POST MAY 25TH GDPR OBLIGATIONS, GOVERNANCE, AND RESPONSE WEBINAR


SLIDE 1

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.

POST MAY 25TH – GDPR OBLIGATIONS, GOVERNANCE, AND RESPONSE WEBINAR

May 2, 2018

SLIDE 2

WITH YOU TODAY

Karen Schuler
Partner and National Data & Information Governance Practice Leader
BDO USA, LLP
8401 Greensboro Drive, Suite 800, McLean, VA 22102
Direct: 703-336-1533
kschuler@bdo.com
www.bdo.com

Lisa Sotto
Partner and Chair, Privacy and Cybersecurity Practice
Hunton Andrews Kurth LLP
200 Park Avenue, New York, NY 10166
Direct: 212-309-1223
lsotto@hunton.com
www.huntonprivacyblog.com

SLIDE 3

TOPICS TO BE COVERED

  • GDPR Background
  • Primary Legal Considerations
  • Approach to GDPR
  • Minimizing Your Exposure Post-May 25
  • Managing Risk in an Uncertain World

SLIDE 4

GDPR Background

SLIDE 5

GDPR Background

  • Enhanced personal privacy rights
  • Increased duty for protecting data
  • Mandatory breach reporting
  • Significant penalties for non-compliance

The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.

SLIDE 6

Key GDPR Themes

Harmonisation

  • Harmonised rules, but not fully (e.g. employee data, children's data)
  • One Stop Shop: Lead DPA for pan-European matters, in cooperation with other DPAs; Local DPA for local matters and redress for individuals
  • Risk-based approach
  • Some reduction of administrative burden (no national registration of processing or prior authorisation)
  • BCRs, seals and certifications

Increased obligations

  • DP principles tightened (consent, transparency)
  • Profiling rules
  • Privacy Impact Assessment
  • Privacy by Design
  • Breach notification – to DPAs and individuals
  • Direct obligations and liability for processors
  • Accountability – Privacy Programme
  • Internal record of processing
  • DP Officer

Strengthened rights of individuals

  • Right to erasure
  • Data portability
  • Right not to be subject to automated profiling / right to object

Increased enforcement, fines, liabilities

  • Regulatory fines up to 4% of annual worldwide turnover
  • Individual action
  • Class action
  • Criminal sanctions (in national laws)
  • Larger role for European Data Protection Board (EDPB)

SLIDE 7

Territorial Scope

EU Businesses

  • The GDPR applies if personal data are processed in the context of the activities of their establishment in the EU
  • Based on the concept of “establishment”
  • Irrespective of where the actual processing takes place

Non-EU Businesses

  • The GDPR applies when a business “targets” individuals in the EU (by offering them products or services), or monitors the behavior of individuals in the EU
  • What is “targeting”?
  • What is “monitoring”?

SLIDE 8

Data Subject Rights

  • Access
  • Restriction
  • Objection
  • Erasure
  • Portability
  • Profiling/automated decisions

SLIDE 9

Fines & Sanctions

  • Controllers and processors subject to administrative fines for non-compliance
  • High fines of up to:
    20 million euros, or
    “in case of an undertaking” up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher
  • Fines should take into account:
    Gravity and duration of the violation, and
    Any mitigating measures taken by companies
  • Criminal sanctions also available and will continue to be determined at national level

SLIDE 10

Primary Legal Considerations

SLIDE 11

Legal Basis for Processing

  • Personal data may be processed under the GDPR only if there is a legal basis to do so
  • Legal bases include:
    Consent
    Performance of a contract
    Compliance with a legal obligation
    Legitimate interests

SLIDE 12

GDPR Transparency Requirements

  • Transparency is an explicit requirement
  • Personal data must be processed fairly, lawfully and in a transparent manner

The Controller is responsible for demonstrating compliance with transparency obligations

The Controller must provide information to individuals in a concise, transparent, intelligible and easily accessible form, using clear and plain language

Individuals must be made aware of data processing, purposes, risks, rules, safeguards and rights

Further reinforced by and linked to requirements for consent, notice, legitimate interest, publishing DPO contacts

SLIDE 13

Privacy Notice Requirements

  • Controllers must provide certain information to individuals when:
    Obtaining data directly from the individuals, and
    Obtaining personal data about the individual from third parties
  • This information must include:
    Controller/representative identity and DPO identity/contact details
    Purposes of processing and legal basis
    When processing is based on legitimate interests, an explanation
    Whether provision of data is mandatory
    Information about recipients of data and data retention periods
    Explanation of individual rights
    Information regarding cross-border transfers
    Existence of automated decision taking and the logic behind it

SLIDE 14

Accountability Requirements

  • Internal records
  • Data protection impact assessments
  • Data Protection Officer
  • Data Protection by Design and by Default
  • Codes of conduct and certifications

SLIDE 15

Approach to GDPR

SLIDE 16

Holistic GDPR Implementation

  • Readiness assessment
  • Business processing
  • Information inventory
  • Risks
  • Vendors
  • Special categories

Readiness, Data Mapping & Registers; Accountability & Organizational Measures; Subject Access Rights

  • Access requests and forms
  • Response mechanisms
  • Rectification & erasure
  • Accuracy
  • Objections
  • Data Protection Officer Services
  • iGRC
  • POS Compliance
  • Policy Management

Monitoring & Governance

  • Transfers to data subjects
  • Transfers to DPA's/SA's
  • 3rd party transfers
  • International transfers
  • Info. security policies
  • Data breach response & notifications

Data Transfers & Technical Measures

  • Records retention & erasure
  • Awareness & training
  • Website policies
  • Privacy notices
  • Data protection policies

SLIDE 17

Path to Compliance

  • GDPR is a combination of evolving and new requirements
  • GDPR requires an ongoing compliance obligation
  • Management buy-in is critical
  • Continued compliance means:

Ongoing diligence

  • Ongoing understanding of your data processing activities
  • Conduct ongoing gap analyses against GDPR requirements
  • Continue to remediate based on the gap analysis

Ongoing remediation

  • Execute strategic remediation on an ongoing basis
  • Continue to implement underlying changes

SLIDE 18

Minimizing Your Exposure Post-May 25

SLIDE 19

Minimizing Exposure

GDPR LIFECYCLE

  • Meet DPO requirements
  • Information management
  • Policies & procedures
  • Data transfers & storage
  • Training & awareness
  • SAR management
  • PoS & ERP compliance
  • Contracts & third party management

People / Process / Technology

SLIDE 20

Security: Risk Assessment and Safeguards

Obligations

  • Applies to controllers and processors
  • Must evaluate risks of processing
  • Must put in place adequate security measures

Security measures

  • Technical safeguards
  • Organisational safeguards
  • Policies and procedures

SLIDE 21

Breach Notification in the EU

  • Currently, there are two EU Directives requiring notice
    e-Privacy Directive – applies to Telecoms and ISPs
      • Must notify DPAs, and individuals if the breach will adversely affect their personal data
    Network and Information Security Directive – applies to operators of essential services and digital service providers
      • Reporting obligations for “substantial impact” disruptions
  • Notification obligations often depend on controllership analysis
  • Breach laws or guidance at Member State level in the Netherlands, Germany, France and the UK
  • In the UK, also must notify the FCA

SLIDE 22

Breach Notification Under the GDPR

  • Significant changes coming with GDPR
    “Personal data breach” notification obligations
  • Must report breaches to:
    Supervisory authority not later than 72 hours after having become aware, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons
    Individuals without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons

SLIDE 23

Preparation Is Critical

  • The 72 hour requirement of GDPR makes one thing clear: advance planning is key
  • Making matters more challenging, complying with notice obligations in one jurisdiction is one thing . . . complying at scale across the globe is another
  • Security
    Must understand your data and where it is stored
    Continually assess status of technical and physical protections
  • Vendor Management
    Diligence, contract, ongoing monitoring

SLIDE 24

Vendor Management and Liability Considerations

  • Article 28 of the GDPR imposes obligations on controllers who retain processors for data processing
    No subprocessing without the consent of the controller
    Processing governed by a contract that includes specific provisions
    Contract provisions must be extended to approved subprocessors
  • Beyond Article 28, potentially massive liability resulting from breach notification must be addressed in contracts
  • Processors directly liable under GDPR for their own security violations
    Cold comfort
    Notification-related costs will add up for controllers, as well as potential compensation claims
    Should be managed through a combination of provisions
      • Direct reimbursement + indemnification for third party claims

SLIDE 25

Data Transfer Mechanisms

  • Binding Corporate Rules
  • EU Model Clauses
  • Adequacy Decisions
  • Third country requirements
  • Certification & Codes of Practice

SLIDE 26

Remedies for Individuals

  • Data subjects have the right to:
    Lodge a complaint with the Supervisory Authorities, which may lead to investigations and/or fines
    Effective judicial remedy when a Supervisory Authority fails to deal with a complaint or inform the complaining individual of the outcome
    Effective judicial remedy against controllers/processors
    Compensation for material/immaterial damage resulting from GDPR violations
  • Consumer protection groups may bring legal proceedings on behalf of individuals

SLIDE 27

Impact of New Enforcement Rules

  • The risk of substantial fines emphasizes the need to carefully assess (non-)compliance with the GDPR
  • Compliance measures and cooperation with Supervisory Authorities are likely to induce leniency
  • Expectation that complaints and investigations will increase
  • Litigation around administrative fines may develop, similarly to EU competition law
  • Specialized insurance arrangements likely to emerge?

SLIDE 28

Summary

Manage and Govern

  • Focus on staffing solutions for a wide range of publicly traded and privately held companies.
  • Partners with IT leaders to deliver strategy and technology solutions to address business needs through CIO Advisory, Program/Project Management delivery, Outsourcing, and Staff Augmentation.

Develop your approach & strategy

  • Facilitate interview process that exposes challenges.
  • Leverage leading practices and industry knowledge.
  • Drive towards a longer term strategy that supports privacy objectives of the company.
  • Delineate the discrete initiatives to sustain value year over year.

Assess & re-assess

  • Evaluate products, large scale processing activities and processes, monitoring procedures or vendors.
  • Conduct vendor/third party GDPR readiness assessments.
  • Identify technical controls, policies, procedures, process or documentation that require updates.

Implement the program

  • Implement requirements to align with Privacy by Design and Default.
  • Implement BDO’s Data Reduction by Design strategies.
  • Align Articles with business practices, policies, and procedures.
  • Implement necessary updates to meet GDPR compliance requirements.
  • Implement practices to train, communicate and manage the GDPR program.
  • Identify overlaps between GDPR and other privacy regulations.