Vendor Agreements and the New EU GDPR Steps to Take Now

Transcription

1 Presenting a live 90-minute webinar with interactive Q&A Vendor Agreements and the New EU GDPR Steps to Take Now Complying With the EU General Data Protection and Privacy Regulation TUESDAY, JANUARY 30, pm Eastern 12pm Central 11am Mountain 10am Pacific Today s faculty features: William Long, Partner, Sidley Austin, London, England Lei Shen, Partner, Mayer Brown, Chicago The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions ed to registrants for additional information. If you have any questions, please contact Customer Service at ext. 1.

2 Tips for Optimal Quality FOR LIVE EVENT ONLY Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial and enter your PIN when prompted. Otherwise, please send us a chat or sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

3 Continuing Education Credits FOR LIVE EVENT ONLY In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar. A link to the Attendance Affirmation/Evaluation will be in the thank you that you will receive immediately following the program. For additional information about continuing education, call us at ext. 2.

4 Program Materials FOR LIVE EVENT ONLY If you have not printed the conference materials for this program, please complete the following steps: Click on the ^ symbol next to Conference Materials in the middle of the lefthand column on your screen. Click on the tab labeled Handouts that appears, and there you will see a PDF of the slides for today's program. Double click on the PDF and a separate page will open. Print the slides by clicking on the printer icon.

5 January 30, 2018 Vendor Agreements and the New EU GDPR Steps to Take Now William Long, Partner, Sidley Austin LLP

6 1. GDPR Key Features 6

7 GDPR: Impact of the GDPR Implementation and violation 2018 GDPR adopted in 2016 and will come into force in 2018 GDPR applies to businesses in the EU and any company worldwide that holds data on Europeans Fines of up to 4% of annual worldwide turnover or 20m, whichever is greater Increase in privacy litigation by customers Damages will now be permitted for non-financial loss, e.g., for distress Claims by individuals or representative organisations 7

8 GDPR: Who does it impact? Wide scope and extra territorial effect Data controllers and data processors A data controller determines the purposes and means of the processing of personal data A data processor processes personal data on behalf of a data controller The GDPR will directly impose obligations on data controllers AND processors Extra territorial affect The GDPR will apply to almost all companies established in the EU. The GDPR will also apply to companies processing the personal data of EUbased individuals, even where the company is not established in the EU (e.g., in the U.S.) if they are offering individual in the EU goods or services or monitoring them. All industries affected All types of personal data Financial services, tech companies, life sciences, retail etc. Multinational companies and small businesses Employee data Client data Vendor data Claimant data 8

9 GDPR: A Status Update G-Day: GDPR will come into force on Friday 25 May 2018 What has been published to date? Article 29 Working Party (WP29) has now released final guidelines on: - Privacy Impact Assessments - Data Protection Officers - The Lead Supervisory Authority - Data Portability - Administrative Fines What are we waiting for? We await WP29 guidance on the following topics: Certification Data transfer tools update Implementation of the European Data Protection Board (EDPB) WP29 also released draft guidelines in October 2017 and in December 2017 on: - Profiling and automated decision making - Breach notification Consent Transparency Member State Data Protection Authorities continue to publish guidance on various GDPR topics 9

10 Consents, Notices and Policies Requirements Consents higher standards for consent under the GDPR (e.g, must be unambiguous, granular and involve a clear affirmative action) Existing consents many current consents are unlikely to be valid under the GDPR Notices the GDPR requires additional information to be provided in privacy notices AND that the notices are concise, transparent and easily accessible Actions to comply Review consents determine if other legal grounds can be relied on rather than consent and whether existing consents will be valid under the GDPR Consent mechanisms prepare new GDPR compliant consents with suitable withdrawal mechanisms Notices and policies review and amend privacy notices and related policies to indicate additional information and privacy rights Records keep adequate records of consents obtained and withdrawn 10

11 Compliance with Accountability Principles Requirements Data protection officer (DPO) must be appointed where: the processing requires regular and systematic monitoring of individuals on a large scale; or where processing sensitive personal data on a large scale DPO must advise and monitor compliance with the GDPR, and act as a contact point for the Data Protection Authority (DPA) Actions to comply Determine if required to appoint a DPO and management structure for DPO Develop procedures to ensure accountability for privacy (e.g., privacy impact assessments) under the GDPR Carry out a review of IT Systems and procedures to consider impact of privacy by design and data minimisation requirements on systems Privacy impact assessments must be carried out where data processing uses new technologies and results in high risk to individuals (e.g., profiling) Privacy by design and by default implement technical and organisational measures to ensure privacy (e.g., encryption) AND by default only the minimum amount of personal data are processed 11

12 Information Security Information security, breach reporting and vendors Requirements Implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk Security breaches must be reported to: (i) the DPA without undue delay and where feasible within 72 hours; and (ii) affected individuals without undue delay where high risk, unless measures taken to minimise risk, e.g., the data is encrypted Data Processors Company is responsible for ensuring processors (e.g. vendors) comply with security measures Actions to comply Review and comply with Company s: (i) information security standards; and (ii) data breach response plan and reporting procedures Conduct a review of key vendor agreements to ensure they include GDPR-compliant data processing provisions Conduct data protection due diligence on key vendors 12

13 GDPR and Data Processors Data controllers and data processors will now have joint and several liability Requirements Maintain a detailed record of processing activities Implement appropriate technical and organisational measures to safeguard data Actions to comply Review data processing agreements and ensure that appropriate data privacy provisions are included as well as provisions dealing with apportionment of liability Appoint a DPO where the threshold is met Notify the controller without undue delay after becoming aware of a data breach Comply with restrictions on international transfers Prior consent must be given by a controller where a data processor appoints a subcontractor and a subcontractor must comply with the same data privacy obligations as the data processor 13

14 Data Subject Rights Requirements Right to erasure a business must erase an individuals personal data in certain circumstances Right to data portability an individual has a right to request the transfer of their personal data from one company to another in certain circumstances Right to object to processing a data subject can object to processing based on the public interest or legitimate interest grounds Right of access individuals have a right to access and obtain copies of their personal data Actions to comply Determine how the new GDPR data privacy rights apply to the business Develop policies and procedures and, if necessary, system changes to deal with these new rights Review consents and notices (e.g., customer privacy policy) and amend to deal with new privacy rights Provide training to relevant staff on how to review and handle privacy requests Right to rectification Individuals have right to have their personal data rectified if it is inaccurate or incomplete Right to restrict processing individuals have right to restrict processing of their personal data 14

15 Big Data & Profiling Requirements Big Data, i.e., the processing of large datasets obtained from multiple sources a catalyst for economic growth, innovation and digitisation European Commission Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person! Restrictions new restrictions on business carrying out solely automated profiling that produces legal effects or significantly affects an individual, subject to limited exceptions (e.g., credit scoring and fraud prevention may be affected) Exceptions can only take place if: (i) necessary for the performance of a contract, (ii) authorised by Union or Member State law or (iii) based on consent Actions to comply Review current profiling activities to determine where GDPR profiling restrictions apply Consider what GDPR exemptions to profiling restrictions may apply Review consents and notices to deal with profiling restrictions and the right to object to profiling Big Data Guidance: Article 29 Working Party - Opinion on Purpose Limitation (April 2013) European Data Protection Supervisor - Opinion on Privacy and Competitiveness in the Age of Big Data (March 2014) National Guidance - in July 2014 the UK s Information Commissioner s Office published guidance on the data protection issues raised by the use of Big Data Big Data and Data Protection 15

16 International Data Transfer Requirements Prohibition on transfers of personal data outside EEA to countries that do not provide adequate safeguards (e.g., U.S.) Data transfer solutions are exceptions to the prohibition on international data transfers and include: the new EU-U.S. Privacy Shield applies to transfers of personal data to U.S. companies that are Privacy Shield certified EU Standard Contractual Clauses EU-style data transfer agreements but which are under review by EU Authorities Binding Corporate Rules privacy rules adopted by a group of companies meeting EU standards and approved by EU DPA approved Codes of Conduct or Certification Mechanisms Actions to comply Determine international data flows based on reviews of processing activities and data mapping Review whether current data transfer solutions are adequate Implement data transfer solutions where required 16

17 Lei Shen, Partner, Mayer Brown LLP 2. How Will Companies in the U.S. Be Subject to the GDPR?

18 Data Controllers: Under the EU Directive U.S. companies can become subject to the EU Directive by: Processing data from EU affiliate or EU customer or other EU company Using equipment in the EU but have U.S.-only data For example, as a backup server or using cloud service provider Potential loophole Using only equipment in the U.S. (e.g., website with no cookies) but targeting EU and collecting EU personal data 18

19 Data Controllers: Under the GDPR U.S. companies can become subject to the GDPR by: Processing data from EU affiliate or EU customer or other EU company Offering goods or services to the EU or monitoring the behavior of people in the EU (even if using equipment in the U.S.) Fixes loophole and illogical jurisdiction scenarios 19

20 Data Processors: Under the EU Directive No direct processor obligations under EU Directive Only contractual obligations to the data controller Follow controller s instructions Have appropriate technical and organizational measures in place to protect personal data 20

21 Data Processors: Under the GDPR U.S. companies (data processors) can become subject to the GDPR by processing EU personal data New contractual obligations to the data controller Adds several direct processor obligations, including: Having a DPO if required Recordkeeping requirements Data breach notification obligations Having appropriate data transfer mechanism in place 21

22 3. Performing due diligence on existing technology vendor agreements for GDPR compliance 22

23 Vendor Management Requirements Mandatory terms contracts with data processors must contain the contract terms specified in Article 28 of the GDPR Article 28 provisions include the processor s obligation to: assist the controller with data subjects rights requests; notify the controller of data breaches; assist the controller with privacy impact assessments; flow down data processing obligations to subcontractors; and at the controller s request delete or return all personal data processed on the controller s behalf at the end of the processing activities Actions to comply Scope identify the universe of in-scope GDPR contracts and prioritise Key vendor contracts Templates prepare GDPR compliant data processing provisions Propose appropriate templates to vendors and negotiate GDPR compliant amendments favourable to your business by May 2018 Flow down data processors must flow down the obligations to sub-data processors 23

24 Vendor Due Diligence Requirements Implement appropriate technical and organizational measures to protect personal data Bound by written GDPR-compliant data processing provisions Actions to comply Implement a business-wide vendor management program and incorporate into it a requirement to implement appropriate data processing agreements with the vendors and the development and implementation of a minimum set of vendor security requirements Ensure vendor risk assessment questionnaires have been completed by the vendor Ensure contract contains a detailed description of data processing Review vendor s process to ensure it is in compliance with GDPR obligations Ensure the vendor will allow audits of the processors compliance Review vendor s information security measures and what standards are used 24

25 Vendor Management Information Security Requirements No formal security standard specified by GDPR Actions to comply Ensure vendor has the ability to restore access to data in a timely manner after a security breach Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk Ensure vendor has the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services ISO 27001, ISO or the US NIST framework may be good indicators of appropriate information security measures Ensure vendor conducts a regular testing of technical and organisational measures 25

26 Key Steps with Vendor Management Use of templates and prioritizing vendor contracts Step 1: Prepare vendor contract templates GDPR: Pro-controller, pro-processor, and middle of the road templates Other regulatory laws: e.g., financial services outsourcing rules IP and contracts: e.g., ownership of resultant data Liability: indemnities, exclusions and limits on liability Step 2: Identify universe of inscope vendor contracts Does contract involve the processing of EU-originating personal data? Will it be in effect after May 2018? Step 3: Prioritize certain legacy vendor contracts: Deadline for compliance May 2018; no grandfathering All new in-scope vendor contracts to be GDPR-compliant Determine which legacy contracts get priority 26

27 Key Steps with Vendor Management Vendor contract amendment mechanisms Step 4: Determine the appropriate amendment mechanism Contract-by-contract vs. global approach to amendment? Will amendment be effectively incorporated into contract? Step 5: Propose correct amendment template to vendor Determine whether you are a controller or processor E.g., if a controller, then propose pro-controller template Step 6: Negotiate amendments with vendors Develop negotiation cheat sheets for the legal or procurement team Ensure other contract terms are consistent with amendment (e.g., general confidentiality terms) Ensure contracts assigns responsibility for costs of compliance (e.g., for changes in law, data portability) 27

28 Key Steps with Vendor Management Vendor management as part of a wider GDPR compliance strategy Step 7: Ensure vendor management part of wider GDPR compliance strategy Vendor contracts only a portion of GDPR compliance In turn, consider GDPR within a broader data legal ecosystem regulatory and commercialization -- project 28

29 4. Updating Your Vendor Contracts for the GDPR

30 Key Changes for Using Processors / Vendors Controllers should only select processors who provide sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organizational measures that will meet the requirements of the GDPR Adherence to codes of conduct or approved certification mechanisms may be used as an element to demonstrate compliance Parties must ensure that an adequate transfer mechanism is in place if transferring data out of the EU Contracts with processors must meet the requirements of the GDPR, which contain certain provisions not required by the EU Data Protection Directive 30

31 Key Changes for Processor / Vendor Agreements EU Directive (current requirements) Two contractual requirements: Only act on controller s instructions Implement appropriate technical and organisational security measures EU GDPR Retains and strengthens Directive s contractual requirements: Only act on controller s documented instructions Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk Also adds several new contractual requirements, including but not limited to: Recordkeeping and audits Subcontracting 31

32 Updating Your Vendor Agreements: Required Provisions Contract must set out: Subject matter and duration of processing Nature and purpose of processing Type of personal data and categories of data subjects Obligations and rights of controller Contract must include the following terms: Process only on documented instructions from controller Duty of confidentiality Implementation of appropriate technical and organisational security measures Sub-processing restrictions 32

33 Updating Your Vendor Agreements: Required Provisions (cont.) Contract must include the following terms (cont.): Assistance to enable controller to comply with data subject requests (e.g., right to data portability, right to erasure, etc.) Assistance to enable controller to comply with its obligations in Articles 32 to 36 (i.e., security, notification of data breaches, DPIAs, consultation) Deletion or return of data at end of contract Information to demonstrate compliance Audits and inspections Notification of infringing instructions 33

34 Updating Your Vendor Agreements: Other Provisions to Consider Definitions Recordkeeping Maintain record of categories of processing activities carried out on controller s behalf Comply with cross-border data transfer requirements DPO requirement Data protection by design If applicable, Privacy Shield onward transfer requirements Consider indemnities, limits of liability and other similar clauses to address new risks 34

35 Updating Your Vendor Agreements: Recent Guidance from DPAs Recent Guidance from DPAs: UK s ICO: guidance takes point of view of controller France s CNIL: guidance takes point of view of processor Still a number of unanswered questions For example, how far down the subprocessor chain must a processor flow down obligations? 35

36 Data Breach Notification Data breach notification (for data controllers): Report to the competent Supervisory Authority without undue delay and where feasible not later than 72 hours unless the breach is unlikely to result in a risk to data subjects Describe nature of breach (e.g., categories and number of data subjects, categories of personal data) Name and contact information of the DPO or other contact point Describe consequences of the breach Describe mitigating measures taken or proposed Report to data subjects without undue delay if breach is likely to result in high risk to data subjects May be able to avoid notice to individuals if the controller satisfies the SA that, for example, data are unintelligible or risks have otherwise been mitigated 36

37 Data Breach Notification (cont.) Data breach notification (for data processors): Report to data controller without undue delay after becoming aware of a breach Very broad obligation No risk analysis is given, unlike for data controllers notification obligations Recent guidance from Article 29 Working Party: Awareness of breach Controller Processor Notification of availability breaches 37

38 Comparison of U.S. vs EU Data Breach Obligations Scope Definition of Breach Notification Timeframes U.S. State Data Breach Laws Mostly limited to personal information that could put person at risk for identity theft Typically requires unauthorized access or acquisition of covered information Controller: fastest is 30 days Processor: fastest is 24 hours 38 EU GDPR Covers all personal data, subject to risk analysis accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed Controller: 72 hours to supervisory authority; without undue delay to individuals Processor: without undue delay

39 Comparison of U.S. vs EU Data Breach Obligations Whom to Notify Liability and Fines U.S. State Data Breach Laws Notify affected individuals Notify a variety of state and other agencies (e.g., law enforcement, state attorneys general, credit reporting agencies, etc.) Mostly class action lawsuits Some government enforcement actions EU GDPR Notify affected individuals Notify supervisory authority Fines for not notifying of a data breach can reach 2% of global turnover or 10 million, whichever is higher 39

40 Assess Your International Transfers Data transfer restrictions apply to controllers and processors Current legal instruments to ensure legality of transferring data outside the EU are generally maintained under GDPR Transfer to country with Adequate Protection (same as Directive) OR use of approved means: EU Model Clauses (but with caution Schrems challenge) Binding Corporate Rules (BCRs) Privacy Shield NOT Safe Harbor Derogations (EU Directive derogations continue to apply) Data Subject Consent Approval from Data Protection Authority (DPA) Data Protection Seals 40

41 Assess Your International Transfers: Privacy Shield Replacement mechanism to Safe Harbor that permits transfers of EU personal information to the US Must be subject to jurisdiction of FTC or DOT to self-certify Privacy Shield Principles: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability (plus 16 Supplemental Principles) The Onward Transfer principle addresses how Privacy Shield-certified companies must protect personal information that they transfer onto other data controllers or to third-party agents Will need to modify agreements of third parties that receive such data Not easy compliance often requires certain operational, policy and contractual changes 41

42 Questions? 42