New Regulation - Association of Corporate Counsel

307 - Preparing for EU 2015 Data Protection Rules
Gary Chun, Senior Corporate Counsel, Covance Inc.
Laura Hamady, Assistant General Counsel Privacy, eCommerce & Retail, Levi Strauss & Co.
Mark Diamond, President & CEO, Contoural, Inc.
Tom Mighell, Senior Consultant, Contoural, Inc.
Legal Information Is Not Legal Advice
Contoural provides information regarding business, compliance and litigation
trends and issues for educational and planning purposes. However, legal
information is not the same as legal advice -- the application of law to an
individual or organization's specific circumstances. Contoural and its
consultants do not provide legal advice. Clients should consult with
competent legal counsel for professional assurance that our information,
and any interpretation of it, is appropriate to each client's particular situation.
EU Data Protection Directive
EU DP Directive (1995)
• Personal data
• Controller and Processor – where data is processed in the EU
• Transfers of personal data outside the EU
• Model clause agreements and US Safe Harbor
• Different laws within Europe and different DPAs and standards
2012 – draft EU DP regulation
Privacy principles: notice, purpose, consent, security, disclosure, access, accountability
Ongoing negotiations between EU Parliament, Council and Commission
Expected adoption in 2015
Expected enforcement in 2017
Who Are You
• US Company?
• US Company with EU Affiliates?
What Should You Already Be Doing to Comply with Current Requirements?
• Privacy Policy and Procedures
• Privacy Governance Organization
• Training for Employees
• Privacy Notices
• Information Security
• Audit Procedure
• Breach Response Process
Proposed Changes to EU Data Protection Regulation
• Directive to regulation – harmonize regulations across the EU
• Extends to all foreign companies processing data of EU residents
• Incorporate privacy by design
• Significant penalties – up to 5% of annual worldwide turnover (revenues)
• Notification of data breaches
• Data Protection Officer
• Right to be forgotten/erasure
What’s Driving the Changes?
• Desire to harmonize regulations across the EU – the Directive relies on individual countries to enact laws; the Regulation will be consistent across borders
• The 1995 Directive isn’t up to date with current technology
• Unhappiness on the EU side with Safe Harbor
• Concern about privacy standards and abuses in other territories
• Protectionism
Estimated Timeline for Regulation Implementation
• 2014 – Negotiations on amendments; finalize Regulation
• 2015 – Regulation becomes law
• 2016–2017 – Member States have 2 years from enactment to bring the Regulation into effect
Right to Be Forgotten
New Article 17:
The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, and to obtain from third parties the erasure of any links to, or copy or replication of that data….
• Who is the controller? Does this apply to third parties?
• Non-European companies must apply EU rules when offering services to European consumers
• Burden of proof reversed – now the burden is on the controller to prove data is still relevant
• Balance against freedom of expression and the press
Google Spain v AEPD and Mario Costeja González (2014)
• González lodged a complaint with the Spanish Data Protection Agency asking that a link to a newspaper article about him be removed
• The European Court of Justice ruled that an internet search engine must consider requests from individuals to remove links to freely accessible web pages resulting from a search on their name
• The ruling related solely to allowing people to request that their names not show up in search results when the information is “inadequate, irrelevant or no longer relevant.”
• Google and other providers are creating processes to allow individuals to have links to their names removed
• The proposed EU Data Protection Regulation would be much more broadly interpreted
Be Prepared for Right to be Forgotten and Subject Access Requests
• Establish a chain of command
  – Train customer service and any other employees who may receive such requests
• Understand where the data is
  – Which databases, which backups, etc.
• Create a response timeline
  – Be able to respond quickly
What Do You Need to Know?
• What data do you have?
  – PII? Sensitive PII?
• How do you receive the data you have?
  – Directly from the data subjects? From a third party?
• Whose data do you have?
  – Who are your data subjects?
• Who can access the data?
  – What access controls are in place?
• Where is the data stored?
  – Cloud? Servers? File shares? BYOD?
• How long is data kept?
  – Is there a record retention schedule in place?
What Do You Need to Do?
• Locally (in the EU)
  – Local filings
  – Local Notices
• Binding Corporate Rules
• SCC/Model Clauses
• Safe Harbor
• US HQ
• Rest of the World
• Make sure that you have made all currently required disclosures and that they are accurate
• Follow current regulations until the Regulation is finalized and implemented – the one-stop shop principle is controversial
Understanding Data Practices
• Internal audits
• Identify data collection points
• Locate databases
• Map data flows
Creating a Data Map
A Data Map is an inventory of the data sources that inform prevention activities. It tells you what you have, where it is, and who is responsible for managing it.
Common types of data maps include:
• Application & Infrastructure
• eDiscovery
• Records & Content Management
• Compliance
• Privacy & Sensitive Information
A Data Map may be a document, a diagram, a database, or an application.
The Future of Safe Harbor
• Recent calls for suspension by the EU – complaints about lack of US enforcement and oversight
• Self-certification is not trusted – perception vs. reality?
• EU recommendations for improving Safe Harbor – transparency, redress, enforcement, access by US authorities
• Prediction: Safe Harbor will survive
• But see “Schrems vs. Facebook” – is Safe Harbor incompatible with European human rights standards?
Impact on Binding Corporate Rules
• Expressly validated by the Draft Regulation
• Strong backing by EU data protection authorities
• Safe Harbor under increasing strain, and even model contracts are scrutinized more
• Binding Corporate Rules (BCRs) are now more familiar to companies and consumers
• BCRs are easier to get than before – 12–18 months vs. 4 years
Impact on Data Transfer Agreements
What is happening with data transfer agreements?
The Draft Regulation offers 3 data transfer solutions:
• Adequate Countries
• Appropriate Safeguards (like BCRs, SCCs, Safe Harbor)
• Clearly Defined Specific Situations (such as during an investigation)
Impact on Storing Data in the Cloud
• Data residency requirements apply to cloud storage
• Cloud solutions need to support:
  – Data residency
  – Appropriate security controls
  – Ability to search for PII within individual documents
  – Better metadata
Vendors Are Often Part of the Gap
• Does the vendor have a Records Retention Policy that is enforced?
• What does the Service Level Agreement with the vendor say regarding record retention?
• Has the vendor been audited by internal self-audit or an external regulatory authority regarding its data privacy protections?
• Does the vendor have a written Information Security Program applicable to all records potentially subject to privacy regulations?
• Does the vendor have U.S. Safe Harbor Certification?
Conflict or Inconsistency with Other Regulations within the EU
EMA policy on clinical trial data transparency
• Delayed to Oct 2 meeting (*need to update based on meeting)
• Considering impact on R&D and industry concerns
• Need to protect patient data and commercial confidential information
• May be inconsistent with the scope of the consent in informed consent forms
Conflict or Inconsistency with Jurisdictions Outside the EU
Revelations of massive government surveillance are a major source of conflict with non-EU countries, particularly the US
• US
  – Patriot Act
  – Dissatisfaction with US Safe Harbor
• Encryption restrictions in territories (Russia)
Impact of Dealing with Data Breaches
New Regulation: Notice of a data breach must be disclosed to the supervisory authority within 24 hours of detection if feasible.
What You Should Do NOW:
• Update (or create) your Breach Notification Process
• Conduct a data protection audit – identify potential weaknesses
• Assess / enhance detection and response capabilities
Best Practice for Breach Response:
• Isolate compromised systems
• Preserve relevant information
• Make required disclosure(s)
• Investigate cause of breach and remediate
Is It Time to Rethink Your Privacy Strategy?
What do I need to update or change?
• Follow local laws until the Regulation passes
• Consider holding off on BCRs – you may need to start the process over, and the Regulation will likely make the process easier
• Remember that the Regulation isn’t final yet
• Get serious about information governance
Privacy by Design
Article 23: The controller shall implement mechanisms for ensuring that, by default, only those personal data which are necessary for the purposes of the processing are processed.
• Safeguards built into products/services
• Privacy-friendly default settings (Hello, Facebook)
• Collaboration with IT
• Duty to remediate existing systems?
Addressing the Middle
[Diagram: the Data Privacy Compliance Gap sits between Security Policies on one side and the Breach Response Plan on the other. In the middle: unstructured data on file shares, cloud and SharePoint; data extracts; key application monitoring and breach response; paper records; employee BYOD; documents sent to third-party vendors.]
Making Everything Right, Preparing for the Regulation
• Policies – update your policies
• Clean Up – fix any problems that present themselves in audits and create strict access controls
• Train People – create data privacy trainings
• Processes – Subject Access Requests, Right to be Forgotten
• Audit – create a team to monitor and audit compliance with the procedures you create
• Privacy by Design – design forward to incorporate your knowledge
• Documentation – practices need to be established to provide guidance on how to handle data in accordance with the EU directive
Is It Time for Information Governance?
[Diagram: Records, Disposition, Discovery, Privacy as the four areas of Information Governance.]
• Ensure records policies are up to date
• Harmonize records policies with privacy policies
• Strengthen legal hold processes
• Better manage data with a data placement strategy
• Leveraging the data map, develop defensible disposition processes
• Develop a “Culture of Compliance” through Information Governance Behavior Change Management
• Rolling out a Policy and Procedures with no Change Management is not enough
Additional Resources
• ACC Docket Magazine, October 2014 Issue: Building a Business Case for an Information Governance Program
• ARMA Information Management Magazine, October 2014 Issue: All In One: Creating a Super Data Map and Schedule
• Free recorded webinars at www.contoural.com
  – Preparing for the EU 2015 Data Protection Rules: What You Need to Know
  – Taking a Metrics Approach to Information Governance
  – Creating a Records Management Project Plan
• ACC Information Governance eGroup – join the discussion
Thank You and Questions
• Gary Chun, Senior Corporate Counsel, Covance Inc.
• Laura Hamady, Assistant General Counsel Privacy, eCommerce & Retail, Levi Strauss & Co.
• Mark Diamond, President & CEO, Contoural, Inc.
• Tom Mighell, Senior Consultant, Contoural, Inc.