Privacy Insight Series
What Does the Proposed EU Regulation Mean for Business
September 16, 2015
Today’s Speakers
• Dennis Dayman, Chief Privacy and Security Officer, Return Path Inc.
• Dr Kai Westerwelle, Partner, Taylor Wessing
• Mr Andrea Glorioso, Counselor, Digital Economy / Cyber Delegation of the European Union to the USA
• Eleanor Treharne-Jones, Director, EMEA & Global Communications, TRUSTe
Today’s Agenda
• Welcome & Introductions - Eleanor Treharne-Jones
• Overview of the Main Changes in the General Data Protection Regulation - Mr Andrea Glorioso
• Key Areas in the Regulation - Legal perspective and Impact on Business - Dr Kai Westerwelle
• Actions to Prepare for the GDPR - Dennis Dayman
• Q&A - All
The General Data Protection Regulation (GDPR) – Overview of the main changes
Mr Andrea Glorioso, Counselor, Digital Economy / Cyber Delegation of the European Union to the USA
The GDPR: timeline
• January 2012: proposal of the European Commission (draft Regulation + draft Directive on the exchange of personal data for police and judicial cooperation)
• March 2014: the European Parliament adopts its "first reading" position
• June 2015: the Council of the European Union adopts its "general approach"
• July 2015 / ongoing: "trialogues" among the European Commission, the European Parliament and the Council of the European Union
• Expected adoption: end of 2015 / beginning of 2016?
The GDPR: what doesn't change
• The core legal concepts (e.g. definition of "personal data", "data subject", "data controller", "data processor") do not massively change compared to the main existing EU legislation (1995 Directive)
• You still need a "legitimate basis" to process personal data
• The objective remains the same: minimize differences of legal treatment among EU Member States in order to safeguard the internal / common market and ensure a coherent (and high) level of protection of privacy and personal data across the European Union
• Extra-EU data transfers still need a legal basis to take place
The GDPR: main changes
• It's a Regulation, not a Directive: no need for Member States to "transpose" it in their national legal systems
• "One-stop shop" system: organizations operating in multiple Member States are supposed to interact only with the Data Protection Authority in their "main place of establishment"
• "Consistency mechanism": the "main" Data Protection Authority is responsible for interacting with other Member States' DPAs to ensure coherency and avoid multiple, contradicting decisions
The GDPR: main changes
• "Information notices" will become much more detailed and will have to be in an "intelligible form, using clear and plain language, and adapted to the data subject".
• "Data processors" (e.g. sub-contractors to the data controllers) are now subject to much stricter controls, responsibilities and potential penalties.
• Principle of "accountability": data controllers / processors must demonstrate existence of appropriate internal and external processes, control systems, auditing checks, impact assessment procedures and (in some cases) appoint a Data Protection Officer.
• "Privacy by design" and "privacy by default"
The GDPR: main changes
• Certain "data processing" operations are now more strictly regulated
  • E.g. "profiling", which requires explicit consent when performed on "sensitive data"
• Obligation to notify breaches that lead to the loss or unauthorized dissemination of personal data
• Jurisdictional scope of application of the GDPR is now broader: new rules apply also to organizations which are based outside the EU but are offering goods and services to EU residents or "monitor the behavior" of EU residents
• Penalties will in general be stiffer: maximum of 2-5% of the global turnover of a company, or EUR 1 Million, whichever is higher
The GDPR: the end of the Internet?
• The GDPR raises the bar of privacy / personal data protection
• The rules are non-discriminatory: non-EU companies are not penalized compared to EU companies
• Is this the much needed incentive for "data hygiene" within data-intensive companies (e.g. nowadays, all companies)?
EU-US data transfers
• Umbrella agreement (exchange of data for law enforcement purposes): agreement reached on September 8, waiting for the "Judicial Redress Act" to be adopted in the U.S.
• Safe Harbor discussions: final details on the "national security exemption" and "onward transfers" still open, but overall agreement on the 13 Recommendations of the European Commission
• Extra-EU transfers of non-personal data were and still are valid in principle!
• Safe Harbor is not the only mechanism: list of "legitimate bases" for transfers (e.g. consent, performance of contract), Binding Corporate Rules, standard contractual clauses
More information
• General information: http://ec.europa.eu/justice/data-protection/
• Supporting documents (fact sheets, background studies, surveys): http://ec.europa.eu/justice/data-protection/document/index_en.htm
• Extra-EU data transfers: http://ec.europa.eu/justice/data-protection/international-transfers/index_en.htm
• Step-by-step timeline: http://eur-lex.europa.eu/procedure/EN/201286
Key Areas in the Regulation - Legal perspective and impact on business
Dr Kai Westerwelle, Partner, Taylor Wessing (US) Inc.
Harmonization
• Current situation
  European privacy laws based on the EU DP Directive (to be transposed into local law)
  Result: different privacy laws in all European States (even within the states)
  Result: different levels of data protection (UK vs. France vs. Germany)
  Result: different regulatory requirements (e.g.: applications / registrations)
  Result: data protection officers only in some Member States
• Business Impact
  European roll-out difficult, time consuming, and cost intensive
  Idea: compliance with the strictest regime and roll out to “lower levels” (pyramid)
  Highest level might not be required and is costly
  Remaining uncertainties
Harmonization
• Future
  Regulation should create more harmonization (no transposition into local law)
  Result: the same law in all European states
  Result: the same regulatory requirements (e.g.: applications / registrations)
  But: room for interpretation by local authorities?
• Business Impact
  European roll-out easy as one size fits all
  One-stop shopping possible
  Compliance with European law much less costly
  Substantial business advantage (for EU and non-EU entities)
Harmonization
• Level of data protection
  Regulation creates the same level of data protection in all Member States
  For most European countries: stricter data protection rules
  For some European countries (e.g. Germany): lower standard
  Again: room for interpretation by local authorities?
• Business Impact
  Changes required if currently compliant only with a lower level (“upgrade” DP level)
  Review and amend data protection policies
  Review and amend data processing agreements
  Install required positions (data protection officer?)
  Establish required data protection measures (e.g. TOMs / certificates)
Applicability
• To non-EU companies
  Non-EU company offering goods or services to an EU data subject
  Non-EU company monitoring EU data subjects
  Unclear: applicable only to data controllers or also to data processors
• Direct relation
  Companies having their seat outside the EU must name a contact person within the EU
  Direct claims of EU data subjects in the US (umbrella agreement and US transfer)
No Changes
• Prohibition with exemption
  Collection and processing of personal data forbidden unless permitted
  Legitimate basis for processing required (statutory exemptions or consent)
• Group privilege
  One of the most important issues in privacy
  No exemption for a data transfer to group companies (HR, group services)
  Every data transfer within the group is a transfer to a third party
  Consequence: HR centralization, group services, etc. are an issue
  Exemption has been widely discussed, but does not seem to be in the current draft
  Business impact: no facilitation – difficult status remains
Minor Changes
• Commissioned data processing
  Most important for any sort of outsourcing, cloud computing, services
  The legal concept (no transfer to a third party or general allowance) will not change
  Definitions of “controller” and “processor” remain about the same
  Obligations for “Data Processors” will be stricter (control and penalties, liability)
  For Germany a substantial change: the limitation to the EU / EEA would be erased
• Business Impact
  Amendments to current processes
  For Germany: major facilitation of all outsourcing processes!
Major Changes
• Right to erasure of personal data / “Right to be Forgotten”
  Data subjects have far-reaching rights to erasure of their data
  “Right to be Forgotten”
  Already somehow in place (Google Spain)
  Additionally possible research and clean-up obligation of first publisher
  Business impact: technical requirements to safeguard process (technically difficult)
• Right to data transfer
  Data subjects have a right to request data transfer to another service provider
  Practical impact
  Impact on business set-up and terms
  Business impact: data might become less valuable
Major Changes
• Data Protection Authorities
  One-stop shopping: interaction between the authorities in the Member States
  Main data protection authority clarifies and aligns decisions
  Lead authority in case of establishments in different states (main establishment)
  “Work behind the scenes”
• Business Impact
  Enormous business impact
  Facilitation of processes (multi-jurisdictional projects)
  Hopefully: speed-up of international processes
  May lead to substantial savings for companies dealing with international projects
Major Changes
• Data Protection Officer
  New concept to many Member States
  Influenced by the strict German data protection law but higher level (50)
  Might also have labor law implications
  Needs awareness and implementation in company structure
• Certificates (on Technical and Organizational Measures)
  Data protection certificates, seals, and marks (unclear relation to ASA or ISO)
  “One-stop approach” applies
  Supports outsourcing processes (audit requirements)
  Particularly supportive to data transfer to non-EU/EEA countries and cloud services
  High business impact: enabling / savings / selling advantage / customer requirements
Data Transfer to non-EU Countries
• No change
  Remains generally forbidden
  Unless “adequate level of data protection”
• Exceptions
  Consent of data subject
  Binding Corporate Rules
  EU Model Clauses (any changes?)
  USA: Safe Harbor (important for US companies: new umbrella agreement)
  New: Data Protection Certificates
Actions to Prepare for the GDPR - Key Take-Aways
Dennis Dayman, Chief Privacy and Security Officer, Return Path Inc.
Actions to prepare for the GDPR
• Privacy Policies
  • Multiple policies for different product lines
  • https://returnpath.com/privacy-policy/
  • Required languages for partners or 3rd party developers
  • TRUSTe
    • Auditor
    • Mediator
  • Easy to read
  • Smaller sections
  • Hyper-transparent
  • Express Opt-in model
Actions to prepare for the GDPR
• Privacy by Design
  • Taken steps to make sure that our systems and processes, particularly new ones, deliver data protection compliance as a matter of course.
  • Involved development and program staff
  • Reviewing and classifying the personal data we hold and why we hold it, to ensure that we can meet the requirement for ‘data minimization’
• Privacy impact assessments
  • Performing them on new/old products
Actions to prepare for the GDPR
• Consent, Control and insight
  • Give visitors and customers 100% control over data / accountability
• Security
  • SSAE16 and ISO 27001 audit(s)
  • Access limitations / security account-based roles / 2FA / OKTA
• Breach management
  • Response plan(s)
• Staff
  • Education / Certification
• Localization
  • Considering EU Data Centres
  • Admin staff in local countries
• Corporate data handling directives
  • Data treasure maps
  • Centralized record of authority which allows us to programmatically manage and perform compliance on how data is used in the org
Questions?
Contacts
Andrea Glorioso [email protected]
Kai Westerwelle [email protected]
Dennis Dayman @ddayman
Eleanor Treharne-Jones [email protected]
Don’t miss the next webinar in the Series – “Building an Effective Privacy Program – Six Practical Steps” on September 24th
See http://www.truste.com/insightseries for details of future webinars and recordings.
Thank You!