
MARCH MADNESS: EMERGING LEGAL ISSUES AND TRENDS

Session 8: 4:30-5:30 Presented by Reed Smith

Title: GDPR and Data Privacy Counseling - Effective May 2018

Moderator: Thomas J. Quinlan - Partner, Reed Smith LLP

Speakers: Bart W. Huffman - Partner, Reed Smith LLP

Aileen Casanave - Deputy General Counsel, Jiff, Inc.

Dr. Andreas Splittgerber - Partner, Olswang


San Francisco: T +1 415 659 5979, F +1 415 391 8269
Silicon Valley: T +1 650 352 0527, F +1 650 352 0699

Thomas J. Quinlan, Partner
[email protected]

Practice Areas
• Japan Business Team
• Life Sciences
• Mergers & Acquisitions
• Emerging Growth / Venture Capital
• Capital Markets
• Health Care Fraud and Abuse
• Life Sciences Intellectual Property
• Life Sciences Transactions
• Technology Transactions
• Life Sciences Health Industry Group
• Health Care
• Corporate & Securities

Education
• University of San Francisco School of Law, 1985, J.D.
• Santa Clara University, 1974, B.S.

Professional Admissions / Qualifications
• California

Overview

Tom is an experienced corporate partner who advises emerging and established technology, healthcare and life science companies. He has organized numerous businesses and joint ventures in many jurisdictions and has advised Boards and management on corporate governance and shareholder rights. Tom has acted as outside general counsel for many private companies.

Tom represents companies in several industries and at many different stages of development. Tom advises these clients on corporate and securities issues, equity and debt finance and the acquisition and protection of intellectual property. Tom has substantial experience in negotiating capital investment, joint ventures, mergers and acquisitions and other complex transactions.

Tom also enjoys the negotiation of technology licenses and development agreements because it often puts him in close contact with the core business strategy of his clients. Tom has negotiated manufacturing and IT outsourcing agreements including many varieties of SaaS, BPaaS and other cloud computing and outsourcing arrangements common in businesses. Many of these outsourcing arrangements involve companies in regulated industries that have special requirements for product compliance and data security, especially financial institutions and healthcare and life science companies.

Tom is a CIPP/US (Certified Information Privacy Professional). He advises clients on the requirements of the many laws affecting data security and electronic communications and the transfer and protection of regulation-sensitive information. Tom has advised on compliance regarding privacy policies, data agreements and service arrangements.

Early in his career, Tom was counsel to several hospitals and healthcare related businesses. Tom is very experienced in the laws and regulations specifically affecting healthcare and life science businesses today, such as HIPAA, anti-kickback statutes, referral prohibitions, and state corporate practice of medicine provisions.

Tom has substantial experience in mergers and acquisitions, and domestic and international distribution agreements. Examples of recent transactions in which Tom has had a major role include:

• Represented buyer (and service provider) in acquisition of technology assets from major health plan and large multi-year agreement for outsourced BPaaS services to be provided to the health plan.
• Represented private equity fund buyer in acquisition of Concord Music Group.
• Represented founders of a well-regarded “big data” incubator in venture backed financing.
• Represented perishable fulfillment and logistics SaaS platform in sale to private equity firm for more than $300 million.
• Represented financial planning and budgeting SaaS provider in $20 million private equity fund investment.
• Advised large medical device company in the restructuring of the global distribution network of an acquired company.
• Negotiated cross-border manufacturing outsourcing arrangement for large medical device company valued at $100 million a year.
• Negotiated numerous IT related agreements on behalf of financial services company separating its IT infrastructure from other affiliates’ due to regulatory sensitivity.
• Advised large international pharmaceutical company on California aspects of tender offer and practice of medicine issues relating to a tender offer for a California company.
• Advised China-based investment fund in acquisition of California development project.
• Advised California based peer to peer finance company in capital raise.
• Advised French parent company in reorganization of U.S. affiliates.

Tom is a frequent speaker on the negotiation of intellectual property agreements, protection of intellectual property, data privacy and legal issues facing early stage and growth companies.

Employment History
• 1985 - Reed Smith LLP
• 1977-1983 - U.S. House of Representatives

Professional Affiliations
• Editorial Advisory Board of the BNA Life Science Law & Industry Report
• International Association of Privacy Professionals
• American Health Lawyers Association, Chair Life Sciences Practice Group 2012-2014, Vice Chair 2008-2012
• American Bar Association
• Board of Directors of Junior Achievement of Northern California, pro bono General Counsel


News & Publications

Publications
• 2014 - Introduction to the Regulation of Medical Devices, in Fundamentals of Life Sciences Law: Drugs, Devices, and Biotech (Second Edition) (Articles Published)

Speaking Engagements
• 16 October 2014 - Keiretsu Forum, "Opportunities from University Sponsored Incubators," San Francisco, CA (Seminar)
• September 2014 - SVC Wireless Conference, "Smart Home, Smart Body and Smart World," Mountain View, CA (Seminar)
• 23 June 2014 - SelectUSA Investment Seminar at BIO 2014, "Practical Advice on Investing in the U.S. Life Science Industry: Opportunities, Best Practices, and Challenges," San Diego Convention Center, San Diego, CA (Seminar)
• June 2014 - SelectUSA Investment Seminar at BIO 2014, "Practical Advice on Investing in the U.S. Life Science Industry: Opportunities, Best Practices, and Challenges," San Diego, CA (Seminar)
• 16 June 2014 - K4 Entrepreneur Academy, "Understanding and Negotiating Term Sheets," San Francisco, CA (Seminar)
• 16 April 2014 - Cisco Meetup: Innovation Powered by Internet of Everything and Big Data, Santa Clara, CA (Seminar)


• 9 April 2014 - Reed Smith’s Big Data Health Care Conference, Quadrus Conference Center, Menlo Park, CA (Seminar)
• 17 January 2013 - MCLE Day 2013, "Emerging Issues in Data Privacy and Security Law," Reed Smith, San Francisco, CA (CLE / CPD)
• 16 January 2013 - MCLE Day 2013, "Emerging Issues in Data Privacy and Security Law," Wells Fargo Atrium, Los Angeles, CA (CLE / CPD)
• 25 April 2007 - Life Sciences Law Institute, San Francisco, CA (Seminar)
• September 2006 - Financial Institutions Committee Meeting, Business Law Section, State Bar of California, "2006 Update on Data Security Litigation" (Seminar)

Bart W. Huffman, Partner
Houston: T +1 713 469 3874, F +1 713 469 3899

Practice Areas
• Information Technology, Privacy & Data Security

Education
• University of Texas School of Law, J.D., with honors
• Princeton University, B.S.E., Civil Engineering/Operations Research, cum laude, Tau Beta Pi

Professional Admissions / Qualifications
• Texas
• New York
• California
• U.S. Patent and Trademark Office

Court Admissions
• U.S. Court of Appeals - Fourth Circuit
• U.S. Court of Appeals - Fifth Circuit
• U.S. Court of Appeals - Seventh Circuit
• U.S. Court of Appeals - Ninth Circuit
• U.S. Court of Appeals - District of Columbia Circuit
• U.S. District Court - Eastern District of Texas
• U.S. District Court - Northern District of Texas
• U.S. District Court - Southern District of Texas
• U.S. District Court - Western District of Texas
• U.S. Bankruptcy Court - Eastern District of New York

Overview

Bart is a partner in the firm’s Information Technology, Privacy & Data Security Group. He has a systems engineering background and experience in privacy and information security matters that spans the modern history of the practice area. Bart provides advice concerning a wide range of matters within his field, including cybersecurity program development, enterprise cloud computing and other IT services agreements, company policies, information security preparedness, and data breach response. He regularly works and speaks on privacy and security matters for the oil & gas industry, transportation, financial services, and other critical infrastructure. He also has a proven track record in significant online copyright and litigation matters, including representation of some of the largest ISPs in various venues and appellate courts in matters involving Internet subscriber data. Bart holds a J.D. from the University of Texas (with honors) and a B.S.E. from Princeton University (cum laude, Tau Beta Pi) in Civil Engineering & Operations Research with a Certificate in Engineering and Management Systems.

Bart is admitted to practice law in Texas, New York and California, and before the U.S. Patent & Trademark Office. He is also a Certified Information Privacy Professional/US, and serves on the Certifications Advisory Board of the International Association of Privacy Professionals. Bart has served as a visiting fellow of the Center for Information Technology at Princeton University, and he is currently an adjunct professor, teaching Privacy and Cyber Security in the Information Age at the University of Texas School of Law.

Employment History
• 2017 - Reed Smith
• Locke Lord

Honors & Awards
• Listed, Legal 500, Media, technology and telecoms – Technology – data protection and privacy (2016)
• Martindale-Hubbell AV Peer Review Rating
• San Antonio Business Journal, "Outstanding Lawyer of the Year - Intellectual Property" (2010)

Professional Affiliations
• Adjunct Professor, The University of Texas School of Law


Court Admissions (cont’d)
• U.S. District Court - Eastern District of California
• U.S. District Court - Southern District of California
• U.S. District Court - Central District of California
• U.S. District Court - Northern District of Illinois
• U.S. District Court - District of Maryland

Professional Affiliations (cont’d)
2014
• Children's Activities Chair/Co-Chair, Princeton Class of 1988 Reunions Committees for 20th (2008), 25th (2013), and 30th (2018) Reunions
• Corporate Committee Member, The McNay Art Museum, 2006-2012
• President, Princeton Alumni Association of San Antonio and South Texas, 2003-2012
• Princeton University Alumni Council: Executive Committee, 2005-2009; Regional Associations Chair, 2007-2009
• San Antonio Convention and Visitors Commission: Commissioner, 2003-2007; Budget and Finance Chair, 2006-2007

Experience
• General privacy and data security advice for clients in financial, energy, consumer services, governmental (tolling), and other industries
• Represent companies in cybersecurity preparedness, including development of incident response plans, tabletops, and work on information security policies
• Data breach response (experience over the course of a decade), and negotiation of breach response services contracts
• Information technology contract negotiations, including global enterprise cloud computing, disaster recovery, forensic consulting, managed security, software development and licensing, and systems integration work
• Represent Internet service providers in online copyright and subscriber identification disputes and negotiations, and related internal policies and procedures
• Cybersecurity governance and risk management, including compliance and programs for handling of information by vendors, service providers, and business partners
• Privacy impact assessment and related contract negotiations and advice
• Internet-based commercial services agreements (browser development, remote technology support, mobile-controlled home security, vehicle content delivery, etc.)
• Legislative support and testimony before Texas House and Senate committees on privacy issues
• M&A diligence support for privacy and information security
• SME support in connection with health data exchange and other cyber insurance policies
• Lead counsel for pretexting litigation in Texas and California on behalf of national Internet service provider

News & Publications

News
• 21 February 2017 - "Reed Smith Adds Four More Attorneys in Houston" (New Arrivals, News Releases)

Speaking Engagements
• 14 April 2017 - UT Law 2017 Oil, Gas and Mineral Law Institute, "Cybersecurity for Oil & Gas Attorneys: Understanding the Ethical and Legal Obligations," Houston, TX (Seminar)

• 25-26 January 2017 - Cybersecurity and Data Privacy Law Conference, Institute for Law and Technology, "A View from Inside: Perspectives of In-House Counsel Responsible for Addressing Cyber and Data Privacy Issues" and "Communicating with and Protecting Senior Corporate Leadership from Cyber and Privacy Risks," Plano, TX (Seminar)
• 19 August 2016 - University of Texas Essential Cybersecurity Law Conference, "Responding to a Data Breach," Austin, TX (Seminar)
• 8 July 2016 - International Association of Privacy Professionals Austin KnowledgeNet Chapter Meeting, "The Emerging EU-U.S. Privacy Shield Framework and GDPR Update," Austin, TX (Seminar)
• 18-19 February 2016 - Institute for Energy Law, Center for American and International Law, 67th Annual Oil & Gas Law Conference, "’Reasonable and Appropriate’ Security in the Information Age," Houston, TX (Seminar)
• 26 January 2016 - Cybersecurity and Data Privacy Law Conference, Institute for Law and Technology, "A View from Inside: Perspectives of In-House Counsel Responsible for Addressing Cyber and Data Privacy Issues," Plano, TX (Seminar)
• 10 July 2015 - National Conference of Insurance Guaranty Funds 2015 Legal Seminar, "Cyber Liability: Non-Technical Issues in Risk Management," San Francisco, CA (Seminar)
• 22 May 2015 - 28th Annual University of Texas Technology Law Conference, "Cloud Computing: Critical Business, Technology, Legal, and Regulatory Considerations and Negotiation Strategies" and "Responses to a Data Breach: Incident Response Planning and Advanced Preparedness" (Seminar)
• 6 May 2015 - Oil & Gas Division of the International Association for Contract & Commercial Management, San Antonio, TX (Seminar)


© 2017 Reed Smith LLP. All rights reserved


SPEAKER BIO: AILEEN CASANAVE

Aileen F. Casanave, Deputy General Counsel, Acting General Counsel and Privacy Counsel, Jiff, Inc.

Aileen F. Casanave is Deputy General Counsel (acting General Counsel) and Privacy Counsel for Jiff, Inc., an enterprise health benefits platform software services company, where she provides business and legal support to the CEO and CFO and manages the company’s legal, immigration, and regulatory compliance matters. Aileen is also General Counsel to the African American Community Service Agency (AACSA), President of the Santa Clara County Black Lawyers Association (SCCBLA), and Chair of ACC-SFBA’s Career Advancement Committee. For the past three decades, Aileen has worked tirelessly to promote diversity, global inclusion, social justice and public interest in the community, and in the legal sector in particular. She developed numerous diversity and mentoring programs in and out of the workplace while at Lockheed Martin, Sun Microsystems and TIBCO Software Inc. She serves on multiple boards dedicated to diversity or public interest, including the Public Interest and Social Justice Law Board at Santa Clara Law School, Santa Clara County Black Lawyers Association, California Association of Black Lawyers (CABL), Santa Clara County Bar Association, and the Diversity & Inclusion Committee of the Association of Corporate Counsel's San Francisco Bay Area chapter; from 2010-2016, Aileen served on the USF School of Law Board of Governors (where she continues to serve on the Employment committee as a non-board member). Aileen has taught Critical Race Theory and housing discrimination at Santa Clara Law School and created Law Day events where attorneys of color discuss issues of law with children in underserved grammar and high schools in the Bay Area.

In 2013, she completed an exhibit at San Jose City Hall called And Justice For All: The History of African-Americans in Santa Clara County's Judicial System, and has hosted a Gideon Celebration, a celebration of America's Sixth Amendment right to counsel honoring the careers of four Public Defenders from the counties of Santa Clara, Alameda, Contra Costa and San Francisco. Aileen was awarded the Women Lawyers Division of the National Bar Association’s Lawyer of the Year award, the 2016 California Association of Black Lawyers’ President’s Award, the California Women Lawyers’ Woman of Achievement Award and the Silicon Valley Women of Influence Award, and was inducted into the Silicon Valley Black Legends Hall of Fame in February 2017.


SPEAKER BIO: ANDREAS SPLITTGERBER


GDPR and Data Privacy Counseling

March 24, 2017

Presented by:

Thomas Quinlan, Reed Smith
Aileen Casanave, Jiff, Inc.
Bart Huffman, Reed Smith
Andreas Splittgerber, Olswang

IP, Information & Innovation


Reed Smith LLP

What is Important?
• Time for compliance
• Extra-territorial applicability
• Cultural shift (privacy by design)
• Regulatory emphasis within the EU
• Fines and private rights of action


GDPR Timeline
• May 24, 2016 - Entered into force
• Today - Getting ready…
• May 25, 2018 - GDPR applies

295 business days left (427 calendar days left)


GDPR and National Laws
• Not really a harmonizing EU law
• Opening clauses create options for national provisions
• Organizations must also consider national laws that will be introduced within the next 1.5 years
• Example GERMANY: the German Ministry of the Interior has drafted a national "Federal Data Protection Act" to supplement the GDPR


The Long Arm of the Law: Extra-Territorial Application
The GDPR applies to controllers and processors “regardless of whether the processing takes place in the European Union or not”. For controllers and processors not established in the EU, the extra-territorial application of the GDPR is triggered when:
• goods or services are offered to data subjects in the EU (whether or not payment is required); or
• the behaviour of data subjects in the EU is monitored or tracked through the use of technology.

Organisations which do not have an establishment in the EU – and which consider themselves to operate outside the scope of EU data protection law – are now subject to data protection regulation pursuant to the GDPR. Note that the test is the data subject’s presence in the EU, not EU citizenship.


Territorial Application of the GDPR

Art. 3(1) - data controller or data processor established in the EU
• GDPR applies if the data controller or data processor is established in the EU
• It is irrelevant on which territory the personal data is actually processed

Art. 3(2) - data controller or data processor not established in the EU
GDPR applies if the data subject is in the EU; and
• goods or services are offered to data subjects in the EU (Art. 3(2)(a)); or
• the data subject’s behavior in the EU is being monitored (Art. 3(2)(b))


Impact for U.S. Companies
• GDPR applies to EU subsidiaries
• GDPR may also apply directly to the U.S. parent entity under the Art. 3(2) scenario above (offering goods or services to, or monitoring, data subjects in the EU)
• The U.S. parent or EU sub may be a controller (e.g. for HR and customer data) or a processor (e.g. for data stored by customers)
• One-stop shop (a single lead supervisory authority) if there is more than one sub in the EU
• Special rules apply to data transfers from Europe to the U.S. (Privacy Shield, SCCs, BCRs, Codes of Conduct, etc.)


Supervisory Authorities and Sanctions

Powers of Supervisory Authorities
The GDPR provides supervisory authorities with robust enforcement powers which go far beyond those under the Data Protection Directive. For example, they can:
• order controllers or processors to provide information;
• access a controller’s or processor’s premises and equipment;
• issue warnings and reprimands;
• limit or ban data processing; and
• impose administrative fines of up to €20 million or (for undertakings) 4% of total worldwide annual turnover, whichever is higher.

‘Undertakings’
Administrative fines are applied to ‘undertakings’ – defined by reference to the competition law definition in Articles 101 and 102 TFEU. This views undertakings as economic units, so the turnover on which a fine is calculated potentially includes that of group companies.


The Essence of the GDPR: Data Protection Principles
Article 5 of the GDPR sets out the major principles that all organisations are required to comply with when they process personal data.

• Lawfulness, fairness and transparency - Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject
• Purpose limitation - Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes
• Data minimisation - Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
• Accuracy - Personal data must be accurate and, where necessary, kept up to date
• Storage limitation - Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
• Integrity and confidentiality - Personal data must be processed in a way that ensures appropriate security of personal data
• Accountability - The controller shall be responsible for, and be able to demonstrate, compliance with the principles


Embedding Data Protection in Your Organisation
Data protection is set to become an integral part of both the technological development and organisational structure of new products or services. The GDPR introduces Data Protection by Design and by Default, which in practice means that all organisations must take data protection into consideration from the outset of new projects or initiatives.

Data Protection by Design
An organisation needs to show that adequate security measures have been implemented and that compliance is monitored. Data protection is therefore baked in, not bolted on, at the concept phase of any product, service or use of technology that will involve the processing of personal data.

Data Protection by Default
This means that the strictest privacy settings automatically apply once a customer acquires a new product or service. Therefore, by default, only personal data which are necessary for specific identified purposes are processed.


What is New?
• Harmonization of laws and "one stop" enforcement?
• Non-EU organizations are caught
• Increased rights and remedies for individuals
• Stricter rules on governance and documentation
• Higher standard for consent and other conditions
• Stronger obligations for processors
• Security standards and breach notification requirements
• Impact on international data transfers


Rights of Individuals
The GDPR preserves a number of existing rights of data subjects to access their personal data but importantly, as well as providing further obligations on those existing rights, it also creates new rights:

New Rights
• Right to restrict processing - Requirement: Controller to restrict processing (other than storage) where: (i) accuracy is contested by the data subject; (ii) processing is unlawful but the data subject does not request erasure; (iii) processing is no longer necessary; or (iv) the data subject has objected to the processing and the controller determines that no overriding legitimate grounds exist. If data have been disclosed to a third party, the controller must inform them of the restriction unless this is impossible or involves disproportionate effort.
• Rights against automated decision making and profiling - Requirement: Controller to identify whether operations constitute automated decision making and update such operations so as to ensure the process allows for human intervention. Exemptions available to the controller.
• Right to data portability - Requirement: Controller to provide the personal data (that are processed in an automated way) in a structured, commonly used and machine-readable format and, where requested and technically feasible, transmit them directly to another controller.


Transparency and Consent
• More than ever, transparency will be key, i.e. adequately informing individuals about how their personal data will be processed by the organisation and offering them control over the processing.
• The GDPR imposes onerous requirements on consent, and seeking consent will only be appropriate if the individual has a genuine choice over the matter, e.g. whether to be sent marketing materials.
• Consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes.

Top Tips:
– Use plain language – an intelligible, accessible form, in clear and plain language.
– Separate – make it distinguishable from the rest of the text, and do not bundle it with other written agreements or declarations.
– Affirmative action – inactivity or silence will not be enough and the use of pre-ticked boxes is not permitted. However, consent through a clear course of conduct will remain valid.
– Granular – separate consents must be obtained for distinct processing purposes.
– Can be withdrawn – the individual must be able to withdraw consent easily at any time and must be told that before giving consent.
– Not tied to contract – supply of services cannot be made contingent on consent to processing which isn’t necessary to the services being supplied.
– Free choice – consent may be invalid if the individual does not have a genuine free choice or if there is a detriment if they refuse or withdraw consent.


Data Breach Notifications
The GDPR will require data breach notification to an organisation's lead data protection authority and, in certain circumstances, to affected individuals.

New rules
In the event of a personal data breach, controllers will be required to notify:
• The national supervisory authority, where the breach is likely to result in a risk to the rights and freedoms of individuals.
• The affected individuals, where the breach is likely to result in a high risk to their rights and freedoms.
A processor that becomes aware of a breach must notify the controller without undue delay, so processor contracts and incident response plans need to provide for this.

Notice to the Supervisory Authority
Notification to the relevant supervisory authority must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach; a later notification must be accompanied by the reasons for the delay. Failure to notify when required to do so could result in a fine of up to €10 million or 2 per cent of global annual turnover, whichever is higher. When you notify you should include:
• the nature of the breach, including the categories and approximate number of individuals and records involved;
• the contact details of the DPO, or of another contact point if there is no DPO;
• the likely consequences of the breach; and
• a description of the remedial action taken or proposed.


Data Breach Notifications (cont'd)
Notices to Affected Individuals

High risk data breaches must be notified to affected individuals without undue delay, unless an exemption applies, and the notice must contain the following information in clear and plain language:
• the nature of the breach;
• the likely consequences of the breach; and
• a description of the remedial action taken, as well as information about any actions the individual should take to minimise possible adverse effects.


What to Do?
In a nutshell: The GDPR will be fully in force from 25 May 2018 and will apply in the UK and across all EU member states. The countdown has already begun, so your organisation must have everything prepared and in place for this seismic shift in the regulatory landscape.

Path to compliance
The ten steps to compliance are:
1. Stakeholder Awareness: Embed data protection in your organisation
2. Data Inventory: Assess and record the personal data being processed
3. GDPR Gap Analysis: Determine what additional steps are required for GDPR compliance
4. Implementation Plan: Create a project plan to address the compliance gaps
5. Governance Structure & DPO: Appoint a data protection officer and create a governance structure to support accountability requirements
6. Supply Chain (Processors): Ensure supplier contracts are amended to meet GDPR requirements
7. Cross-Border Transfers: Review cross-border data transfers
8. Accountability Processes: Utilise tools and processes to document compliance
9. Data Subjects' Rights: Put in place policies and procedures to ensure rights are respected
10. Data Breach Notification: Create a policy for breach response, containment, remediation and notifications


Accountability and GovernanceWhat does accountability mean?

• Under the GDPR, organisations must not only comply with the six general principles, but also be able to demonstrate they comply with them.

• The key to accountability is to embed compliance into your business, by adopting ‘data protection by design’ measures, staff training programmes and undertaking audits.

Data Processing Inventory

• Controllers must keep a record of their data processing activities; processors must keep a record of the categories of processing carried out on behalf of each controller.

Data Protection Impact Assessments

• Where any new project will involve “high risk” processing (such as monitoring activities, systematic evaluations or processing of sensitive data) it will be mandatory for organisations to carry out a data protection impact assessment.

Codes & Certification

• The GDPR includes the possibility of co-regulation through the development of private sector Codes of Conduct or Certification.

Data Protection Officer

• In some circumstances organisations will be required to appoint a Data Protection Officer to implement and oversee compliance with the GDPR.


Supply Chain
The greatest impact of the GDPR on a controller's dealings with its suppliers is the requirement to ensure sufficient guarantees of data protection. This was already present in the Data Protection Directive but was not anchored as a legal requirement in such explicit terms as we see now.

Supplier due diligence
Controllers are required to carry out due diligence on suppliers (processors) processing personal data on their behalf. They will need to ensure suppliers can provide sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of the Regulation, including measures to ensure the security of processing.


Supply Chain (cont'd)
Supplier obligations
Processing by a supplier should be governed by a written, binding contract setting out the subject matter, duration, nature and purposes of the processing, the type of personal data and the data subjects.

Under article 28 of the GDPR the contract must stipulate that the supplier will:
• only process personal data on the controller's documented instructions;
• ensure those with access to personal data have committed themselves to confidentiality;
• take all security measures required under the Regulation;
• ensure the same obligations flow down to any sub-contractors, who may only be engaged with the controller's authorisation;
• assist the controller in complying with its obligations under the Regulation, including responses to requests by individuals to exercise their rights under the Regulation;
• delete or return all personal data at the end of the arrangement; and
• make available all information necessary to demonstrate compliance with these obligations, and allow for and contribute to audits.


International Data Transfers
Under the GDPR, data transfers to countries outside of the European Economic Area (EEA) remain subject to restrictions. Restrictions also apply to "onward transfers" of data from an importer to another third country or organisation. International transfers under the GDPR can take place on the following bases:

Adequacy Decisions
If the European Commission has adopted a decision that the third country, territory or sector involved in the transfer provides an 'adequate' level of protection for the data being transferred, data may flow freely between the EEA and that country, territory or sector.

Appropriate Safeguards
• EU-U.S. Privacy Shield framework.
• Model clauses: Model contractual clauses approved by the European Commission may be used in order to legitimise transfers between the contracting parties.
• Binding Corporate Rules: Binding Corporate Rules are explicitly recognised in the text of the GDPR, which confers a level of legitimacy. BCRs are a method of legalising the international transfer of personal data within a group of companies and are available for both controllers and processors.
• EU Codes of Conduct: The GDPR provides that approved codes of conduct, along with binding and enforceable commitments of the controller or processor, may be used. No such codes of conduct have yet been approved.
• EU Certification: The GDPR also provides for approved certification mechanisms to be used as a basis for data transfers, along with binding and enforceable commitments of the controller or processor. No such certification mechanisms have yet been approved.

Specific Derogations
• Explicit consent
• Contract performance
• Public interest
• Legal claims
• Vital interests
• Public source


Questions?

Content of the GDPR
Chapter I: General provisions
Chapter II: Principles
Chapter III: Rights of the data subject
Chapter IV: Controller and processor
Chapter V: Transfer of personal data to third countries or international organisations
Chapter VI: Independent supervisory authorities
Chapter VII: Cooperation and consistency
Chapter VIII: Remedies, liability and penalties
Chapter IX: Provisions relating to specific processing situations
Chapter X: Delegated acts and implementing acts
Chapter XI: Final provisions


Contact Us

Thomas Quinlan – Partner, Reed Smith – +1 650 352 [email protected]

Aileen Casanave – Deputy General Counsel, Jiff, Inc. – +1 408 390 [email protected]

Bart Huffman – Partner, Reed Smith – +1 713 469 [email protected]

Dr. Andreas Splittgerber – Partner, Olswang – +49 89 [email protected]

IP, Information and Innovation
Data Protection

GDPR: Preparing for the European General Data Protection Regulation

Contents
The Background: from Directive to Regulation 1
Data Protection Principles 2
Accountability and Governance 3
Rights of Individuals 5
Embedding Data Protection in Your Organisation 7
Data Protection: by Design or by Default? 8
Supply Chain 9
International Data Transfers 10
Data Protection Officers 11
Data Breach Notifications 12
Supervisory Authorities and Sanctions 13
Putting the Theory into Practice: What Next? 14
Our European Team 15

The Background: from Directive to Regulation

For a little over 20 years, the protection of individuals in relation to the collection, use and processing of their personal data has been governed in Europe by the Data Protection Directive (95/46/EC) (the Directive), adopted and implemented in national law by all 28 EU member states.

Reform began in 2012, aimed at harmonising data protection across the EU via a General Data Protection Regulation which, as an EU regulation, would have direct effect across all EU member states. This reform also sought to ensure that the governing law was updated to account for the rise of personal technology and the vast array of devices now at the EU's disposal. New technology means new risks as well as new ways of collecting and using data.

It took nearly four years of consultation to agree the General Data Protection Regulation (the GDPR or Regulation). It was formally adopted on 27 April 2016 and published in the Official Journal of the European Union on 4 May 2016, entering into force 20 days later. A transitional period of two years was then agreed, during which organisations would have time to prepare for 25 May 2018, when the Regulation becomes enforceable.

The long arm of the law
The GDPR applies to controllers and processors "regardless of whether the processing takes place in the European Union or not". The extra-territorial application of the GDPR is triggered when:
• goods or services are offered to individuals in the EU (regardless of their citizenship); or
• the behaviour of individuals in the EU is monitored or tracked through the use of technology.

Organisations which do not have an establishment in the EU – and which consider themselves to operate outside the scope of EU data protection law – are now subject to data protection regulation pursuant to the GDPR.

How does this affect your business?
By the time the GDPR applies in May 2018, you will need to make sure that all practices, policies and processes relating to the collection and use of personal data across your organisation have been assessed and brought into alignment with the requirements of the new Regulation.

We have prepared this publication to lay out the new obligations being ushered in by the GDPR, in order for you to better understand what the Regulation expects from your business in relation to the data you hold, whether it relates to your employees, customers or suppliers.

Data Protection Principles

Article 5 of the GDPR sets out the major principles that all organisations are required to comply with when they process personal data.

GDPR: Preparing for the European General Data Protection Regulation Reed Smith LLP 03

Accountability and Governance

Some of the most important new requirements under the GDPR are those pertaining to accountability. Accountability means that organisations must demonstrate compliance with the GDPR.

What will Accountability actually look like under the Regulation?
Under the GDPR there is no change in the definitions of the two key roles, data controller and data processor, but we expect the way liabilities are negotiated to change, with increased complexity (at least initially). Why? Simply stated, for the first time data processors will take on a direct regulatory responsibility and, therefore, liability. Supervisory authorities may develop a new 'contributory negligence' approach to enforcement and sanctions.

Controller
A data controller can be an individual or an entity. Data controllers determine the purposes for and means of processing personal data, and are accountable for compliance with the GDPR principles.

Processor
A data processor is an individual or entity which processes personal data on behalf of a controller.

The concept of the data processor is well known from the Data Protection Directive. For the first time, data processors are subject to direct regulation by supervisory authorities under the GDPR. Although processors have several obligations, two of the most notable are:
• Implementation of sufficient security measures, having regard to the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing.
• Maintenance of records of all categories of processing activities carried out on behalf of a data controller, including details of any international data transfers.

Accountability in practice
Data controllers will continue to be responsible and accountable for compliance and governance, with the GDPR elevating the significance of their role.

Data processors will be in line for greater liability now that they will be directly regulated. As a result, we expect to see a significant impact on contracts with service providers.

Data Protection Officers (DPOs) will assume a vital and powerful role. We may increasingly see the voluntary appointment of DPOs as a means of centralising the accountability function.

Governance
Accountability means that governance structures must have the spotlight shone on them. With the requirement for some organisations to appoint a DPO (as a minimum governance requirement), some aspects of governance may become more prescriptive, with some decisions taken out of the hands of the business. In practice, organisations will be expected to put into place comprehensive but proportionate governance measures, including:
• Appropriate technical and organisational measures
• Recording of processing activities
• Appointment of a Data Protection Officer (where appropriate)
• Implementation of Data Protection by Design and by Default
• Development and use of Data Protection Impact Assessments

Demonstrating Compliance
As part of accountability, organisations must be able to demonstrate not only that they have a compliance framework in place but also that they implement and adhere to these measures.

Rights of Individuals

The GDPR preserves a number of existing rights of data subjects in relation to their personal data but importantly, as well as imposing further obligations in respect of those existing rights, it also creates new rights. The tables below summarise the impact and key obligations as regards controllers receiving requests from data subjects.

New Rights

Right to restrict processing
Requirement: Controller to cease processing where: (i) accuracy is contested by the data subject; (ii) processing is unlawful but the data subject does not request erasure; (iii) the controller no longer needs the data but the data subject requires them for legal claims; or (iv) the data subject has objected to the processing, pending verification of whether the controller's legitimate grounds override those of the data subject. If the data have been disclosed to a third party, the controller must inform them of the restriction unless this is impossible or involves disproportionate effort.

Rights against automated decision making and profiling
Requirement: Controller to identify whether operations constitute automated decision making and update such operations so as to ensure the process allows for human intervention. Exemptions available to controller.

Right to data portability
Requirement: Controller to provide the personal data (that are processed by automated means) in a structured, commonly used and machine-readable format and, where requested and technically feasible, transmit them directly to another controller.

Existing Rights

Right to be informed
Requirement: Controller to provide data subjects with information relating to the processing of their personal data in a concise, clear and intelligible manner.
Changes to existing law(s): More detailed information to be provided, the content of which depends on whether the data were obtained directly from the data subject.

Right of access
Requirement: Controller to confirm whether personal data are being processed and, if so, provide access.
Changes to existing law(s): Information to be provided free of charge and within one month of receipt. Where the request is made electronically, information to be provided in a "commonly used electronic format".

Right to rectification
Requirement: Controller to rectify inaccurate or incomplete personal data without undue delay.
Changes to existing law(s): Where the controller has disclosed the personal data to a third party, the controller must inform them of the rectification.

Right to object
Requirement: Controller to cease processing where the data subject's objection to processing is: (i) based on certain grounds (public interest or legitimate interest); or (ii) for certain purposes (research or statistics). Some exemptions may be available to the controller. The data subject has an absolute right to object to data being processed for direct marketing purposes; no exemptions are available to the controller.
Changes to existing law(s): Right to object to personal data being used for statistical or research purposes.

Right to erasure ('right to be forgotten')
Requirement: Controller to erase personal data when: (i) no longer necessary; (ii) consent is withdrawn; (iii) the data subject objects and the controller has no overriding legitimate grounds to hold the data; (iv) the data are unlawfully processed; (v) erasure is necessary to comply with a legal obligation; or (vi) the data were processed in connection with an online service offered to a child.
Changes to existing law(s): Broader, more specific rights created. If the data have been disclosed to a third party, the controller must inform them of the erasure unless it is impossible or involves disproportionate effort.

Embedding Data Protection in Your Organisation

A Data Protection Impact Assessment (DPIA) is a process involving the identification, assessment and minimisation of data protection risks.

Data Protection Impact Assessments
DPIAs are mandatory when processing poses a "high risk" to the rights and freedoms of individuals. Examples of "high risk" operations include:
• New technologies
• Profiling or automated processing
• Processing sensitive data (special categories of data) on a large scale
• Systematic monitoring of public areas (e.g., CCTV/video surveillance)

Once the need for a DPIA has been identified, a number of steps must be taken:
• Description of processing operations envisaged and purposes of processing
– Describe how personal data is: (i) collected, (ii) used, and (iii) deleted
– What legitimate interest is the controller pursuing?
• Assessment of necessity and proportionality of processing operations
– How many individuals are likely to be affected?
• Identification and assessment of data protection risks
– What steps are taken to address risk to: (i) the individual, and (ii) the organisation?
• Identification and evaluation of data protection solutions
– Evaluate proposed measures and safeguards for addressing risk
– What level of risk is acceptable?
• Approval and recording
– Ensure the DPIA receives sign-off at the appropriate level
– Record decisions taken to eliminate, mitigate or accept risk, and demonstrate compliance
• Integration of DPIA outcomes in the project plan
– Implement, monitor, re-assess and update the DPIA plan over the life-cycle of the project and when there is a change of risk

Prior consultation with lead Data Protection Authority
In the absence of measures to mitigate risk where high risk is identified, the controller must consult the supervisory authority prior to processing.

Worth considering…
• Organisations should think about putting a standard template in place for their business to use for any new process or activity that involves the processing of data.

Data Protection: by Design or by Default?

Data Protection is set to become an integral part of both the technological development and organisational structure of new products or services.

The GDPR introduces Data Protection by Design and Data Protection by Default, which, in practice, means that all organisations must take data protection into consideration from the outset of projects or new initiatives.

From the outset
• Organisations must take data protection into consideration from the outset of any new project, making it an integral part of the project development process… from day one.

Data Protection by Design
An organisation needs to show that adequate security measures have been implemented and that compliance is monitored. Data protection is baked in, not bolted on, from the concept phase of any product or service or use of technology. Appropriate technical and organisational measures become part of the development for each new project, service or business process.

It must be demonstrated that sufficient account is taken in regard to:
• Nature, scope, context and purposes of processing
• Likelihood and severity of risks to rights and freedoms of individuals

Data Protection by Default
Data Protection by Default means that the strictest privacy settings automatically apply once a customer acquires a new product or service. By default only personal data which are necessary for specific identified purposes are processed.

This applies to:
• Amount of personal data collection
• Extent of processing
• Period of time for storage of personal data
• Accessibility

At what stage of the project?
• At the time when determination of the means of processing is made
• At the concept and design phase of any project

Supply Chain

The greatest impact of the GDPR on a controller's dealings with its suppliers amounts to ensuring sufficient guarantees of data protection. This was previously seen in the Data Protection Directive but was not anchored as a legal requirement in such explicit terms as we see now. However, as with several aspects of the GDPR, greater clarity is expected through regulatory guidance as well as EU member states' delegated powers.

How does this affect your business?
All contracts involving personal data handling or transfers must comply with the GDPR as at 25 May 2018 – in other words, we are currently in the transition period.

Organisations should review their existing arrangements with service providers, starting with the most critical services for their business operations. Start negotiations well in advance of the GDPR deadline – otherwise you will risk being non-compliant or having third party standard terms imposed on you which could be (a) non-compliant from your perspective and/or (b) unfavourable.

Supplier due diligence
Controllers are required to carry out due diligence on suppliers (processors) processing personal data on their behalf. They will need to ensure suppliers can provide sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of the Regulation, including measures to ensure the security of processing.

Supplier obligations
Processing by a supplier should be governed by a written, binding contract, setting out the subject matter, duration, nature and purposes of the processing, the type of personal data and the data subjects. It must also take into account the specific tasks and responsibilities of the supplier and the risks involved to the rights and freedoms of the data subjects. Under article 28 of the GDPR the contract must stipulate that the supplier:
• only processes personal data on documented instructions;
• ensures those with access to personal data have committed themselves to confidentiality;
• takes all security measures required under the Regulation;
• ensures the same obligations flow down to sub-contractors;
• assists the controller in complying with its obligations under the Regulation, including responses to requests by individuals to exercise their rights under the Regulation;
• deletes or returns all personal data at the end of the arrangement; and
• makes available all information necessary to demonstrate compliance with these obligations.

International Data Transfers

Under the GDPR, data transfers to countries outside of the European Economic Area (EEA) remain subject to restrictions. Restrictions also apply to "onward transfers" of data from an importer to another third country or organisation.

International transfers under the GDPR can take place on the following bases:

1 Adequacy Decisions
If the European Commission has adopted a decision that the third country, territory or sector involved in the transfer provides an 'adequate' level of protection for the data being transferred, data may flow freely between the EEA and that country, territory or sector.

2 Appropriate Safeguards
• Model clauses: Model contractual clauses approved by the European Commission may be used in order to legitimise transfers between the contracting parties.
• Binding Corporate Rules: Binding Corporate Rules ("BCRs") are explicitly recognised in the text of the GDPR, which confers a level of legitimacy. BCRs are a method of legalising the international transfer of personal data within a group of companies and are available for both controllers and processors.
• EU Codes of Conduct: The GDPR provides that approved codes of conduct, along with binding and enforceable commitments of the controller or processor, may be used. No such codes of conduct have yet been approved.
• EU Certification: The GDPR also provides for approved certification mechanisms to be used as a basis for data transfers, along with binding and enforceable commitments of the controller or processor. No such certification mechanisms have yet been approved.

3 Specific Derogations
• Explicit consent
• Contract performance
• Public interest
• Legal claims
• Vital interests
• Public source

Worth noting…
• In exceptional cases, the controller may also invoke its compelling legitimate interest as a new specific derogation.

Data Protection Officers

Whilst some organisations can voluntarily appoint a data protection officer (DPO) as part of their accountability programme, in certain circumstances the appointment of a DPO is mandatory.

Controllers and processors must appoint a DPO where:
• the processing is carried out by a public authority;
• the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale; or
• the core activities consist of processing on a large scale of special categories of data.

The DPO can be an employee of the organisation or hired externally, and companies within a corporate group can appoint a single DPO.

The DPO must be designated on the basis of professional qualities, in particular their expert data protection knowledge and ability to fulfil their DPO responsibilities.

DPO responsibilities
The DPO will be responsible for informing and advising on the organisation’s data protection obligations, advising on the performance of data protection impact assessments, and cooperating with the supervisory authority.

The DPO must monitor compliance with the GDPR, with other EU or national data protection laws, and with their organisation’s policies on the protection of personal data. This includes assigning responsibilities, raising awareness and staff training.

Position of the DPO
Organisations must ensure that the DPO can operate independently of instruction, cannot be dismissed or penalised for carrying out their responsibilities and is to report directly to the highest level of management.

Case Study…
LiveWell, Inc. is a U.S. headquartered business offering health and wellness products and services across the globe, including to 650,000 customers in the EU. LiveWell regularly carries out customer surveys and trials for research and product development purposes. Data are hosted by Cirrus Limited, a cloud provider in Ireland, though certain business functions in the United States have access to data for management and IT operations. Will LiveWell need to appoint a DPO?

As yet there is no regulatory guidance, but the potential volume of data, including sensitive personal data, processed by LiveWell could make it subject to the DPO requirement.

Data Breach Notifications

The GDPR will require data breach notification to an organisation’s lead data protection authority and, in certain circumstances, to affected individuals.

New rules
In the event of a data breach, controllers will be required to notify:
• the national supervisory authority, where the breach would be likely to result in a risk to the rights and freedoms of individuals; and
• the individuals affected, where the breach would be likely to result in a high risk to their rights and freedoms.

Notice to the Supervisory Authority
Notification to the relevant supervisory authority must be made within 72 hours of becoming aware of the breach. Failure to notify when required to do so could result in a fine of up to €10 million or 2 per cent of global turnover.

When you notify you should include:
• the nature of the breach, including the categories of individuals and the approximate number of records involved;
• the details of the DPO, or of another contact person if there is no DPO;
• the likely consequences of the breach; and
• a description of any remedial action taken or proposed.

Notices to Affected Individuals
High risk data breaches must be notified to affected individuals without undue delay, unless an exemption applies, and the notice must contain the following information in clear and plain language:
• the nature of the breach;
• the likely consequences of the breach; and
• a description of the remedial action taken, as well as information about any actions the individual should take to minimise possible adverse effects.

How to prepare
• Training and awareness: ensure everyone in your organisation who handles personal data is aware of what amounts to a breach.
• Response plan: have an internal breach response plan that provides for robust detection methods, investigations and an internal reporting procedure.


Supervisory Authorities and Sanctions

Supervisory authorities will continue to play a vital role under the GDPR. Each member state must have established at least one independent supervisory authority which will be responsible for enforcing the GDPR.

For cross-border processing, a controller’s or processor’s “lead supervisory authority” is the authority of the jurisdiction in which it has its main or sole establishment. There are complex rules in place to govern cooperation between an entity’s lead supervisory authority and other supervisory authorities, which take effect where a complaint is made by a data subject. There are also mutual assistance provisions in place, and supervisory authorities may operate jointly to conduct investigations and take enforcement action.

A European Data Protection Board, tasked with ensuring the consistent application of the GDPR, will also be established. The Board will have a number of responsibilities, including issuing guidance on a number of topics and resolving disputes between supervisory authorities.

Powers of Supervisory Authorities

Supervisory authorities have robust enforcement powers which go far beyond those under the Data Protection Directive. Supervisory authorities may, for example:

• order controllers or processors to provide information;

• access a controller’s or processor’s premises and equipment;

• issue warnings and reprimands;

• limit or ban data processing; and

• impose administrative fines of up to €20,000,000 or 4 per cent of total worldwide turnover.

The scope of enforcement powers available to supervisory authorities, and their implications for businesses, will ensure that GDPR compliance remains a board-level concern.

Putting the Theory into Practice: What Next?

In a nutshell:
The GDPR will be fully in force from 25 May 2018 and will apply in the UK and across all EU member states. The countdown has already begun, so your organisation must have everything prepared and in place for this seismic shift in the regulatory landscape.

Path to compliance
The ten steps to compliance are:

1. Stakeholder Awareness: Embed data protection in your organisation

2. Data Inventory: Assess and record the personal data being processed

3. GDPR Gap Analysis: Determine what additional steps are required for GDPR compliance

4. Implementation Plan: Create a project plan to address the compliance gaps

5. Governance Structure & DPO: Appoint a data protection officer and create a governance structure to support accountability requirements

6. Supply Chain (Processors): Ensure supplier contracts are amended to meet GDPR requirements

7. Cross-Border Transfers: Review cross-border data transfers

8. Accountability Processes: Utilise tools and processes to document compliance

9. Data Subjects’ Rights: Put in place policies and procedures to ensure rights are respected

10. Data Breach Notification: Create a policy for breach response, containment, remediation and notification


Our European Team

As part of the IP, Information and Innovation Group, our IT, Privacy and Data Security team brings strength and increased connectivity in today’s information economy by developing a collaborative, cross-discipline practice focusing on data security, information governance, technology, and intellectual property services.

London

Cynthia O’Donoghue, Partner, International Head of IT, Privacy & Data Security, London, +44 (0)203 116 3494, [email protected]

Philip Thomas, Counsel, London, +44 (0)203 116 3526, [email protected]

Katalina Bateman, Senior Associate, London, +44 (0)203 116 2866, [email protected]

Chantelle Taylor, Associate, London, +44 (0)203 116 3481, [email protected]

Curtis McCluskey, Associate, London, +44 (0)203 116 3467, [email protected]

Tom Evans, Associate, London, +44 (0)203 116 3653, [email protected]

United States

Mark Melodia, Partner, New York, +1 212 205 6078, [email protected]

Bart Huffman, Partner, Houston, +1 713 469 3874, [email protected]

Thomas Quinlan, Partner, Silicon Valley, +1 650 352 0527, [email protected]


Paris

Daniel Kadar, Partner, Paris, +33 (0)1 76 70 40 86, [email protected]

Caroline Gouraud, Associate, Paris, +33 (0)1 76 70 40 34, [email protected]

Munich

Thomas Fischl, Counsel, Munich, +49 (0)89 20304 178, [email protected]

Alexander Hardinghaus, Associate, Munich, +49 (0)89 20304 134, [email protected]

Athens

Anthony Poulopoulos, Partner, Athens, +30 (0)210 41 99 423, [email protected]

Doretta Frangaki, Associate, Athens, +30 (0)210 41 99 425, [email protected]

Thought Leadership
For more insight into the GDPR and other data and technology related matters, please take a look at our blog, the Technology Law Dispatch, at: www.technologylawdispatch.com

Recognition
Our team has been recognised over a number of years with rankings in both the Chambers and Legal 500 directories.

"The team is responsive and approachable, very helpful and makes an effort to keep us updated about the latest important developments." Chambers & Partners 2017

Offices: Abu Dhabi, Athens, Beijing, Century City, Chicago, Dubai, Frankfurt, Hong Kong, Houston, Kazakhstan, London, Los Angeles, Munich, New York, Paris, Philadelphia, Pittsburgh, Princeton, Richmond, San Francisco, Shanghai, Silicon Valley, Singapore, Tysons, Washington, D.C., Wilmington

reedsmith.com

Reed Smith is a global relationship law firm with more than 1,800 lawyers in 26 offices throughout the United States, Europe, Asia and the Middle East.

Founded in 1877, the firm represents leading international businesses, from Fortune 100 corporations to mid-market and emerging enterprises. Its lawyers provide litigation and other dispute-resolution services in multi-jurisdictional and high-stakes matters, deliver regulatory counsel, and execute the full range of strategic domestic and cross-border transactions. Reed Smith is a preeminent advisor to industries including financial services, life sciences, health care, advertising, entertainment and media, shipping and transport, energy and natural resources, real estate, manufacturing and technology, and education.

This document is not intended to provide legal advice to be used in a specific fact situation; the contents are for informational purposes only. “Reed Smith” refers to Reed Smith LLP and related entities. © Reed Smith LLP 2016
