
Slide 1: The EU GDPR: How Can Information Governance Policies Help?

ACC/IG Committee Webinar
Jason R. Baron, Peter Blenkinsop, Daniel Miller, Amie Taal
June 28, 2017

Slide 2: ACC/IG Committee Webinar Speakers

- Jason R. Baron, Of Counsel, Drinker Biddle, Washington, D.C. (moderator)
- Peter Blenkinsop, Partner, Drinker Biddle, Washington, D.C.
- Daniel Miller, Senior Director, EMEA Legal, CBRE, London
- Amie Taal, Vice President, Deutsche Bank AG, Filiale New York

Disclaimer: The views expressed by the speakers are their own, and do not necessarily reflect the views of any firm or institution with which they may be affiliated.

Slide 3: Agenda

- Introduction
- Level setting: A brief overview of the main provisions of GDPR and how we got here
- IG-Related Issues Raised by GDPR
- Takeaways
- Q&A

Slide 4: Overview

The new EU General Data Protection Regulation (GDPR) was published in the EU Official Journal on May 4, 2016 and will apply across the EU from May 25, 2018. The GDPR will replace the existing Data Protection Directive 95/46/EC and be directly applicable to all processing of personal data in the EU / collected from EU data subjects. (Now a regulation, not a directive.) The GDPR applies to processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU.

Slide 5: Overview (cont'd)

The Regulation includes a significant escalation in potential penalties as compared to current law. Violations can result in fines of up to 4% of an entity's global revenues. In theory, a goal of the Regulation is to achieve greater harmonization of requirements across the EU. However, in many contexts, potential for variation exists.

Slide 6: A comment about the prior Safe Harbor Provisions' relationship to the GDPR

- The Safe Harbor Provisions
- Schrems v. Data Protection Commissioner (Case C-362/14, Oct 6, 2015) (ruling US-EU Safe Harbor Framework invalid)
- GDPR already in the works at the time of Schrems


Slide 8: Key Issues and Requirements

- One-Stop-Shop
- Complaint Handling
- Data Protection Officer
- Audits
- Record-Keeping
- Training and Awareness
- Data Protection Impact Assessments
- Third-Party Management
- Privacy by Design
- Breach Notification
- Notice & Consent
- Data Subject Rights

Slide 9: GDPR: What's New*

- Scope of Personal Data: what qualifies as identifiable information and therefore personal data
- Privacy By Design (PbD)
- Data Protection Impact Assessments (DPIAs)
- Accountability: appointment of a Data Protection Officer (DPO)
- Breach notification: 72 hr rule
- One Stop Shop (one Data Protection Authority or DPA as lead)

*See Appendix for supplemental material

Slide 10: GDPR: What's New*

- Compensation and Judicial Redress for data subjects
- Data Portability
- International Transfers
  - Commission's adequacy decisions re-examined periodically (once every four years)
  - Commission will identify jurisdictions offering adequate data protection
  - Safeguards for transfers to inadequate jurisdictions: binding corporate rules incorporated into text of legislation; standard contractual clauses; certification seals for recipient entities; approved industry codes of conduct

*See Appendix for supplemental material

Slide 11: What's new: Sanctions

Violations of a controller's obligations with respect to record-keeping, security, breach notification, and privacy impact assessments are subject to a maximum administrative penalty of €10 million or 2% of the entity's global gross revenue, whichever is higher.

Violations of a controller's obligations with respect to having a legal justification for processing, complying with the rights of data subjects, and cross-border data transfers are subject to a maximum penalty of €20 million or 4% of the entity's global gross revenue, whichever is higher.


Slide 13: IG ISSUES RAISED BY THE GDPR AND PRACTICAL ADVICE

Slide 14: IG Checklist

1. Internal Review & Awareness: Review GDPR and its requirements, and ensure that key decision makers and privacy/security-related personnel are made aware of GDPR's requirements and overall impact on the organization's processing activities.
2. Preliminary Gap Assessment: At a high level, compare GDPR requirements to existing organizational policies, procedures, and practices, in order to develop a rough estimate of the effort necessary to get the organization GDPR-ready.
3. Project Plan and Resources: Prepare a GDPR implementation project plan, with expected milestones and estimated resources needed. Identify an executive project champion.
4. DPO Selection: If required, (1) determine how to structure the DPO position within the organization (including the DPO's relationship to the organization's privacy office); (2) identify and interview potential DPO candidates based on criteria set forth in GDPR; (3) select and hire the DPO.

Slide 15: IG Checklist (cont'd)

5. Inventory of Processing Activities & Personal Data: Conduct an inventory of the organization's data processing activities (including the personal data processed) and determine whether the expanded scope of GDPR applies to such processing activities.
6. Compliance Gap Assessment: Assess gaps between the organization's current compliance mechanisms and practices under the EU Directive and the compliance mechanisms and practices required under GDPR (e.g., the legal bases relied upon for processing, consent mechanisms utilized, privacy notices and policies, access request handling procedures, data minimization practices, etc.).
7. Legal Basis for Processing: Identify and document legal bases for all relevant processing activities.
8. DPIAs: For current (and future) high-risk data processing activities, conduct a DPIA to analyze the associated risks and determine whether there are technical or organizational ways to reduce the risks, such as minimizing the personal data processed or pseudonymizing data.

Slide 16: IG Checklist (cont'd)

9. Notice: Review and update notices provided to data subjects to ensure compliance with heightened notice requirements under GDPR.
10. Consent: Review and update consent mechanisms (if relied upon) to comply with heightened GDPR requirements. To the extent consent was relied upon previously and such consent does not comply with the requirements under GDPR, obtain fresh consent from relevant data subjects.
11. Individual Rights: Review and update all policies and procedures covering data subjects' rights.
12. Data Breaches: Develop and implement policies and procedures to comply with the data breach notification requirements under GDPR.

Slide 17: IG Checklist (cont'd)

13. Update/Develop Other Policies & Procedures: In addition to the policies and procedures identified above, update/develop and implement any other necessary policies and procedures to ensure compliance with GDPR (e.g., HR policies, IT policies, etc.).

Slide 18: IG Scenarios

- US corporation with European footprint (including data in EU countries): what steps need to be taken?
- EU corporation with US footprint: same question

Slide 19: PRIVACY SHIELD ELEMENTS:

-- Informing individuals about data processing
-- Providing free and accessible dispute resolution
-- Cooperating with Department of Commerce
-- Maintaining data integrity and purpose limitation
-- Ensuring accountability for data transferred to 3rd parties
-- Transparency related to enforcement actions
-- Ensuring commitments are kept as long as data is held

See: State of Implementation

Slide 20: RECONCILING BREXIT WITH THE GDPR: THOUGHTS

Slide 21: Takeaways

- To meet the GDPR May 2018 deadline, corporations should now be engaging in IG discussions aimed at meeting GDPR compliance expectations.
- It will be critical to find, inventory, and track sensitive data across the enterprise.
- Corporations should be considering the designation of a DPO with responsibility for GDPR compliance as part of an overall IG program.
- Corporations should be evaluating the costs of setting up an IG program versus the financial risk of non-compliance with GDPR and other legal requirements.

Slide 22: Q&A

Slide 23: Contact information

- Jason R. Baron, Of Counsel, Drinker Biddle, Washington, D.C. (moderator)
- Peter Blenkinsop, Partner, Drinker Biddle, Washington, D.C.
- Daniel Miller, Senior Director, EMEA Legal, CBRE, London
- Amie Taal, Vice President, Deutsche Bank AG, Filiale New York

Slide 24: Appendix

- In-depth discussions of key topics
- References

Slide 25: Scope of personal data

Personal data: Any information relating to an identified or identifiable natural person.

Identifiable person: Someone who can be directly or indirectly identified, including by reference to a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Slide 26: Data Subject Rights

All processing of personal data requires a legal basis. Data subjects also have the right to receive a data privacy notice when data is collected about them, as well as to request and obtain copies of data held about them, to obtain correction of inaccurate data, and, in certain cases, to object to the processing, to request erasure of data about them, or to request that data about them be sent to a third party.

Slide 27: Privacy by Design (PbD) and Data Protection Impact Assessments (DPIAs)

- Data protection must be considered (and such considerations documented) in the design of all new processes and technologies for the processing of personal data.
- Written DPIAs required whenever processing sensitive data and whenever automated processing results in decisions having legal effect.
- DPIA may evaluate an entire category of processing operations if they are sufficiently similar.
- DPIA must identify specific risks and describe privacy and security measures implemented to mitigate them.
- Mandatory consultation with data protection authority where processing poses a high level of risk to data subjects that cannot be adequately mitigated.

Slide 28: Accountability

- Companies that process sensitive data or whose core activities involve regular and systematic monitoring of data subjects must appoint a data protection officer that reports to the highest levels of management; corporate groups may appoint a single, shared DPO.
- DPO must be appointed for a fixed term; may be dismissed only for failure to perform duties.
- DPO may perform other duties provided that they do not cause a conflict of interest.
- Data controllers must maintain detailed records on all data processing operations.
- Record-keeping replaces the registration requirements currently in place in some EU countries.

Slide 29: Breach Notification

- Data controllers must notify the competent data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to data subjects.
- Risks include, inter alia, physical, material or moral damage to individuals such as discrimination, identity theft or fraud, financial loss, and damage to reputation.
- Data controllers must notify data subjects without undue delay of breaches that are likely to result in a high risk to them.

Slide 30: One Stop Shop

Where processing of personal data spans multiple member states, the DPA of the entity's European headquarters (or, if different, the DPA of the establishment where decisions concerning the purposes and means of the processing of personal data are taken) shall be the lead DPA for oversight and enforcement. Nevertheless, each DPA has a defined level of competency to deal with a complaint or possible violation where the subject matter of the complaint/violation concerns only an establishment in the member state of that DPA or substantially affects data subjects only in that member state. A cooperation mechanism exists where the lead DPA and other concerned DPAs disagree as to how to handle a case.

Slide 31: Compensation and Judicial Redress

- Data subjects have the right to compensation for any material or immaterial damage resulting from a violation of the Regulation.
- Data subjects can bring proceedings in the courts where they reside or where the controller or processor has an establishment in order to enforce their rights, enjoin violative activity, and obtain compensation.
- Data subjects can authorize non-profit, public interest bodies to bring complaints on their behalf for the same purposes. Member states are permitted to allow such bodies to independently bring complaints on behalf of data subjects in order to enforce data subject rights and enjoin violations.
- Where more than one controller or processor are jointly responsible for violating the Regulation, each can be held liable for the entire damage.

Slide 32: International Transfers

Commission will identify jurisdictions offering adequate data protection; decisions must be reviewed every four years. Appropriate safeguards for transfers to inadequate jurisdictions will include:

- Binding corporate rules
- Standard contractual clauses
- Certification seals for recipient entities
- Approved industry codes of conduct

Slide 33: Consent

- Must be freely given, specific, informed and unambiguous, either by statement or affirmative action.
- Consent does not provide a valid legal justification for processing where there is an imbalance that makes it unlikely that consent was given freely (e.g., employer-employee situations).
- Where performance of a contract or receipt of a service is made conditional on consent to processing for purposes other than those that are necessary to performance of the contract or providing the service, such consent may not be considered freely given.
- Consent can be withdrawn at any time.

Slide 34: Data Protection Principles

Slide 35: Legal Basis for Processing

All processing of personal data requires a legal justification. Legal justifications include the clear, unambiguous, affirmative consent of the data subject to processing for one or more specific purposes, and processing that is necessary:

- for the performance of a contract to which the data subject is a party or to take pre-contractual measures;
- for compliance with a legal obligation arising under EU or member state law;
- to protect the vital interests of the data subject or another person;
- for the performance of a task carried out in the public interest, where such processing is laid down in EU or member state law; and
- for the purposes of the legitimate interests pursued by the controller or a third party, except where the data subject's interests are overriding.


Slide 37: Legitimate Interests

Where the legitimate interests of the controller are relied upon as a legal basis for processing, these interests must be stated in the notice provided to data subjects.

Slide 38: Processing of Sensitive Data

Stricter requirements apply to processing of sensitive categories of personal data, including data concerning:

- race, ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, unique biometric data, health data, data concerning sexual orientation and sexual activity;
- data relating to criminal convictions or offences.

Slide 39: Processing of Sensitive Data (cont'd)

Conditions under which sensitive data may be processed include:

- The processing is necessary for reasons of substantial public interest, where such public interest is based in EU or member state laws.
- The processing is necessary for the purposes of preventive medicine, medical diagnosis, the provision of health care or treatment, or the management of health care systems and services, where such processing is (i) based on EU or member state laws, or (ii) conducted pursuant to a contract with a health professional subject to an obligation of professional secrecy under EU or member state laws or rules established by national competent bodies.
- The processing is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices, where such processing is based on EU or member state laws.
- The processing is necessary for scientific research purposes, where such processing is based on EU or member state laws.

Slide 40: Purpose Limitation

Personal data can only be collected for specified purposes and may not be further processed in a manner incompatible with those purposes. In determining compatibility of further processing, considerations include not only the reasonable expectations of data subjects based on their relationship with the controller, but also:

- the nature of the personal data,
- the consequences of the intended further processing for data subjects, and
- the existence of appropriate safeguards in the intended further processing.

Slide 41: Data Minimization

Collection, use, storage, and other processing of personal data must be limited to that which is necessary for the specified purposes.

Slide 42: Accountability

Slide 43: Data Protection Officer

- The GDPR requires that an organization appoint a DPO if processing sensitive personal data on a large scale or engaged in regular and systematic monitoring of data subjects on a large scale (Art. 37).
- A single DPO may be appointed for a group of companies, provided the DPO is readily accessible from each of the group's establishments.
- Where a DPO is required, this person must report directly to the highest management level.
- DPO must be in a position to perform tasks in an independent manner, should not receive any instructions regarding the exercise of his/her tasks, and may not be dismissed or penalized for performing those tasks.

Slide 44: Data Protection Officer

When Required & Qualifications
- Must appoint a DPO if processing sensitive personal data on a large scale or engaged in monitoring on a large scale.
- A single DPO may be appointed for a group of companies, provided the DPO is readily accessible from each of the group's establishments.
- DPO must have expert knowledge of data protection law and practices.

Independence, Reporting & Resources
- DPO must perform responsibilities on the basis of independent judgment and cannot be dismissed or penalized for performing his duties.
- Must report to executive management.
- DPO must be given sufficient resources to carry out his duties.

Responsibilities
- Responsible for ensuring that processing operations comply with the law.
- Awareness raising, training of staff involved in the processing, development of policies and procedures, maintenance of compliance documentation, advising on privacy impact assessments, conducting internal audits, serving as the contact point for communication with data protection authorities and data subjects, etc.
- The DPO can perform other duties, as long as these do not result in a conflict of interest.

Slide 45: Data Protection Impact Assessments

- Assessment of privacy risks required when processing is likely to result in a high risk for the rights and freedoms of data subjects. In particular, a DPIA is required where processing includes profiling which produces legal effects or significantly affects individuals, or where processing sensitive personal data on a large scale.
- DPO must be consulted on the DPIA.
- Assessments may be conducted based on a category of data processing where processing operations are similar and present similar risks (as opposed to separate assessments for each processing operation).
- Exception to the DPIA requirement is provided where processing is for performance of a task in the public interest or for compliance with a legal requirement, and such law regulates the specific processing.
- The assessment must address safeguards, security measures and mechanisms that will be implemented to reduce the privacy risks to data subjects. Compliance with approved codes of conduct can be taken into account in the DPIA.
- Data controllers should consult, where appropriate, with data subjects or their representatives concerning their views on the intended processing.
- When there is a change of risk represented by the processing operation, or otherwise where necessary, data controllers should carry out a review to assess if processing is compliant with the DPIA.

Slide 46: Consultation with Data Protection Authorities

- Data controller must consult with the DPA where the DPIA indicates a high level of risk to data subjects in the absence of mitigation controls.
- Supervisory authority has 8 weeks, with a further 6-week extension available, to give an opinion on whether the risk mitigation controls are adequate.

Slide 47: Record-Keeping

Data controllers with more than 250 employees must maintain records (and make them available to the DPA, upon request) including:

- categories of personal data being processed;
- purposes of the processing;
- categories of recipients of the data;
- where possible, the data retention period;
- where possible, a general description of the security measures; and
- any international data transfers.

Record-keeping replaces the registration requirements currently in place in some EU countries.

Slide 48: Data Subject Rights & Breach Notification

Slide 49: Notice (I)

Data subjects must be provided with information as to:

- Identity and contact details of the controller;
- Contact details of the DPO;
- Purposes of the processing and legal bases. If legitimate interests are being relied upon as the legal basis, these must be explained. If consent is being relied upon, the right to withdraw consent must be explained, without affecting the lawfulness of the processing prior to withdrawal;
- Expected retention period;
- Recipients or categories of recipients;
- Whether the data will be transferred to a recipient in a third country, and if so, the legal grounds for the transfer;
- Whether the provision of personal data is voluntary or mandatory;
- Whether the processing involves profiling, and if so, the logic involved and envisaged effects on the data subject;
- The existence of the rights of access, rectification, erasure, restriction of processing, and objection to processing; and
- The right to file a complaint with the supervisory authority.

Slide 50: Notice (II)

Timing: This notice must be provided at the time of data collection, as well as in response to any data subject requests.

Further processing: Where a data controller intends to process personal data for a purpose other than the one for which the data were collected, the controller must provide the data subject with information on that processing before it occurs.

Receipt from 3rd Party: Where a data controller obtains personal data from a third party, the controller must also provide the data subject with information on the source of the data. The notice to the data subject must occur within a reasonable time period after obtaining the data, at least within one month. If the data are to be used for communication with the data subject, the notice must occur at the latest at the time of the first communication. If a disclosure to another recipient is envisaged, the notice must occur at the latest when the data are first disclosed. Notice in these circumstances is not required if it would require disproportionate efforts and the controller has taken other measures to protect data subjects' rights and interests, including making the information publicly available.

Slide 51: Access

Right: Data subjects have the right to obtain copies of personal data being processed about them. They have the right to request copies of the data in electronic form, where possible.

Timing: Data controllers must respond to a request for access within one month. For complex requests, this period may be extended for up to two additional months, with notice to the data subject.

Costs: Unless manifestly excessive (i.e., due to repetitive nature), access must be provided free of charge.

Exceptions: The data controller can request additional information from the person making the request to prove the requester's identity. An explicit exception to the data controller's obligations is allowed in circumstances in which the data controller does not process data allowing identification of data subjects.

Slide 52: Portability

Where data subjects have directly provided their data to a controller, they can demand that the controller transfer their data to another controller, where this is technically feasible, and where the processing is carried out by automatic means and is based on consent or processing necessary to facilitate a contract.

Slide 53: Rectification

Right: The data subject has the right to request correction of inaccurate data, as well as completion of incomplete data, having regard to the purposes for which the data are processed. Where the accuracy of the data is contested, the data subject has the right to request that the data controller suspend processing while the accuracy of the data is being verified. The data controller must communicate rectification requests to all recipients of the data, unless this would involve disproportionate efforts.

Exceptions: An explicit exception to the data controller's obligations is allowed in circumstances in which the data controller does not process data allowing identification of data subjects.

Slide 54: Erasure (I)

Right: The data subject has the right to request erasure of data about himself. The controller must erase the data where:

- they are no longer necessary for the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent and there is no other legal basis to process the data; or
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing.

Exceptions: An explicit exception to the data controller's obligations is allowed in circumstances in which the data controller does not process data allowing identification of data subjects. The data controller is not obliged to erase personal data where it is:

- Necessary for scientific research purposes.
- Necessary for public health purposes.
- Necessary for compliance with a legal obligation.

In such cases, the processing must be restricted to the above purposes.

Slide 55: Erasure (II)

Forwarding Requests: The data controller must communicate erasure requests to all recipients of the data, unless this would involve disproportionate efforts. Where the data controller has made the personal data publicly available, the controller must take reasonable steps to communicate erasure requests to controllers who are processing the data, taking into account available technology and costs.

Slide 56: Objection

Right: The data subject has the right to object, on grounds relating to his/her particular situation, to the processing of personal data where the legal basis for the processing is based on public interests or the controller's legitimate interests. The controller must cease processing the data unless the controller can demonstrate compelling legitimate grounds which override the data subject's interests or the processing is for the establishment, exercise or defence of legal claims.

Specific Applications: The data subject has, in particular, the right to object to the processing of his personal data for marketing and the right to object to profiling which produces legal effects or significantly affects him. The data subject must be informed of these rights. The data subject has the right to object to the processing of personal data for scientific purposes on grounds relating to his/her particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Exceptions: An explicit exception to the data controller's obligations is allowed in circumstances in which the data controller does not process data allowing identification of data subjects.

Slide 57: Breach Notification - DPA (I)

Obligation: Notification to the DPA is required of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed ("personal data breach"), unless the controller can demonstrate that the breach is unlikely to result in a risk for the rights and freedoms of individuals. Risks include, inter alia, physical, material or moral damage to individuals such as discrimination, identity theft or fraud, financial loss, and damage to reputation.

Timing: Notification to the DPA must be made without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the controller can demonstrate that the breach is unlikely to result in a risk to data subjects. Where notification cannot be achieved within 72 hours, an explanation for the delay should accompany the notification.

Slide 58: Breach Notification - DPA (II)

Content of Notification: Notification to the DPA must include:

- the nature of the breach;
- where possible, approximate categories and number of data subjects concerned and the categories and approximate number of data records concerned;
- contact point at the data controller;
- likely consequences of the breach, as identified by the data controller;
- measures that could be taken to mitigate adverse effects of the breach.

Notification can be made in phases if all information is not available in the first report.

Documentation: Controller must document facts surrounding the breach, notifications provided, and remedial actions taken.

Slide 59: Breach Notification - Data Subjects

Obligation: Notification to affected data subjects is required when a breach is likely to result in a high risk for the rights and freedoms of individuals.

Timing: Notification to data subjects is required without undue delay.

Exceptions: Notification to data subjects is not required if it would involve disproportionate effort; in such a case, a public communication is required.

Slide 60: Cross-Border Data Transfers

Slide 61: Adequacy Determinations

The Commission is authorized to determine whether jurisdictions outside of the EU, or a specific sector within a foreign jurisdiction, offer an adequate level of data protection (i.e., a level of data protection essentially equivalent to that in the EU) and to publish a list of such decisions. In making such decisions, the Commission must consider, inter alia:

- the data protection laws in that jurisdiction,
- effective and enforceable data subject rights and administrative and judicial redress for data subjects whose data is transferred, and
- the existence and effective functioning of independent supervisory authorities.

Such decisions must be reviewed at least every four years.

Slide 62: Adequate Safeguards

If a data controller wishes to transfer personal data to a data recipient in a non-adequate jurisdiction, alternative appropriate safeguards must be relied upon. These alternative safeguards include:

- execution of model contractual clauses approved by the Commission,
- execution of model contractual clauses adopted by a DPA,
- approval of binding corporate rules for the transfer of personal data among affiliates, and
- use of non-standard contractual clauses approved by a supervisory authority.

Transfers may also be permitted to recipients in third countries who have obtained a data protection certification seal or pursuant to an approved industry code of conduct, together with binding and enforceable commitments of the recipients in the third country. For transfers pursuant to the model contractual clauses approved by the Commission or pursuant to approved BCRs, no further approval of a supervisory authority is necessary before transferring the data.

63 Derogations
Transfers are permitted in certain situations, including where:
- the data subject has provided explicit consent (after having been informed of the risks of transfers to non-adequate jurisdictions);
- the transfer is necessary for the performance of a contract with the data subject;
- the transfer is necessary for important reasons of public interest (as recognized in law);
- the transfer is necessary for the establishment, exercise or defence of legal claims; and
- the transfer is necessary to protect the vital interests of the data subject or another person and the data subject is physically or legally incapable of giving consent.
Transfers are also permitted on the basis of the controller's compelling legitimate interests, provided that the transfer is not repetitive, concerns only a limited number of data subjects, no other legal basis can be relied upon, and a balancing of interests (with suitable safeguards) has been conducted. This assessment must be documented, and the controller must inform the supervisory authority and the data subjects of the transfer.

64 Transfers at the Request of a Foreign Authority
An order of a court, tribunal or administrative authority of a third country requiring a controller or processor to transfer or disclose personal data is recognized or enforceable only if it is based on an international agreement in force between that country and the EU or a Member State (such as a mutual legal assistance treaty), without prejudice to other grounds for transfer under the Regulation. The UK has opted out of this provision under the terms of its EU membership.

65 DERIVATION OF DATA INVENTORY & DATA MAPPING REQUIREMENT

66 Art. 30: Records of Processing Activities (I)
Each controller shall maintain a record of processing activities under its responsibility, including:
- the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country, including the identification of that third country and the transfer mechanism relied upon;
- where possible, the envisaged time limits for erasure of the different categories of data; and
- where possible, a general description of the technical and organisational security measures.

67 Art. 30: Records of Processing Activities (II)
Each processor shall maintain a record of all categories of processing activities carried out on behalf of a controller, including:
- the name and contact details of the processor or processors and of each controller on whose behalf the processor is acting, and, where applicable, of the controller's or the processor's representative and the data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country, including the identification of that third country and the transfer mechanism relied upon; and
- where possible, a general description of the technical and organisational security measures.
The records must be kept in writing (electronic form is acceptable) and made available to the supervisory authority on request. Enterprises with fewer than 250 employees are exempt unless the processing is likely to result in a risk to data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions and offences.

68 Art. 7: Conditions for Consent
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.

69 Articles 13 & 14: Information to Be Provided to Data Subjects (I)
The controller must provide data subjects with a notice containing, inter alia:
- the identity and contact details of the controller and, where applicable, of the controller's representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
- where the processing is based on legitimate interests, the legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of the personal data, if any; and
- where applicable, the fact that the controller intends to transfer personal data to a third country, the existence or absence of an adequacy decision by the Commission, and the legal mechanism to be relied upon for the transfer.

70 Articles 13 & 14: Information to Be Provided to Data Subjects (II)
- the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; and
- if the data were obtained from a source other than the data subject, the source of the data and, if applicable, whether it came from publicly accessible sources.

71 Art. 15: Right of Access by the Data Subject
The data subject has the right to obtain confirmation as to whether personal data concerning him or her are being processed and, where that is the case, access to the data and a copy of the personal data undergoing processing. The controller must respond without undue delay and in any event within one month of receipt of the request (extendable by two further months where necessary, taking into account the complexity and number of requests).

72 APPROACHES TO DATA MAPPING

73 Approaches
Questionnaires and interviews
- Pros: enable thorough collection of the information needed for GDPR compliance (purpose, legal basis, recipients, retention).
- Cons: time and labor intensive.
Automated scanning
- Pros: fast and relatively inexpensive.
- Cons: limited to what can be observed from the data itself: location, volume, whether it is encrypted, and a rough classification; it cannot establish purpose, legal basis or retention on its own.
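To make the trade-off between the two approaches concrete, the following script is an added example (not material from the webinar or its speakers) of what an automated scanning pass can and cannot produce for an Art. 30 record. It walks a directory, records for each file the things a scanner can see (location, byte volume, pattern-based classification, and whether the content is even readable, since a uniformly distributed byte stream is flagged as possibly encrypted), then emits an Art. 30-shaped record in which the fields that only a questionnaire or interview can answer (controller, purposes, data subjects, recipients, transfers, retention) are explicitly marked as unknown. The sample files, the system name "hr-file-share", the regexes, the 7.5-bit entropy threshold and the field names are all constructed for the demo.

```python
"""
Toy "automated scanning" pass for a GDPR data map (added example, not from the webinar).

For each file the scanner records only what it can observe: location, volume, a rough
pattern-based classification, and whether the content is readable at all. It then maps
those findings onto Art. 30(1) fields, leaving the fields a scanner cannot know marked
for the questionnaire/interview track. Every path and sample document is constructed.
"""
import math
import os
import re
import tempfile
from collections import Counter

# Rough classifiers: pattern hits only, no semantics (hence "rough classification").
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\+\d{1,3}[\s-]?\d{2,4}[\s-]?\d{3,4}[\s-]?\d{3,4}"),
}
# Keyword hint for Art. 9 special categories; a human still has to confirm it.
SPECIAL_HINT = re.compile(r"\b(diagnosis|prescription|medical|sick leave|religion|trade union)\b", re.I)

NEEDS_HUMAN = "UNKNOWN - requires questionnaire/interview"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for ciphertext or compressed data, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(text: str) -> dict:
    """Count pattern hits per category and flag special-category keywords."""
    hits = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    return {"categories": {k: v for k, v in hits.items() if v},
            "special_category_hint": bool(SPECIAL_HINT.search(text))}


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        raw = fh.read()
    entry = {"location": path, "volume_bytes": len(raw)}
    # Threshold 7.5 bits/byte (assumed): the scanner sees nothing inside such a file.
    if shannon_entropy(raw) > 7.5:
        entry.update(readable=False, categories={}, special_category_hint=False,
                     note="high entropy: possibly encrypted/compressed; contents unknown")
        return entry
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")
    entry.update(readable=True, **classify(text))
    return entry


def scan_tree(root: str) -> list:
    return [scan_file(os.path.join(d, f)) for d, _, files in os.walk(root) for f in sorted(files)]


def art30_record(system_name: str, findings: list) -> dict:
    """Map scanner output onto Art. 30(1) fields; everything else is explicitly unknown."""
    cats = Counter()
    for f in findings:
        cats.update(f["categories"])
    return {
        "system": system_name,
        "controller": NEEDS_HUMAN,
        "purposes": NEEDS_HUMAN,
        "categories_of_data_subjects": NEEDS_HUMAN,
        "categories_of_personal_data": sorted(cats) or ["none detected"],
        "special_categories_suspected": any(f["special_category_hint"] for f in findings),
        "recipients": NEEDS_HUMAN,
        "third_country_transfers": NEEDS_HUMAN,
        "retention": NEEDS_HUMAN,
        "security_measures": {"possibly_encrypted_files": sum(1 for f in findings if not f["readable"])},
        "volume_bytes": sum(f["volume_bytes"] for f in findings),
        "locations": [f["location"] for f in findings],
    }


def demo() -> dict:
    """Build a constructed sample share, scan it, and return the Art. 30-shaped record."""
    root = tempfile.mkdtemp(prefix="hrshare_")
    with open(os.path.join(root, "staff.csv"), "w", encoding="utf-8") as fh:
        fh.write("name,email,iban\nA. Example,a.example@example.org,DE89370400440532013000\n")
    with open(os.path.join(root, "absence.txt"), "w", encoding="utf-8") as fh:
        fh.write("Sick leave note: diagnosis confirmed by GP, call +44 20 7946 0958\n")
    with open(os.path.join(root, "backup.bin"), "wb") as fh:
        fh.write(bytes(range(256)) * 16)  # uniform byte distribution stands in for ciphertext
    return art30_record("hr-file-share", scan_tree(root))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run stand-alone it prints the record; the useful output is the list of `NEEDS_HUMAN` fields, which is exactly the gap the questionnaire and interview work in the following slides has to close. The encrypted-backup case shows the other limit: the scanner can report that a file is unreadable, but not what is in it.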

74 Questionnaires and Interviews
- Determine the person or team responsible for creating and maintaining the data map. Ideally, representatives of the business units involved in data processing activities (e.g., HR, marketing, procurement) should be on the team.
- Determine scope, priorities, timeline and responsibilities, e.g., prioritization of high-risk data processing activities and business-critical data processing activities.

75 Questionnaires (I)
- What is the name of the system/repository where data elements are collected, stored and shared?
- Who is the system owner (i.e., the executive sponsor of the system)?
- What is the size of the system (e.g., in terms of volume, number of records, etc.)?
- What is the name of the business function that uses the system (for example: HR, marketing, procurement, etc.)?
- Is this a business-critical system?
- What is the main purpose of the system (for example: marketing, employee benefits, etc.)?
- What is the type/functionality of the system (e.g., device, server, directory, application, website, mobile app)?
- Who is designated as the system administrator responsible for granting access to the system?
- Who is the IT contact for the system?
- What is the physical location of the system's server (country and city)?
- Is the system hosted by the company or by a third party? (If a third party, who?)

76 Questionnaires (II)
- Does the system process personal data?
  Personal data: any information relating to an identified or identifiable natural person.
  Identifiable person: someone who can be directly or indirectly identified, including by reference to a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- Does the data include any of the following types of information?
  Race, ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, unique biometric data, health data, data concerning sexual orientation and sexual activity.
  Data relating to criminal convictions or offences.
- Is personal data transferred across national borders (and, if so, from where to where)?
- Is system access reviewed, and at what frequency?
- Is a data retention policy followed for this system, and what is the retention period?

77 Questionnaires (III)
- Does this system receive data from or send data to an external third party (if so, from/to whom)?
- Is third-party use of the data covered by a written contract?
- What internal systems feed information into this system?
- What internal systems receive information from this system?
- Is any role- or department-based privacy training conducted for individuals? If so, at what frequency, and is it documented?
- If the system were breached, what would be the anticipated consequences?

78 Interviews - the 5 W's
- Why is personal data processed? For each reason for processing:
- Whose personal data is processed?
- What personal data is processed? Identify the type of personal data, its source, and the legal basis.
- When is personal data processed? When is it obtained/updated? What disclosures occur, to whom, and in what circumstances? How long is the data retained, and what determines the retention period?
- Where is personal data processed? Location of manual records, format(s) of electronic records, systems/services used.
- How is personal data protected, i.e., what controls exist?

79 Why is personal data processed?
For example:
- HR administration
- Customer relationship management
- Legal obligations
- Provision of goods or services
- Direct marketing activities
- Provision of processing services to a third party
General rule: the more detail that can be obtained, the better for purposes of assessing the data processing activity.

80 Whose personal data is processed?
For example:
- Staff (current / potential / former)
- Relatives
- Customers (current / potential / former)
- Business contacts / suppliers
- Complainants, correspondents, enquirers
- Stakeholders
- Thought leaders

81 What personal data is processed? (I)
For example:
- Personal details: name, address, telephone, date of birth, emergency contact, race, ethnicity, etc.
- Financial details: bank account, credit card details, tax ID, etc.
- Health information
- Images, voice recordings
- Passport, driving licence, national ID card details
- IP address
- Criminal convictions/offences
- Biometrics: fingerprint, retinal scan
- Education and training
- Employment details (specify: CV, references, annual appraisals, employment status, work permit, leave, sickness, etc.)

82 What personal data is processed? (II)
Source of the data:
- The individual themselves
- A third-party individual
- Other sources, e.g.: credit reference agency, criminal record check, internet / social media, public records, private investigators
Legal basis for processing

83 Maintenance
Determine the method for keeping the data maps current. Consider:
- Part of the data protection impact assessment process?
- Periodic review? How frequent?
- Responsibility for maintenance
- Automated processes

84 GDPR RECENT DEVELOPMENTS

85 A.29 Guidance from December 2016
- Main establishment and lead authority (i.e., one-stop-shop)
- Data protection officers
- Right of data portability

86 A.29 Working Plan for 2017
Completion of work started in 2016 on:
- certification
- processing likely to result in a high risk, and Data Protection Impact Assessments
- administrative fines
- setting up the European Data Protection Board (EDPB) structure in terms of administration (e.g., IT, human resources, service level agreements and budget)
- preparation of the one-stop-shop and the EDPB consistency mechanism
New guidelines on:
- consent
- profiling
- transparency
Updates to existing opinions and referentials on:
- data transfers to third countries
- data breach notifications

87 Recent Member State Guidance
CNIL
- Consultations on data breach notification, profiling and consent (23 February 2017)
- Methodology for preparing for the GDPR (15 March 2017) (in French)
UK ICO
- Guidance on consent (2 March 2017)
Irish Data Protection Commissioner
- Consultation on consent, profiling, breach notification and certification (16 March 2017)
Belgian Privacy Commission
- Consultation on privacy impact assessments (20 December 2016) (in French and Dutch)
North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information (LDI NRW)
- GDPR recommendations (7 March 2017) (in German)
- FAQs on DPO appointment (23 March 2017) (in German)
Bavarian State Commissioner for Data Protection (BayLDA) papers on:
- DPIAs (22 March 2017) (in German)
- Codes of conduct (27 February 2017) (in German)
- Data subjects' rights (22 February 2017) (in German)

88 Contact Information
- Jason R. Baron, Of Counsel, Drinker Biddle, Washington, D.C. (moderator)
- Peter Blenkinsop, Partner, Drinker Biddle, Washington, D.C.
- Daniel Miller, Senior Director, EMEA Legal, CBRE, London
- Amie Taal, Vice President, Deutsche Bank AG, Filiale New York