PRIVACY ACROSS THE POND

Transcription

1 PRIVACY ACROSS THE POND GDPR, PRIVACY SHIELD AND BREXIT OH MY! ACC NATIONAL CAPITAL REGION 2017 DATA PRIVACY AND SECURITY CONFERENCE SEPTEMBER 13, 2017 Michelle Beistle, CIPP/E/US Jessica Retka Gretchen Ramos, CIPP/E/US Counsel and Chief Compliance Senior Manager & Attorney Data Privacy Partner Officer - Privacy and Ethics Sony Corporation Squire Patton Boggs Unisys Corporation Disclaimer The handouts for this presentation were prepared and used to accompany a panel discussion given on September 13, Neither the information contained herein or the accompanying comments of the presenters should be construed as the provision of legal advice. Views expressed are those of the specific presenter. They do not necessarily reflect the views of Unisys, Sony or Squire Patton Boggs, LLP respectively.

2 OVERVIEW Preparation for GDPR Compliance WP29 Guidance on GDPR Data Transfers & Privacy Shield Impact of Brexit eprivacy Regulation 2

3 GDPR COMPLIANCE = 173 RECITALS, 99 ARTICLES Compliance Deadline May 25, Days Left 3

4 WHERE DO I START? Step 1: Educate C-Suite and obtain buy in and budget Step 2: Create a GDPR Readiness Group of key stakeholders from major departments (e.g., HR, Marketing, Legal, IT, Security, Research) to assist with compliance Step 3: Conduct gap analysis of your current data privacy and security program Step 4: Develop work streams that include related projects, identify specific compliance steps, and map out deadlines between now and May 2018 Step 5: Assign responsibility for work streams and projects to appropriate members of the GDPR Readiness Group Step 6: Set deadlines for implementation Step 7: Conduct bi-weekly meetings with the work stream and project leads 4

5 COMPLIANCE GOALS LESSONS LEARNED Before anything else, preparation is the key to success - Alexander Graham Bell Preach the benefits of GDPR compliance Involve stakeholders and managers to ensure all operations considered Escape paralysis by analysis Document, document, document Hofstadter's law applies 5

6 GUIDANCE PLEASE Article 29 Working Party Guidance Final Guidance Issued Drafts Issued To Be Issued Right to Data Portability (Article 20) Data Protection Officers (Article 37) Lead Supervisory Authority (Chapter VI) Processing Personal Data in the Employment Context (Articles 7, 10, 11, 15, 88) Data Protection Impact Assessments (Article 35) Codes of Conduct and Certification Mechanisms (Articles 40-42) Administrative Fines (Article 83) Consent, Profiling and Transparency (Articles 12-14, 22) International Data Transfers (Chapter 5, Articles 44-50) Data Breach Notification (Articles 33-34) 6

7 INTERNATIONAL TRANSFERS & CONTRACT MANAGEMENT Standard Contractual Clauses Current (EU-)controller to (Non-EU/EEA-)controller (EU-)controller to (Non-EU/EEA-)processor Awaiting (EU-)processor to (Non-EU/EEA-)sub-processor End of GDPR compliant SCCs Schrems Ireland High Court inquiry EU Member States Code of Conduct Certification or Seal Binding Corporate Rules 7

8 WHAT ABOUT PRIVACY SHIELD? Annual Review WP29 15 June 2017 Request Word on the street Integration with GDPR 8

9 WHAT ABOUT THE UK? Seeking adequacy decision Possible issues Repeal Bill Five Eyes Surveillance Investigatory Powers Act ( Snoopers Charter ) Infraction proceedings UK s Data Protection Act (DPA) is, according to the European Commission, a defective implementation of EU Directive Could ignore CJEU judgments (and by implication European Data Protection Board determinations concerning harmonization of the GDPR across EU) 9

10 YET TO COME. eprivacy REGULATION 10

11 FINAL THOUGHTS 1. See GDPR as an opportunity 2. This is a process stay calm, get organized and start now 3. Do not aim for perfection 4. Prioritize accountability/record keeping 5. Think strategically about your data flows 11

12 THANK YOU Gretchen Ramos (415) Michelle Beistle (703) Jessica Retka (571)