
Board Priorities for GDPR Implementation

  1. Board Priorities for GDPR Implementation
     Keir Gumbs, Covington & Burling
     Joseph Moreno, Cadwalader, Wickersham & Taft LLP

  2. What Changed on May 25, 2018?
     - Previous law:
       - Data Protection Directive 1995/46/EC on the protection of individuals with regard to the processing of personal data and free movement of such data
       - Privacy and Electronic Communications Directive 2002/58/EC
     - Replaced by:
       - General Data Protection Regulation (GDPR) (EU) 2016/679
       - Regulation on Privacy and Electronic Communications (ePrivacy Regulation)
     “What must be recognized is that GDPR is an evolution in data protection, not a total revolution . . . GDPR is building on foundations already in place for the last 20 years.”
     Steve Wood, Deputy Commissioner, Information Commissioner’s Office (ICO)

  3. Why the Change?
     - Aim of improving individuals’ data protection rights
     - Existing framework seen as having insufficient “bite” in terms of sanctions
     - Varied approach across the EU and need for better harmonization via a Regulation
     - Developments in technology and the way people live and work. Recital 6: “Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.”

  4. Who Does it Apply to?
     - Controllers and Processors with “establishments” in the EU
       - “Establishment” is broad – a minimum business presence is sufficient (e.g., website, single agent)
       - Applicable even if data processing takes place outside the EU (e.g., UK organization with data processed in a cloud hosted in the US or India)
     - Non EU-established organizations processing data of an individual in the EU
       - Applies if the company offers goods/services or monitors individuals’ behavior within the EU
       - Must look at factors such as the ability to order goods/services online in an EU language/currency
       - “Monitoring” includes tracking individuals online or creating profiles (e.g., targeted advertising through use of cookies)

  5. Who Does it Apply to?
     Scenario | Directive Applied | GDPR Applies
     - US company without any EU subsidiaries offering free social media services via a website hosted in the US to individuals in the EU
     - Malaysian travel business using cookies to track past customers’ (including EU-based customers) browsing in order to target specific holiday adverts to them
     - Brazilian flower delivery company allowing data subjects in the EU to make orders for fulfilment only in Brazil
     - New Zealand retailer with a website for online shopping. The website is accessible to individuals in the EU in English. The currency is the NZ dollar and the address fields only allow NZ addresses

  6. What Does it Apply to?
     - GDPR applies to “personal data”: information relating to an identified natural person – e.g., name, ID number, location data, online identifier
     - Excluded from the material scope are data processed:
       - outside the scope of EU law
       - by member states for national security
       - by a national in the course of a purely personal or household activity
       - by competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties
       - by EU institutions, bodies, offices and agencies (these are covered under separate law)

  7. What Does it Require?
     - Transparency: personal data must be processed in a “transparent manner in relation to the data subject”, which requires increased information to be provided to the individual (e.g., privacy policy)
     - Purpose limitation: data must only be collected for specified, explicit and legitimate purposes
     - Minimization: personal data must be adequate, relevant, and limited to what is necessary for the purpose – “only collect what you really need”
     - Accuracy: data must be kept accurate and up to date, and inaccuracies must be corrected or erased swiftly

  8. What Does it Require? (continued)
     - Storage limitation: data should only be kept for so long as necessary for the original purpose
     - Integrity and confidentiality: data security obligation – appropriate technical and organizational measures to protect against unauthorized or unlawful processing and accidental loss/destruction/damage
     - Accountability: the previous requirement to register with local regulators is deleted, replaced with onerous internal record-keeping requirements
     - Breach notification:
       - A breach of personal data must be reported to the ICO “promptly” (within 72 hours of becoming aware)
       - Must also be reported to individuals unless the data is encrypted or in other limited circumstances

  9. Can Data Be Transferred Outside the EU?
     - Transfers outside the EU are only permitted in certain circumstances:
       - Explicit consent of the data subject
       - Model contractual clauses
       - Binding corporate rules
       - Codes of conduct or certification (e.g., Privacy Shield – US only)
     - Privacy Shield
       - Agreed following the invalidity of Safe Harbor as a result of the CJEU in Schrems (Case C-362/14)
       - Key changes include requirements that:
         o data not serving the original purpose will be deleted
         o third party companies processing data of Privacy Shield companies will guarantee Privacy Shield-equivalent protection
         o bulk surveillance by the USG only in exceptional circumstances

  10. What are the Consequences for Noncompliance?
     - Remedies and enforcement measures under GDPR are considerably stronger than under the previous regime
     - Levels of fines are substantially increased, with two tiers depending upon the breach:
       - Lower tier: up to 2% of annual worldwide turnover or €10 million
       - Higher tier: up to 4% of annual worldwide turnover or €20 million
     - Supervisory bodies such as the ICO have enhanced powers to investigate, audit, and make orders (e.g., ban processing, delete data)
     - Individuals have the right to:
       - Seek damages for material and non-material losses
       - Make complaints to the relevant supervisory authority
     - It is possible for a not-for-profit body to bring a “class action” in some circumstances

  11. How are Privacy Notices Affected?
     - Transparency is a key theme throughout GDPR
     - The information that must be provided has been increased considerably
     - Privacy notices must be in clear, concise, intelligible language and readily accessible
     - When must information be provided?
       - If data is gathered directly from the individual: when it is gathered
       - If not gathered directly: within a reasonable period (maximum one month)
         o if the data is used (e.g., to email), at the time of the first email
         o if disclosing to a third party, before disclosure

  12. What Questions Should Boards be Asking?
     - What personal data do we hold?
     - Is it necessary to collect and keep this data?
     - If so, how long do we need to keep it?
     - Where is it?
     - What is it being used for?
     - How secure is it?
     - Do we need a data protection officer (DPO)?
     - Do we have permission from the data subject to process the data?
     - How is consent obtained from data subjects for each method of personal data collection?
     - What is our third party partner and supplier risk?
  13. What are Directors Responsible For?
     - A director’s duty of care requires that they oversee the management of key risks and the company’s compliance program
     - GDPR represents a significant enhancement of privacy obligations for companies subject to the new requirements
     - Directors could be held liable for failing to ensure that their companies are properly managing compliance with GDPR, in light of the significant penalties for non-compliance
     - Further, privacy represents one of the most significant compliance risk areas for companies with operations in the EU
     - Consequently, directors should be overseeing the company’s compliance with the new requirements imposed by the GDPR
  14. What is the Extent of Director Liability?
     - Delaware courts have been reluctant to hold directors liable for perceived failures to effectively oversee risk in the absence of a “sustained or systemic failure of the board to exercise oversight.”
     - This standard has also been defined as an “utter failure to assure a reasonable information and reporting system exists.” In re Caremark International Inc. Derivative Litigation (1996)

  15. What is a Good Next Step?
     - Establish expectations for regular reporting by the privacy officer/DPO regarding the status of GDPR compliance
     - Reports could cover:
       - Status of the compliance program
       - Challenges in implementation
       - Regular audits and monitoring of compliance with GDPR
       - Investigations or regulatory inquiries regarding compliance
     - Monitor market developments regarding GDPR

  16. Questions
     Joseph Moreno, White Collar Defense and Investigations Partner, Cadwalader, Wickersham & Taft LLP, 202-862-2262
     Keir Gumbs, Partner & Vice Chair, Securities and Capital Markets Practice Group, Covington & Burling, 202-662-5500