Slide 1: Unpacking the European Commission General Data Protection Regulation
Getting into the Nitty Gritty of How to Comply
Lothar Determann | Partner, Palo Alto
Julia Kaufmann | Partner, Munich
Slide 2: Agenda
1. Project plan (slide 4)
2. Data mapping (slide 6)
3. Compliance recommendations (slide 9)
4. Implementation & ongoing review (slide 29)
Slide 3: Speakers
Julia Kaufmann | Partner, Munich | +49 89 5 52 38 200 | julia.kaufmann@bakermckenzie.com
Lothar Determann | Partner, Palo Alto | +1 650 856 5533 | lothar.determann@bakermckenzie.com
Slide 4: EU General Data Protection Regulation
What is it? Regulation v. Directive
First major update since 1995
What will happen to national law?
When will it be effective?
Does it apply to companies outside the EU?
What are the major changes?
Slide 5: 1. Project plan

Slide 6: Project plan

Slide 7: 2. Processing Records and Compliance Documentation

Slide 9: Data mapping step-by-step

Slide 10: Data mapping – the 5Ws of personal data

Slide 11: 3. Compliance recommendations

Slide 12: 13 Key GDPR compliance recommendations
Slide 13: Prepare a record of processing activities
Obligation to maintain records of processing activities:
- Identification of the controller(s) / representative / processor / DPO
- Purposes of the processing
- Description of the data subject and of the data processed
- Recipients
- Transfers
- Time limits for erasure
- Technical and organisational security measures
Slide 14: Establish a Global Data Protection Policy
Develop Global Data Protection Policy ("Policy")
Policy establishes Global Data Protection Steering Committee (multi-disciplinary)
Policy establishes core principles for the protection of personal data
Policy provides for the appointment of privacy champions, data protection officers, and other features
Policy serves as foundational document for other subordinate procedures
Slide 15: Confirm cross-border data transfer solution(s)
1. Privacy Shield
2. Standard contractual clauses (controller or processor)
3. Binding corporate rules
4. Consent/other derogations, and potentially emerging codes of conduct, privacy seals, and others
Slide 16: Update incident response policy
Personal data breach: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"
Not related to the quality / adequacy of the security measures
Any incident impacting the C.I.A. triad (Confidentiality, Integrity, Availability)
Slide 17: Update incident response policy (cont.)
DPA notification:
- Within 72 hours of becoming aware of the breach
- Nature of the breach
- DPO identification
- Consequences of the breach
- Measures taken to remedy the breach
- Can be done in steps
Data subject notification:
- Notification without undue delay in case of high risk to the rights and freedom of individuals
- No notification if data is encrypted, if technical measures have been taken or if notification involves disproportionate efforts
Slide 18: Prepare HR-specific deliverables
Employee Notice: cover robust content requirements and consider consent issues
Employee Computer Use Policy: notification and consent as needed for computer use monitoring
Procedures for Managers: respond to access requests and other data subject rights
Other HR deliverables: updates to Codes of Conduct, Hotlines, Works Council Agreements, local notices/procedures, other documents
Slide 19: Notice to data subjects (content)
Directive:
- Identity of the controller
- Purposes
- Obligation to respond to data subject
- Right of access, rectification and objection
- Recipients
- Transfers
GDPR:
- Identity of the controller and of the DPO
- Purpose
- Conservation period
- Right of access, rectification, restriction and objection
- Right to lodge a complaint
- Recipients
- Transfers
- Right to withdraw consent at any time
- Legitimate interest of the controller or of a third party (if relevant)
- Information about profiling…
- Any other information guaranteeing the loyalty of the processing…
Slide 20: Prepare customer specific deliverables
Privacy Statement: customer-facing privacy statement(s) for websites, mobile apps, and other sites and features
Customer terms: corporate customer standard terms and playbook for contracting
Procedures for Managers: direct marketing procedures, data sharing rules, rules on responding to access requests/rights of data subjects
Other customer deliverables: statements for information collection points, consent terms, contracts for onward transfers to business partners
Slide 21: Determine if consent (ever) needed
Consent is grounds for processing (Article 6(1)), BUT:
- New definition of consent requiring a clear affirmative action
- New conditions for consent to be valid
- New guidance regarding "freely given" consent
- New circumstances where explicit consent is required
- Local variations for minors' consent
Slide 22: Provide guidelines for information asset owners

Slide 23: Guidelines for information asset owners (cont.)
Elements of privacy by design and privacy by default:
- No personal data are collected beyond the minimum necessary for each specific purpose of the processing
- No personal data are retained beyond the minimum necessary for each specific purpose of the processing
- No personal data are processed for purposes other than the purposes for which they were collected
- No personal data are disseminated to non-public third parties for purposes other than the purposes for which they were collected
- No personal data are sold
- No personal data are retained in unencrypted form
Slide 24: Guidance to information asset owners (cont.)
Impact assessment (art. 35)
Privacy Impact Assessment (PIA) is mandatory when the processing is likely to result in a high risk for the rights and freedom of individuals. It should include:
- A description of the processing
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes
- Involvement of the Data Protection Officer (DPO) where one is designated
- Requires consultation with the Supervisory Authority (SA) if controller does not mitigate the high risk
Slide 25: Upgrade IT applications to conform to performance standards for data subject rights
- Logging of sources of personal data, and internal and external access
- Features to execute on data subject rights of access, correction, objection, profiling, data portability, and deletion (forgotten)
- Functionality that facilitates the secure destruction of personal data when no longer required for legitimate business and compliance purposes, in accordance with record retention policies
Slide 26: Address requirements for data processors
Controller must establish a contract that covers:
- Description of subject-matter and duration of the processing
- Description of nature and purpose of the processing
- Types of personal data and categories of data subjects
- Obligations and rights for Controller (responsibilities and audit rights)
Direct obligations on data processors, such as:
- Commit personnel to data secrecy
- Assist Controller to respond to data subject's rights
- Comply with security measures
- Assist Controller with security breach and DPIAs
- Cooperate in case of audits, including inspections
Slide 27: Consider whether required to appoint a data protection officer (DPO)
DPO has inter alia the following tasks:
- inform and advise data controller or processor as well as employees;
- monitor compliance with data protection laws;
- cooperate with and act as contact person for supervisory authorities.
Slide 28: DPO appointment (cont.)
Private sector organizations will generally be required to appoint a DPO where they process sensitive data on a large scale or engage in regular and systematic monitoring of data subjects on a large scale. Even where a DPO is not mandatory, consider whether to appoint one voluntarily to help discharge GDPR compliance obligations.
Data protection authority guidance on appointing a DPO.
Slide 29: Game plan for one-stop-shop (OSS)
1. Identify your main establishment
2. Identify likely Concerned SA that your Lead SA will liaise with
3. Build good relations with your Lead SA
4. Monitor your Lead SA closely for guidance and enforcement priorities
5. Monitor communications from the EDPB and SAs on how the OSS will be interpreted and applied in practice
Slide 30: Consider fines and consequences
€20M / 4% of total worldwide annual turnover of preceding financial year
- Example: infringement of basic principles for processing, data subjects' rights, or obligations pursuant to Member State laws adopted under the GDPR
€10M / 2% of total worldwide annual turnover of preceding financial year
- Example: infringement of obligations regarding data protection by design or by default
Slide 31: 4. Implementation & ongoing review

Slide 32: Implementation (snapshot)
- Establish implementation step list
- Set realistic timelines and assign sufficient resources
- Keep senior management apprised of progress
- Assess relative priority of compliance recommendations, and make strategic decisions
- Continue with ongoing review and improvements to the data protection program
Slide 33: End game: Actual demonstrated compliance
Policies & measures: Policies, Procedures, Measures
Record of all the processing
Information Policies: significant number of items to be provided, in an intelligible form, may be done electronically
Training
Suitable Risks Analysis: Privacy Impact Assessments, Privacy by Design, Privacy by Default
Appropriate safeguards for cross-border transfers
Well-Functioning Governance Structures
Notification of Personal Data Breaches
Slide 34: Questions?
Baker McKenzie Resources
Julia Kaufmann | Partner, Munich | +49 89 5 52 38 200 | julia.kaufmann@bakermckenzie.com
Lothar Determann | Partner, Palo Alto | +1 650 856 5533 | lothar.determann@bakermckenzie.com