Dealing with the EU Data Protection Regulation in Practice
William Long, Partner, Sidley Austin LLP
February 11, 2016
Do you need to comply?
- The Regulation will apply to a business processing personal data: (1) in the context of establishments in the EU; or (2) outside the EU where it carries out activities aimed at offering goods or services to individuals in the EU or that monitor individuals.
- So the Regulation will apply to US companies that hold personal data on European citizens, even if they are not a European business.
- Determine which of your business units will be subject to the Regulation.
What are the potential consequences of not complying?
- Fines of up to the greater of 4% of annual worldwide turnover (gross revenue) or EUR 20 million for failing to comply with the proposed Regulation.
- Claims by individuals or representative organisations.
- Damages will now be permitted for non-financial loss, e.g. for distress.
- One Stop Shop: businesses will be accountable to one single Lead DPA in the EU country where the data controller has its main establishment.
- Determine the applicable Lead DPA.
- Carry out a gap analysis between existing privacy requirements and those in the Regulation.
- Implement or update the privacy program to deal with requirements under the Regulation and to mitigate risk.
1. Update privacy notices, consents and policies
- The Regulation introduces new requirements as to the information that should be provided in notices AND new consent requirements.
- The Regulation also sets out limited legal grounds on which personal data may be processed.
- Review and amend existing employee and customer data privacy notices, consents and policies.
- Determine the legal grounds that can be used for processing of personal data and, if consent, how it will be obtained in line with the Regulation.
2. Keep detailed data records
- The Regulation requires businesses to have clear and accessible policies and to maintain a detailed record of processing activities.
- The records must be provided to the DPA upon request.
- Carry out a data flow analysis and document the internal use of personal data by the business to meet the accountability principles under the Regulation.
3. Assess compliance with accountability principles
- A business must appoint a data protection officer where:
  - the processing involves large amounts of sensitive personal data (e.g. health data);
  - the processing involves regular monitoring of individuals;
  - it is required by Member State law.
- Privacy impact assessments must be carried out where data processing uses new technologies and is likely to result in a high risk to individuals (e.g. profiling or the processing of health data on a large scale).
- Determine if required to appoint a DPO: single or multiple DPO(s)? Internal or external?
- Develop a procedure to ensure accountability measures, including carrying out privacy impact assessments where required under the Regulation.
4. Review IT systems and procedures
- The Regulation introduces the concept of privacy by design and by default.
- Requirement to implement technical and organisational measures to ensure data protection requirements are met AND to ensure that by default only the minimum amount of personal data is processed.
- Carry out a review of IT systems and procedures to consider the impact of privacy by design and data minimization requirements.
5. Information security and reporting security breaches
- Requirement to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, e.g., pseudonymization and encryption of data and regular assessments as to the efficacy of the measures.
- Security breaches must be reported to the DPA without undue delay and, where feasible, within 72 hours after becoming aware of the breach.
- Security breaches that involve high risk must also be reported to affected individuals without undue delay, unless measures have been taken to minimize the risk, e.g. the data is encrypted.
- Review and update information security standards and implement a process for regular information security audits.
- Develop a data breach response plan and reporting procedures.
6. Review arrangements with vendors
- The Regulation introduces new requirements and liabilities for data processors (e.g. vendors).
- New obligations to be included in the processing agreement.
- Prior specific consent must be given by the controller where a vendor appoints a subcontractor, and the subcontractor must comply with the same data privacy obligations as the vendor.
- Conduct a review of vendor agreements to ensure appropriate data privacy provisions are included, as well as provisions dealing with liability and security breach reporting.
- Consider implementing a vendor management program with a vendor questionnaire, minimum security requirements and regular vendor audits.
7. Dealing with individuals' new privacy rights
- Right to erasure: a business is obligated to erase an individual's personal data where, for example, the data is no longer necessary for the purpose for which it was obtained or consent is withdrawn.
- Right to object to processing: an individual has a right to object to the use of their personal data, including in relation to direct marketing.
- Right to data portability: an individual has a right to request the transfer of their personal data from one service provider to another where the data is processed in a machine-readable, structured and commonly-used format and the processing is based on consent or on the performance of a contract with the individual.
- Determine how the new data privacy rights apply to your business and develop policies and procedures, and if necessary system changes, to deal with these new rights.
8. Review profiling activities
- The Regulation introduces new restrictions on businesses carrying out profiling which produces legal effects or significantly affects an individual, subject to exceptions such as where:
  - this is necessary for the performance of a contract;
  - it is authorized by national Member State law;
  - it is conducted with the explicit consent of the individual.
- Review current profiling activities and determine whether the profiling is covered by an exception.
- Where appropriate, amend profiling activities to ensure compliance with the Regulation.
- Review consents and notices to deal with profiling.
9. Review international data transfers
- Restriction on transfers of personal data outside the EEA to jurisdictions that do not provide adequate safeguards.
- Data transfer solutions include:
  - the recently announced EU-US Privacy Shield (if agreed!);
  - EU Standard Contractual Clauses and Binding Corporate Rules (but currently being evaluated by the Article 29 Working Party);
  - approved Codes of Conduct or Certification Mechanisms.
- Determine international data flows based on reviews of processing activities.
- Consider international transfer solutions and review whether current solutions are adequate, particularly in light of recent developments on the EU-US Privacy Shield.
William Long
wlong@sidley.com
http://www.sidley.com/services/infolaw