GDPR is coming in less than 2 months Are you ready?

Transcription

1 GDPR is coming in less than 2 months Are you ready? Charles-Albert Helleputte Partner, Brussels chelleputte@mayerbrown.com 30 March 2018

2 2

3 GDPR is everywhere... You were invited by UNICEO to attend today s event In order to register to the event, you sent an to UNICEO with your contact details What should have happened between UNICEO and Mayer Brown? What happens now? The Mayer Brown Privacy Team will use your contact details to invite you to the next Privacy event You exchange your business card with the Mayer Brown Privacy Team. Next week we invite you to a meeting to present you our firm 3

4 GDPR Compliance for Events Organisers Inform Your Leadership, Formulate a Plan 1 2 Map the Personal Data that Your Organisation is Processing 3 Decide Whether a Data Protection Officer Should be Appointed 4 Address the Risks Identified in Any Data Processing Activities 5 Review the Grounds Under Which Personal Data is Being Processed 6 Draft or Review Information Notices 7 Update Your Data Governance Policies and Procedures 8 Review Your Contracts with Third Parties 4

5 Agenda Based on the specific questions UNICEO shared with us, we will focus on: 1. Data Mapping (Step 2) 2. Review of the Legal Grounds for Processing (Step 5) 3. Information Notices (Step 6) 4. Review of Contracts with Third Parties (Step 8) 5

6 Step 2: Map Your Personal Data What do I need to map? Type of data and any classification Location of data Form of collection (or how it is obtained) Purposes of the collection and processing Details on storage (including where stored and who manages the system; whether there are back-ups) Encryption and destruction schedule Transfers and disclosures between business and third parties How do I map it? Gather information Make a plan Identify and review relevant policies Involve key actors (HR, Communication, IT, etc.) Ensure mapping is ongoing Make it visual (i.e., a map) Identify any gaps 6

7 Events Organisers Data Mapping Exercise Data processing activity Categories of personal data Data subjects Data collection method Data processing purpose Data are shared externally Safeguards Registration Event Event Followup Marketing activities HR Data Processing 7

8 Step 5: Review the Grounds for Processing On the basis of the information gathered during the data mapping exercise, review the legal grounds on which you rely on in order to process personal data Consider: The purposes of processing (if you collect personal data for one purpose, you cannot use it for another incompatible purpose) The context in which you collected the personal data in particular, your relationship with the individuals and what they would reasonably expect The nature of the personal data The possible consequences for individuals of the new processing; and Whether there are appropriate safeguards in place 8

9 Legal Basis for Processing: Consent Threshold for valid consent significantly increased Consent must be freely given, specific, informed and unambiguous Need for a clear affirmative action It must be recorded It must be unbundled (clearly distinguished from other matters) Could be withdrawn at any time 9

10 Review Legal Grounds for Processing - Registration When it comes to registration, be transparent about how you will use the personal data provided. If you intend to use personal data for purposes different from the original intended purpose (i.e., organisation of the event), you should identify a specific legal basis. For instance, consider whether you should ask specific consent to: Invite people to other events Conduct marketing activities Publish pictures of the events Publish the minutes of the event (if this will include individuals 'personal data) Share the list of the attendees with third parties (e.g., sponsors) 10

11 Collection of Business Cards during Events Often during events, you would be collecting as many business cards as possible, add these to your CRM and then start contacting individuals. When you collect a business card, consider in which context and for what reason this was collected. In the first communication to the individual: 1. Remind him/her in which context the personal data were collected 2. Inform him/her about the use of his/her personal data 3. Provide a link to a privacy policy 4. Provide him/her with the possibility to opt-out from this type of communication 11

12 Step 5: Review the Grounds for Processing Do you always need consent? Individuals attending your organisation s conferences and events When you send follow-up s to people attending your events, you could rely on the legitimate interest ground, but a STRICT TEST APPLIES! If you would like to invite them to other events, you should ask their consent! 12

13 Step 5 : Review the Grounds for Processing What happens to your old database? You would like to contact all the individuals already included in your database to ask their consent on whether they would like to receive your newsletter going forward Honda Motor Europe fined 13,000 Honda sent an to 289,790 contacts asking Would you like to hear from Honda? Honda was trying to comply with GDPR: the was sent in order to clarify how many of the subscribers would like to receive marketing s going forward. Key take-away: Even asking for consent is classified as marketing and is in breach of the upcoming GDPR! 13

14 Step 5: Draft or Review Your Information Notices Transparency of processing requires controller to provide information notices Notice must be provided at the time data is obtained (POC) and must include: Identity and contact details of the controller Details of representative and DPO (if any) Purpose and legal basis of processing Data storage period Details of data transfers outside EEA and safeguards Recipients Use of automated decision making or profiling Details of legitimate interests Rights of access and correction Right to withdraw consent Right of complain to DPA Right of object to data processing Right of data portability 14

15 Step 5: Draft or Review Your Information Notices The Registration often constitutes the first point of contact with the data subject. You should use registrations to provide information notices to individuals You can mention that there will be a photographer at the event, explain how the photos will be used and ask for consent for further use of them During the event, you can provide colored coded stickers for people that consent to having their photo taken If scanning badge and/or interactive badges will be used during the event, inform the individuals of which personal data are collected, which external vendors you use to provide this service, etc. 15

16 Step 8: Review Your Contract with Third Parties Controllers must use a high degree of care in selecting processors Contracts must be implemented that contain a range of information e.g., data processed and duration, obligations such as data breach reporting, use of technical measures, audit assistance obligations, etc. Data transfer restrictions apply to controllers and processors. Controllers should review whether any of the third parties they share personal data with is located outside the EEA and ensure they have a legal transfer mechanism in place IN PRACTICE When you share personal data with external vendors, such as sponsors, ticketing platforms, etc., signing a Data Processing Agreement is necessary : if something goes wrong, you will be liable under GDPR! 16

17 Conducting Surveys under the GDPR Event organisers often conduct surveys to collect feedback from attendees. In this case you should: Check who will receive the survey Why are they in your database? Do you have a legal ground for processing their personal data? Consider whether anonymisation of the results would be more appropriate when collecting survey responses At the moment of the registration, inform individuals that they will receive a survey and give them the possibility to opt-out 17 Conduct due diligence on the external vendor (online survey software) you use to conduct such survey: Where is it based? Do you have appropriate safeguards in place? Do you need to sign a data processing agreement with it?

18 Conducting Surveys under the GDPR Event organisers often rely on US based platforms to conduct surveys. Many of these companies have already taken steps to ensure compliance with the GDPR Example. Survey Monkey steps towards compliance include: Updating the privacy policy Offering Data Processing Addendum incorporating the EU Commission approved Standard Contractual Clauses Privacy Shield Certification Providing a list of sub-processors 18

19 You don t need our consent! 19

20 Thank you for your attention

21 Questions? Please contact: Charles-Albert Helleputte Partner (Brussels) T: + 32 (0) E: Chelleputte@mayerbrown.com Diletta De Cicco Legal Consultant (Brussels) T: +32 (0) E:Ddecicco@mayerbrown.com 21

22 Bios Diletta is a legal consultant based in the Brussels office. She is part of the global Cybersecurity and Data Privacy practice at Mayer Brown. She holds a Data Protection Officer Certificate from the University of Maastricht. She is a member of IAAP and of AmCham EU digital committee. Diletta advises clients in a wide range of global data privacy and security issues. She assists organizations in complying with EU and national privacy laws, including developing global datatransfers mechanisms, privacy statements, data breach notifications, privacy policies and procedures. She regularly speaks at conferences and events on privacy matters and contributes to various GDPR groups and initiatives. Charles is a partner based in the Brussels office. He is part of the global Cybersecurity and Data Privacy practice at Mayer Brown. He is a member AmCham EU digital committee and HTNG GDPR workgroup. Charles is active in a number of sectors (hospitality, financial sector, travel platforms, aviation, infrastructure, etc.) and a range of practices (counseling on regulatory developments, data privacy aspects of employees monitoring and investigations, data collection and exchanges in the context of export control). He is regularly in contact with DPAs around Europe and has represented clients in front of the WP29. 22

23 Notice The material in this presentation is provided for informational purposes only and does not constitute legal or other professional advice. You should not and may not rely upon any information in this presentation without seeking the advice of a suitably qualified attorney who is familiar with your particular circumstances. Mayer Brown Practices assumes no responsibility for information provided in this presentation or its accuracy or completeness and disclaims all liability in respect of such information. Mayer Brown Practices is, unless otherwise stated, the owner of copyright of this presentation and its contents. No part of this presentation may be published, distributed, extracted, reutilized or reproduced in any material form (including photocopying or storing it in any medium by electronic means and whether or not transiently or incidentally to some other use of this publication) except if previously authorized in writing. Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the Mayer Brown Practices ). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe Brussels LLP; two limited liability partnerships established in the United States, Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership. The Mayer Brown Practices is known as Mayer Brown JSM in Asia. 23