GDPR a legal overview


GDPR: a legal overview
Andrew Gilchrist and Noirin McFadden, K&L Gates LLP
Copyright 2017 by K&L Gates LLP. All rights reserved.

Background to reform

WHY WAS REFORM REQUIRED?
- We've had data protection laws in the UK for 20 years: the Data Protection Act 1998 implemented European Directive 95/46/EC into UK law.
- Need for harmonisation: various EU member states have taken divergent approaches to implementing the Data Protection Directive, creating compliance difficulties for many businesses.
- Disproportionate penalties: maximum fines of £500,000 for the most serious breaches. High-profile enforcements: TalkTalk / Sony.
- Technological change: significant advances in information technology, and fundamental changes to the ways in which individuals and organisations communicate and share information.
klgates.com 3

BACKGROUND TO REFORM
Key dates:
- Directive 95/46/EC issued: October 1995
- Reform proposed by the European Commission: January 2012
- "Legislative hell": January 2012 to December 2015
- Text of GDPR agreed: 15 December 2015
- Text of GDPR adopted: 14 April 2016
- Text of GDPR published: 4 May 2016
- GDPR enters into force: 24 May 2018
- GDPR applies from: 25 May 2018

EFFECT OF REFORM: EVOLUTION NOT REVOLUTION
Data Protection Act 1998:
- Harmonised principles (different implementations).
- Global companies potentially subject to multiple enforcement.
- Fines limited to £500,000.
GDPR:
- Full harmonisation (but perhaps not)*.
- Mandatory breach reporting.
- One stop shop mechanism.
- Increased enforcement powers (up to 4% of annual global turnover).
- Increased accountability for businesses: increased record keeping.
- New and enhanced subject rights: data portability, right to be forgotten etc.
The GDPR retains a lot of the same concepts:
- Same basic data protection principles.
- Same basic approach to categorisation of controllers and processors.
- Same basic compliance mechanisms for transfers outside of the EEA.
*Not entirely harmonised: Member States can set additional (more specific) rules for processing personal data in certain circumstances.

BREXIT WON'T SAVE US!
- On 25 May 2018 (from which GDPR applies) the UK will still be a member of the EU.
- On 21 June 2017 the UK Government revealed that it will be passing legislation to bring the GDPR into UK law. Apart from various administrative changes, the UK law will be an exact equivalent of the GDPR.
- Brexit may affect how data protection laws are enforced: how will the one stop shop model work when the UK is no longer a member of the EU?

Upcoming changes under the GDPR

PERSONAL DATA
What is personal data?
- Definition of personal data updated to reflect new technologies: adds new identifying types of data, e.g. location data and online identifiers.
- Pseudonymised data is still considered personal data.
Sensitive personal data
- Same basic categories apply. Extended to genetic and biometric data. Requires more safeguards.
- As in the DPA, includes personal details such as ethnicity and details of an individual's health, e.g. information on allergies.
Children's data
- Special rules surrounding the control and processing of data relating to children are now more specific, e.g. all individuals under 13 classified as children.

WHO DOES IT IMPACT?
DPA places data processing obligations on:
- Organisations established within the UK who process personal data in the context of that establishment (where the business is based).
GDPR places data processing obligations on:
- organisations that are established within the European Union where personal data is processed in the context of that establishment, regardless of whether data subjects are based in the UK (where the business is based); OR
- organisations that offer goods/services (paid or free) to individuals located within the European Union; OR
- organisations that monitor individuals whose behaviour takes place within the European Union (where the data subjects are based).
The GDPR therefore has extra-territorial effect.

MORE RIGHTS FOR INDIVIDUALS
Organisations need to be aware that the GDPR grants further rights to individuals in relation to their personal data.
Key rights that exist under the DPA:
- Right to be informed
- Right of access (within 1 month)
- Right of rectification of their personal data
Rights that exist under case law and rights introduced under the GDPR:
- Right of erasure (also known as the right to be forgotten): ensure all data is tracked to enable deletion if necessary
- Right to restrict processing
- Right to data portability, i.e. the right to request that their personal data be transferred, free of charge, to another tour operator
- Right to object to processing
- Right not to be subject to automated decision-making, i.e. profiling

INCREASED ACCOUNTABILITY, PART 1
- Accountability principle: organisations are now required to provide evidence of compliance.
- Data protection compliance has to be managed as a risk.
- Actions will need to be documented so that a data controller can prove what has been done. Must evidence policies / good data governance.
- Increased record keeping: records of processing.
- Increased transparency: revised privacy notices.
- Burden of proof to demonstrate consent was obtained. May need consent for different purposes.

INCREASED ACCOUNTABILITY, PART 2
- Mandatory Data Protection Impact Assessments.
- Processors now directly liable to comply with certain requirements (i.e. data security).
- Privacy by design and default.
- Written contracts must be entered into to cover third party processing.
- Requirement to appoint a data protection officer (mandatory in some instances).
- Fines of up to €20 million or 4% of global turnover (whichever is higher).
- One stop shop enforcement / consistency mechanism.

Practical steps for a legal compliance program

TYPICAL STAGES OF A LEGAL COMPLIANCE PROGRAM
Akin to undertaking a global health and safety assessment, but for your data. It is not just about lawyers drafting contracts that can protect you: there must be business-wide engagement.
- Phase 1: Due diligence (audit / questionnaires)
- Phase 2: Gap analysis
- Phase 3: Plugging the gaps
- Phase 4: Implementation and ongoing training

STAGE 1: DUE DILIGENCE
Organisation-wide audit:
- What personal data does the organisation hold? What are the origins of the personal data held? Were the appropriate consents obtained?
- What does the organisation do with the personal data? How does it process data internally? Does the tour operator use it for marketing purposes?
- Who does the organisation share the personal data with? For what purposes? Is it passed on to local tour operators? Airlines? Where are these organisations based? On what terms is the data shared?
- Document audit information in a record of processing. Always ensure there is a paper trail.

STAGES 2/3: GAP ANALYSIS AND PLUGGING THE GAPS
Prepare policies
- What do you have already? What is missing? How are the policies acknowledged / enforced? Are they fit for purpose?
- Is there an appropriate governance structure in place to provide sufficient oversight?
Revise privacy policies
- Do they reflect reality? Do they contain the enhanced information rights contained in the GDPR (e.g. legal basis of processing, data retention periods)?
- You can only do this when you know what data you process and why!
Revise data processing contracts
- Work out where your data goes. Are written contracts in place? Do those contracts contain the minimum provisions required under the GDPR? Do they contain breach notification provisions?

STAGE 4: IMPLEMENTATION / ONGOING TRAINING
- Implement policies / introduce risk management and governance structures. Might involve process and systems change!
- New systems to deal with portability, right to be forgotten, subject access requests, consent etc.
- Privacy by design and default when creating / procuring new products, services and systems.
- Carry out Privacy Impact Assessments when establishing new practices / employing new technology.
- Consider appointing a Data Protection Officer, even if not required under statute, who can offer training and guidance.
- Security audits: engage a cybersecurity consultant?
- Staff training and updates!

WHY COMPLIANCE IS CRUCIAL
- Increased fines: up to €20 million or 4% of global turnover (whichever is higher).
- Individual claims: individuals can now claim for non-material damage against both processors and controllers (who are jointly and severally liable).
- Changing enforcement model: one stop shop principle, i.e. the lead supervisory authority of the main establishment (your European HQ). More harmonised enforcement? But other supervisory authorities can object to a decision through the built-in consistency mechanism.

Neil Baylis, K&L Gates LLP
One New Change, London EC4M 9AF
Phone: +44 (0)20 7360 8140
Fax: +44 (0)20 7806 0675
neil.baylis@klgates.com
www.klgates.com