GDPR Countdown to May 2018


Page 1

Q2 2018: PILOT AND PERFECT

Getting ready for the GDPR

Your GDPR Readiness Plan

Focus on accountability

The GDPR is coming, and it is raising the risk profile of data protection for all businesses. What should you do to prepare?

There is a lot of change, and it can be hard to get your arms around it. A strategic and risk based approach can help you reach a position of compliance that matches your risk appetite and resources.

Here is our recommended approach:

Establish your core team: Who will manage and monitor GDPR readiness progress

Scope your project: What will be assessed (think about a “pilot” country or business line) and in what time frames

Map your data: What are the sources of your data, who handles it, where does it go, and how is it used and protected

Identify compliance gaps and establish your plan of action: Collate relevant documentation and holistically review to identify any gaps. Prepare plan of action appropriate to your risk appetite and resources

Review/establish policies, notices and procedures: Prepare comms strategy and consider training requirements

DPO assessment: Is a Data Protection Officer required / should you appoint anyway

Review/update contractual documentation: Ensure compliance extends to your supply chain / procurement process

International transfers: Review legal basis for international transfers and establish appropriate mechanisms to ensure compliance with GDPR

Data Protection Impact Assessment: Do you need to / should you carry out an impact assessment

Test drive: Carry out a test run of the policies and procedures you have put in place and make any changes needed to enable organisational continuity

Keep up the good work: Devise and implement plan for ongoing review and audit of GDPR compliance


Q3 2017: FACT FIND AND GAP ANALYSIS

Q4 2017 – Q1 2018: IMPLEMENT YOUR GAME PLAN

“The GDPR brings with it a quantum shift in emphasis on who is responsible for ensuring that our right to data protection is fully respected… Accountability is more than simple compliance with the rules - it implies a culture change.”

Giovanni Buttarelli, European Data Protection Supervisor

PRIVACY NOTICES
• New ICO Guidance
• Be transparent, be clear, be innovative

PRIVACY BY DESIGN AND DEFAULT
• Data protection compliance is not a band aid to be applied at the end of a process
• It should be baked in from the outset
• How will you achieve this?
• Data Privacy Impact Assessments will be a key tool

LEADERSHIP
• You need culture carriers
• Board level representation – who?
• Privacy champions throughout the organisation to support your DPO and help achieve Privacy by Design

UPSKILLING YOUR EMPLOYEES
• Training (on what compliance means, but also on culture – Privacy by Design)
• Achieve a culture shift
• Transparency about what you do – builds trust

DATA PROTECTION OFFICERS
• Should you have one
• Should you have delineated responsibility
• Empowering and protecting your DPO

RECORDS
• Map your data flows internally and externally
• Build a record of processing and keep it up to date

DATA SUBJECT RIGHTS
• Have processes to deal with data subjects’ enhanced rights and to deal with complaints
• Understand new rules around profiling, the right to be forgotten and data portability


Page 2


GDPR Game Plan

13 OF THE BIGGEST STEP CHANGES YOU NEED TO BE AWARE OF AND ADDRESS AS A MATTER OF PRIORITY

The General Data Protection Regulation will apply from May 2018. The Regulation represents a step change for data protection compliance and businesses need to be getting ready now.

EXPANDED SCOPE AND ONE-STOP-SHOP
The GDPR applies to the processing of personal data by data controllers and processors established in the EU, as well as by controllers and processors outside the EU where their processing activities relate to the offering of goods or services (even for free) to data subjects within the EU, or to the monitoring of their behaviour.

PROFILING RESTRICTIONS
Data subjects shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, and a right to “opt out” in certain circumstances.

DATA PROCESSORS
The GDPR imposes compliance obligations directly on processors, such as implementing security measures, notifying the data controller of data breaches, appointing a DPO (if applicable), maintaining records of processing activities, etc. Processors will be directly liable in case of non-compliance and may be subject to direct enforcement action.

DATA PROTECTION BY DESIGN AND BY DEFAULT
These concepts are codified in the GDPR and require controllers to ensure that individuals’ privacy is considered from the outset of each new processing activity, product, service or application, and that, by default, only the minimum amount of personal data necessary for specific purposes is collected and processed.

ACCOUNTABILITY
Businesses will have to ensure, through appropriate technical and organisational measures, compliance with the requirements of the GDPR and be able to objectively demonstrate such compliance.

OVERHAULED DATA TRANSFER RULES
The GDPR retains the cross-border data transfer rules of the Directive, but adds new ones such as certification mechanisms and codes of conduct, as well as a new, very limited derogation for occasional transfers based on legitimate interest.

ENFORCEMENT & SANCTIONS
The GDPR will harmonise the tasks and powers of supervisory authorities and significantly increase fines. For major infringements (such as failure to comply with cross-border transfer rules or to obtain adequate consents) fines can be up to 20 million EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher).

DATA BREACH NOTIFICATION
Controllers will have to report data breaches to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to data subjects’ rights and freedoms). A proper justification shall accompany the notification if it is not made within 72 hours.

DATA PROTECTION OFFICERS (“DPO”)
Certain private and most public sector organisations will be required to appoint a DPO to oversee their data processing operations. A DPO will be required where (i) the processing is carried out by a public authority or body, (ii) the core activities of the controller or processor consist of processing which requires regular and systematic monitoring of data subjects on a large scale, (iii) the core activities consist of processing special categories of data on a large scale, or (iv) it is required by Member State law.

DATA PROTECTION IMPACT ASSESSMENTS (“DPIAs”)
Controllers will be required to perform a DPIA where the processing of personal data (particularly when using new technologies) is likely to result in a high risk to the rights and freedoms of individuals.

DATA MAPPING
Controllers and processors will have to maintain records of processing activities. Detailed information must be kept and provided to supervisory authorities upon request.

CONSENT
Consent is retained as a processing condition, but the GDPR is more prescriptive than the Directive when it comes to the conditions for obtaining valid consent. The key change is that consent will require a statement or clear affirmative action of the data subject. Silence, pre-ticked boxes and inactivity will not be sufficient.

ENHANCED RIGHTS OF DATA SUBJECTS
The GDPR includes a wide range of new rights, including the right to data portability, the right to erasure, the right to restriction of processing, and the right to object to certain processing activities (profiling) and to automated processing decisions. Controllers will also be required to provide significantly more information to data subjects about their processing activities.

Page 3


How we can help

AWARENESS AND UPSKILLING
We can help develop and deliver your data protection training programme to achieve your compliance goals, from introducing your implementation team to the GDPR requirements and training your DPO, to broader organisational awareness training and intensive training for employees in “high risk” roles with regular access to personal data.

TRACKING YOUR COMPLIANCE
We offer practical and easy-to-use technology through our innovative ig360 tool. Our ig360 platform was recently recognized by the Financial Times as a “standout” innovative solution in the compliance and technology category in the Financial Times’ North America Innovative Lawyers 2015 report.

PARTNER WITH YOU ON YOUR GDPR COMPLIANCE GAME PLAN
We can support you through your GDPR readiness plan. We will work with you to identify an approach that strikes the right balance, whether that means we play a light touch role or a submersive partnership with you.

TARGETED ASSISTANCE IN KEY FOCUS AREAS
You may be taking the lead on GDPR compliance but want a sanity check / review on some of your riskier practices and approach (e.g. consumer tracking, behavioural monitoring, widescale international data transfers, profiling).

BEST IN CLASS COMPLIANCE
We have significant experience advising clients on Binding Corporate Rules, which form the building blocks to starting the journey to cultural and organisational change in data protection compliance.

Contacts

Julia Wilson, Partner, +44 20 7919 1357, julia.wilson@bakermckenzie.com

Dyann Heward-Mills, Partner, +44 20 7919 1269, Dyann.Heward-Mills@bakermckenzie.com

“There’s a lot in the GDPR you’ll recognise from the current law, but make no mistake, this one’s a game changer for everyone.”

Elizabeth Denham, UK Information Commissioner

Baker & McKenzie LLP is a limited liability partnership registered in England and Wales with registered number OC311297. A list of members’ names is open to inspection at its registered office and principal place of business, 100 New Bridge Street, London, EC4V 6JA. Baker & McKenzie LLP is a member of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the terminology commonly used in professional service organisations, reference to a “partner” means a person who is a member, partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm.

Baker & McKenzie LLP is authorised and regulated by the Solicitors Regulation Authority of England and Wales. Further information regarding the regulatory position together with our privacy policy is available at http://www.bakermckenzie.com/en/locations/emea/united-kingdom/london/legal-notice.

This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

© 2017 Baker & McKenzie. All rights reserved.