexity (at least initially). Why? Simply stated, for the first time data processors will take on a direct regulatory responsibility and, therefore, liability. Supervisory authorities may develop a new ‘contributory negligence’ approach to enforcement and sanctions.
Controller
A data controller can be an individual or an entity. Data controllers determine the purposes for and means of processing personal data, and are accountable for compliance with the GDPR principles.
Processor
A data processor is an individual or entity which processes personal data on behalf of a controller.
The concept of the data processor is well known from the Data Protection Directive. For the first time, data processors are subject to direct regulation by supervisory authorities under the GDPR. Although processors have several obligations, two of the most notable are:
• Implementation of sufficient security measures, having regard to the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing.
• Maintenance of records of all categories of processing activities carried out on behalf of a data controller, including details of any international data transfers.
Accountability in practice
Data controllers will continue to be responsible and accountable for compliance and governance, with the GDPR elevating the significance of their role.
Data processors will be in line for greater liability now that they will be directly regulated. As a result, we expect to see a significant impact on contracts with service providers.
Data Protection Officers (DPOs) will assume a vital and powerful role. We may increasingly see the voluntary appointment of DPOs as a means of centralising the accountability function.
Governance
Accountability means that governance structures must have the spotlight shone on them. With the requirement for some organisations to appoint a DPO – as a minimum governance requirement – some aspects of governance may become more prescriptive, with some decisions taken out of the hands of business. In practice, organisations will be expected to put into place comprehensive but proportionate governance measures, including:
• Appropriate technical and organisational measures
• Recording of processing activities
• Appointment of a Data Protection Officer (where appropriate)
• Implementation of Data Protection by Design and by Default
• Development and use of Data Protection Impact Assessments
Demonstrating Compliance
As part of accountability, organisations must be able to demonstrate not only that they have a compliance framework in place but also that they implement and adhere to these measures.
Rights of Individuals
The GDPR preserves a number of existing rights of data subjects to access their personal data but importantly, as well as providing further obligations on those existing rights, it also creates new rights. The table below summarises the impact and key obligations as regards controllers receiving requests from data subjects.
New Rights
Right to restrict processing
Requirement: Controller to cease processing where: (i) accuracy is contested by the data subject; (ii) processing is unlawful but the data subject does not request erasure; (iii) processing is no longer necessary; or (iv) data subject has objected to the processing and controller determines that no overriding legitimate grounds exist. If data disclosed to third party, controller to inform them of restriction unless this is impossible or involves disproportionate effort.
Rights against automated decision making and profiling
Requirement: Controller to identify whether operations constitute automated decision making and update such operations so as to ensure the process allows for human intervention. Exemptions available to controller.
Right to data portability
Requirement: Controller to provide the personal data (that are processed in an automated way) in a structured, commonly used and machine-readable format and, where requested and technically feasible, transmit them directly to another controller.
Existing Rights
Right to be informed
Requirement: Controller to provide data subjects with information relating to the processing of their personal data in a concise, clear and intelligible manner.
Changes to existing law(s): More detailed information to be provided; the content depends on whether data were obtained directly from the data subject.
Right of access
Requirement: Controllers to confirm whether personal data are being processed, and if so, provide access.
Changes to existing law(s): Information to be provided free of charge and within one month of receipt. Where request made electronically, information to be provided in a “commonly used electronic format”.
Right to rectification
Requirement: Controller to rectify inaccurate or incomplete personal data without undue delay.
Changes to existing law(s): Where controller has disclosed personal data to third party, controller to inform them of rectification.
Right to object
Requirement: Controller to cease processing where data subject objection to processing is: (i) based on certain grounds (public interest or legitimate interest); or (ii) for certain purposes (research or statistics). Some exemptions may be available to controller. Data subject has absolute right to object to data processed for direct marketing purposes. No exemptions are available to controller.
Changes to existing law(s): Right to object to personal data being used for statistical or research purposes.
Right to erasure (‘right to be forgotten’)
Requirement: Controller to erase personal data when: (i) no longer necessary; (ii) consent is withdrawn; (iii) data subject objects and controller has no overriding legitimate grounds to hold data; (iv) data is unlawfully processed; (v) necessary to comply with a legal obligation; or (vi) processed in connection with an online service offered to a child.
Changes to existing law(s): Broader, more specific rights created. If data disclosed to third party, controller must inform them of erasure unless it is impossible or involves disproportionate effort.
Embedding Data Protection in Your Organisation
Data Protection Impact Assessment (DPIA) is a process involving the identification, assessment and minimisation of data protection risks.
DPIAs are mandatory when processing poses a “high risk” to the rights and freedoms of individuals. Examples of “high risk” operations include:
• New technologies
• Profiling or automated processing
• Processing sensitive data (special categories of data) on a large scale
• Systematic monitoring of public areas (e.g., CCTV/video surveillance)
Once the need for a DPIA has been identified, a number of steps must be taken:
• Description of processing operations envisaged and purposes of processing
– Describe how personal data is: (i) collected, (ii) used, and (iii) deleted
– What legitimate interest is the controller pursuing?
• Assessment of necessity and proportionality of processing operations
– How many individuals are likely to be affected?
• Identification and assessment of data protection risks
– What steps are taken to address risk to: (i) the individual, and (ii) the organisation?
• Identification and evaluation of data protection solutions
– Evaluate proposed measures and safeguards for addressing risk
– What level of risk is acceptable?
• Approval and recording
– Ensure DPIA receives sign-off at the appropriate level
– Record decisions taken to eliminate, mitigate or accept risk, and demonstrate compliance
• Integration of DPIA outcomes in the project plan
– Implement, monitor, re-assess and update the DPIA plan over the life-cycle of the project and when there is a change of risk
Prior consultation with lead Data Protection Authority
In the absence of measures to mitigate risk where high risk is identified, the controller must consult the supervisory authority prior to processing.
Worth considering…
Organisations should think about putting a standard template in place for their business to use for any new process or activity that involves the processing of data.
Data Protection: by Design or by Default?
Data Protection is set to become an integral part of both the technological development and organisational structure of new products or services.
The GDPR introduces Data Protection by Design and Data Protection by Default which, in practice, means that all organisations must take data protection into consideration from the outset of projects or new initiatives.
From the outset
Organisations must take data protection into consideration from the outset of any new project, making it an integral part of the project development process… from day one.
Data Protection by Design
An organisation needs to show that adequate security measures have been implemented and that compliance is monitored. Data protection is baked in, not bolted on, from the concept phase of any product or service or use of technology. Appropriate technical and organisational measures become part of the development for each new project, service or business process.
It must be demonstrated that sufficient account is taken in regard to:
• Nature, scope, context and purposes of processing
• Likelihood and severity of risks to rights and freedoms of individuals
Data Protection by Default
Data Protection by Default means that the strictest privacy settings automatically apply once a customer acquires a new product or service. By default only personal data which are necessary for specific identified purposes are processed.
This applies to:
• Amount of personal data collection
• Extent of processing
• Period of time for storage of personal data
• Accessibility
At what stage of the project?
• At the time when determination of the means of processing is made
• At the concept and design phase of any project
Supply Chain
The greatest impact of the GDPR on a controller’s dealings with its suppliers amounts to ensuring sufficient guarantees of data protection. This was previously being seen in the Data Protection Directive but was not anchored as a legal requirement in such explicit terms as we see now. However, as with several aspects of the GDPR, greater clarity is expected through regulatory guidance as well as EU member states’ delegated powers.
Supplier due diligence
Controllers are required to carry out due diligence on suppliers (processors) processing personal data on their behalf. They will need to ensure suppliers can provide sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of the Regulation, including measures to ensure the security of processing.
Supplier obligations
Processing by a supplier should be governed by a written, binding contract, setting out the subject matter, duration, nature and purposes of the processing, the type of personal data and the data subjects. It must also take into account the specific tasks and responsibilities of the supplier and the risks involved to the rights and freedoms of the data subjects. Under article 28 of the GDPR the contract must stipulate that the supplier:
• only processes personal data on documented instructions;
• ensures those with access to personal data have committed themselves to confidentiality;
• takes all security measures required under the Regulation;
• ensures the same obligations flow down to sub-contractors;
• assists the controller with regards compliance with their obligations under the Regulation, including responses to requests by individuals to exercise their rights under the Regulation;
• deletes or returns all personal data at the end of the arrangement; and
• makes available all information necessary to demonstrate compliance with their obligations.
How does this affect your business?
All contracts involving personal data handling or transfers must comply with the GDPR as at 25 May 2018 – in other words, we are currently in the transition period.
Organisations should review their existing arrangements with service providers, starting with the most critical services for their business operations. Start negotiations well in advance of the GDPR deadline – otherwise you will risk being non-compliant or having third party standard terms imposed on you which could be (a) non-compliant from your perspective and/or (b) unfavourable.
International Data Transfers
Under the GDPR, data transfers to countries outside of the European Economic Area (EEA) remain subject to restrictions. Restrictions also apply to “onward transfers” of data from an importer to another third country or organisation.
International transfers under the GDPR can take place on the following bases:
1 Adequacy Decisions
If the European Commission has adopted a decision that the third country, territory or sector involved in the transfer provides an ‘adequate’ level of protection for the data being transferred, data may flow freely between the EEA and that country, territory or sector.
2 Appropriate Safeguards
• Model clauses: Model contractual clauses approved by the European Commission may be used in order to legitimise transfers between the contracting parties.
• Binding Corporate Rules: Binding Corporate Rules (“BCRs”) are explicitly recognised in the text of the GDPR, which infers a level of legitimacy. BCRs are a method of legalising the international transfer of personal data within a group of companies and are available for both controllers and processors.
• EU Codes of Conduct: The GDPR provides that approved codes of conduct along with binding and enforceable commitments of the controller or processor may be used. No such codes of conduct have yet been approved.
• EU Certification: The GDPR also provides for approved certification mechanisms to be used as a basis for data transfers along with binding enforceable commitments of the controller or processor. No such certification mechanisms have yet been approved.
3 Specific Derogations
• Explicit consent
• Contract performance
• Public interest
• Legal claims
• Vital interests
• Public source
Worth noting…
In exceptional cases, the controller may also invoke his compelling legitimate interest as a new specific derogation.
Data Protection Officers
Whilst some organisations can voluntarily appoint a data protection officer (DPO) as part of their accountability programme, in certain circumstances the appointment of a DPO is mandatory.
Controllers and processors must appoint a DPO where:
• the processing is carried out by a public authority;
• the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale; or
• the core activities consist of processing on a large scale of special categories of data.
The DPO can be an employee of the organisation or hired externally, and companies within a corporate group can appoint a single DPO.
The DPO must be designated on the basis of professional qualities, in particular their expert data protection knowledge and ability to fulfil their DPO responsibilities.
DPO responsibilities
The DPO will be responsible for informing and advising on the organisation’s data protection obligations, advising on the performance of data protection impact assessments, and cooperating with the supervisory authority.
The DPO must monitor compliance with the GDPR, with other EU or national data protection laws, and with their organisation’s policies on the protection of personal data. This includes assigning responsibilities, raising awareness and staff training.
Position of the DPO
Organisations must ensure that the DPO can operate independently of instruction, cannot be dismissed or penalised for carrying out their responsibilities and is to report directly to the highest level of management.
Case Study…
LiveWell, Inc. is a U.S. headquartered business offering health and wellness products and services across the globe, including to 650,000 customers in the EU. LiveWell regularly carries out customer surveys and trials for research and product development purposes. Data are hosted by Cirrus Limited, a cloud provider in Ireland, though certain business functions in the United States have access to data for management and IT operations. Will LiveWell need to appoint a DPO?
As yet there is no regulatory guidance, but the potential volume of data, including sensitive personal data, processed by LiveWell could make it subject to the DPO requirement.
Data Breach Notifications
The GDPR will require data breach notification to an organisation’s lead data protection authority and, in certain circumstances, to affected individuals.
New rules
In the event of a data breach, controllers will be required to notify:
• The national supervisory authority where the breach would likely result in the risk to the rights and freedoms of individuals.
• Individuals affected where the breach would likely result in a high risk to their rights and freedoms.
Notice to the Supervisory Authority
Notification to the relevant supervisory authority must be within 72 hours of becoming aware of the breach. Failure to notify when required to do so could result in a fine of up to €10 million or 2 per cent of global turnover.
When you notify you should include:
• the nature of the breach, including categories of individuals and the approximate number of records involved;
• the details of the DPO or another person if there is no DPO;
• the likely consequences of the breach; and
• a description of any, or proposed, remedial action taken.
Notices to Affected Individuals
High risk data breaches must be notified to affected individuals without undue delay, unless an exemption applies, and must contain the following information in clear and plain language:
• the nature of the breach;
• the likely consequences of the breach; and
• a description of remedial action taken as well as information about any actions the individual should take to minimise possible adverse effects.
How to prepare
• Training and awareness: ensure everyone in your organisation who handles personal data is aware of what amounts to a breach.
• Response plan: have an internal breach response plan that provides for robust detection methods, investigations and an internal reporting procedure.
Supervisory Authorities and Sanctions
Supervisory authorities will continue to play a vital role under the GDPR. Each member state must have established at least one independent supervisory authority which will be responsible for enforcing the GDPR.
Controllers and processors must have a “lead supervisory authority” located in the jurisdiction where they have their main or sole establishment. There are complex rules in place to govern cooperation between an entity’s lead supervisory authority and other supervisory authorities, which take effect where a complaint is made by a data subject. There are also mutual assistance provisions in place, and supervisory authorities may operate jointly to conduct investigations and take enforcement action.
A European Data Protection Board, tasked with ensuring the consistent application of the GDPR, will also be established. The Board will have a number of responsibilities, including issuing guidance on a number of topics and resolving disputes between supervisory authorities.
Powers of Supervisory Authorities
Supervisory authorities have robust enforcement powers which go far beyond those under the Data Protection Directive. Supervisory authorities may, for example:
• order controllers or processors to provide information;
• access a controller or processor’s premises and equipment;
• issue warnings and reprimands;
• limit or ban data processing; and
• impose administrative fines of up to €20,000,000 or 4 per cent of total worldwide turnover.
The scope of enforcement powers available to supervisory authorities and their implications for businesses will ensure that GDPR compliance remains a board-level concern.
Putting the Theory into Practice: What Next?
In a nutshell:
The GDPR will be fully in force from 25 May 2018 and will apply in the UK and across all EU member states. The countdown has already begun so your organisation must have everything prepared and in place for this seismic shift in the regulatory landscape.
Path to compliance
The ten steps to compliance are:
1 Stakeholder Awareness: Embed data protection in your organisation
2 Data Inventory: Assess and record the personal data being processed
3 GDPR Gap Analysis: Determine what additional steps are required for GDPR compliance
4 Implementation Plan: Create a project plan to address the compliance gaps
5 Governance Structure & DPO: Appoint data protection officer and create governance structure to support accountability requirements
6 Supply Chain (Processors): Ensure supplier contracts are amended to meet GDPR requirements
7 Cross-Border Transfers: Review cross-border data transfers
8 Accountability Processes: Utilise tools and processes to document compliance
9 Data Subjects’ Rights: Put in place policies and procedures to ensure rights are respected
10 Data Breach Notification: Create policy for breach response, containment, remediation and notification
Our European Team
As part of the IP, Information and Innovation Group, our IT, Privacy and Data Security team brings strength and increased connectivity in today’s information economy by developing a collaborative, cross-discipline practice focusing on data security, information governance, technology, and intellectual property services.
London
Cynthia O’Donoghue, Partner, International Head of IT, Privacy & Data Security, London, +44 (0)203 116 3494, [email protected]
Philip Thomas, Counsel, London, +44 (0)203 116 3526, [email protected]
Katalina Bateman, Senior Associate, London, +44 (0)203 116 2866, [email protected]
Chantelle Taylor, Associate, London, +44 (0)203 116 3481, [email protected]
Curtis McCluskey, Associate, London, +44 (0)203 116 3467, [email protected]
Tom Evans, Associate, London, +44 (0)203 116 3653, [email protected]
United States
Mark Melodia, Partner, New York, +1 212 205 6078, [email protected]
Bart Huffman, Partner, Houston, +1 713 469 3874, [email protected]
Thomas Quinlan, Partner, Silicon Valley, +1 650 352 0527, [email protected]
Thought Leadership
For more insight into the GDPR and other Data and Technology related matters, please take a look at our blog, the Technology Law Dispatch, at: www.technologylawdispatch.com
Recognition
Our team has been recognised over a number of years with rankings in both the Chambers and Legal 500 directories.
"The team is responsive and approachable, very helpful and makes an effort to keep us updated about the latest important developments." Chambers & Partners 2017
Paris
Daniel Kadar, Partner, Paris, +33 (0)1 76 70 40 86, [email protected]
Caroline Gouraud, Associate, Paris, +33 (0)1 76 70 40 34, [email protected]
Munich
Thomas Fischl, Counsel, Munich, +49 (0)89 20304 178, [email protected]
Alexander Hardinghaus, Associate, Munich, +49 (0)89 20304 134, [email protected]
Athens
Anthony Poulopoulos, Partner, Athens, +30 (0)210 41 99 423, [email protected]
Doretta Frangaki, Associate, Athens, +30 (0)210 41 99 425, [email protected]
ABU DHABI
ATHENS
BEIJING
CENTURY CITY
CHICAGO
DUBAI
FRANKFURT
HONG KONG
HOUSTON
KAZAKHSTAN
LONDON
LOS ANGELES
MUNICH
NEW YORK
PARIS
PHILADELPHIA
PITTSBURGH
PRINCETON
RICHMOND
SAN FRANCISCO
SHANGHAI
SILICON VALLEY
SINGAPORE
TYSONS
WASHINGTON, D.C.
WILMINGTON
reedsmith.com
Reed Smith is a global relationship law firm with more than 1,800 lawyers in 26 offices throughout the United States, Europe, Asia and the Middle East.
Founded in 1877, the firm represents leading international businesses, from Fortune 100 corporations to mid-market and emerging enterprises. Its lawyers provide litigation and other dispute-resolution services in multi-jurisdictional and high-stakes matters, deliver regulatory counsel, and execute the full range of strategic domestic and cross-border transactions. Reed Smith is a preeminent advisor to industries including financial services, life sciences, health care, advertising, entertainment and media, shipping and transport, energy and natural resources, real estate, manufacturing and technology, and education.
This document is not intended to provide legal advice to be used in a specific fact situation; the contents are for informational purposes only. “Reed Smith” refers to Reed Smith LLP and related entities. © Reed Smith LLP 2016
