
EU Data Protection Compliance Trends - What US Companies Need to - PowerPoint PPT Presentation



  1. EU Data Protection Compliance Trends - What US Companies Need to Know 30 January 2013

  2. Session Contents
     • Why European data protection rules matter and an introduction to the main privacy rules
     • Transferring data outside of Europe – the Compliance Options
     • Outsourcing
     • A brief UK perspective on privacy compliance
     • A French perspective on privacy compliance
     • A German perspective on privacy compliance
     • Concluding remarks

  3. Your Speakers Today
     • Caroline Egan – Birmingham, UK
     • Ann La France – London, UK
     • Stephanie Faber – Paris, France
     • Andreas Fillmann – Frankfurt, Germany

  4. INTRODUCTORY OVERVIEW

  5. Why Does EU Data Protection Law Matter
     • Why European DP law matters to US companies
       ➢ Applies to European subsidiaries in their domestic processing of personal data (even when US parent is Safe Harbor certified)
       ➢ Applies when they transfer/allow access to personal data from US or outside EEA
     • Our focus – on transfers of data outside Europe
     • Though based on EU Directive – there are differences in implementation in individual countries
     • Applies to all types of personal data
       – Employee
       – Customer
       – Supplier

  6. Why Does EU Data Protection Law Matter
     • Downsides of non-compliance?
       ➢ Fines and regulatory sanctions – substantial and increasing – see table on next slide
       ➢ Reputational damage – name and shame policy of regulators
       ➢ Employee data – damaged employee relations
       ➢ Potential conflicts with US law – eg Sarbanes-Oxley and whistleblowing in France

  7. Examples of Fines Imposed by EU DPAs

     Country/DPA           | Date       | Company              | Fine imposed              | Reason
     UK (ICO)              | Jan 2013   | Sony                 | 250,000 GBP               | Failing to prevent personal data of Playstation users being hacked
     UK (ICO)              | Oct 2012   | The Prudential       | 50,000 GBP                | Mixing up accounts of two customers
     UK (ICO)              | May 2012   | NHS Trust            | 325,000 GBP               | Failure to prevent sensitive personal data being sold on internet auction site
     France (CNIL)         | March 2011 | Google               | 100,000 EUR               | Collection of Wi-Fi and login/email data during its Street View operations
     France (CNIL)         | July 2011  | Association Lexeek   | 10,000 EUR and injunction | Published legal cases online containing parties' names
     Germany (Hamburg DPA) |            | Hamburger Sparkasse  | 200,000 EUR               | Using neuromarketing techniques without customer consent
     Spain (AEPD)          | April 2007 | Zeppelin Television  | 1,000,000 EUR             | Failure to protect personal data of 7000 applicants for Big Brother
     Netherlands (OPTA)    | Dec 2011   | DollarRevenue        | 1,000,000 EUR             | Installing adware/spyware software on 22 million computers

  8. Why Does EU Data Protection Law Matter
     • Existing law tough; new law tougher?
     • Proposed new European Data Protection Regulation
       ➢ Harmonised stricter rules – Regulation – direct effect – no scope to alter
       ➢ Much higher penalties – up to 2% of global turnover
       ➢ Mandatory data breach notification
       ➢ Requirement to appoint Data Protection Officer
       ➢ Territorial application – applies even if no European presence – if market to Europe or monitor European citizens

  9. Timescale for Implementation
     • A long way to being finalised
     • Earliest date for finalising Regulation 2014
     • Implementation – 2018?

  10. Overview of EU Data Protection Rules
     • Key terms – especially as these terms are not used in Safe Harbor
       ➢ Personal data
       ➢ Data controller
       ➢ Data processor
       ➢ Processing
       ➢ Transfer outside EEA – including allowing access
       ➢ Sensitive personal data
       ➢ EEA – EU plus Norway, Iceland and Liechtenstein

  11. Overview of EU Data Protection Rules
     • Data protection compliance principles
       ➢ Must have justification – consent or other permitted purpose
       ➢ Notice to individuals about usage of their data (privacy policy)
       ➢ Accurate and up to date
       ➢ Sufficient and not excessive for purpose
       ➢ Destroyed when no longer needed for purpose
       ➢ Compliance with individuals' rights – eg providing information on request
       ➢ Kept secure (and higher security required for sensitive data)
       ➢ Only transferred outside EEA if adequate protection

  12. TRANSFERS OUTSIDE OF THE EEA

  13. Compliance Options When Transferring Data Outside the EEA
     • Approved country – Switzerland, Argentina, Australia, Canada, Israel, Uruguay
     • US Safe Harbor (some sectors excluded)
     • EC approved Model Clauses
       ➢ Controller to Controller
       ➢ Controller to Processor
     • Binding Corporate Rules – within multi-national groups
     • NB: EU law treats group companies as separate third parties

  14. Safe Harbor – Advantages/Disadvantages
     • Safe Harbor
       ➢ Geographical limitations – issues with onward transfers
       ➢ Some sectors excluded eg financial services, telecoms
       ➢ Check exact certification
       ➢ Lack of fit for pure processors
       ➢ Long term future?

  15. EU Model Clauses – Advantages/Disadvantages
     • EU standard model clauses
       ➢ Must be used unamended
       ➢ Jurisdictional issues – governing law of exporting country
       ➢ Notification/prior approval in many countries
       ➢ Service providers becoming more familiar with them
       ➢ Sub-contracting – further complications

  16. EU Standard Model Clauses
     • Complexity of contracting – an administrative nightmare!
     [Diagram: web of contract links between numbered Non-EU operations and EU operations]

  17. Binding Corporate Rules – Advantages/Disadvantages
     • Binding corporate rules
       ➢ Only apply within multi-national groups
       ➢ Favoured by many regulators
       ➢ Costly and time consuming
       ➢ Involves getting approval of regulators in all affected countries, through lead regulator – up to a year
       ➢ Useful if a lot of data being transferred/accessed

  18. Overview on Compliance Options
     • In theory – straightforward
     • In practice – tricky
       ➢ EU requirements – not business-friendly
       ➢ Getting third parties to agree
       ➢ Additional requirements of local regulators/national laws
     • The UK position
       ➢ Least prescriptive
       ➢ Least red tape
       ➢ Particular sensitivities

  19. OUTSOURCING – OVERVIEW OF PRIVACY ISSUES

  20. Outsourcing
     • Nature of outsourcing
       ➢ Providing services to other group members
       ➢ External providers
       ➢ Examples
         – Global HR databases
         – Global email hosting
         – Using external marketing companies
         – Cloud computing
           » Data may be transferred to multiple jurisdictions
       ➢ Frequently involve sub-contracting

  21. Outsourcing
     • Practical issues
       ➢ You appointing service provider – who will access/use data from Europe
       ➢ You as service provider – to third parties or member of group – either to EU clients or US parent and its European affiliates
       ➢ Understanding who is data controller and who is data processor; usually service provider is processor
       ➢ Virtually all obligations on data controller
       ➢ Considering privacy issues at the outset
       ➢ Increasing willingness of processors to address customer compliance issues

  22. Practical Issues (continued)
     • If personal data comes to you first, before you appoint processor/sub-processor
       ➢ Compliance for transfer to you
       ➢ Compliance for transfer to processor/sub-processor

  23. Outsourcing
     • Appointing a Processor
       ➢ Processor Agreement always needed – even if processor is in the EEA, or recipient is Safe Harbor certified ("basic processor agreement")
       ➢ Due diligence – up front and ongoing
       ➢ Mandatory terms of basic processor agreement
         – Only process on data controller's instructions
         – Take appropriate technical and organisational measures to keep data secure, proportionate to amount and sensitivity of data
         – Security – major priority of regulators, especially in UK
           » Encryption in transit and when accessed from mobile devices
           » Possibly always encryption?
       ➢ Strongly advisable terms
         – Notify data breaches within 24/48 hours
         – Obligation to take remedial measures if breach
         – Audit rights
       ➢ Often involve sub-processing

  24. EU Processor Model Clauses 2010
     • Not very business friendly
     • Don't apply if initial processor is inside EEA
     • Audit requirement compulsory
     • Must identify in agreement security measures to be taken
     • Appointing sub-processors
       ➢ Significant formalities
       ➢ Requires notification to and consent of controller
         – Can give generic consent
           » May be okay within groups
           » Risky if arm's length transaction

  25. UK Hot Topics
     • Data security
       ➢ Encryption
     • Data breach reporting
       ➢ Not mandatory
       ➢ Aggravating factor in fines
     • Power to fine
       ➢ Data breach
         – Liability for processors
         – Not having agreement in place
         – Not checking security measures
       ➢ Inaccurate data

  26. A FRENCH PERSPECTIVE ON PRIVACY COMPLIANCE

  27. Cloud Computing
     • CNIL's (French DPA) guidance on Cloud (June 2012):
       ➢ Similar to opinion of WP 29
       ➢ Also contains a list of contractual requirements, failing which the data controller will not be compliant, as well as proposed clauses

  28. Data for Litigation Disclosure
     • Cultural difference: no pre-trial discovery in France
     • Guidelines of the CNIL (cooperation through Hague and data minimization)
     • So called "French Blocking Statute" on "business data"
