What is the GDPR & What does it mean for YOUR business?
•Download as PPTX, PDF•
1 like•105 views
The European Union’s General Data Protection Regulation, which became effective on May 25, began a new era in data privacy. Among other changes, the GDPR imposes new limits on the collection of personal information of EU residents and expands individuals’ rights with respect to companies’ use of such information, including the “right to be forgotten.” These requirements are backed up by substantial penalties—up to 4% of a company’s global revenue. But, does a U.S. company need to worry about the GDPR if it has no business operations in the EU? In a surprising number of cases, the answer is “yes.” #NPLaw's Kirsten Small, CIPP/US, provides an overview of the GDPR and explores its implications for US businesses in this presentation.
Recommended
More Related Content
What's hot
What's hot (17)
Similar to What is the GDPR & What does it mean for YOUR business?
Similar to What is the GDPR & What does it mean for YOUR business? (20)
More from Nexsen Pruet
More from Nexsen Pruet (20)
Recently uploaded
Recently uploaded (20)
What is the GDPR & What does it mean for YOUR business?
- 2. www.nexsenpruet.comto Upstate Alliance INTRODUCTION 2 • What do we mean by “privacy”? • The American approach to privacy regulation • GDPR: An overview • GDPR: The shape of things to come?
- 3. www.nexsenpruet.comto Upstate Alliance 3 ‣ 1937 ‣ 1890 ‣ 1985 ‣ 1964 When was the first major publication advocating a right to privacy published? POP QUIZ!
- 4. www.nexsenpruet.comto Upstate Alliance 4 Louis Brandeis & Samuel Warren, “The Right to Privacy,” Harvard Law Review (1890) Defining “privacy” as “the right to be let alone.” When was the first major publication advocating a right to privacy published? 1890
- 5. www.nexsenpruet.comto Upstate Alliance HOW DO WE DEFINE PRIVACY IN THE 21ST CENTURY? 5 “Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information.” – American Institute of Certified Public Accountants • Two key principles: • The appropriate use of personal information under the circumstances. • The individual’s right to control the collection, use, and disclosure of personal information.
- 6. www.nexsenpruet.comto Upstate Alliance HOW DO WE DEFINE PRIVACY IN THE 21ST CENTURY? 6 Rights Of the individual Of the organization Obligations Of the Individual Of the organization
- 7. www.nexsenpruet.comto Upstate Alliance U.S. vs. EU Treatment of Privacy 7 United States Some constitutional protection Commercial processing of personal information accepted (“Opt Out”) Controls on processing are sectoral European Union Privacy as a human right Default = No processing (“opt in”) Uniform, across-the-board regulation
- 8. www.nexsenpruet.comto Upstate Alliance U.S. vs. EU Treatment of Privacy 8 United States “Sensitive Personal Information” • Social Security Number • Financial Information (account numbers, etc.) • Driver’s License Number • Medical Records European Union “Special Categories of Data” • Racial or Ethnic Origin • Political Opinions • Trade Union Membership • Criminal Convictions
- 9. www.nexsenpruet.comto Upstate Alliance U.S. = Sectoral Approach aka “Land of the Acronym” 9 • CAN-SPAM • VPPA • COPPA • FERPA • FCRA • FACTA • GLBA • HIPAA • HI-TECH • GINA Medical Financial ConsumerEducational
- 10. www.nexsenpruet.comto Upstate Alliance EU Approach: Across-the-Board Regulation 10 OECD Guidelines - 1980 Collection Limitation Data Quality Purpose Specification Use Limitation Security Safeguards Openness Individual Participation Accountability
- 11. www.nexsenpruet.comto Upstate Alliance EU Approach: Across-the-Board Regulation 11 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 1981 Public/Private Sectors Trans-border Data Flows Mutual Assistance
- 12. www.nexsenpruet.comto Upstate Alliance EU Approach: Across-the-Board Regulation 12 European Data Directive (Directive 94/95/EC), 1995 Encompasses many principles now found in the GDPR Intended to encourage uniformity within the EU, but Not binding on member states
- 13. www.nexsenpruet.comto Upstate Alliance EU Approach: Across-the-Board Regulation 13
- 14. www.nexsenpruet.comto Upstate Alliance GDPR 14 • Adopted 14 April 2016 • Effective 25 May 2018 • Binding on EU countries (no enabling legislation necessary) • Britain is not Brexiting from GDPR
- 15. www.nexsenpruet.comto Upstate Alliance GDPR 15 • Data Subject: A living, natural person who is in the EU, regardless of residence or nationality. • Personal Data: Any information relating to an identified or identifiable Data Subject (“PII”). • Sensitive Personal Data: Origin, beliefs, opinions, union membership, biometric data, sex life/orientation • Processing: Any operation performed on PII, from collection through disposal. • Controller: The person (natural or legal) who decides what PII will be collected and how it will be processed. • Processor: The person (natural or legal) who processes PII on behalf of a controller GDPR Glossary
- 16. www.nexsenpruet.comto Upstate Alliance GDPR 16 • Data Protection by Design & Default • Transparency • Minimization • Lawful Basis for Processing • Data Subjects’ Rights • Accountability Key Points
- 17. www.nexsenpruet.comto Upstate Alliance GDPR 17 • Data Protection by Design • Address information security at the front end of software development, not as an afterthought; • De-identification of PII; • Standards for international transfers • Data Protection by Default • Privacy settings “on” by default • Opt-in, not opt-out Data Protection
- 18. www.nexsenpruet.comto Upstate Alliance GDPR 18 • Disclosure: Data subjects are entitled to know: • What PII is being collected & how long it will be kept • How PII is being used • The specific legal basis for each and every use of PII • Their rights, and how to exercise them • Accessibility: Disclosures must be: • Written in “clear and plain language” • Easy to locate Transparency
- 19. www.nexsenpruet.comto Upstate Alliance GDPR 19 • Collection of PII should be: • Limited in scope to the data that is adequate and relevant to the intended use • Limited in time to the period necessary to achieve the purpose for which the data was collected • As accurate as reasonably possible Minimization
- 20. www.nexsenpruet.comto Upstate Alliance GDPR 20 • Consent • Genuine choice • Affirmative opt-in • Specific and granular • Contract • Provide information • Fulfill a contract • Legal obligation • Vital Interests Lawful Basis for Processing • Public Tasks • Legitimate Interests of the Controller • Consider data subject’s expectations • Requires assessment/analysis • For example: • Security/network integrity • Analytics • Performance improvement • B2B marketing
- 21. www.nexsenpruet.comto Upstate Alliance GDPR 21 • To Be Informed • To Object • To Restrict Processing • To Access Data Subjects’ Rights • To Correction • To Portability • To Erasure (aka “the right to be forgotten”)
- 22. www.nexsenpruet.comto Upstate Alliance GDPR 22 • Compliance • Documentation of Legitimate Interests Analysis, Data Protection Impact Assessment • Designated Privacy Officer • Supervising Processors • Enforcement • Data Protection Authority (each EU member state) • Remedies range from reprimand to fine of 4% of worldwide revenue or €20,000,000 – whichever is higher Accountability
- 23. www.nexsenpruet.comto Upstate Alliance GDPR 23 • Controller or processor with an establishment in the EU • Controller or processor not in the EU, but • Offering goods or services (regardless of payment) in the EU; or • Monitoring behavior of data subjects in the EU Who is subject to the GDPR?
- 24. www.nexsenpruet.comto Upstate Alliance GDPR 24 • A controller or processor outside the EU but subject to the GDPR must: • Comply with GDPR requirements; and • Appoint a Designated Privacy Officer in the EU, *unless* • “Occasional” processing that • Doesn’t involve large-scale processing of special categories of data or data related to criminal convictions; and • Is unlikely to result in a risk to the rights and freedoms of natural persons Who is subject to the GDPR?
- 25. www.nexsenpruet.comto Upstate Alliance 25 California Consumer Privacy Act
Editor's Notes
- Brandeis - Associate Justice of the US Supreme Court 1916-1939 Brandeis & Warren graduated 1st & 2d in their class at Harvard Law in 1877, then went out and practiced law together. Article prompted by increasing newspaper coverage of peoples’ private lives (specifically, the wedding of Warren’s daughter). “The press is overstepping in every direction the obvious bounds of propriety and of decency. Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery. To satisfy a prurient taste the details of sexual relations are spread broadcast in the columns of the daily papers. To occupy the indolent, column upon column is filled with idle gossip, which can only be procured by intrusion upon the domestic circle.” The law protected the right of the creator of the content to keep the profit (e.g., copyright protection) but not the right of the subject to avoid the publication.
- Processing: Does not apply to purely personal or household activity; also excludes certain activities of EU member states in the area of foreign policy/national security. Controller/processor are not mutually exclusive roles.
- Accessibility: There must be clarity as to who is collecting the information Easy to Locate: “unsubscribe” links; cookie policy pop-ups
- Scope limitation: If you want to send an electronic newsletter to a customer, what do you need? Time limitation: Are you keeping subscribers’ information after they have unsubscribed? Employees’ information after they have left the company? Accuracy: What are you doing to avoid corruption or inaccurate cross-linking of data?
- Legal Obligation: Not just to perform a contract; must be a specific, documented obligation (subpoena, EEOC compliance). Vital Interests: “to protect an interest which is essential to the life of the data subject” – think medical emergency, mandated reporters (maybe), suicide hotlines Public Tasks: Primarily applicable to government agencies, affiliates, contractors. Authority doesn’t need to be as specific as under “legal obligation,” but must have a clear foundation in law. Legitimate Interest: The most flexible basis, but care is required. Data subject’s expectations based on relationship with the controller. --Legitimate Interest Analysis (record of your reasoning) - what is the legitimate interest (purpose test) - Is the processing necessary to achieve it (necessity test) - Balance against the individual’s rights and freedoms (balancing test). Examples – remember the balancing test. This is not an exception that swallows the rule.
- To be informed: The right to know what data is being collected and what is being done with it. The flip side of the controller’s disclosure obligation. Included in the right to be informed is the right of choice. Can deny access; it’s okay if certain features of your site don’t work as well. Notify before collection of information Consent—we’ll talk more about this in a few slides. To Object: The right to stop processing of data for marketing purposes. Must be notified of right in every communication, and once objection is made, full stop on use. None of this “it takes 90 days to get you off the list” To Restrict Processing: This is the right to limit the way the controller uses your data. Tied to disclosure/consent. Specific/granular. To Access: Data subjects have the right to see the data a controller has collected about him/her. “Subject access request” can be written (incl. electronic) or verbal. 30 days to respond, can’t charge a fee. To Correction: Data subject has the right to have inaccurate or incomplete data corrected or completed. Verbal or written request; respond w/in 30 days; no fees To Portability: This is the right to re-use data across difference services without loss of functionality Think QuickBooks to Peachtree – it’s your information so they have to let you move it. To Be Forgotten: Same as others: written or verbal, 30 days (but can get an extension), no charge. This right is only available in specific circumstances: 1. PII no longer necessary for the purpose for which it was collected; 2. Consent has been withdrawn and there is no other legal ground; 3. Data subject objects and there are no overriding legitimate grounds to process; 4. Unlawfully processed PII; 5. Compliance with a legal obligation; 6. PII collected for “information society services” offered to children (younger than 16)
- EU Establishment: Doesn’t matter if data processing occurs in the EU. Monitoring: It’s not entirely clear what this means, not much official guidance. The EU Commission has suggested a broad definition: ““[i]n order to determine whether a processing activity can be considered to monitor the behavior of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.” That definition is potentially so broad that it probably won’t become regulatory reality. But, it points in the direction of tracking technologies (geo-location data, persistent cookies).
- Designated Privacy Officer: Must be in one of the member states where the data subjects whose activities are being monitored are located. “Unlikely to result in a risk” must take context into account; must apply EU conception of “rights and freedoms.”
- CCPA is the result of a game of chicken between the CA legislature and a group called “Californians for Consumer Privacy.” CCP got 600,000 signatures for a ballot initiative (1.5% of population) that enacted in late June by legislature to avoid more stringent ballot initiative. CCPA and AB-375 provide a lot of the same protections as the GDPR – right to know what information is being collected about you; the right to opt-out of the sale of your personal information; right of access; right to equal service. What the CCPA would have done, which AB-375 does not do, is give consumers extensive rights to sue (individually or collectively) to sue for violations of the act or for data breaches where information was not reasonably protected. AB-375 tempers those aspects of the bill, including by creating a 30-day right to cure a violation.