Board Priorities for GDPR Implementation
Keir Gumbs
Covington & Burling
Joseph Moreno
Cadwalader, Wickersham & Taft LLP
What Changed on May 25, 2018?
Previous law:
Data Protection Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Privacy and Electronic Communications Directive 2002/58/EC (ePrivacy Directive)
Replaced by:
General Data Protection Regulation (GDPR), Regulation (EU) 2016/679
Proposed Regulation on Privacy and Electronic Communications (ePrivacy Regulation); this was not adopted alongside GDPR, so Directive 2002/58/EC remains in force until it is replaced
“What must be recognized is that GDPR is an evolution in data protection, not a total revolution . . . GDPR is building on foundations already in place for the last 20 years.”
Steve Wood, Deputy Commissioner, Information Commissioner’s Office (ICO)
Why the Change?
Aim of improving individuals’ data protection rights
Existing framework seen as having insufficient “bite” in terms of sanctions
Varied approach across the EU and need for better harmonization via a Regulation (directly applicable in every member state, unlike a Directive)
Developments in technology and the way people live and work:
Recital 6: “Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.”
Who Does it Apply to?
Controllers and processors with “establishments” in the EU
“Establishment” is broad – a minimal business presence is sufficient (e.g., website, single agent)
Applicable even if the data processing takes place outside the EU (e.g., a UK organization with data processed in a cloud hosted in the US or India)
Non-EU-established organizations processing the data of individuals in the EU
Applies if the company offers goods/services to, or monitors the behavior of, individuals within the EU
Must look at factors such as the ability to order goods/services online in an EU language/currency
“Monitoring” includes tracking individuals online or creating profiles (e.g., targeted advertising through the use of cookies)
Who Does it Apply to?
Scenarios compared: did the Directive apply, and does GDPR apply?
US company without any EU subsidiaries offering free social media services via a website hosted in the US to individuals in the EU
Malaysian travel business using cookies to track past customers’ (including EU-based customers’) browsing in order to target specific holiday adverts to them
Brazilian flower delivery company allowing data subjects in the EU to make orders for fulfilment only in Brazil
New Zealand retailer with a website for online shopping. The website is accessible to individuals in the EU in English. The currency is the NZ dollar and the address fields only allow NZ addresses
What Does it Apply to?
GDPR applies to “personal data”:
Information relating to an identified or identifiable natural person – e.g., name, ID number, location data, online identifier
Excluded from the material scope are data processed:
outside the scope of EU law
by member states for national security
by a natural person in the course of a purely personal or household activity
by competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties (covered by the separate Law Enforcement Directive)
by EU institutions, bodies, offices and agencies (these are covered under separate law)
What Does it Require?
Transparency
Personal data must be processed in a “transparent manner in relation to the data subject” – which requires more information to be provided to the individual (e.g., privacy policy)
Purpose limitation
Data must only be collected for specified, explicit and legitimate purposes
Minimization
Personal data must be adequate, relevant, and limited to what is necessary for the purpose – “only collect what you really need”
Accuracy
Data must be kept accurate and up to date, and inaccuracies must be corrected or erased swiftly
What Does it Require?
Storage limitation
Data should only be kept for as long as necessary for the original purpose
Integrity and confidentiality
Data security obligation – appropriate technical and organizational measures to protect against unauthorized or unlawful processing and accidental loss/destruction/damage
Accountability
Previous requirement to register with local regulators deleted, replaced with onerous internal record-keeping requirements (records of processing activities)
Breach notification
A personal data breach must be reported to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals
Must also be reported to the affected individuals without undue delay where the breach is likely to result in a high risk to them, unless the data was rendered unintelligible (e.g., encrypted) or in other limited circumstances
Can Data Be Transferred Outside the EU?
Transfers outside the EU are only permitted in certain circumstances:
Adequacy decision by the European Commission for the destination country or scheme (e.g., Privacy Shield – US only)
Model (standard) contractual clauses
Binding corporate rules
Approved codes of conduct or certification mechanisms
Explicit consent of the data subject (a derogation for specific situations, not a routine basis for transfers)
Privacy Shield
Agreed following the invalidation of Safe Harbor by the CJEU in Schrems (Case C-362/14)
Key changes include requirements that:
o data not serving the original purpose will be deleted
o third-party companies processing data of Privacy Shield companies will guarantee Privacy Shield-equivalent protection
o bulk surveillance by the US government will occur only in exceptional circumstances
(Privacy Shield was itself invalidated by the CJEU in Schrems II, Case C-311/18, in July 2020.)
What are the Consequences for Noncompliance?
Remedies and enforcement measures under GDPR are considerably stronger than under the previous regime
Levels of fines are substantially increased, with two tiers depending upon the breach:
Lower tier: up to 2% of annual worldwide turnover or €10 million, whichever is higher
Higher tier: up to 4% of annual worldwide turnover or €20 million, whichever is higher
Supervisory authorities such as the ICO have enhanced powers to investigate, audit, and make orders (e.g., ban processing, order deletion of data)
Individuals have the right to:
Seek damages for material and non-material losses
Make complaints to the relevant supervisory authority
It is possible for a not-for-profit body to bring a “class action” on behalf of data subjects in some circumstances
How are Privacy Notices Affected?
Transparency is a key theme throughout GDPR
The information that must be provided has been increased considerably
Privacy notices must be in clear, concise, intelligible language and readily accessible
When must the information be provided?
If data is gathered directly from the individual: when it is gathered
If not gathered directly: within a reasonable period (maximum one month), and
o if the data is used to contact the individual (e.g., by email), at the latest at the time of the first contact
o if disclosing to a third party, before the disclosure
What Questions Should Boards be Asking?
What personal data do we hold?
Is it necessary to collect and keep this data?
If so, how long do we need to keep it?
Where is it?
What is it being used for?
How secure is it?
Do we need a data protection officer (DPO)?
Do we have a lawful basis (e.g., consent, contract, legitimate interests) for each processing activity?
Where we rely on consent, how is it obtained from data subjects for each method of personal data collection?
What is our third-party partner and supplier risk?
What are Directors Responsible For?
A director’s duty of care requires that they oversee the management of key risks and the company’s compliance program
GDPR represents a significant enhancement of privacy obligations for companies subject to the new requirements
Directors could be held liable for failing to ensure that their companies are properly managing compliance with GDPR, in light of the significant penalties for non-compliance
Further, privacy represents one of the most significant compliance risk areas for companies with operations in the EU
Consequently, directors should be overseeing the company’s compliance with the new requirements imposed by GDPR
What is the Extent of Director Liability?
Delaware courts have been reluctant to hold directors liable for perceived failures to effectively oversee risk in the absence of a “sustained or systemic failure of the board to exercise oversight.”
This standard has also been defined as an “utter failure to assure a reasonable information and reporting system exists.”
In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996)
What is a Good Next Step?
Establish expectations for regular reporting from the privacy officer/DPO regarding the status of GDPR compliance
Reports could cover:
Status of the compliance program
Challenges in implementation
Regular audits and monitoring of compliance with GDPR
Investigations or regulatory inquiries regarding compliance
Monitor market developments regarding GDPR
Questions
Joseph Moreno, White Collar Defense and Investigations Partner, Cadwalader, Wickersham & Taft LLP
joseph.moreno@cwt.com
202-862-2262
Keir Gumbs, Partner & Vice Chair, Securities and Capital Markets Practice Group, Covington & Burling
kgumbs@cov.com
202-662-5500