Unpacking the European Commission General Data Protection Regulation (PowerPoint Presentation)

Uploaded by karlyn-bohler on 2018-09-25



Presentation Transcript

Slide 1

Unpacking the European Commission General Data Protection Regulation
Getting into the Nitty Gritty of How to Comply

Lothar Determann | Partner, Palo Alto
Julia Kaufmann | Partner, Munich

Slide 2

Agenda
1. Project plan (page 4)
2. Data mapping (page 6)
3. Compliance recommendations (page 9)
4. Implementation & ongoing review (page 29)

Slide 3

Speakers

Julia Kaufmann, Partner, Munich
+49 89 5 52 38 200
julia.kaufmann@bakermckenzie.com

Lothar Determann, Partner, Palo Alto
+1 650 856 5533
lothar.determann@bakermckenzie.com

Slide 4

EU general data protection regulation
- What is it? Regulation v. Directive
- First major update since 1995
- What will happen to national law?
- When will it be effective?
- Does it apply to companies outside the EU?
- What are the major changes?

Slide 5

1. Project plan

Slide 6

Project plan

Slide 7

2. Processing Records and Compliance Documentation

Slide 8
Slide 9

Data mapping step-by-step

Slide 10

Data mapping – the 5Ws of personal data

Slide 11

3. Compliance recommendations

Slide 12

13 Key GDPR compliance recommendations

Slide 13

Prepare a record of processing activities

Obligation to maintain records of processing activities:
- Identification of the controller(s) / representative / processor / DPO
- Purposes of the processing
- Description of the data subject and of the data processed
- Recipients
- Transfers
- Time limits for erasure
- Technical and organisational security measures

Slide 14

Establish a Global Data Protection Policy
- Develop Global Data Protection Policy ("Policy")
- Policy establishes Global Data Protection Steering Committee (multi-disciplinary)
- Policy establishes core principles for the protection of personal data
- Policy provides for the appointment of privacy champions, data protection officers, and other features
- Policy serves as foundational document for other subordinate procedures

Slide 15

Confirm cross-border data transfer solution(s)
1. Privacy Shield
2. Standard contractual clauses (controller or processor)
3. Binding corporate rules
4. Consent/other derogations, and potentially emerging codes of conduct, privacy seals, and others

Slide 16

Update incident response policy

Personal data breach: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"
- Not related to the quality / adequacy of the security measures
- Any incident impacting the C.I.A. triad (Confidentiality, Integrity, Availability)

Slide 17

Update incident response policy (cont.)

DPA Notification:
- Within 72 hours of becoming aware of the breach
- Nature of the breach
- DPO identification
- Consequences of the breach
- Measures taken to remedy the breach
- Can be done in steps

Data Subject Notification:
- Notification without undue delay in case of high risk to the rights and freedom of individuals
- No notification if data is encrypted, if technical measures have been taken or if notification involves disproportionate efforts

Slide 18

Prepare HR-specific deliverables
- Employee Notice: cover robust content requirements and consider consent issues
- Employee Computer Use Policy: notification and consent as needed for computer use monitoring
- Procedures for Managers: respond to access requests and other data subject rights
- Other HR deliverables: updates to Codes of Conduct, Hotlines, Works Council Agreements, local notices/procedures, other documents

Slide 19

Notice to data subjects (content)

Directive:
- Identity of the controller
- Purposes
- Obligation to respond to data subject
- Right of access, rectification and objection
- Recipients
- Transfers

GDPR:
- Identity of the controller and of the DPO
- Purpose
- Conservation period
- Right of access, rectification, restriction and objection
- Right to lodge a complaint
- Recipients
- Transfers
- Right to withdraw consent at any time
- Legitimate interest of the controller or of a third party (if relevant)
- Information about profiling…
- Any other information guaranteeing the loyalty of the processing…

Slide 20

Prepare customer specific deliverables
- Customer terms: corporate customer standard terms and playbook for contracting
- Privacy Statement: customer-facing privacy statement(s) for websites, mobile apps, and other sites and features
- Procedures for Managers: direct marketing procedures, data sharing rules, rules on responding to access requests/rights of data subjects
- Other customer deliverables: statements for information collection points, consent terms, contracts for onward transfers to business partners

Slide 21

Determine if consent (ever) needed

Consent is grounds for processing (Article 6(1)), BUT:
- New definition of consent requiring a clear affirmative action
- New conditions for consent to be valid
- New guidance regarding "freely given" consent
- New circumstances where explicit consent is required
- Local variations for minors' consent

Slide 22

Provide guidelines for information asset owners

Slide 23

Guidelines for information asset owners (cont.)

Elements of privacy by design and privacy by default:
- No personal data are collected beyond the minimum necessary for each specific purpose of the processing
- No personal data are retained beyond the minimum necessary for each specific purpose of the processing
- No personal data are processed for purposes other than the purposes for which they were collected
- No personal data are disseminated to non-public third parties for purposes other than the purposes for which they were collected
- No personal data are sold
- No personal data are retained in unencrypted form
Slide 24

Guidance to information asset owners (cont.)

Impact assessment (art. 35)

Privacy Impact Assessment (PIA) is mandatory when the processing is likely to result in a high risk for the rights and freedom of individuals. It should include:
- A description of the processing
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes
- Involvement of the Data protection officer (DPO) where one is designated

Requires consultation with the Supervisory Authority (SA) if the controller does not mitigate the high risk.

Slide 25

Upgrade IT applications to conform to performance standards for data subject rights
- Logging of sources of personal data, and internal and external access
- Features to execute on data subject rights of access, correction, objection, profiling, data portability, and deletion (forgotten)
- Functionality that facilitates the secure destruction of personal data when no longer required for legitimate business and compliance purposes, in accordance with record retention policies

Slide 26

Address requirements for data processors

Controller must establish a contract that covers:
- Description of subject-matter and duration of the processing
- Description of nature and purpose of the processing
- Types of personal data and categories of data subjects
- Obligations and rights for Controller (responsibilities and audit rights)

Direct obligations on data processors, such as:
- Commit personnel to data secrecy
- Assist Controller to respond to data subject's rights
- Comply with security measures
- Assist Controller with security breach and DPIAs
- Cooperate in case of audits, including inspections

Slide 27

Consider whether required to appoint a data protection officer (DPO)

DPO has inter alia the following tasks:
- inform and advise data controller or processor as well as employees;
- monitor compliance with data protection laws;
- cooperate with and act as contact person for supervisory authorities.

Slide 28

DPO appointment (cont.)

Private sector organizations will generally be required to appoint a DPO where they process sensitive data on a large scale or engage in regular and systematic monitoring of data subjects on a large scale. Even where there is no mandatory DPO requirement, consider whether to voluntarily appoint a DPO to help discharge GDPR compliance obligations.

Data protection authority guidance on appointing a DPO.

Slide 29

Game plan for one-stop-shop (OSS)
1. Identify your main establishment
2. Identify likely Concerned SA that your Lead SA will liaise with
3. Build good relations with your Lead SA
4. Monitor your Lead SA closely for guidance and enforcement priorities
5. Monitor communications from the EDPB and SAs on how the OSS will be interpreted and applied in practice

Slide 30

Consider fines and consequences

€20M / 4% of total worldwide annual turnover of preceding financial year
Example: infringement of basic principles for processing, data subjects' rights, or obligations pursuant to Member State laws adopted under the GDPR

€10M / 2% of total worldwide annual turnover of preceding financial year
Example: infringement of obligations regarding data protection by design or by default

Slide 31

4. Implementation & ongoing review

Slide 32

Implementation (snapshot)
- Establish implementation step list
- Set realistic timelines and assign sufficient resources
- Keep senior management apprised of progress
- Assess relative priority of compliance recommendations, and make strategic decisions
- Continue with ongoing review and improvements to the data protection program

Slide 33

End game: Actual demonstrated compliance

Policies & measures (policies, procedures, measures):
- Record of all the processing
- Information Policies: significant number of items to be provided; in an intelligible form; may be done electronically
- Training
- Suitable Risks Analysis
- Privacy Impact Assessments
- Privacy by Design
- Privacy by Default
- Appropriate safeguards for cross-border transfers
- Well-Functioning Governance Structures
- Notification of Personal Data Breaches

Slide 34

Questions?

Baker McKenzie Resources

Julia Kaufmann, Partner, Munich
+49 89 5 52 38 200
julia.kaufmann@bakermckenzie.com

Lothar Determann, Partner, Palo Alto
+1 650 856 5533
lothar.determann@bakermckenzie.com