EU Data Protection Triple Threat for May of 2018: What Inside Counsel Needs to Know
The General Data Protection Regulation (GDPR)
The ePrivacy Regulation (ePR)
The Network and Information Security Directive (NISD)
Our Topics & Agenda
- Highlights of the Triple Threat
- General Data Protection Regulation (GDPR)
- Network and Information Security Directive (NISD)
- ePrivacy Regulation (ePR)
- Designing a Compliance Program: Legal, Management, Operational, Technical
- Minefields and gotchas
- Conclusion
Highlights of the Triple Threats
- All three are effective May 2018
- Expansion of territorial and sectoral application of data security and privacy obligations and sanctions
- Strict data security and privacy reporting obligations
- Reflects a global trend (e.g., see DFARS, NYSDFS Cybersecurity Regulation)
- Implicates an increasingly broader ecosystem of third- and fourth-party vendors
General Data Protection Regulation
Overview
What is GDPR?
- General Data Protection Regulation
- Replaces local EU Data Protection Directive implementations (e.g., in the UK, the Data Protection Act)
- Starts on May 25, 2018
Who is Subject?
- All organizations that collect and process personal data of EU data subjects, regardless of size
- No longer applies only to organizations with an office in the EU; the EU is borderless
- Applies to data processors, not just data controllers
What are the Penalties?
- Up to €20M or 4% of the organization's annual global turnover, whichever is higher (board attention is now guaranteed)
- Data subjects can claim compensation for damages from breaches of their personal data
Key Requirements
- Breach Notification: Requirement to report privacy breaches to the regulator within 72 hours and potentially to the data subject
- Privacy By Design & By Default: Firms must, when introducing new technology, minimize the collection of personal data and ensure that the right security controls are in place throughout all development phases
- Data Subject's Rights: New rights include the right to erasure ("right to be forgotten") and the right to data portability
- Consent: Requirement to gain unambiguous consent (i.e., explicit)
- Data Protection Officer (DPO): DPO required for organizations that conduct regular and systematic monitoring of data subjects on a large scale or process Special Categories of data (e.g., healthcare) on a large scale
Top Challenges
- Data Inventories: Article 30 requirement to develop Records of Processing Activities
- Third Party Compliance: Processors held to essentially the same standard as controllers; Article 28 list of requirements
- Cross-Border Data Transfers: Considerations of scope, time, and expense
- Notice and Consent: Requirement to gain unambiguous consent (i.e., explicit); is notice given at every collection point?
- Right to Erasure: How much search and deletion is enough?
Top Challenges
- Privacy By Design & By Default: Art. 25; two considerations: (1) data minimization and (2) information security
- Breach Notification: Meeting the 72-hour requirement
- Data Protection Impact Assessments (DPIA): Art. 29 WP 248 list of 10 criteria
- Data Protection Officer (DPO): Art. 37; determining whether you need a DPO. Some confusion vs. Art. 35 Data Protection Impact Assessments (DPIA)
- Privacy Policy: Implied by Art. 32; a principal organizational control; policies vs. notices
ePrivacy Regulation
ePrivacy Regulation
- In January 2017, the European Commission published the draft ePrivacy Regulation to replace the current ePrivacy Directive
- Consolidates member state implementations and aligns with the General Data Protection Regulation
- Applies to any provider of electronic communications services (ECS) or to any entity that processes electronic communications data
- ECS includes voice telephony, SMS, email, internet access services, services consisting wholly or in part in the conveyance of signals (e.g., radio), VoIP, messaging services including services where the messaging function is ancillary (such as dating apps or video game services), web-based email, connected devices (e.g., Internet of Things devices), and public and semi-private Wi-Fi hotspots.
ePrivacy: What's in scope?
Entities that process electronic communications data now include:
- Telecoms
- Providers of publicly available directories
- Software providers permitting electronic communications, including the presentation and retrieval of online information
- Natural and legal persons who use ECS to send direct marketing communications or collect information from or stored in end users' terminal equipment
The Regulation applies to:
- Data processed in connection with ECS in the EU, regardless of whether the data is processed in the EU or elsewhere
- Data associated with electronic communications sent from outside the EU to users in the EU
Liability & Penalties
- The Regulation permits users to bring suit against any entity that violates the Regulation's provisions. Users may sue for both material and non-material damages.
- Data protection authorities also have the right to impose monetary penalties for violations of the Regulation.
- Administrative penalties for violations of the Regulation will correspond with those laid out in the GDPR, ranging from up to €10M or 2% of worldwide annual turnover to up to €20M or 4% of worldwide turnover, whichever is greater, depending on the type of violation.
The Network and Information Security Directive (NISD)
NISD
The purpose is to ensure a high common level of network and information security across the Union. The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU by ensuring:
- Preparedness via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority
- Cooperation among Member States to support and facilitate strategic cooperation and exchange of information
- Establishment of a CSIRT Network to promote swift and effective operational cooperation on specific cybersecurity incidents
- Creation of the terms Operators of Essential Services (OES) and Digital Service Providers (DSP)
NISD
The Directive covers sectors vital for our economy and society (OES):
- Energy
- Transport
- Water
- Banking
- Financial market infrastructures
- Healthcare and digital infrastructure
Additional providers in scope, the key digital service providers (DSP):
- Search engines
- Cloud computing services
- Online marketplaces
NISD
- Adopted by the European Parliament on 6 July 2016. The Directive entered into force in August 2016.
- Member States will have 21 months to transpose the Directive into their national laws and 6 months more to identify operators of essential services.
- Germany passed the NIS Directive Implementation Act (NIS-Umsetzungsgesetz) in April 2017.
- Significantly increases the territorial and sectoral scope of organizations subject to EU cybersecurity and privacy obligations, and introduces strict data security and breach disclosure obligations with potentially severe penalties for non-compliance.
Discussion
- What are the opportunities for synchronizing internal initiatives to respond to the Triple Threat?
- What foundational steps should be taken over the next 3 months?
- How does the GC balance the business drivers associated with automated processing/profiling and the related security and privacy risks?
- What are three minefields in driving to the finish line?
- Who owns these initiatives?