Data privacy from across the pond: what US companies need to know about the European General Data Protection Regulation - PowerPoint PPT Presentation
15 February 2018
Speakers: Jade Kowalski, Joseph Fitzgerald (Senior Associate)
Agenda
A. History of DP and privacy in Europe
B. How to identify whether the GDPR applies
C. An overview of the requirements of the GDPR
D. The consequences of a breach
E. Practical steps for GDPR compliance
EU General Data Protection Regulation
A. History of DP and privacy in Europe
- The General Data Protection Regulation (GDPR) replaces the UK Data Protection Act 1998 and the other national implementing legislation across Europe on 25 May 2018
- An attempt to harmonise data protection laws across Europe
- Places greater obligations on organisations when processing personal data
- Provides individuals with more rights, which are easier to enforce
- Changes the risk profile of data protection compliance
- Not just about security of personal data, but also what personal data you have, where you have it, when and why you need it, and protecting data subjects' rights
Scope
Regulates:
1. "Processing" of
2. "Personal Data" by
3. "Controllers" or "Processors".
"Personal Data" is broader under the GDPR (Article 4(1)):
"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
For engineers: IP addresses, cookie identifiers and device identifiers are "online identifiers" (Recital 30), and pseudonymised records remain personal data for as long as anyone holds the information needed to re-identify them (Recital 26).
B. How to identify whether the GDPR applies
Jurisdictional reach (Article 3)
- Regulates "processing" of personal data in the context of the activities of controllers or processors established in the EU, regardless of whether the processing itself takes place in the EU.
- Also applies to controllers or processors not established in the EU where the processing relates to: (a) the offering of goods or services to data subjects in the EU (whether or not payment is required); or (b) the monitoring of the behaviour of data subjects in the EU.
- Overseas companies caught by (a) or (b) will need to appoint a local "representative" in the EU (Article 27), unless one of the narrow exemptions in that Article applies.
Situation | Existing law applies | GDPR applies
US social media company with no European group companies, targeting the service at individuals in the EU | No | Yes
US retailer with e-commerce website, in the English language, accessible by EU citizens; the company only delivers to addresses in the US | No | No
US retailer with e-commerce website, in the English language, which takes payment in Euros and makes deliveries to European citizens | No | Yes
US website which uses cookies to monitor behaviour and send targeted marketing to IP addresses, including those belonging to European citizens | No | Yes
Note: the statutory test is whether the data subjects are in the EU, not their citizenship (Recital 14), and mere accessibility of a website or use of the English language is not enough on its own (Recital 23); accepting payment in Euros and delivering to EU addresses, or tracking EU visitors for targeting, is.
C. An overview of the requirements of the GDPR
Security
- Data breach notification to the regulator within 72 hours
- Data breach notification to data subjects without undue delay
- Pseudonymised data formally recognised as a security protection
Data Protection Officers
- New requirement to appoint a DPO in certain circumstances
- DPO must be independent and must not be instructed on how to carry out his/her role
Wider scope
- Data processors now have direct obligations and liabilities
- Expanded territorial scope to govern companies outside of the EU
Enforcement
- Fines of up to 4% of worldwide annual turnover or EUR 20,000,000, whichever is higher
- Right to compensation from a data controller or data processor
- Quasi-ombudsman for group litigation
Fair processing notices
- Specific and comprehensive requirements for the content and format of privacy notices, including specifying the legal basis of processing
Consent
- Higher threshold for consent, meaning there will only be limited circumstances when it may be relied upon
Accountability
- New principle of accountability
- Certain processing activities will require data protection impact assessments
- Privacy by design and privacy by default
Best of the rest
- European Data Protection Board to replace the Article 29 Working Party, with a remit for guidance and consistent application of the GDPR
- New concept of data privacy seals
Data subject rights
- Subject access
- Data portability
- Erasure
- Right not to be subject to automated decisions
- Objection to marketing
Principle 1: Fair and lawful processing
Is it fair?
- Significant increase in the information to be provided by data controllers to data subjects (Articles 13 and 14)
- Data controllers must provide:
  - contact details of the data controller and the DPO;
  - purpose of processing and legal basis;
  - recipients;
  - international transfers;
  - data retention period;
  - reference to data subject rights; and
  - existence of automated decision making, including profiling.
Is it lawful?
- Not in breach of any other law (including contractual obligations)
- Performed in reliance on a legal basis under Article 6:
  - consent of the data subject
  - necessary for the performance of a contract with the data subject
  - necessary for compliance with a legal obligation to which the data controller is subject
  - necessary for the purposes of the legitimate interests of the data controller (or a third party), except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject
  - the remaining Article 6 bases (protecting the vital interests of a person; a task carried out in the public interest) are rarely available to commercial organisations
- Additional conditions under Article 9 must also be met for the processing of special categories of (sensitive) personal data
Principle 2: Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Principle 3: Data minimisation
Personal data must be adequate, relevant and limited to what is necessary.
Principle 4: Accuracy
Personal data must be accurate and kept up to date.
Principle 5: Storage limitation
Personal data must not be kept for longer than is necessary.
Principle 6: Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Principle 7: Accountability
The data controller must be responsible for, and be able to demonstrate compliance with, the other principles.
- Policies and procedures
- Governance
- Records of processing
- Data protection officers
- Data protection impact assessments
- Data protection by design and by default
Data protection impact assessments (Article 35)
- Required where processing is likely to result in a high risk to the rights and freedoms of data subjects
- Seek the advice of the DPO, where one has been appointed
- Will be required in cases of:
  - systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based
  - processing of special categories of data, or of data relating to criminal convictions and offences, on a large scale
  - systematic monitoring of a publicly accessible area on a large scale
- Where the assessment shows a high residual risk that the controller cannot mitigate, the supervisory authority must be consulted before processing starts (Article 36)
Data protection by design and by default (Article 25)
- Consider: the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks posed by the processing
- What technical and organisational measures could be used? (e.g. pseudonymisation, which Article 25 names explicitly)
- Goal, by default: only personal data which is necessary for each specific purpose of the processing is processed; this covers the amount of data collected, the extent of processing, the retention period and who can access it
- Caveat: pseudonymised data is still personal data while the re-identification key exists (Recital 26); pseudonymisation lowers the risk and supports the Article 32 security duty, but does not take the data out of scope
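The pseudonymisation the slide names, as an added worked example (not code from the presentation or from Beazley): direct identifiers are replaced by HMAC-SHA256 tokens under a secret key that is held separately from the dataset, only the fields a purpose needs are copied out (a request for a raw identifier is refused, which is the "by default" part of Article 25), re-identification is shown to require the key, and the unkeyed-hash mistake is shown to fall to a dictionary attack. The sample records, field names and helper names are constructed for illustration.

```python
"""Keyed pseudonymisation plus data minimisation (added example; the records
below are fictional and the function names are illustrative)."""
import hashlib
import hmac
import secrets
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample records (fictional people). Note the second Alice row
# differs only in letter case of the email address.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"email": "alice@example.com", "name": "Alice Example", "country": "DE",
     "date_of_birth": "1980-04-01", "order_total": 42.50},
    {"email": "bob@example.com", "name": "Bob Example", "country": "FR",
     "date_of_birth": "1975-11-23", "order_total": 17.00},
    {"email": "Alice@Example.com", "name": "Alice Example", "country": "DE",
     "date_of_birth": "1980-04-01", "order_total": 9.99},
]

# Fields that identify a person directly; they never enter the analytics set.
DIRECT_IDENTIFIERS = frozenset({"email", "name"})


def normalise(identifier: str) -> str:
    """Canonicalise before hashing so one person always maps to one token."""
    return identifier.strip().lower()


def pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key is the 'additional information' of Article 4(5): whoever holds it
    can link tokens back to people, so it is stored and access-controlled
    separately from the pseudonymised dataset.
    """
    return hmac.new(key, normalise(identifier).encode("utf-8"),
                    hashlib.sha256).hexdigest()


def minimise(record: Dict[str, Any], fields_needed: Iterable[str],
             key: bytes) -> Dict[str, Any]:
    """Copy only the fields a purpose needs, with identifiers replaced by a token.

    Asking for a direct identifier raises instead of silently copying it:
    the purpose has to justify every field that leaves the source system.
    """
    wanted = set(fields_needed)
    leaked = wanted & DIRECT_IDENTIFIERS
    if leaked:
        raise ValueError(f"direct identifiers not allowed in output: {sorted(leaked)}")
    out: Dict[str, Any] = {"subject_token": pseudonym(record["email"], key)}
    for field in wanted:
        out[field] = record[field]
    return out


def build_dataset(records: Iterable[Dict[str, Any]], fields_needed: Iterable[str],
                  key: bytes) -> List[Dict[str, Any]]:
    """The pseudonymised, minimised dataset handed to an analytics team."""
    needed = list(fields_needed)
    return [minimise(r, needed, key) for r in records]


def reidentify(token: str, source_records: Iterable[Dict[str, Any]],
               key: bytes) -> Optional[str]:
    """Map a token back to an email. Needs both the key and the source data."""
    for r in source_records:
        if hmac.compare_digest(pseudonym(r["email"], key), token):
            return normalise(r["email"])
    return None


def unkeyed_hash(identifier: str) -> str:
    """The common mistake: a plain SHA-256 of the identifier, no key."""
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Recover an unkeyed hash by guessing. Anyone holding a leaked dataset can
    do this for emails or names; the keyed version resists it because a guess
    cannot be checked without the key."""
    for guess in candidates:
        if unkeyed_hash(guess) == target_hash:
            return normalise(guess)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: generated and held in a KMS/HSM
    for row in build_dataset(SAMPLE_RECORDS, ["country", "order_total"], key):
        print(row)
```

The analytics copy carries a token, a country and an order total and nothing else; the two Alice rows share one token because the email is normalised before hashing, and date of birth never leaves the source because no purpose asked for it. Keep the key out of the dataset's storage and access path, rotate it with a re-tokenisation job, and treat the token table as personal data for breach-notification purposes.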
Data subject rights
- Right not to be subject to automated decisions (including profiling): the right not to be subject to a decision based solely on automated processing which produces a legal effect or a similarly significant effect (Article 22).
  - Exceptions: the decision is necessary for entering into or performing a contract with the data subject, is authorised by EU or Member State law, or is based on the data subject's explicit consent. Even then the controller must provide safeguards, including the right to obtain human intervention and to contest the decision.
  - Special categories of data: such decisions are permitted only with explicit consent or for reasons of substantial public interest, and with suitable safeguards (Article 22(4)).
- Right to be forgotten: the right to have personal data erased in certain circumstances (Article 17).
  - Exceptions: e.g. where the controller is required to retain the data to comply with a legal obligation.
The right of data portability (Article 20): transfer of data to the data subject, or directly to another controller, in a structured, commonly used and machine-readable format.
- Applies only to personal data provided by the data subject to the controller and processed on the basis of consent or contract (not data subsequently derived or inferred by the controller)
- WP29 guidance takes a wide view of "provided by" to include "data generated by his or her activity" (observed data such as activity logs and search history, but still not inferred or derived data such as a profile or score)
International transfers
Personal data should not be transferred outside of the EEA unless "adequate data protection" is ensured, for example by:
- an adequacy decision for the destination country
- EU Model Clauses (standard contractual clauses)
- transfer under binding corporate rules
- Privacy Shield, for transfers to certified US companies (note: Privacy Shield was invalidated by the CJEU in Schrems II in July 2020, after this presentation; US transfers now rely on the EU-US Data Privacy Framework adopted in 2023 or on standard contractual clauses backed by a case-by-case assessment of the destination's law)
Two new approved transfer mechanisms:
- reliance on an approved code of conduct
- an approved certification (privacy seal)
New derogation (Article 49(1), second subparagraph): a compelling legitimate interest of the controller not overridden by the interests or rights and freedoms of the data subject. This is a last resort: it is available only where no other mechanism or derogation applies, for non-repetitive transfers concerning a limited number of data subjects, after the controller has assessed and documented suitable safeguards, and the controller must inform the supervisory authority and the data subjects.
Breach notification (regulator) (Article 33)
The controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the regulator:
- unless the data breach is unlikely to result in a risk to the rights and freedoms of data subjects;
- if later than 72 hours, explain the delay;
- if not all information is available to provide a complete notification within 72 hours, then provide the information in phases without undue further delay;
- the controller shall document any personal data breaches, whether or not notified, comprising the facts of the breach, its effects and the remedial action taken; this record will be used by the regulator to verify compliance with this obligation.
A processor must notify the controller without undue delay after becoming aware of a breach (Article 33(2)), so US service providers acting as processors need a contractual and operational path for this even though they do not notify the regulator themselves. The 72-hour clock runs from the point at which the controller has a reasonable degree of certainty that a breach has occurred, so detection and escalation speed determine how much of the window remains for investigation.
Breach Notification (Data Subjects)
If personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall communicate the personal data breach to the data subject without undue delay. If personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall communicate the personal data breach to the data subject without undue delay.
- Describe in clear and plain language the nature of the breach and contain at
least:
- Name and contact details of Data Protection Officer;
- Likely consequences of breach;
- Describe measures taken or proposed to be taken by the controller to
address the breach, including mitigation steps.
- Not required if:
- Personal data is unintelligible;
- Controller has taken subsequent measures which ensure that the high risk
to the rights and freedoms of data subjects will not materialise;
- Individual notification would require disproportionate effort
- Describe in clear and plain language the nature of the breach and contain at
least:
- Name and contact details of Data Protection Officer;
- Likely consequences of breach;
- Describe measures taken or proposed to be taken by the controller to
address the breach, including mitigation steps.
- Not required if:
- Personal data is unintelligible;
- Controller has taken subsequent measures which ensure that the high risk
to the rights and freedoms of data subjects will not materialise;
- Individual notification would require disproportionate effort
An overview of the requirements of the GDPR An overview of the requirements of the GDPR
C
D. The consequences of a breach
Fines can be imposed for any infringement of the GDPR. When imposing a fine, the supervisory authority must ensure it is "effective, proportionate and dissuasive" (Article 83).
Category | Examples | Level of fine
Category A breaches (Article 83(4)) | failure to maintain written records of processing; failure to implement data protection by design and default; security, breach notification, DPIA and processor obligations | up to EUR 10,000,000 or 2% of worldwide annual turnover of an undertaking, whichever is higher
Category B breaches (Article 83(5)) | processing without a relevant legal basis; infringement of data subject rights; unlawful international transfers | up to EUR 20,000,000 or 4% of worldwide annual turnover of an undertaking, whichever is higher
Other sanctions and litigation
- Other sanctions (Article 58)
  - a written warning (unintentional, first offences only);
  - orders to suspend or cease processing;
  - orders suspending data flows to third countries;
  - regular audits
- Litigation
  - right to claim compensation for financial loss and "distress" caused (Article 82)
  - not-for-profit bodies (consumer watchdogs) able to pursue claims on behalf of individuals and classes (Article 80)
  - current UK compensation awards for privacy breaches up to £250,000 (approx. $300,000)
Sanctions and litigation
- Case law developed independently of the GDPR
  - tort of misuse of private information
  - duty of confidentiality
  - Article 8 ECHR
- The GDPR will clarify the law across Europe and is expected to increase litigation
- Halliday v Creation Consumer Finance [2013]: £750 (compensation)
- AB v MoJ [2014]: £1 (nominal) and £2,250 (distress)
- CR19 v Police Service of Northern Ireland [2014]: £20,000 compensation (negligence) plus £1 (nominal DPA damages)
- Vidal-Hall v Google [2015]: claimants entitled to sue for compensation for misuse of private information despite no direct financial loss
- Gulati v MGN [2015]: individual privacy awards up to £250,000; claimants entitled to sue for mere "loss of autonomy" over personal information
- TLT v Home Office [2016]: six awards of between £2,500 and £12,500, including to those not named on the spreadsheet; quantum based on personal injury psychological damage awards
- Various Claimants v Morrisons [2017]: Morrisons held vicariously liable for a rogue employee's data breach (under appeal at the time of this presentation; the Court of Appeal upheld the finding in 2018, but the Supreme Court reversed it in April 2020, holding that Morrisons was not vicariously liable)
Perceived and anticipated increases in litigation (chart)
E. Practical steps for GDPR compliance
GDPR compliance plan
- Data maps and records of the processing of EU residents
- Audit and gap analysis, resulting in readiness reports setting out GDPR compliance action lists
- Fair processing notice updates
- Policy review and remediation
- Contract review and remediation
- Employee training on GDPR requirements
- DPO?
- Carrying out data protection impact assessments
- Data breach response planning
- Governance reviews
Disclaimer The descriptions contained in this communication are for preliminary informational purposes only and should not be taken as legal advice. The product is available on an admitted basis in some but not all US jurisdictions through Beazley Insurance Company, Inc., and is available on a surplus lines basis through licensed surplus lines brokers underwritten by Beazley syndicates at Lloyd’s. The exact coverage afforded by the product described herein is subject to and governed by the terms and conditions of each policy issued. The publication and delivery of the information contained herein is not intended as a solicitation for the purchase of insurance on any US risk. Beazley USA Services, Inc. is licensed and regulated by insurance regulatory authorities in the respective states of the US and transacts business in the State of California as Beazley Insurance Services (License#: 0G55497). CBEM623_US_02/17