GDPR Webinar 1: Overview of Preparing for the GDPR. T-Minus 441 Days (March 9, 2017) Presenter: Peter Blenkinsop.


Slide 1: Webinar 1: Overview of Preparing for the GDPR. T-Minus 441 Days (March 9, 2017). Presenter: Peter Blenkinsop

Slide 2: Agenda
- Introduction (5 mins)
- Level setting: brief overview of the main provisions of the GDPR (25 mins)
- Plan for preparation (30 mins)
- Guidance expected (5 mins)
- Overview of webinar series (5 mins)
- Q&A (20 mins)
Drinker Biddle Reath LLP

Slide 3: Brief Overview (11:05-11:30)

Slide 4: Overview
- The new EU General Data Protection Regulation (GDPR) was published in the EU Official Journal on May 4, 2016 and will apply across the EU from May 25, 2018.
- The Regulation will replace the existing Data Protection Directive and be directly applicable to all processing of personal data in the EU or collected from EU data subjects.
- In theory, a goal of the Regulation is to achieve greater harmonization of requirements across the EU. However, in many contexts, potential for variation exists.
- The Regulation includes a significant escalation in potential penalties as compared to current law. Violations can result in fines of up to 4% of an entity's global revenues.

Slide 5: Scope: Geography
- The Regulation applies to processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU.
- It also applies where a controller or processor is not established in the EU but its processing activities are related to offering goods or services to, or monitoring the behavior of, EU residents, regardless of whether payment is provided.

Slide 6: Scope: Personal Data
- Personal data: any information relating to an identified or identifiable natural person.
- Identifiable person: someone who can be directly or indirectly identified, including by reference to a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Slide 7: Data Subject Rights
- All processing of personal data requires a legal basis.
- Data subjects also have the right to receive a data privacy notice when data is collected about them, as well as to request and obtain copies of data held about them, to obtain correction of inaccurate data, and, in certain cases, to object to the processing, to request erasure of data about them, or to request that data about them be sent to a third party.

Slide 8: Lawfulness of Processing (diagram)
Legal bases shown: Consent; Legitimate Interests; Performance of Contract; Compliance with Legal Obligation; Public Interest; Vital Interests.

Slide 9: Processing of Sensitive Data (diagram)
Grounds shown: Consent; Scientific Research; Employment Law; Public Health; Vital Interests; Medical Purposes; Charity / Not-for-Profits; Substantial Public Interest; Legal Claims; Public Data.

Slide 10: Data Subject Rights (diagram)
Rights shown: Notice; Access; Rectification; Erasure; Right to Object; Data Portability.

Slide 11: Privacy by Design (PbD) and Data Protection Impact Assessments (DPIAs)
- Data protection must be considered (and such considerations documented) in the design of all new processes and technologies for the processing of personal data.
- Written DPIAs are required whenever processing sensitive data and whenever automated processing results in decisions having legal effect.
- A DPIA may evaluate an entire category of processing operations if they are sufficiently similar.
- The DPIA must identify specific risks and describe the privacy and security measures implemented to mitigate them.
- Consultation with the data protection authority is mandatory where processing poses a high level of risk to data subjects that cannot be adequately mitigated.

Slide 12: Accountability
- Companies that process sensitive data or whose core activities involve regular and systematic monitoring of data subjects must appoint a data protection officer (DPO) that reports to the highest levels of management; corporate groups may appoint a single, shared DPO.
- The DPO must be appointed for a fixed term and may be dismissed only for failure to perform duties.
- The DPO may perform other duties provided that they do not cause a conflict of interest.
- Data controllers must maintain detailed records on all data processing operations.
- Record-keeping replaces the registration requirements currently in place in some EU countries.

Slide 13: Breach Notification
- Data controllers must notify the competent data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to data subjects.
- Risks include, inter alia, physical, material or moral damage to individuals such as discrimination, identity theft or fraud, financial loss, and damage to reputation.
- Data controllers must notify data subjects without undue delay of breaches that are likely to result in a high risk to them.

Slide 14: One Stop Shop
- Where processing of personal data spans multiple member states, the DPA of the entity's European headquarters (or, if different, the DPA of the establishment where decisions concerning the purposes and means of the processing of personal data are taken) shall be the lead DPA for oversight and enforcement.
- Nevertheless, each DPA has a defined level of competency to deal with a complaint or possible violation where the subject matter of the complaint/violation concerns only an establishment in the member state of that DPA or substantially affects data subjects only in that member state.
- A cooperation mechanism exists where the lead DPA and other concerned DPAs disagree as to how to handle a case.

Slide 15: Sanctions
- Violations of a controller's obligations with respect to record-keeping, security, breach notification, and privacy impact assessments are subject to a maximum administrative penalty of €10 million or 2% of the entity's global gross revenue, whichever is higher.
- Violations of a controller's obligations with respect to having a legal justification for processing, complying with the rights of data subjects, and cross-border data transfers are subject to a maximum penalty of €20 million or 4% of the entity's global gross revenue, whichever is higher.

Slide 16: Compensation and Judicial Redress
- Data subjects have the right to compensation for any material or immaterial damage resulting from a violation of the Regulation.
- Data subjects can bring proceedings in the courts where they reside or where the controller or processor has an establishment in order to enforce their rights, enjoin violative activity, and obtain compensation.
- Data subjects can authorize non-profit, public interest bodies to bring complaints on their behalf for the same purposes. Member states are permitted to allow such bodies to independently bring complaints on behalf of data subjects in order to enforce data subject rights and enjoin violations.
- Where more than one controller or processor are jointly responsible for violating the Regulation, each can be held liable for the entire damage.

Slide 17: International Transfers
- The Commission will identify jurisdictions offering adequate data protection; decisions must be reviewed every four years.
- Appropriate safeguards for transfers to inadequate jurisdictions will include:
  - Binding corporate rules
  - Standard contractual clauses
  - Certification seals for recipient entities
  - Approved industry codes of conduct

Slide 18: Plan for Preparation (11:30-12:00)

Slide 19: Key Issues and Requirements (diagram)
Topics shown: Notice & Consent; Data Subject Rights; Breach Notification; Privacy by Design; Data Protection Impact Assessments; Third-Party Management; Record-Keeping; Training and Awareness; Audits; Data Protection Officer; Complaint Handling; One-Stop-Shop.

Slide 20: Implementation Checklist
1. Internal Review & Awareness: Review the GDPR and its requirements, and ensure that key decision makers and privacy/security-related personnel are made aware of the GDPR's requirements and overall impact on the organization's processing activities.
2. Preliminary Gap Assessment: At a high level, compare GDPR requirements to existing organizational policies, procedures, and practices, in order to develop a rough estimate of the effort necessary to get the organization GDPR-ready.
3. Project Plan and Resources: Prepare an implementation project plan, with expected milestones and estimated resources needed. Identify an executive project champion.
4. DPO Selection: If required, (1) determine how to structure the DPO position within the organization (including the DPO's relationship to the organization's privacy office); (2) identify and interview potential DPO candidates based on the criteria set forth in the GDPR; (3) select and hire the DPO.

Slide 21: Implementation Checklist (continued)
5. Inventory of Processing Activities & Personal Data: Conduct an inventory of the organization's data processing activities (including the personal data processed) and determine whether the expanded scope of the GDPR applies to such processing activities.
6. Compliance Gap Assessment: Assess gaps between the organization's current compliance mechanisms and practices under the EU Directive and the compliance mechanisms and practices required under the GDPR (e.g., the legal bases relied upon for processing, consent mechanisms utilized, privacy notices and policies, access request handling procedures, data minimization practices, etc.).
7. Legal Basis for Processing: Identify and document legal bases for all relevant processing activities.
8. DPIAs: For current (and future) high-risk data processing activities, conduct a DPIA to analyze the associated risks and determine whether there are technical or organizational ways to reduce the risks, such as minimizing the personal data processed or pseudonymizing data.

Slide 22: Implementation Checklist (continued)
9. Notice: Review and update notices provided to data subjects to ensure compliance with the heightened notice requirements under the GDPR.
10. Consent: Review and update consent mechanisms (if relied upon) to comply with the heightened requirements. To the extent consent was relied upon previously and such consent does not comply with the requirements under the GDPR, obtain fresh consent from the relevant data subjects.
11. Individual Rights: Review and update all policies and procedures covering data subjects' rights.
12. Data Breaches: Develop and implement policies and procedures to comply with the data breach notification requirements under the GDPR.

Slide 23: Implementation Checklist (continued)
13. Update/Develop Other Policies & Procedures: In addition to the policies and procedures identified above, update/develop and implement any other necessary policies and procedures to ensure compliance with the GDPR (e.g., HR policies, IT policies, etc.).

Slide 24: Guidance Expected (12:00-12:05)

Slide 25: A.29 Guidance from December 2016
- Main establishment and lead authority (i.e., one-stop-shop)
- Data protection officers
- Right of data portability

Slide 26: A.29 Working Plan for 2017
- Completion of work started in 2016 on: certification; processing likely to result in a high risk and Data Protection Impact Assessments; administrative fines; setting up the European Data Protection Board (EDPB) structure in terms of administration (e.g., IT, human resources, service level agreements and budget); preparation of the one-stop-shop and the EDPB consistency mechanism.
- New guidelines on the topics of: consent; profiling; transparency.
- Update of existing opinions and referentials on: data transfers to third countries; data breach notifications.
- Next Fablab with interested stakeholders on 5-6 April.

Slide 27: Webinar Series (12:05-12:10)

Slide 28: Initial Schedule (11:00 a.m. to 12:30 p.m. U.S. Eastern Time), through June
- March 30, Conducting a Data Inventory and Mapping: We will guide you through how to conduct a data inventory and mapping, including identifying what personal data is collected, where it is stored, how it is being used, and how long it is being retained.
- April 27, Establishing a Data Protection Officer: We will discuss the requirements concerning appointment of a DPO, options for structuring the role (e.g., individual versus team), required skills and training, and restrictions relating to conflicts of interest.
- May 25, Conducting Data Protection Impact Assessments: We will walk you through the content of a DPIA and suggest options for implementing an internal DPIA process. We will also highlight when a DPIA must be submitted to data protection authorities.
- June 22, Determining Your Lead Data Protection Authority: We will guide you in determining your lead data protection authority and discuss options for companies whose existing structures do not allow them to take advantage of the one-stop-shop mechanism.

Slide 29: Your Vote Counts
Let us know what you want us to cover after this initial schedule. If we receive lots of suggestions, we'll poll you on your priorities and schedule accordingly.

Slide 30: Q&A (12:10-12:30)


Slide 32: Data Protection Principles (appendix section divider)

Slide 33: Legal Basis for Processing
All processing of personal data requires a legal justification. Legal justifications include:
- the clear, unambiguous, affirmative consent of the data subject to processing for one or more specific purposes; and
- processing that is necessary:
  - for the performance of a contract to which the data subject is a party, or to take pre-contractual measures;
  - for compliance with a legal obligation arising under EU or member state law;
  - to protect the vital interests of the data subject or another person;
  - for the performance of a task carried out in the public interest, where such processing is laid down in EU or member state law; and
  - for the purposes of the legitimate interests pursued by the controller or a third party, except where the data subject's interests are overriding.

Slide 34: Consent
- Must be freely given, specific, informed and unambiguous, either by statement or affirmative action.
- Consent does not provide a valid legal justification for processing where there is an imbalance that makes it unlikely that consent was given freely (e.g., employer-employee situations).
- Where performance of a contract or receipt of a service is made conditional on consent to processing for purposes other than those that are necessary to performance of the contract or providing the service, such consent may not be considered freely given.
- Consent can be withdrawn at any time.

Slide 35: Legitimate Interests
Where the legitimate interests of the controller are relied upon as a legal basis for processing, these interests must be stated in the notice provided to data subjects.

Slide 36: Processing of Sensitive Data
Stricter requirements apply to processing of sensitive categories of personal data, including:
- data concerning race, ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, unique biometric data, health data, and data concerning sexual orientation and sexual activity; and
- data relating to criminal convictions or offences.

Slide 37: Processing of Sensitive Data (continued)
- The processing is necessary for reasons of substantial public interest, where such public interest is based in EU or member state laws.
- The processing is necessary for the purposes of preventive medicine, medical diagnosis, the provision of health care or treatment, or the management of health care systems and services, where such processing is (i) based on EU or member state laws, or (ii) conducted pursuant to a contract with a health professional subject to an obligation of professional secrecy under EU or member state laws or rules established by national competent bodies.
- The processing is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices, where such processing is based on EU or member state laws.
- The processing is necessary for scientific research purposes, where such processing is based on EU or member state laws.

Slide 38: Purpose Limitation
- Personal data can only be collected for specified purposes and may not be further processed in a manner incompatible with those purposes.
- In determining compatibility of further processing, considerations include not only the reasonable expectations of data subjects based on their relationship with the controller, but also: the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in the intended further processing.

Slide 39: Accountability (appendix section divider)

Slide 40: Data Protection Officer
- The GDPR requires that an organization appoint a DPO if it processes sensitive personal data on a large scale or is engaged in regular and systematic monitoring of data subjects on a large scale (Art. 37).
- A single DPO may be appointed for a group of companies, provided the DPO is readily accessible from each of the group's establishments.
- Where a DPO is required, this person must report directly to the highest management level.
- The DPO must be in a position to perform tasks in an independent manner, should not receive any instructions regarding the exercise of his/her tasks, and may not be dismissed or penalized for performing those tasks.

Slide 41: Data Protection Officer (continued)
When Required & Qualifications
- Must appoint a DPO if processing sensitive personal data on a large scale or engaged in monitoring on a large scale.
- A single DPO may be appointed for a group of companies, provided the DPO is readily accessible from each of the group's establishments.
- The DPO must have expert knowledge of data protection law and practices.
Independence, Reporting & Resources
- The DPO must perform responsibilities on the basis of independent judgment and cannot be dismissed or penalized for performing his duties.
- Must report to executive management.
- The DPO must be given sufficient resources to carry out his duties.
Responsibilities
- Responsible for ensuring that processing operations comply with the law.
- Awareness raising, training of staff involved in the processing, development of policies and procedures, maintenance of compliance documentation, advising on privacy impact assessments, conducting internal audits, serving as the contact point for communication with data protection authorities and data subjects, etc.
- The DPO can perform other duties, as long as these do not result in a conflict of interest.

Slide 42: Data Protection Impact Assessments
- An assessment of privacy risks is required when processing is likely to result in a high risk for the rights and freedoms of data subjects. In particular, a DPIA is required where processing includes profiling which produces legal effects or significantly affects individuals, or where processing sensitive personal data on a large scale.
- The DPO must be consulted on the DPIA.
- Assessments may be conducted based on a category of data processing where processing operations are similar and present similar risks (as opposed to separate assessments for each processing operation).
- An exception to the DPIA requirement is provided where processing is for performance of a task in the public interest or for compliance with a legal requirement, and such law regulates the specific processing.
- The assessment must address safeguards, security measures and mechanisms that will be implemented to reduce the privacy risks to data subjects. Compliance with approved codes of conduct can be taken into account in the DPIA.
- Data controllers should consult, where appropriate, with data subjects or their representatives concerning their views on the intended processing.
- When there is a change of risk represented by the processing operation, or otherwise where necessary, data controllers should carry out a review to assess if processing is compliant with the DPIA.

Slide 43: Consultation with Data Protection Authorities
- The data controller must consult with the DPA where the DPIA indicates a high level of risk to data subjects in the absence of mitigation controls.
- The supervisory authority has 8 weeks, with a further 6-week extension available, to give an opinion on whether the risk mitigation controls are adequate.

Slide 44: Record-Keeping
Data controllers with more than 250 employees must maintain records (and make them available to the DPA upon request) including:
- categories of personal data being processed;
- purposes of the processing;
- categories of recipients of the data;
- where possible, the data retention period;
- where possible, a general description of the security measures; and
- any international data transfers.
Record-keeping replaces the registration requirements currently in place in some EU countries.

Slide 45: Data Subject Rights & Breach Notification (appendix section divider)

Slide 46: Notice (I)
Data subjects must be provided with information as to:
- Identity and contact details of the controller;
- Contact details of the DPO;
- Purposes of the processing and legal bases. If legitimate interests are being relied upon as the legal basis, these must be explained. If consent is being relied upon, the right to withdraw consent must be explained, without affecting the lawfulness of the processing prior to withdrawal;
- Expected retention period;
- Recipients or categories of recipients;
- Whether the data will be transferred to a recipient in a third country, and if so, the legal grounds for the transfer;
- Whether the provision of personal data is voluntary or mandatory;
- Whether the processing involves profiling, and if so, the logic involved and envisaged effects on the data subject;
- The existence of the rights of access, rectification, erasure, restriction of processing, and objection to processing; and
- The right to file a complaint with the supervisory authority.

Slide 47: Notice (II)
Timing
- This notice must be provided at the time of data collection, as well as in response to any data subject requests.
Further processing
- Where a data controller intends to process personal data for a purpose other than the one for which the data were collected, the controller must provide the data subject with information on that processing before it occurs.
Receipt from 3rd Party
- Where a data controller obtains personal data from a third party, the controller must also provide the data subject with information on the source of the data.
- The notice to the data subject must occur within a reasonable time period after obtaining the data, at least within one month. If the data are to be used for communication with the data subject, the notice must occur at the latest at the time of the first communication. If a disclosure to another recipient is envisaged, the notice must occur at the latest when the data are first disclosed.
- Notice in these circumstances is not required if it would require disproportionate efforts and the controller has taken other measures to protect data subjects' rights and interests, including making the information publicly available.

Slide 48: Access
Right
- Data subjects have the right to obtain copies of personal data being processed about them. They have the right to request copies of the data in electronic form, where possible.
Timing
- Data controllers must respond to a request for access within one month. For complex requests, this period may be extended for up to two additional months, with notice to the data subject.
Costs
- Unless manifestly excessive (i.e., due to repetitive nature), access must be provided free of charge.
Exceptions
- The data controller can request additional information from the person making the request to prove the requester's identity.
- An explicit exception to the data controller's obligations is allowed in circumstances in which the data controller does not process data allowing identification of data subjects.

Slide 49: Portability
Where data subjects have directly provided their data to a controller, they can demand that the controller transfer their data to another controller, where this is technically feasible, and where the processing is carried out by automatic means and is based on consent or processing necessary to facilitate a contract.

Slide 50: Rectification
Right
- The data subject has the right to request correction of inaccurate data, as well as completion of incomplete data, having regard to the purposes for which the data are processed.
- Where the accuracy of the data is contested, the data subject has the right to request that the data controller suspend processing while the accuracy of the data is being verified.
- The data controller must communicate rectification requests to all recipients of the data, unless this would involve disproportionate efforts.
Exceptions
- An explicit exception to the data controller's obligations is allowed in circumstances in which the data controller does not process data allowing identification of data subjects.

Slide 51: Erasure (I)
Right
- The data subject has the right to request erasure of data about himself. The controller must erase the data where:
  - they are no longer necessary for the purposes for which they were collected or otherwise processed;
  - the data subject withdraws consent and there is no other legal basis to process the data; or
  - the data subject objects to the processing and there are no overriding legitimate grounds for the processing.
Exceptions
- An explicit exception to the data controller's obligations is allowed in circumstances in which the data controller does not process data allowing identification of data subjects.
- The data controller is not obliged to erase personal data where it is:
  - necessary for scientific research purposes;
  - necessary for public health purposes; or
  - necessary for compliance with a legal obligation.
  In such cases, the processing must be restricted to the above purposes.

Slide 52: Erasure (II)
Forwarding Requests
- The data controller must communicate erasure requests to all recipients of the data, unless this would involve disproportionate efforts.
- Where the data controller has made the personal data publicly available, the controller must take reasonable steps to communicate erasure requests to controllers who are processing the data, taking into account available technology and costs.

Slide 53: Objection
Right
- The data subject has the right to object, on grounds relating to his/her particular situation, to the processing of personal data where the legal basis for the processing is based on public interests or the controller's legitimate interests.
- The controller must cease processing the data unless the controller can demonstrate compelling legitimate grounds which override the data subject's interests, or the processing is for the establishment, exercise or defence of legal claims.
Specific Applications
- The data subject has, in particular, the right to object to the processing of his personal data for marketing and the right to object to profiling which produces legal effects or significantly affects him. The data subject must be informed of these rights.
- The data subject has the right to object to the processing of personal data for scientific purposes on grounds relating to his/her particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Exceptions
- An explicit exception to the data controller's obligations is allowed in circumstances in which the data controller does not process data allowing identification of data subjects.

Slide 54: Breach Notification - DPA (I)
Obligation
- Notification to the DPA is required of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (a "personal data breach"), unless the controller can demonstrate that the breach is unlikely to result in a risk for the rights and freedoms of individuals.
- Risks include, inter alia, physical, material or moral damage to individuals such as discrimination, identity theft or fraud, financial loss, and damage to reputation.
Timing
- Notification to the DPA must be made without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the controller can demonstrate that the breach is unlikely to result in a risk to data subjects.
- Where notification cannot be achieved within 72 hours, an explanation for the delay should accompany the notification.

Slide 55: Breach Notification - DPA (II)
Content of Notification
- Notification to the DPA must include:
  - the nature of the breach;
  - where possible, the approximate categories and number of data subjects concerned and the categories and approximate number of data records concerned;
  - a contact point at the data controller;
  - the likely consequences of the breach, as identified by the data controller; and
  - measures that could be taken to mitigate adverse effects of the breach.
- Notification can be made in phases if all information is not available in the first report.
Documentation
- The controller must document the facts surrounding the breach, notifications provided, and remedial actions taken.

Slide 56: Breach Notification - Data Subjects
Obligation
- Notification to affected data subjects is required when a breach is likely to result in a high risk for the rights and freedoms of individuals.
Timing
- Notification to data subjects is required without undue delay.
Exceptions
- Notification to data subjects is not required if it would involve disproportionate effort; in such a case, a public communication is required.