General Data Protection Regulation


General Data Protection Regulation
Caroline Budde, Vice President, Compliance, Global Privacy Officer, Walgreens Boots Alliance

Agenda
- Overview of global data protection
- The General Data Protection Regulation
- A Roadmap Towards Compliance

Overview of Global Data Protection

Purpose of Data Protection Regulations
- Regulate the collection, retention, use, disclosure and security of personal information
- Breach notification and data incident response
- Balance between data utility and personal privacy
- Different approaches to data protection across the globe

United States Approach to Data Protection
- Sector and data specific
- Focus on sensitive information and populations: health care, financial information, children
- Focus on harm to the individual: unfair and deceptive trade practices, civil litigation, breach reporting
- Multiple regulatory agencies (e.g. OCR, FTC, state AGs)

European Approach to Data Protection
- Omnibus regulation of all personal information regardless of sector or type
- More robust protection of sensitive information (e.g. health)
- Limitations on collection and transfer
- European approach more popular globally than US approach

General Data Protection Regulation: EU Data Directive vs. GDPR

Data Directive
- Outlines a set of goals, principles or objectives that each country must achieve through the implementation of domestic legislation
- Individual member states enacted legislation that is consistent with such objectives
- Inconsistency in approach across the EU

GDPR
- First major update to European data legislation since 1995
- Effective May 2018
- Directly applicable to each member state, leading to one set of rules across Europe
- Member states have flexibility to pass more stringent laws in limited circumstances (e.g. HR data)

General Data Protection Regulation: Enforcement
- Applies to both data controllers and data processors
- Extraterritorial jurisdiction
- Supervisory Authorities will have wide-ranging powers to enforce compliance
- Expanded rights and remedies for data subjects
- Mandatory breach reporting
- Increase in maximum fines and penalties: the maximum penalty is the greater of $20 million or 4% of worldwide turnover

GDPR: Data Protection Officers
- Certain organizations must appoint a Data Protection Officer (DPO) with expert knowledge of data protection law and practices
- The DPO must:
  - Report to the highest levels of management
  - Maintain independence in performance of job functions
  - Inform and advise the company and its employees of their obligations to comply with the GDPR
  - Serve as the point of contact for regulators on issues relating to the processing of personal information
  - Respond to inquiries from data subjects on issues relating to data protection practices, consent and individual rights

GDPR Key Takeaways: Compliance Program
- Organizations will have to implement, and be able to demonstrate to their Supervisory Authority that they have, comprehensive data protection compliance programs
- Risk Assessments: must perform data protection impact assessments for high-risk processing activities
- Oversight and Responsibility: the DPO must be involved, in a timely manner, in all issues which relate to the protection of personal data
- Monitoring & Auditing: the DPO must monitor and audit company compliance with privacy policies and procedures
- Training: the DPO is required to raise awareness and train staff involved in processing activities
- Code of Conduct: organizations are encouraged to create a Code of Conduct relating to processing personal information as a means of both achieving and demonstrating GDPR compliance
- Privacy by Design: an approach to projects that promotes the consideration of privacy from the start and throughout the lifecycle, for example when building new IT systems for storing personal data or using personal data for new purposes

Roadmap to Compliance

Step One: Take Inventory
Start with taking an inventory of your organization's:
- Data collection and processing activities (both customer and human resources)
- Basis for such processing (legitimate interests; consent)
- Cross-border transfer activities
- Notices, policies, procedures and training
- Retention practices
- Existing governance structure
- Technical capabilities of your IT environment
- Vendor management

Step Two: Gap Analysis
- Is your privacy notice outdated?
- Can you continue to rely on the current justification for processing and transfer?
- What updates to policies, procedures and training are necessary?
- Is your consent process sufficient to comply?
- What IT enhancements will be needed to comply (e.g. right of data portability, access and erasure)?
- What updates will need to be made to your governance structure?
- Identify data processor/data controller relationships

Step Three: Implementation
- Risk-based approach to compliance
- Develop a timeline for implementation and assign accountability
- Data incident response: ensure that you have a plan in place for when something goes wrong

Questions?