3. OVERVIEW
Moore Law
• What’s the fuss?
• Big Bang Theory?
• Reality = Evolution?
• Accountability
• Compliance / Privacy by Design
• Demonstrating Consent
• ‘Appropriate’ Measures
• Opportunities (& Competitive Edge)
Contacts
4. What’s the Fuss?
“GDPR affects anyone holding data on EU citizens. A survey of 1350 companies around the world by cybersecurity firm NTT found that a lot of them have no clue about this yet; even Europeans seemed unaware. The Brits were the worst. 39% of UK companies realised that they were subject to the regulation.” – TheRegister.co.uk
‘Personal Data’ – Employees, clients, users / suppliers
Presumption of application to businesses
Enhanced enforcement / fines for data protection breaches
Deadline for implementation = 25 May 2018
5. Big Bang Theory?
1995 EU Data Protection Directive -> DPA 98
Applies broadly to the collection and processing of data able to identify living individuals (filing system) = ‘Personal Data’
DPA 98 introduced six Data Principles:
Lawfulness, fairness and transparency
Purpose limitation
Data Minimisation
Accuracy
Storage Limitation
Integrity & Confidentiality
Definitions: ‘Data Controller’ / ‘Data Processor’ / ‘Sensitive Personal Data’ / ‘Consent’
Roles: Data Protection Officer (DPO)
6. Reality = Evolution
GDPR accepts that the world has moved on and extends the existing Principles to:
• All EU-based businesses
• Any business targeting EU citizens (USA, Australia, etc)
• All EU citizens
Regulation vs Directive
• GDPR = Direct Effect
• No domestic Member State law required
• Intended to promote greater harmonisation and consistency across the EU in terms of application and interpretation
Reverses DPA 98 position
• Register with Information Commissioner’s Office (ICO) -> inference of application
• DPA 98 -> Data Protection Bill (Post-Brexit)
7. Accountability
• Move away from mere lip service. Businesses have to demonstrate (ongoing) compliance, often in written form:
• Internal policies and processes that are GDPR-compliant
• Implementation of the policies and processes
• Effective internal compliance measures.
• External controls & contracting (model clauses)
Demonstrable protections for specific types of data / subjects:
• Sensitive Personal Data (genetic, biometric)
• Children (16+ / 13+)
Introduces new concepts
• Data Protection Risk Assessment
• Pseudonymisation (vs anonymisation) to better protect data
8. Compliance / Privacy by Design
Day-to-day compliance -> Obligation to justify data position to Regulator (ICO)
• What is the purpose the data will be used for
• Retained solely to fulfil the stated purpose
• Where it will be stored (UK / EU / EEA)
• Not keep for longer than necessary (2 years?)
• Uphold data subjects’ rights (right of access / right to be forgotten / data portability)
• Data Controllers and Data Processors are treated equally (previous focus on DCs)
• Data Controllers required to perform due diligence on Data Processors (supply chain)
• DPO requirement (or justify why not have one)
Breaches – Obligation to Report
Regulator will look at what has happened, why, and whether ‘appropriate’ measures were put in place to safeguard data.
ICO extended powers £500,000 -> €20,000,000 / 4% Global Turnover (+ PR DAMAGE)
9. Demonstrating Consent
Specific (6) justifications for collecting data: performance of contract / compliance with legal obligation / vital interests / public interest / legitimate interests of DC / consent
• Implied consent no longer valid – ICO / pre-checked boxes / ‘continue to use our site = accept our Ts&Cs’
Have to be able to prove actual consent: ‘freely given, specific, informed & unambiguous’
Children: must be able to demonstrate steps to show capability
• GDPR @ 16+
• Member State discretion @ 13+ (UK)
Death of Data
• Reassess sign-up / consent processes -> compliant
• Death of data – can’t rely on past consent after May 2018
10. ‘Appropriate’ Measures
Must be able to demonstrate ‘appropriate technical and organisational measures’ for data compliance / protection
• Demonstrate how and why personal data is collected
• ‘Consent’ / Privacy Policy / Terms & Conditions / Terms of Use
Internal processes
• Data Risk Impact Assessment / Data Use Policy / Data Retention Policy / Employment Contracts
Awareness of GDPR principles – Staff training / DPO (qualified)
Contractual Relationships – GDPR model clauses incorporated
Breach Obligations
• Requirement to log breaches
• Report to the Regulator (and potentially data subjects) within 72 hours of a notifiable breach
11. Opportunities (& Competitive Edge)
GDPR is a reality
Brexit – GDPR will continue to apply to businesses that target the EU
• -> Data Protection Bill
• -> UK will require an ‘equivalent’ regime
Businesses need to assess their own situation / audit:
• how & why data is collected (consent, etc) / how data is protected / enforcement policies (internal & external) / supplier terms
Case Studies
• Clients wanting to get their house in order – Compliance = Biz Dev
• Breach = costly (£££) + PR / Reputational risk
Bigger businesses doing GDPR due diligence:
• expect their supply chains to have ‘adequate’ measures in place
• want to see policies (privacy / data protection / data retention)
• expect awareness of GDPR implications
• practical importance of new concepts – e.g. pseudonymisation
12. Scott Appleton
scottappleton@moore-law.co.uk
T 01237 704789
M 07557 447054
@TalkingLawyer
Editor's Notes
DPO – scale of collection / processing / size / dealing with sensitive data / public body (+ adequately qualified -> reporting to Senior Management). Justify why not.
Consider if there is scope or time to explore revocation, invalidity and grounds for opposition. This will likely fall under the due diligence category above. It is important for clients to appreciate that trademark applications can sometimes draw attention from much larger rights holders with deeper pockets who are aggressive about pursuing infringers. Smaller organisations operating under the radar may have hitherto gone unnoticed, but applying for a registered trademark may bring you to their attention. Also the point should be made that it is not unusual to be surprised by a cautious examiner’s view, which might include notification where it would not seem to be merited.
Ketchup – more sales / bigger bottles = easier to use
112 iteration
1991 – 95 $13m
Licensing NASA / HEINZ etc
Patent Box - JCL (80% sales on patented driver)