What does the Proposed EU General Data Protection Regulation (GDPR) mean for Business – TRUSTe

DESCRIPTION

We outline the proposed changes in the EU General Data Protection Regulation (GDPR) and its effect on the privacy of US-EU data transfers. Access the complete webinar on how the EU GDPR will affect your business: https://info.truste.com/lp/truste/On-Demand-Webinar-Reg-Page.html?asset=J68IQUDK-565

TRANSCRIPT

Page 1: What does the Proposed EU General Data Protection Regulation (GDPR) mean for Business – TRUSTe

1 v Privacy Insight Series v

What Does the Proposed EU Regulation Mean for Business

September 16, 2015

Page 2

Today’s Speakers

• Dennis Dayman, Chief Privacy and Security Officer, Return Path Inc.
• Dr Kai Westerwelle, Partner, Taylor Wessing
• Mr Andrea Glorioso, Counselor, Digital Economy / Cyber, Delegation of the European Union to the USA
• Eleanor Treharne-Jones, Director, EMEA & Global Communications, TRUSTe

Page 3

Today’s Agenda

• Welcome & Introductions - Eleanor Treharne-Jones
• Overview of the Main Changes in the General Data Protection Regulation - Mr Andrea Glorioso
• Key Areas in the Regulation: Legal Perspective and Impact on Business - Dr Kai Westerwelle
• Actions to Prepare for the GDPR - Dennis Dayman
• Q&A - All

Page 4

The General Data Protection Regulation (GDPR) – Overview of the main changes

Mr Andrea Glorioso, Counselor, Digital Economy / Cyber, Delegation of the European Union to the USA

Page 5

The GDPR: timeline

• January 2012: proposal of the European Commission (draft Regulation + draft Directive on the exchange of personal data for police and judicial cooperation)
• March 2014: the European Parliament adopts its "first reading" position
• June 2015: the Council of the European Union adopts its "general approach"
• July 2015 / ongoing: "trialogues" among the European Commission, the European Parliament and the Council of the European Union
• Expected adoption: end of 2015 / beginning of 2016?

Page 6

The GDPR: what doesn't change

• The core legal concepts (e.g. definition of "personal data", "data subject", "data controller", "data processor") do not massively change compared to the main existing EU legislation (1995 Directive)
• You still need a "legitimate basis" to process personal data
• The objective remains the same: minimize differences of legal treatment among EU Member States in order to safeguard the internal / common market and ensure a coherent (and high) level of protection of privacy and personal data across the European Union
• Extra-EU data transfers still need a legal basis to take place

Page 7

The GDPR: main changes

• It's a Regulation, not a Directive: no need for Member States to "transpose" it in their national legal systems
• "One-stop shop" system: organizations operating in multiple Member States are supposed to interact only with the Data Protection Authority in their "main place of establishment"
• "Consistency mechanism": the "main" Data Protection Authority is responsible for interacting with other Member States' DPAs to ensure coherency and avoid multiple, contradicting decisions

Page 8

The GDPR: main changes

• "Information notices" will become much more detailed and will have to be in an "intelligible form, using clear and plain language, and adapted to the data subject".
• "Data processors" (e.g. sub-contractors to the data controllers) are now subject to much stricter controls, responsibilities and potential penalties.
• Principle of "accountability": data controllers / processors must demonstrate existence of appropriate internal and external processes, control systems, auditing checks, impact assessment procedures and (in some cases) appoint a Data Protection Officer.
• "Privacy by design" and "privacy by default"

Page 9

The GDPR: main changes

• Certain "data processing" operations are now more strictly regulated
  • E.g. "profiling", which requires explicit consent when performed on "sensitive data"
• Obligation to notify breaches that lead to the loss or unauthorized dissemination of personal data
• Jurisdictional scope of application of the GDPR is now broader: new rules apply also to organizations which are based outside the EU but are offering goods and services to EU residents or "monitor the behavior" of EU residents
• Penalties will in general be stiffer: maximum of 2-5% of the global turnover of a company, or EUR 1 Million, whichever is higher

Page 10

The GDPR: the end of the Internet?

• The GDPR raises the bar of privacy / personal data protection
• The rules are non-discriminatory: non-EU companies are not penalized compared to EU companies
• Is this the much needed incentive for "data hygiene" within data-intensive companies (e.g. nowadays, all companies)?

Page 11

EU-US data transfers

• Umbrella agreement (exchange of data for law enforcement purposes): agreement reached on September 8, waiting for the "Judicial Redress Act" to be adopted in the U.S.
• Safe Harbor discussions: final details on "national security exemption" and "onward transfers", but overall agreement on the 13 Recommendations of the European Commission
• Extra-EU transfers of non-personal data were and still are valid in principle!
• Safe Harbor is not the only mechanism: list of "legitimate bases" for transfers (e.g. consent, performance of contract), Binding Corporate Rules, standard contractual clauses

Page 12

More information

• General information: http://ec.europa.eu/justice/data-protection/
• Supporting documents (fact sheets, background studies, surveys): http://ec.europa.eu/justice/data-protection/document/index_en.htm
• Extra-EU data transfers: http://ec.europa.eu/justice/data-protection/international-transfers/index_en.htm
• Step-by-step timeline: http://eur-lex.europa.eu/procedure/EN/201286

Page 13

Dr Kai Westerwelle, Partner, Taylor Wessing (US) Inc.

Key Areas in the Regulation: Legal perspective and impact on business

Page 14

Harmonization

• Current situation
  • European privacy laws based on the EU DP Directive (to be transferred into local law)
  • Result: different privacy laws in all European States (even within the states)
  • Result: different levels of data protection (UK vs. France vs. Germany)
  • Result: different regulatory requirements (e.g. applications / registrations)
  • Result: data protection officers only in some Member States
• Business Impact
  • European roll-out difficult, time consuming, and cost intensive
  • Idea: compliance with the strictest regime and roll out to “lower levels” (pyramid)
  • Highest level might not be required and is costly
  • Remaining uncertainties

Page 15

Harmonization

• Future
  • Regulation should create more harmonization (no transfer into local law)
  • Result: the same law in all European states
  • Result: the same regulatory requirements (e.g. applications / registrations)
  • But: room for interpretation by local authorities?
• Business Impact
  • European roll-out easy as one-size-fits-all
  • One-stop shopping possible
  • Compliance with European law much less costly
  • Substantial business advantage (for EU and non-EU entities)

Page 16

Harmonization

• Level of data protection
  • Regulation creates the same level of data protection in all Member States
  • For most European countries: stricter data protection rules
  • For some European countries (e.g. Germany): lower standard
  • Again: room for interpretation by local authorities?
• Business Impact
  • Changes required if compliant with lower level (“upgrade” DP level)
  • Review and amend data protection policies
  • Review and amend data processing agreements
  • Install required positions (data protection officer?)
  • Establish required data protection measures (e.g. TOMs / certificates)

Page 17

Applicability

• To non-EU companies
  • Non-EU company offering goods or services to an EU data subject
  • Non-EU company monitoring EU data subjects
  • Unclear: applicable only to data controllers or also to data processors
• Direct relation
  • Companies having their seat outside the EU must name a contact person within the EU
  • Direct claims of EU data subjects in the US (umbrella agreement and US transfer)

Page 18

No Changes

• Prohibition with exemption
  • Collection and processing of personal data forbidden unless permitted
  • Legitimate basis for processing required (statutory exemptions or consent)
• Group privilege
  • One of the most important issues in privacy
  • No exemption for a data transfer to group companies (HR, group services)
  • Every data transfer within the group is a transfer to a third party
  • Consequence: HR centralization, group services, etc. are an issue
  • Exemption has been highly discussed, seems not to be in the current draft
  • Business impact: no facilitation; the difficult status remains

Page 19

Minor Changes

• Commissioned data processing
  • Most important for any sort of outsourcing, cloud computing, services
  • The legal concept (no transfer to a third party or general allowance) will not change
  • Definitions of “controller” and “processor” remain about the same
  • Obligations for “Data Processors” will be stricter (control and penalties, liability)
  • For Germany a substantial change: the limitation to the EU / EEA would be erased
• Business Impact
  • Amendment to the current processes
  • For Germany: major facilitation of all outsourcing processes!

Page 20

Major Changes

• Right to erasure of personal data / “Right to be Forgotten”
  • Data subjects have far-reaching rights to erasure of their data
  • “Right to be Forgotten”: already somehow in place (Google Spain)
  • Additionally possible research and clean-up obligation of first publisher
  • Business impact: technical requirements to safeguard process (technically difficult)
• Right to data transfer
  • Data subjects have a right to request data transfer to another service provider
  • Practical impact
  • Impact on business set-up and terms
  • Business impact: data might become less valuable

Page 21

Major Changes

• Data Protection Authorities
  • One-stop shopping: interaction between the authorities in the Member States
  • Main data protection authority clarifies and aligns decisions
  • Lead authority in case of establishments in different states (main establishment)
  • “Work behind the scenes”
• Business Impact
  • Enormous business impact
  • Facilitation of processes (multi-jurisdictional projects)
  • Hopefully: speed-up of international processes
  • May lead to substantial savings for companies dealing with international projects

Page 22

Major Changes

• Data Protection Officer
  • New concept to many Member States
  • Influenced by the strict German data protection law but higher level (50)
  • Might also have labor law implications
  • Needs awareness and implementation in company structure
• Certificates (on Technical and Organizational Measures)
  • Data protection certificates, seals, and marks (unclear relation to ASA or ISO)
  • “One-stop approach” applies
  • Supports outsourcing processes (audit requirements)
  • Particularly supportive to data transfer to non-EU/EEA countries and cloud services
  • High business impact: enabling / savings / selling advantage / customer requirements

Page 23

Data Transfer to non-EU Countries

• No change
  • Remains generally forbidden
  • Unless “adequate level of data protection”
• Exceptions
  • Consent of data subject
  • Binding Corporate Rules
  • EU Model Clauses (any changes?)
  • USA: Safe Harbor (important for US companies: new umbrella agreement)
  • New: Data Protection Certificates

Page 24

Dennis Dayman, Chief Privacy and Security Officer, Return Path Inc.

Actions to Prepare for the GDPR - Key Take-Aways

Page 25

Actions to prepare for the GDPR

• Privacy Policies
  • Multiple policies for different product lines
  • https://returnpath.com/privacy-policy/
  • Required languages for partners or 3rd party developers
  • TRUSTe
  • Auditor
  • Mediator
  • Easy to read
  • Smaller sections
  • Hyper-transparent
  • Express Opt-in model

Page 26

Actions to prepare for the GDPR

• Privacy by Design
  • Taken steps to make sure that our systems and processes, particularly new ones, deliver data protection compliance as a matter of course.
  • Involved development and program staff
  • Reviewing and classifying the personal data we hold and why we hold it to ensure that we can meet the requirement for ‘data minimization’
• Privacy impact assessments
  • Performing them on new/old products

Page 27

Actions to prepare for the GDPR

• Consent, Control and insight
  • Give visitors and customers 100% control over data / accountability
• Security
  • SSAE16 and ISO 27001 audit(s)
  • Access limitations / security account-based roles / 2FA / Okta
• Breach management
  • Response plan(s)
• Staff
  • Education / Certification
• Localization
  • Considering EU data centres
  • Admin staff in local countries
• Corporate data handling directives
  • Data treasure maps
  • Centralized record of authority which allows us to programmatically manage and perform compliance on how data is used in the org

Page 28

Questions?

Page 29

Contacts

Andrea Glorioso [email protected]
Kai Westerwelle [email protected]
Dennis Dayman @ddayman
Eleanor Treharne-Jones [email protected]

Page 30

Don’t miss the next webinar in the Series – “Building an Effective Privacy Program – Six Practical Steps” on September 24th

See http://www.truste.com/insightseries for details of future webinars and recordings.

Thank You!