Data Privacy Bootcamp: GDPR


Preparing for the General Data Protection Regulation

Rebecca Eisner, Partner, Mayer Brown
Oliver Yaros, Partner, Mayer Brown
Kendall Burman, Counsel, Mayer Brown

Topics We Will Cover Today
- Data protection: The current framework and concepts
- The GDPR: The upcoming changes to data protection law
- Do you need to comply? Assessing whether the GDPR applies
- Preparing for the GDPR: The ten steps your business should take
- How we can help: The Mayer Brown GDPR Readiness Service

European Data Protection Law: The Current Framework
- European Data Protection Directive 95/46, adopted in 1995
- Key concepts: personal data, processing, data controller, data processor, data subjects
- Supervised by national data protection authorities
- Criminal offenses, fines and other civil sanctions

European Data Protection Law: The Challenges
- Enormous technological change since the Directive was adopted: the scale of data collection, use and sharing has increased dramatically, but the current law does not adequately address increasing concerns over misuse of data and data loss, the length of time data can be held, and the issue of consent
- Covers personal data processed by data controllers established in the EU and those using equipment in the EU; does not cover data controllers established outside the EU, or data processors
- Enacted unevenly throughout the EU, so compliance requires a different set of procedures in each member state
- Has led to spiralling bureaucracy, costing businesses around €2.3 billion a year according to the European Commission

The GDPR: The Reform Timeline in the Broader Context
"Citizens and businesses will benefit from clear rules that are fit for the digital age, that give strong protections and at the same time create opportunities and encourage innovations in a European Digital Single Market." - Vera Jourova, EU Commissioner
- January 2012: Reform announced. First draft of the GDPR released by the European Commission
- June 2013: Edward Snowden leaks classified material, revealing surveillance of companies in the Safe Harbor program
- March 2014: Amended, tougher draft of the GDPR adopted by the European Parliament
- June 2015: European Commission, Parliament and Council start final negotiations on the GDPR
- October 2015: CJEU invalidates Safe Harbor
- December 2015: GDPR final draft agreed by the European Union; adopted in April 2016
- June 2016: EU-US Data Protection Umbrella Agreement agreed
- July 2016: EU-US Privacy Shield launched to replace Safe Harbor
- May 25, 2018: The GDPR becomes law within the European Union. All organizations must comply by this date

GDPR: The Key Changes
- A Regulation, not a Directive: The GDPR will be directly applicable in the same form in all EU Member States, with the intention of reducing the burden on international organizations
- Changes to territorial scope: In addition to businesses that are established in the EU, non-EU businesses that process personal data in relation to the offer of goods or services to individuals within the EU, or as a result of monitoring individuals within the EU, will now have to comply
- Significantly higher fines: The maximum fine will be substantially increased to 4% of an enterprise's worldwide turnover or €20 million per infringement, whichever is higher
- New data loss notification obligation: The relevant European DPA must be notified without undue delay and, where feasible, within 72 hours. The individuals affected may also have to be notified

GDPR: The Key Changes (continued)
- New data privacy governance requirements: A data protection officer may have to be appointed to be responsible for an organization's compliance. Organizations will also be required to map their processing activities and undertake data protection impact assessments for higher-risk processing
- A requirement to implement "privacy by design": Businesses must now take a proactive approach to ensure that an appropriate standard of data protection is the default position taken
- Strengthening of individuals' rights to personal data: Individuals will have the right to be forgotten, the right to data portability and the right not to be subjected to automated data profiling
- Obligations on both data controllers and data processors: Service providers will be held accountable for their own level of appropriate security, must document their processing to the same extent under the GDPR and must obtain prior consent to use sub-processors

Assessing Whether the GDPR Applies
European Data Protection Directive 95/46 applies to:
- A data controller where it is established in an EU Member State and the data is processed in the context of that establishment
- A data controller where it is not established in an EU Member State but is using equipment in an EU Member State for processing data otherwise than for the purposes of transit through that Member State
General Data Protection Regulation 2016/679 applies to:
- The processing of personal data in the context of the activities of a data controller or data processor established in the EU, irrespective of where the processing takes place
- The processing of personal data of data subjects who are in the EU by a data controller or data processor not established in the EU, where the processing activities are related to: the offering of goods or services to those data subjects; or the monitoring of their behaviour in the EU

Get Ready to Comply: Ten Steps to Prepare for the GDPR
1. Inform Your Leadership, Formulate a Plan
2. Decide Whether a Data Protection Officer Should be Appointed and a Data Protection Framework Created
3. Map the Personal Data that Your Organization is Processing
4. Examine the Results to Determine Which of Your Data Processing Activities and Business Units Must Comply with the GDPR
5. Address the Risks Identified in Any Data Processing Activities
6. Review the Grounds Under Which Personal Data is Being Processed
7. Update Your Data Governance Policies and Procedures
8. Design and Implement New Compliance Systems to Comply with the GDPR
9. Review Your Supply Chain Contracts to Ensure that Your Service Providers will Comply
10. Assess any International Transfers of Personal Data Being Conducted by Your Business

Step 1: Inform Your Leadership, Formulate a Plan

Step 1: Inform Your Leadership, Formulate a Plan
Senior management should be made aware of the changes to data protection law and how they will affect your business. Consider:
- Providing your leadership team with an executive summary of a preliminary assessment of how the GDPR applies to your business and the potential implications of non-compliance
- Asking external advisors to brief senior members of the management, legal or compliance teams on the requirements under the GDPR at the next team meeting
- Drawing up a high-level framework of the GDPR requirements that must be put into operation within your business and conducting an analysis to identify any gaps

Step 1: Inform Your Leadership, Formulate a Plan
Senior management should designate the individuals who will formulate a plan for how your business will implement the requirements of the GDPR and will educate the wider workforce on its operational impact. Consider which individual(s) should be appointed based on:
- Seniority within your organization, their role, knowledge of your business and their ability to effect change
- Expertise in data privacy issues and experience in conducting business change projects
- Which business unit (Legal? Compliance?) will be tasked with devising and implementing compliance, and their relationship with that business unit

Step 1: Inform Your Leadership, Formulate a Plan
When formulating a plan, consider:
- Which business unit will be tasked with devising and implementing compliance
- How your organization has implemented business change projects before, and whether any elements of previous plans can be reused
- Whether an existing data privacy framework exists within your organization that can be used as a starting point and adapted to comply with the GDPR
- Whether a previous data protection risk or gap analysis exists and can be used to help formulate the plan
- Whether external advisors or providers can be engaged to assist your organization in formulating the plan

Step 2: Appoint a Data Protection Officer?

Step 2: Appoint a Data Protection Officer?
Decide whether the GDPR requires you to appoint a data protection officer (DPO), who will be responsible for implementing the requirements of the GDPR and monitoring compliance with it. A DPO must be appointed if:
- The relevant data processing activity is carried out by a public authority or body;
- The core activities of the relevant business involve regular and systematic monitoring of individuals, on a large scale; or
- The core activities of the relevant business involve processing of sensitive personal data, or data relating to criminal convictions and offenses, on a large scale.

Step 2: Appoint a Data Protection Officer?
Responsibilities of a DPO:
- Monitor compliance with the GDPR
- Assist with the production of DPIAs
- Pay particular attention to high-risk processing
- Be available for data subject concerns
- Cooperate with DPAs
Rights of a DPO:
- Sufficient funding and access to perform the role
- A certain degree of autonomy
- Protected under the GDPR from unfair dismissal/termination in some cases
- The business must involve the DPO from the outset in all related issues

Step 3: Map Your Personal Data

Step 3: Map Your Personal Data
Why map data? The GDPR requires a detailed record of data processing activities, which may need to be shared with regulators. You need to understand your data in order to comply with various GDPR obligations. Data mapping should be done to determine the types of data you are collecting, the purposes for which they are being processed, how they were obtained, and the parties they are being shared with.
- Types of data: Understand the types of data recognized by the Regulation (new elements of personal data, sensitive personal data, pseudonymous data...)
- Purposes for processing: Assess the grounds for processing to ensure that it is appropriately limited
- How it was collected: You need to know how data was obtained in order to evaluate the new consent rules
- Parties involved: The GDPR includes new obligations with regard to third-party contracts, but you also must know which party bears responsibility for compliance

Step 3: Map Your Personal Data
What do I need to map?
- Type of data and any classification
- Location of data / nationality of subjects
- Form of collection (or how it is obtained)
- Policies attached to the data and the purposes described
- Transfers and disclosures between the business and third parties
- Details on storage (including where it is stored and who manages the system; whether there are back-ups)
- Whether it is compiled with other information
- Encryption and destruction schedule
How do I map it?
- Gather information: make a plan
- Identify and review relevant policies
- Involve key actors and prepare questionnaires and interviews
- Assess where your data is processed and who it is being shared with
- Ensure mapping is ongoing
- Make it visual (i.e., a map)
- Identify any gaps

Step 4: Examine the Impact

Step 4: Examine the Impact
Whether the GDPR applies: The information gathered from the personal data mapping exercise should be used to assess which parts of your business and which data processing activities must comply with the GDPR.
- Example #1: The map of a non-EU company's data flows shows collection of personal data on EU subjects through a commercial website. Is the company offering goods or services to EU data subjects?
- Example #2: The map of a company with a physical presence in the EU shows collection of sensitive HR data on EU subjects. Is the company required to appoint a DPO?
Compliance and accountability: Additionally, the GDPR ushers in a new accountability regime. Good data governance practices, including identifying leadership and mapping data, are needed for recordkeeping to demonstrate compliance, as well as to evaluate the risk level of processing activities.

Step 5: Address the Risks

Step 5: Address the Risks
Data protection impact assessments (DPIAs) should be conducted to identify and minimize the risks associated with the processing of personal data by your business, particularly where there are high risks to the rights and freedoms of the individuals concerned by the activities that are being or are going to be carried out.
A DPIA must be conducted with respect to activities that are likely to result in a high risk to the rights and freedoms of the individuals concerned, particularly when using new technologies. These include activities that involve:
- Systematic, extensive evaluation of personal aspects of persons based on automated processing, i.e. profiling;
- The processing of sensitive personal data, criminal convictions and offenses;
- Systematic monitoring of publicly accessible areas on a large scale; or
- Other activities identified by national DPAs from time to time.

Step 5: Address the Risks
When conducting a DPIA, data controllers must consult about the proposed processing in certain circumstances:
- Where appropriate, the data controller must seek the views of data subjects or their representatives on the intended processing
- Where a DPIA indicates that the processing would result in a high risk in the absence of any measures taken to mitigate the risk, the data controller must submit the DPIA and a description of the processing, the entities involved and their responsibilities, the measures taken to reduce the risk, etc. to the relevant DPA for consultation
- Where the DPA has sufficient information to review the DPIA, the DPA has an eight-week period (extendable to 14 weeks) to consider it. If the DPA believes the processing would infringe the GDPR, it will provide written advice on how to proceed with the processing, further minimize the risk, etc., and can use its powers to ban or suspend the proposed processing.
- Where necessary, the data controller must subsequently review the DPIA where there is a change in the risk represented by the processing operations.

Step 5: Address the Risks
There is no set format for a DPIA, but it must contain:
- A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- An assessment of the risks to the rights and freedoms of data subjects;
- The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.
A DPIA exercise is typically conducted in two parts:
- A questionnaire for your business representatives to complete
- Carrying out the DPIA itself. The document typically contains a description of the processing activities, data flows, an assessment of the risk in the form of a risk register, and a description of the actions taken or solutions adopted to reduce or mitigate the risks identified

Step 6: Review the Grounds for Processing

Step 6: Review the Grounds for Processing
Using the information collected during the data mapping and DPIA exercise, a review should be conducted into how, and on what basis, personal data is being collected and processed, to determine whether any changes need to be made for this to continue under the GDPR. In particular, review any processing that relies on the following conditions:
- Consent of the data subject: Consent must be an informed, unambiguous and freely given indication, by a statement or clear affirmative action, of the data subject's consent to processing for specified purposes, and it must be capable of being withdrawn at any time. Whether the performance of a contract is conditional on consent to the processing of personal data that is not necessary for that performance will be taken into account when assessing if consent has been freely given. The data controller must be able to demonstrate that consent has been given. Where consent is given in a written document, the request for consent must be clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

Step 6: Review the Grounds for Processing
- Legitimate interests: The processing must be necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. There is a requirement to notify the individuals concerned of the details of the legitimate interests being pursued.

Step 6: Review the Grounds for Processing
Review the categories of data subjects and the grounds that your organization may be relying on to process their personal data:
- Job applicants, employees, workers, contractors, pension scheme members, their dependents
- Client contacts, their directors, shareholders, beneficial owners
- Supplier personnel, subcontractors, counterparties
- Shareholders and other investors
Consider whether it is necessary to update your notifications. Review:
- The routes through which personal data is provided to your organization
- The manner in which the data subjects are notified of how your organization processes personal data about them
- When the notification is made (it must now be made at the time the information is collected from the relevant individual or, where collected from a third party, at the time a communication is made to the data subject, when the personal data is disclosed to another third party, or within one month of first receiving it at the latest)
- The form of the notification itself

Step 6: Review the Grounds for Processing
The notification must contain:
- The identity and the contact details of the data controller and, where applicable, of the data controller's representative and the data protection officer
- In the case of personal data provided by a third party, the categories of personal data being processed
- The purposes of the processing as well as the legal basis for the processing (consent, legitimate interests, etc.). If legitimate interests, these must be identified
- The recipients or categories of recipients of the personal data, if any
- Where the personal data is to be transferred outside of the EEA, that fact and the existence or absence of an adequacy decision by the Commission, or a reference to the appropriate or suitable safeguards being adopted to protect the transfer (e.g. standard contractual clauses) and the means by which the data subject can obtain a copy of them or where they have been made available

Step 6: Review the Grounds for Processing
- The period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period
- A description of the data subject's rights under the GDPR and their right to complain to a DPA
- Where consent is being relied upon, the right to withdraw it at any time
- Whether the personal data is required to perform a contract or is required by law, whether the data subject is required to provide that personal data, and the consequences if they do not (not required where the personal data is received from a third party)
- The existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

Step 7: Update Your Data Governance

Step 7: Update Your Data Governance
Policies, procedures and other governance controls within your business should be updated to detail how your organization will practically comply with the new requirements under the GDPR. Consider whether updates to any of the following are required:
- Your global data protection policy, or regional, country or business-line-specific policies, to identify those parts of your business that are subject to the GDPR and how they will comply with it
- Your IT security policy, to address how your IT function will manage access to and transfers of personal data subject to the GDPR and respond to subject access requests, the right to be forgotten, data portability, etc.
- Your business change/project initiation procedure, to detail how you would ensure privacy by design

Step 7: Update Your Data Governance
- Your vendor risk management process, to address how your procurement team will assess and ensure your suppliers' compliance with the GDPR
- Your security incident response plan and procedures, to detail how your organization would comply with the breach notification requirements under the GDPR and how these would interact with your organization's existing notification requirements

Step 7: Update Your Data Governance
Employees should receive regular training on compliance with the GDPR and on the policies and procedures that your organization has in place to ensure this. Consider whether any of the following is appropriate:
- "Train the trainer" training for your DPOs and any other senior members of staff who will lead the GDPR compliance program
- In the first instance, a mandatory in-person training session on data protection compliance for your employees who handle personal data, with case studies tailored to their business lines
- Virtual training for new joiners as part of the induction process and then at regular intervals for existing employees, using online training courses, exercises or videos
- Providing a reference guide or playbook for those who routinely have to deal with or negotiate on data protection issues for your business
- Intranet resources detailing the manner in which your organization complies with the GDPR, with examples aligned to your business lines, which can be accessed as and when required for reference purposes

Step 8: Implement New Compliance Systems

Step 8: Implement New Compliance Systems
Systems and procedures will likely require changes; these will take time!
- Implement data protection by design
- Architect procedures that permit compliance with the new data breach reporting requirements (72 hours)
  - Updated data breach response plans and procedures are needed
  - Processors must notify the controller without undue delay after becoming aware of the breach
- Respond to data subject rights, including:
  - Access to personal data and information about processing
  - Right to rectification, completion, erasure and the right to be forgotten
  - Right to object when processing is for the public interest, for the legitimate interests of the controller, or for direct marketing purposes
- Parental consent for children under the age of 16 (or, depending on the Member State, as low as 13)

Step 8: Implement New Compliance Systems
Privacy by design: When designing a product or system, controllers must:
- Take data protection into account in new technologies and systems or services
- Implement appropriate technical and organizational measures to protect the rights of data subjects and ensure compliance (pseudonymization is encouraged whenever possible)
- Limit processing to the minimum extent necessary for the purposes
Example: In designing a new mobile application, controllers must ensure, among other design elements, that users receive proper notice and provide consent; that collection, storage and processing of data comply with the Regulation; that technical and organizational measures are used to protect the data; that data breaches are reported; that data transfers are done in accordance with the requirements; that data are stored only for as long as necessary and are used in a manner consistent with the original consent or purpose for processing; and that data subject rights (e.g. to be forgotten) are respected.

Step 8: Implement New Compliance Systems
Data breach notification:
- Report to the competent Supervisory Authority without undue delay and, where feasible, no later than 72 hours, unless the breach is unlikely to be a risk to individuals. The report must:
  - Describe the nature of the breach
  - Give the name and contact information of the DPO or other contact point
  - Describe the consequences of the breach
  - Describe the mitigating measures
- Report to data subjects if the breach is likely to result in a high risk to the rights and freedoms of the data subjects
- Notice to individuals may be avoided if the controller satisfies the SA that, for example, the data are unintelligible (through acceptable encryption) or the risks have otherwise been mitigated

Step 8: Implement New Compliance Systems
Right to erasure and to be forgotten: your systems must be able to locate the relevant data and securely disable or otherwise destroy it when:
- The data are no longer needed for the original purpose
- Consent is withdrawn
- The data subject exercises the right to object to processing for the public interest, for the legitimate interests of the controller, or for direct marketing purposes
- A court holds that the processing is unlawful
- The data must be erased in order to comply with a legal obligation to which the controller is subject
- Other grounds apply
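The three Step 8 requirements that land on engineering teams (privacy by design with pseudonymization and data minimization, breach risk reduction by keeping data unintelligible without a separate secret, and a right-to-erasure workflow that can locate and destroy every record for a person) can be sketched in one small data layer. The code below is an added illustration, not part of the Mayer Brown deck or any product it describes; the class names, field names, store layout and sample data are all constructed for the example. The pseudonym is a keyed hash held in a separate vault, so a record store on its own cannot be tied back to a person, and erasure removes both the records and the vault link.

```python
# Added example (not from the slides): a minimal privacy-by-design record layer.
# Demonstrates pseudonymisation via a separate vault, per-purpose data
# minimisation, and a right-to-erasure workflow that locates and destroys every
# record for a subject. All names, fields and sample data are constructed.
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Dict, List, Optional


class PseudonymVault:
    """Holds the only link between a real identifier and its pseudonym.

    The pseudonym is HMAC-SHA256(key, identifier): without the vault key a
    record store cannot be reversed to the person, which is what makes the
    stored data "unintelligible" if a store alone is exposed.
    """

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self._links: Dict[str, str] = {}  # pseudonym -> identifier

    def _token(self, identifier: str) -> str:
        mac = hmac.new(self._key, identifier.strip().lower().encode(), hashlib.sha256)
        return mac.hexdigest()[:32]

    def pseudonym_for(self, identifier: str) -> str:
        """Return the subject's pseudonym, registering the link if new."""
        token = self._token(identifier)
        self._links.setdefault(token, identifier)
        return token

    def lookup(self, identifier: str) -> Optional[str]:
        """Return the pseudonym only if the subject is still linked."""
        token = self._token(identifier)
        return token if token in self._links else None

    def unlink(self, token: str) -> bool:
        return self._links.pop(token, None) is not None


class RecordStore:
    """One processing purpose, one store, one allow-list of fields (minimisation)."""

    def __init__(self, purpose: str, allowed_fields: set):
        self.purpose = purpose
        self.allowed_fields = allowed_fields
        self._rows: List[dict] = []

    def add(self, pseudonym: str, **fields) -> dict:
        # Drop any field the purpose does not need instead of storing it.
        row = {"subject": pseudonym}
        row.update({k: v for k, v in fields.items() if k in self.allowed_fields})
        self._rows.append(row)
        return row

    def locate(self, pseudonym: str) -> List[dict]:
        return [r for r in self._rows if r["subject"] == pseudonym]

    def erase(self, pseudonym: str) -> int:
        before = len(self._rows)
        self._rows = [r for r in self._rows if r["subject"] != pseudonym]
        return before - len(self._rows)


def erase_subject(identifier: str, vault: PseudonymVault, stores: List[RecordStore],
                  reason: str, now: Optional[datetime] = None) -> dict:
    """Right-to-erasure workflow: destroy records in every store, then the link.

    Returns a log entry that records the pseudonym rather than the identifier,
    so the erasure log does not itself become a new copy of personal data.
    """
    now = now or datetime.now(timezone.utc)
    token = vault.lookup(identifier)
    if token is None:
        return {"found": False, "reason": reason, "at": now.isoformat()}
    removed = {store.purpose: store.erase(token) for store in stores}
    vault.unlink(token)
    return {"found": True, "subject": token, "removed": removed,
            "reason": reason, "at": now.isoformat()}


def demo():
    """Constructed walk-through: two purposes, one subject, one erasure request."""
    vault = PseudonymVault()
    orders = RecordStore("order fulfilment", {"order_id", "total"})
    marketing = RecordStore("marketing analytics", {"campaign", "clicked"})
    p = vault.pseudonym_for("alice@example.com")  # constructed identifier
    orders.add(p, order_id="A-1001", total=42.0, card_number="not needed, dropped")
    marketing.add(p, campaign="spring", clicked=True)
    before = sum(len(s.locate(p)) for s in (orders, marketing))
    log = erase_subject("alice@example.com", vault, [orders, marketing],
                        reason="withdrawal of consent")
    after = sum(len(s.locate(p)) for s in (orders, marketing))
    return before, after, log, vault.lookup("alice@example.com")


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that erasure has two halves: the records are removed from every purpose-specific store, and the vault link is destroyed so the pseudonym can no longer be recomputed into a lookup. Any store that was missed from the `stores` list is a gap in the data map from Step 3, which is why the mapping exercise has to be complete before the erasure workflow can be trusted.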

Step 9: Review Your Supply Chain Contracts

Step 9: Review Your Supply Chain Contracts
- Controllers must use a high degree of care in selecting processors who provide sufficient guarantees of expert knowledge, reliability and resources
- Adherence to codes of conduct or approved certification mechanisms may be used as an element to demonstrate compliance
- Contracts must be implemented that contain a range of information, e.g. the data processed and duration, obligations such as data breach reporting, use of technical and organizational measures, audit assistance obligations, and flow-downs to sub-processors

Step 9: Review Your Supply Chain Contracts
- Standard contractual clauses are still good for satisfying some of the requirements, but most third-party agreements will require some modifications
- The Commission and Supervisory Authorities are likely to publish approved forms of service provider contract clauses
- Controllers and processors must maintain a record of all categories of processing activities carried out on behalf of the controller; records must be available to an SA upon request
- Compliance is likely to have a cost impact on service provider services and on risk allocation in contracts, including limits of liability, indemnities and similar clauses

Step 10: Assess Your International Transfers

Step 10: Assess Your International Transfers
Data transfer restrictions apply to controllers and processors. Transfer is permitted to a country with Adequate Protection (same as under the Directive) OR by use of approved means:
- EU Model Clauses (but with caution: Schrems challenge)
- Binding Corporate Rules (BCRs) (intercompany only; available for a controller group or processor group)
- Derogations (the EU Directive derogations continue to apply)
- Data Subject Consent
- Approval from a Data Protection Authority (DPA)
- Privacy Shield, NOT Safe Harbor

Step 10: Assess Your International Transfers
Privacy Shield:
- Replacement mechanism for Safe Harbor that permits transfers of EU personal information to the US
- An organization must be subject to the jurisdiction of the FTC or DOT to self-certify
- Privacy Shield Principles: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability (plus 16 Supplemental Principles)
- Not easy: compliance often requires certain operational and policy changes
- The Onward Transfer principle addresses how Privacy Shield-certified companies must protect personal information that they transfer on to other data controllers or to third-party agents

Thank You

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe-Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC303359); Mayer Brown, a SELAS established in France; Mayer Brown Mexico, S.C., a sociedad civil formed under the laws of the State of Durango, Mexico; Mayer Brown JSM, a Hong Kong partnership and its associated legal practices in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. Mayer Brown Consulting (Singapore) Pte. Ltd and its subsidiary, which are affiliated with Mayer Brown, provide customs and trade advisory and consultancy services, not legal services. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

Example GDPR Process Map (Gantt chart, time in months starting March 2017; chart not reproduced in this transcription)
1. Inform your leadership; formulate a plan
2. Decide whether a data protection officer should be appointed and a data protection framework created
3. Map the personal data that your organization is processing
4. Examine the results to determine which of your data processing activities and business units must comply with the GDPR
5. Address the risks identified in any data processing activities
6. Evaluate the grounds under which personal data is being processed
7. Update your data governance policies and procedures
8. Design and implement new compliance systems to comply with the GDPR
9. Review supply chain contracts to ensure that your service providers will comply
10. Assess any international transfers of personal data being conducted by your business

GDPR: The Impact of Cybersecurity, Data Privacy and Social Media
DPO Appointment Considerations
Under the GDPR, certain controllers and processors are required to appoint a data protection officer (DPO). Non-public bodies are required to appoint a DPO if their core activities are to process data on a large scale that either require regular and systematic monitoring of data subjects or involve special categories of data... relating to criminal convictions and offences. (Article 37) The Article 29 Data Protection Working Party put forth Guidelines on Data Protection Officers, adopted on December 13, 2016, providing important clarifying information and guidance.

Relevant term: Core activities
Clarification: Refers to key operations necessary to achieve business goals, or an inextricable part of the controller's or processor's activity
Examples: Processing of sensitive data by a hospital; surveillance by a security company operating in public spaces

Relevant term: Regular and systematic monitoring
Clarification: Activity that is repeatable and planned or strategic
Examples: All forms of tracking and profiling on the Internet, including behavioral advertising; operating a telecommunications network; location tracking through mobile apps; wearable fitness trackers

Relevant term: Sensitive categories of data
Clarification: References Article 9: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation

Relevant term: Large scale
Clarification: Factors to be considered in determining whether processing is large scale: the number of individuals affected (either in the abstract or as a proportion of the population); the volume of data or categories of data processed; the duration or permanence of the processing; the geographical extent of the processing activity
Examples: Processing of travel data by a public transport system via tracking cards; an insurance company or bank processing customer data in the regular course of business; processing of personal data for behavioral advertising by a search engine

52 Other Considerations

Maintain records of the internal decision to appoint, or not appoint, a DPO, and any analysis undertaken in connection with that decision.

Voluntary appointment of a DPO, even if not required by the GDPR, results in the business having to comply with all other DPO requirements.

Data protection staff or consultants not performing official duties as DPO should be clearly identified as not a DPO, in order to avoid any confusion over the specific DPO compliance obligations.

DPOs must be qualified and have expert knowledge of data protection laws and practices relevant to the business, and must be sufficiently independent, without instruction or interference from their business.

53 GDPR Data Protection Impact Assessment

Project name:
Completed by:
Date:
Version:
Review cycle:

DPIA tips
Please assume the reader only has basic knowledge of your sector.
Not all questions may be relevant to your project. Where a question is not relevant, please answer "Not applicable" and explain why.
To the extent that questions cannot be answered in the space provided, please answer in a separate document, attach it to this DPIA and refer to the attachment in the relevant question.

We confirm that the data protection impact of this project on the relevant data subjects has been minimized to the extent reasonably possible, to ensure that the processing of information relating to the data subjects will not be unwarranted or unfairly prejudice their interests, and that it is reasonable and proportionate to take the remaining risks in all the circumstances.

We confirm that the use of the information described in this DPIA for the purposes of this project is necessary and justified, and that the use of this information as part of this project should comply with all applicable privacy law as at the date of this DPIA.

Project Lead
  Signed:
  Name:
  Date:
  Job title:

Legal Representative
  Signed:
  Name:
  Date:
  Job title:

54 Part 1: Data Protection Impact Assessment Screening Questionnaire
To be completed by the Project Lead
(Columns: No. | Question | Response | Legal comments/notes)

1. Is this a project to implement a new initiative or to change/enhance an existing initiative?
2. Will the project involve the collection of new information about individuals?
3. Will the project compel individuals to provide information about themselves?
4. Will information about individuals be disclosed to organizations or people who have not previously had routine access to the information?
5. Will information about individuals be used for a purpose that it is not currently used for, or in a way it is not currently used?
6. Does the project involve using new technology that might be perceived as being intrusive to individuals' privacy, for example, by using biometrics, location data or facial recognition?
7. Will the project involve systematic monitoring of a publicly accessible area (e.g., use of CCTV)?
8. Will the project conduct profiling or result in decisions being made or action being taken with respect to individuals in ways that can have a significant impact on them?
9. Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be particularly private?
10. Will the project require individuals to be contacted in ways that they may find intrusive?

55 Part 2: Data Protection Impact Assessment
To be completed by the Legal Representative with the Project Lead

PART A: THE REQUIREMENT TO CONDUCT A DPIA
(Columns: No. | Question | Response)

1. Explain the aims of the project and the anticipated benefits to the organization, to individuals and to other parties.
2. Summarize why the need for a DPIA was identified.
3. Describe the collection, use and deletion of personal data and identify the relevant data controllers and data processors involved. It may be useful to refer to a flow diagram or another way of explaining the data flows.
4. Describe why it is necessary to process personal data for this project. Explain the purposes for which the personal data will be processed, the conditions that are being relied upon to process it and why.
5. How many individuals are likely to be affected by the project?
6. Explain the practical steps that will be taken to ensure that the privacy risks are identified and addressed.
7. Which stakeholders or types of stakeholders should be consulted, internally and externally? How will you carry out the consultation? This should be linked to the relevant stages of the project management process. Consultation can be used at any stage of the DPIA process.
8. Please explain the steps that have been taken to ensure privacy by design as part of this project.
9. Please indicate whether it is necessary to consult a data protection authority about the processing activities anticipated under this DPIA. If so, please identify the relevant data protection authority.

56 PART B: THE PRIVACY AND RELATED RISKS
Identify the key privacy risks and the associated compliance and corporate risks.
(Columns: Privacy issue | Risk to individuals | Compliance risk | Associated risk to the company)
  Risk 1
  Risk 2
  Risk 3

PART C: THE POTENTIAL SOLUTIONS
Describe the actions that could be taken to reduce the risks identified above and any future steps that would be necessary (e.g., the production of new guidance or future security testing for systems).
(Columns: Potential solution(s) | Result: Is the risk eliminated, reduced, or accepted if the solution is implemented? | Evaluation: Is the final (i.e., residual) impact on individuals after implementing this solution a justified, compliant and proportionate response to the aims of the project? | Should this solution be implemented? (If not, indicate the reason.) | Decision taken by)
  Risk 1
  Risk 2
  Risk 3

57 PART D: DATA PROTECTION AUTHORITY FEEDBACK
To the extent that a data protection authority was consulted about the risks of any processing activities, please explain the feedback received from the data protection authority and how any solutions identified above have been modified, or any new solutions proposed, to take this into account.
(Columns: Feedback received from a DPA | Result: Is the risk eliminated, reduced, or accepted if the solution is implemented? | Evaluation: Is the final (i.e., residual) impact on individuals after implementing this solution a justified, compliant and proportionate response to the aims of the project? | Should this solution be implemented? (If not, indicate the reason.) | Decision taken by)
  Risk 1
  Risk 2
  Risk 3

PART E: THE DPIA OUTCOMES AND INTEGRATION INTO THE PROJECT PLAN
Identify the person who has approved the privacy risks involved in the project, the solutions that need to be implemented and how these outcomes are going to be integrated into the project plan.
(Columns: Approved solution | Approved by | Action/next steps to be taken | Date for completion of action | Responsibility for action)
  Risk 1
  Risk 2
  Risk 3

Contact point for future privacy concerns:

58 Data Protection Policy Checklist
(Columns: No. | Requirement heading | Typical content)

1. Responsibility for the policy
   This section typically identifies the individuals or roles that are responsible for maintaining the policy and supervising compliance with data protection requirements throughout the organization. It also identifies the entity or entities within the company group that will be the data controllers for the personal data subject to the policy.

2. The data protection principles
   A summary of the eight data protection principles, together with a brief explanation of the other GDPR requirements that have to be complied with, should be included.

3. Data protection authority registration, notification and filing requirements
   This section summarizes the particular registration, notification or other document filing requirements that the organization must comply with when dealing with a European data protection authority in order to process personal data in, or transfer personal data from, the relevant European member state.

4. Requirements when collecting personal data
   This section sets out the requirements that the organization must comply with to ensure personal data is collected lawfully. It should explain how the organization ensures that individuals are notified about how their personal data is going to be processed before or at the time their personal data is collected, as well as set out the minimum requirements that must be complied with when providing any notification.

5. Processing activities
   A high level explanation should be included of the processing activities that the organization is conducting, the types of personal data (including sensitive personal data) that are being processed, the purposes for which and the grounds under which they are being processed, the types of data subjects affected and the types of third parties with which that personal data may be shared.

6. Data mapping and impact assessments
   This section should explain how the organization records the personal data processing activities that it conducts, when it is necessary to conduct a data protection impact assessment and how that should be conducted.

7. Limitations to processing activities
   The policy should explain the steps the organization takes to limit the processing activities that it carries out, so that personal data is only processed for the purposes that have been stated to the data subjects and so that the organization implements privacy by design. An explanation of how the organization ensures the adequacy and relevance of the personal data it holds should be included, in order to demonstrate that the organization does not process excessive amounts or types of personal data.

59 (Columns: No. | Requirement heading | Typical content)

8. Retention of personal data
   A description of how the organization maintains the accuracy of its personal data should be included, together with an explanation of how long records of personal data covered by the policy will be retained and why (by reference to the applicable data retention policy, where relevant).

9. Security of personal data
   Details of how personal data being processed by the organization is secured, and how these security arrangements are reviewed and updated, should be included in the policy (by reference to the applicable IT or data security policy, where relevant). An explanation of the requirements that must be complied with should a data breach event be discovered should also be included (with reference to the applicable security breach response plan, where relevant).

10. Dealing with requests from data subjects and data protection authorities
   This section should set out the rights that data subjects can exercise in relation to the processing of their personal data (such as the right to make a subject access request, to object to processing, to opt out of automated decision making and to be forgotten, as well as the right to data portability) and how the organization will respond to any request to exercise those rights. An explanation should also be given as to how the organization should respond to any request from a data protection authority for information about its data processing activities.

11. Providing personal data to third parties
   A description should be given of the steps that must be taken before personal data can be shared with, or disclosed to, a third party.

12. Transfers of personal data from the EEA
   This section should explain the restrictions that apply to transferring personal data from the European Economic Area to recipients located in countries outside of it, how the organization currently conducts such transfers and the steps that must be taken before personal data can be transferred in this way.

13. Other ongoing compliance responsibilities
   This section should detail any other ongoing responsibilities in relation to collecting and processing personal data that the organization has implemented, as well as the requirement for all staff involved in the collection and processing of personal data to take part in regular data protection training.


More information

GDPR: keeping data processing records

GDPR: keeping data processing records GDPR: keeping data processing records Fit4DataProtection Keeping data processing records under the GDPR 1. Why? 2. Who? 5. 3. 4. What? How? Sanctions? 6. What can we recommend? 1. Why? new data quality

More information

Syntel Human Resources Privacy Statement

Syntel Human Resources Privacy Statement Syntel Human Resources Privacy Statement August 24, 2016 Privacy Statement highlights: Syntel is committed to protecting your privacy. This Privacy Statement ("Statement") addresses prospective, current,

More information

Memorandum of understanding between the Competition and Markets Authority and the Office of Communications concurrent competition powers

Memorandum of understanding between the Competition and Markets Authority and the Office of Communications concurrent competition powers 8 February 2016 Memorandum of understanding between the Competition and Markets Authority and the Office of Communications concurrent competition powers Contents Page Foreword... 2 Memorandum of Understanding

More information

EU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations. For private circulation only.

EU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations. For private circulation only. EU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations For private circulation only Risk Advisory Preface Does the EU GDPR impact organisations in India? Yes!

More information

The EU General Data Protection Regulation

The EU General Data Protection Regulation The EU General Data Protection Regulation Shearman & Sterling LLP is a limited liability partnership organized under the laws of the State of Delaware, with an affiliated limited liability partnership

More information

Accelerate Your Response to the EU General Data Protection Regulation (GDPR) with Oracle Cloud Applications

Accelerate Your Response to the EU General Data Protection Regulation (GDPR) with Oracle Cloud Applications Accelerate Your Response to the EU General Data Protection Regulation (GDPR) with Oracle Cloud Applications O R A C L E W H I T E P A P E R D E C E M B E R 2 0 1 7 Disclaimer The purpose of this document

More information

Data Protection Policy & Procedures

Data Protection Policy & Procedures Data Protection Policy & Procedures Scope In this document, the terms we, us, our and/or Clear Sky refer to Clear Sky Children s Charity. The term you and/or your refer to all employees of Clear Sky, who

More information

GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector

GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector TABLE OF CONTENTS INTRODUCTION... 2 Accountable privacy management 2 Getting started 3 A.

More information

The One Stop Shop Working in Practice

The One Stop Shop Working in Practice The One Stop Shop Working in Practice Introduction This paper is submitted to the Working Party in light of its deliberations on the application of the One Stop Shop ( OSS ) under the proposed General

More information

The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner,

The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner, The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner, Deloitte, Cyber Advisory Table of Contents Introduction

More information

Data Protection Policy

Data Protection Policy THE CIPPENHAM SCHOOLS TRUST Data Protection Policy *Date for revision: Summer Term 2018 Responsibility for policy: Responsibility for operational: Trustees Trustees Reviewed by Directors: *subject to any

More information

Contents. Introduction 1. Territorial scope 3. Supervisory authority 4. Data governance and accountability 5. Export of personal data 14

Contents. Introduction 1. Territorial scope 3. Supervisory authority 4. Data governance and accountability 5. Export of personal data 14 GDPR checklist Contents Introduction 1 Territorial scope 3 Supervisory authority 4 Data governance and accountability 5 Export of personal data 14 Joint controllers 16 Processors 17 Lawful grounds to process

More information

Comparison of tasks and responsibilities in the building control systems of European Union countries

Comparison of tasks and responsibilities in the building control systems of European Union countries Comparison of tasks and responsibilities in the building control systems of European Union countries João Branco Pedro 1&2, Frits Meijer 1 and Henk Visscher 1 1 OTB Research Institute for Housing, Urban

More information

QuickLaunch University Webinar Series Data Privacy and GDPR Is Your Startup Ready?

QuickLaunch University Webinar Series Data Privacy and GDPR Is Your Startup Ready? QuickLaunch University Webinar Series Data Privacy and GDPR Is Your Startup Ready? October 10, 2017 Attorney Advertising Webinar Guidelines Participants are in listen-only mode Submit questions via the

More information

Privacy governance survey. The state of privacy management in Belgian organisations

Privacy governance survey. The state of privacy management in Belgian organisations Privacy governance survey The state of privacy management in Belgian organisations January 2017 Welcome How are Belgian organisations performing when it comes to the protection of personal data? In November

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY 1. Introduction This policy is intended to provide information about how the School will use (or process ) personal data about individuals including: Current, past and prospective pupils; Parents, carers

More information

EU General Data Protection Regulation (GDPR) Point of View for ERP and HRMS Operations. For private circulation only.

EU General Data Protection Regulation (GDPR) Point of View for ERP and HRMS Operations. For private circulation only. EU General Data Protection Regulation (GDPR) Point of View for ERP and HRMS Operations For private circulation only Risk Advisory Preface Does the EU GDPR impact organisations in India? Yes! This new law

More information

INTERNATIONAL STANDARD

INTERNATIONAL STANDARD INTERNATIONAL STANDARD ISO 19011 Second edition 2011-11-15 Guidelines for auditing management systems Lignes directrices pour l audit des systèmes de management Reference number ISO 19011:2011(E) ISO 2011

More information

ECOLAB INC. PRIVACY POLICY STATEMENT PERSONAL DATA

ECOLAB INC. PRIVACY POLICY STATEMENT PERSONAL DATA ECOLAB INC. PRIVACY POLICY STATEMENT PERSONAL DATA A. Ecolab Commitment to Data Privacy Protection The Statement set forth below outlines the Personal Data that Ecolab may collect, how Ecolab uses and

More information

The Essential Guide to the Public Sector Equality Duty

The Essential Guide to the Public Sector Equality Duty GUIDANCE The Essential Guide to the Public Sector Equality Duty England (and Non-Devolved Public Authorities in Scotland and Wales) Equality and Human Rights Commission www.equalityhumanrights.com Contents

More information

Apprenticeship Programs: Changes. to Equal Employment Opportunity. Regulations. Joint Apprenticeship Training Programs

Apprenticeship Programs: Changes. to Equal Employment Opportunity. Regulations. Joint Apprenticeship Training Programs Insights on recent legal developments and trends affecting Joint Apprenticeship Training Programs Volume 2016-1, January In This Issue New Proposed Regulations for New Proposed Regulations for Apprenticeship

More information

General Data Protection Regulation and Episerver Learn how to leverage your organization s data to support GDPR compliance.

General Data Protection Regulation and Episerver Learn how to leverage your organization s data to support GDPR compliance. General Data Protection Regulation and Episerver Learn how to leverage your organization s data to support GDPR compliance. Page 2 What is General Data Protection Regulation? What The general data protection

More information

Disclosure & Barring Service (DBS) Check Policy

Disclosure & Barring Service (DBS) Check Policy Disclosure & Barring Service (DBS) Check Policy Version: Final Author: HR Manager Date Issued: December 16 Date Approved by SMT: January 17 Impact Assessment Completed Yes Date of Next Review: January

More information

Discussion Paper on innovative uses of consumer data by financial institutions

Discussion Paper on innovative uses of consumer data by financial institutions Datum 28 juli 2016 Referentie OD15800 NVB response to the European Banking Authority Consultation form Discussion Paper on innovative uses of consumer data by financial institutions The EBA invites comments

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Title: Data Protection Policy Ref:CP005 Version:2 Approval Body: Corporation via Audit & Risk Committee Date:24th March 2015 Review Date: 24th March 2018 Lead Person: Director, Institutional Effectiveness

More information

General comments on GDPR

General comments on GDPR Expertise Areas : > New Technologies, Privacy & ICT > E-payment, E-finance & Internet Banking > Intellectual Property > E-health & Telemedicine > Cinema, Media, Entertainment, Sport & Gaming > Commercial

More information

Preparing for GDPR 27th September, Reykjavik

Preparing for GDPR 27th September, Reykjavik Preparing for GDPR 27th September, Reykjavik Introduction Who I am? Solicitor fromlondon Worked in digital industry for the last 7years Specialized in Privacy for the last 7 years and did some consulting

More information

GDPR, What s in it for you?

GDPR, What s in it for you? GDPR, What s in it for you? Amsterdam Brussels Dubai Hong Kong London Luxembourg New York Topic GDPR: Challenge and opportunity 04 1. Applicability of the new regime and respective responsibilities 06

More information

EBA/RTS/2017/ December Final Report. Draft regulatory technical standards. on central contact points under Directive (EU) 2015/2366 (PSD2)

EBA/RTS/2017/ December Final Report. Draft regulatory technical standards. on central contact points under Directive (EU) 2015/2366 (PSD2) EBA/RTS/2017/09 11 December 2017 Final Report Draft regulatory technical standards on central contact points under Directive (EU) 2015/2366 (PSD2) FINAL REPORT ON CENTRAL CONTACT POINTS UNDER THE PSD2

More information

Cloud Computing Policy and Guidelines Release: 1.51

Cloud Computing Policy and Guidelines Release: 1.51 Cloud Computing Policy and Guidelines Release: 1.51 1. Introduction This document sets out the College s policy for the use of cloud computing services, also known as cloud computing, cloud services or

More information

The Data Protection Regulation for Europe

The Data Protection Regulation for Europe The Data Protection Regulation for Europe Magnus Stenbeck, Karolinska Institutet Dept of Clinical Neuroscience and The Research Data Inquiry (U 2016:04) The data protection regulation in the EU Old system

More information

DIVERSITY AND INCLUSION POLICY

DIVERSITY AND INCLUSION POLICY DIVERSITY AND INCLUSION POLICY Definition Carillion will make every effort to ensure that staff and job applicants are treated with courtesy, dignity and respect irrespective of race (including colour,

More information

THE GENERAL DATA PROTECTION REGULATION: GUIDANCE ON THE ROLE OF THE DATA PROTECTION OFFICER

THE GENERAL DATA PROTECTION REGULATION: GUIDANCE ON THE ROLE OF THE DATA PROTECTION OFFICER THE GENERAL DATA PROTECTION REGULATION: GUIDANCE ON THE ROLE OF THE DATA PROTECTION OFFICER Contents 1 Introduction 2 2 Key messages 3 3 The requirement to appoint a Data Protection Officer 4 3.1 Public

More information

This document is a how to guide, for website admins. It lists the steps that I think you need to take to support the GDPR.

This document is a how to guide, for website admins. It lists the steps that I think you need to take to support the GDPR. This is a checklist for the EU Data Protection Regulation (GDPR). Introduction This document is a how to guide, for website admins. It lists the steps that I think you need to take to support the GDPR.

More information

Webinar: Deep Dive into the Role of the DPO under the GDPR

Webinar: Deep Dive into the Role of the DPO under the GDPR Webinar: Deep Dive into the Role of the DPO under the GDPR Wednesday, 22 June 2016 11:00 AM US EDT Use the chat box to ask questions. www.informationpolicycentre.com 1 Webinar Agenda Use the chat box to

More information

Data Protection Policy

Data Protection Policy Data Protection Policy University of London Data Protection UoL website link: http://www.london.ac.uk/238.html Email: records.managament@london.ac.uk Contents 1 Policy statement... 3 2 Introduction and

More information

Europol Public Information VACANCY NOTICE

Europol Public Information VACANCY NOTICE The Hague, 15 March 2013 File nº: Europol/2013/TA/AD6/116 VACANCY NOTICE Name of the Post: Reporting to: Specialist Information Security within the Security Business Area, Information Security Team - AD6

More information

OFFICE OF THE DATA PROTECTION COMMISSIONER. Official Languages Act Language Scheme

OFFICE OF THE DATA PROTECTION COMMISSIONER. Official Languages Act Language Scheme OFFICE OF THE DATA PROTECTION COMMISSIONER Official Languages Act 2003 Language Scheme 2017-2020 Chapter 1 Introduction and Background... 3 1.1 Guidelines / Preparation of the Scheme... 3 1.2 The content

More information