Today's Speakers
Ralph T OBrien, Principal Consultant EU, TRUSTe
Paul Lanois, Counsel, Cross-border Legal, Credit Suisse
Applicability
Applicability now extra territorial
Based on residency of individuals in EU
Offering goods or services
Monitoring of behavior (such as internet tracking and profiling)
Timeline
Political agreement reached between Council and Parliament in December 2015
Final text on 6 April 2016 from the technical drafting committees
The text of the regulation will be sent to the European Parliament, where it will first be approved by the Civil Liberties, Justice and Home Affairs (LIBE) committee in an extraordinary session
It was adopted in plenary on 14 April 2016 (Today!)
It will then be published in the Official Journal of the European Union (OJEU)
Exactly two years after the date of publication in the OJEU, the Regulation will enter into force (April/May 2018?)
[Diagram: the Data Controller (organisations) with Duties, the Data Subject (individuals) with Rights, the Data Processor, Third Parties and Third Countries, overseen by EU Courts, National Courts and Advisory and Enforcement bodies; the arrows are annotated with the questions Security?, Complain?, Inform?, Guarantees? and Disclosure?]
Key Requirements
Increased Individual Rights
Increased Obligations
Access to data
Proactively Demonstrate Compliance
Objection
Erasure (NEW)
Privacy by Design
Lawful basis
Fair processing
Specify Purposes (Limitation)
Adequate, relevant, not excessive (Minimization)
Accuracy
Retention
Rights of Individuals
Appropriate Security
International Transfer adequacy
Fines
Up to 10m EUR or 2% of worldwide annual turnover of the last FY
Up to 20m EUR or 4% of worldwide annual turnover of the last FY
POLL:
How prepared is your organization with the European Union's
upcoming General Data Protection Regulation (the "GDPR")?
1. Sorry, GDPR? Any connection with the Gross Domestic Product?
2. We are already prepared, ready and waiting. Bring it on!
3. We have already begun work and expect to be in time.
4. We are not sure we will be ready by the deadline.
5. We have not started anything yet.
Note: the views expressed are mine alone and do not necessarily reflect the views of my employer.
Scope
The scope of application of the GDPR is broader than the EU's current data protection regime:
Under the current regime, organizations are in scope if they are located within the EU or make use of (automated) equipment located within the EU.
With the GDPR, the legislation extends to all organizations offering goods or services to EU citizens, irrespective of whether a payment is involved, and to organizations that monitor the (online) behavior of EU citizens, in so far as the behavior takes place in the EU.
Ensure that decision makers and key people in your organization are now aware that the law is changing, so that they can start identifying the areas that will have the biggest impact on them.
Privacy Insight Series
- truste.com/insightseries
GDPR Requirements

Requirement: Data Protection Impact Assessments (DPIAs) (Sect. 3, Art. 35)

Applicable GDPR text: The supervisory authority shall establish and make public a list of the types of processing operations that require a DPIA. They may also establish and make public a list of the types of processing operations that do not require a DPIA. Lists shall be communicated to the EUDPB.
Penalty, Art. 83: Administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Obligations: DPIAs are required for any processing that may result in high risk, and for:
- Systematic and extensive automated processing, including profiling, if the decisions produce legal effects or significantly affect the individual. Example: making predictions based on a person's behavior, economic situation, health or location.
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes.
- Processing special categories of data (i.e. genetic or biometric data) or criminal records on a large scale.
- Systematic monitoring of a publicly accessible area on a large scale.
- As indicated by the DPAs or the EUDPB.
GDPR Requirements
Implementation Considerations
Sample
Questions?
Contacts
Ralph T OBrien: robrien@truste.com
Barbara Mangan Sondag: bmangan@ebay.com
Paul Lanois: planois@alumni.law.upenn.edu
Thank You!
Don't miss the next webinar in the Series, Global Privacy Enforcement Priorities, on May 19, featuring Chris Hoofnagle, Adjunct Full Professor, University of California, Berkeley.
See http://www.truste.com/insightseries for details of our 2016 Privacy Insight Series and past webinar recordings.