
The 5 Things All In-House Counsel Need to Know about Privacy + Data Security

On Tuesday, October 16, the Central Ohio Association of Corporate Counsel, lawyers from Kegler Brown’s Privacy + Data Security practice, and the Director of GBQ’s Information and Technology Services discussed recent developments in privacy + data security, including the recently signed Ohio Data Protection Act, California’s new Consumer Privacy Act (CaCPA), and the EU’s General Data Protection Regulation (GDPR).

The team explained what these developments mean for corporate counsel and shared best practices for in-house lawyers, with a specific focus on five key questions in-house counsel should ask (and understand the answers to) regarding their company’s privacy + data security practices.

  1. 5 Questions All In-House Counsel Need to Answer About Privacy + Data Security
  2. (1) What are the legal implications of privacy + data security risks as they relate to your company’s specific circumstances? (2) How is your company assessing + managing privacy and data security risk? (3) What is your understanding of the privacy + data security regulatory environment, and how could your customers’ expectations impact your business if there is an incident? (4) What strategies do you have in place to recover from an incident? (5) Does your company need a privacy or data security steering committee or similar group?
  3. Key Topics We’ll Cover: Best Practices + Key Questions; Current State of Privacy + Data Security; Basic Nuts + Bolts
  4. Current State of Privacy + Data Security in the U.S.: Patchwork sectoral system; Federal schemes focused on industry + unique circumstances; 50 different state laws with various breach notification requirements
  5. GDPR – May 25, 2018
  6. LGPD – February 2020
  7. Personal Data Protection Bill of 2018
  8. What is the Ohio Data Protection Act?
  9. Ohio Data Protection Act (SB220): Bill passed with bipartisan support and was signed by the governor on August 3rd; will go into effect November 2, 2018; it is an affirmative defense to certain tort claims
  10. Ohio Data Protection Act – What tort claims does it defend against? Any cause of action sounding in tort brought under the laws of Ohio or in the courts of Ohio that alleges that “the failure to implement reasonable information security controls resulted in a data breach concerning personal information.” In general, such claims may include negligence and invasion of privacy claims.
  11. Ohio Data Protection Act – Who can use the defense? Covered Entities, as defined in §1354.01: a business organized in any state or country that accesses, maintains, communicates or processes personal information or restricted information through one or more systems, networks or services located in or outside of Ohio.
  12. Ohio Data Protection Act – What does a covered entity need to do? Create, maintain, and comply with a written cyber security program that reasonably conforms to one of the approved frameworks.
  13. Ohio Data Protection Act – Is it a silver bullet? No: SB220 does not provide complete protection in Ohio. It may not be used as a defense against claims not brought under Ohio law in courts outside of Ohio, even if they are tort claims.
  14. What is GDPR?
  15. GDPR – The concept is not new: in general, many of the concepts existed in the 1995 European Union Data Protection Directive (Directive 95/46/EC), which was replaced by the GDPR.
  16. GDPR – The concept is not new, but the core requirements are different from those in the U.S. In the U.S., many of our laws focus on providing individuals with notice and obtaining consent. Under the GDPR, the focus is on the individual: data subjects are provided with specific rights, and before personal data of a data subject is processed, you must have a lawful basis.
  17. GDPR – Who does the GDPR affect? The GDPR applies to organizations established outside of the EU if the organization offers goods or services to EU data subjects, or monitors behavior of data subjects in the EU.
  18. Key Definitions + Concepts
  19. PERSONAL DATA: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (Article 4(1))
  20. PERSONAL DATA: Any information relating to a data subject. DATA SUBJECT: An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  21. PROCESSING: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. (Article 4(2)) Why is this important? Before you process personal data, you must have a legal basis.
  22. Legal bases for processing: Consent; Performance of contract; Compliance with legal obligation; Protect the person’s vital interests; Public task; Legitimate interests
  23. DATA SUBJECT RIGHTS: Article 15: Right of Access; Article 16: Right of Rectification; Article 17: Right to Erasure; Article 18: Right to Restriction of Processing; Article 20: Right to Data Portability; Article 21: Right to Object
  24. Enforcement
  25. ARTICLE 83 Administrative Fines – “Lower Tier”: or 2% of the total annual turnover of the preceding year, whichever is higher
  26. ARTICLE 83 Administrative Fines – “Higher Tier”: or 4% of the total annual turnover of the preceding year, whichever is higher
  27. ARTICLES 80 + 82 Private Right of Action: The GDPR provides a private right of action, even in the event of non-material damage, for breaches of the GDPR.
  28. What is the California Consumer Privacy Act?
  29. California Consumer Privacy Act of 2018 – Who is protected? In general, California residents.
  30. California Consumer Privacy Act of 2018 – What is protected? Personal information is defined broadly. The definition includes identifiers such as real name, alias, address, unique personal identifier, IP address, email address, account name, SSN, driver’s license number, commercial information, biometric information, geolocation data, employment information and much more.
  31. California Consumer Privacy Act of 2018 – Who must comply? Companies around the world that receive personal data from California residents AND exceed one of the following requirements: annual gross revenues of $25 million; or obtains personal information of 50,000 or more California residents annually; or derives more than 50% of its annual revenue from selling California residents’ PI.
  32. Key Requirements
  33. Fund + Implement New Systems and Processes to Respond to Access Requests: Make available methods for submitting data access requests; respond to access requests within 45 days.
  34. Prepare Data Maps/Inventories to Enable Required Disclosures + Updates to Privacy Policies: Privacy policies to be updated to include specific required information; the business must disclose the categories of third parties to whom it sold PI in the preceding 12 months.
  35. “Do Not Sell” Button: Provide a clear and conspicuous “Do Not Sell My Personal Information” link on the business’s Internet homepage enabling users to opt out of the sale of personal information.
  36. Enforcement
  37. California Consumer Privacy Act of 2018 – Civil action penalties: up to $2,500 per violation, $7,500 per intentional violation. Private Right of Action with prescribed statutory damages between $100 and $750 per California resident, in the event of an incident where nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure.
  38. (1) What are the legal implications of privacy + data security risks as they relate to your company’s specific circumstances? (2) How is your company assessing + managing privacy and data security risk? (3) What is your understanding of the privacy + data security regulatory environment, and how could your customers’ expectations impact your business if there is an incident? (4) What strategies do you have in place to recover from an incident? (5) Does your company need a privacy or data security steering committee or similar group?
  39. David M. Wilson, Director + Chair, Privacy + Data Security Practice, dwilson@keglerbrown.com, keglerbrown.com/wilson, 614-462-5406. Doug Davidson, Director of Information Technology Services, ddavidson@gbq.com, 614-947-5340.
