Come listen to industry experts and in-house privacy officers on how best to prepare.
Please join us on June 5, 2017 for a seminar and discussion on major EU privacy developments impacting US businesses in the upcoming year.
The forthcoming EU General Data Protection Regulation (GDPR) is the most sweeping change to the data protection landscape in the past 20 years and will become effective in just a year's time. GDPR is not just the next incremental change to data privacy regulations. Rather, its impact will be felt by every organization that does business in the EU or handles the personal data of individuals in the EU in any manner. Compliance with GDPR will require businesses to implement not only new procedures for data management and processing but also security and functional requirements that may affect product roadmaps and organizational priorities. Regulators have already signaled that they intend to aggressively pursue fines and enforcement actions against companies found not to be in compliance.
At this seminar, EU privacy expert Chris Jeffery, from the law firm of Taylor Wessing, will provide an update on the coming regulatory guidance. The presentation will be followed by a panel, moderated by Stoel Rives partner Steve Lovett, including Anne Bradley (Chief Privacy Counsel and Global Counsel for Marketing and Digital Commerce at Nike, Inc.), David Fowler (Head of Privacy and Compliance at Act-On Software), Beth Sipula (Senior Privacy Consultant at TRUSTe), and Alex Wall (Senior Counsel & Global Privacy Officer at RADAR, Inc.), who will discuss how organizations of various sizes and industries are preparing for the implementation of GDPR in 2018. An extended Q&A session will follow the panel. We will conclude the event with a happy hour to give everyone an additional opportunity to catch up and further discuss the topic.
This event is sponsored by Stoel Rives, Taylor Wessing, Act-On Software, and the Oregon Chapter of the Association of Corporate Counsel.
When: Monday, June 5, 2017 Event: 2:00 to 4:00 p.m. Happy Hour: 4:00 to 5:00 p.m.
Where: Stoel Rives LLP, 760 SW Ninth Avenue, Suite 3000, Portland, OR 97205
Parking: We will validate parking in the Park Avenue West or SmartPark garages.
RSVP: Click here to register.
Questions: If you have any questions or need additional information, please email email@example.com.
EU General Data Protection Regulation (GDPR)
The EU GDPR is a law designed to enhance data protection for EU residents and provide a consolidated framework to guide business use of personal data across the EU, replacing the patchwork of existing national regulations and frameworks. The 200-plus-page GDPR replaces the 20-year-old Data Protection Directive (95/46/EC). The new law has received a lot of attention because of its complexity and the penalties for noncompliance: fines can be up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.
As a result, many organizations are making significant changes to their privacy programs. To help with these changes, the Article 29 Working Party (WP29) has provided guidance on several of the requirements, summarized below.
1) Right to Data Portability
Article 20 provides data subjects with the right to data portability. The WP29 opinion on this Article helps data controllers understand what their obligations are and provides best practices and tools to help meet compliance obligations for this requirement.
2) Identifying Lead Supervisory Authority
If your organization conducts cross-border data processing, or is unsure whether it does, this guidance provides examples, explains the key concepts for identifying the lead supervisory authority, and includes a set of questions to guide that identification.
3) Data Protection Officer
WP29 helped clarify some terms used in Article 37(1), which lists the situations where a DPO would be required:
a) where the processing is carried out by a public authority or body
WP29 guides that “such a notion is to be determined under national law.”
b) where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale
WP29 clarified that “core activities” means “key operations necessary to achieve the controller’s or processor’s goals” or in other words “an inextricable part of the controller’s or processor’s activity.”
c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses.
The factors WP29 uses to assess "large scale" are summarized below. WP29 also gave guidance on the meaning of "regular and systematic monitoring" and on the expertise and skills a DPO should possess.
These factors should be considered when determining whether the “large scale” threshold is met:
– The number of data subjects concerned – either as a specific number or as a proportion of the relevant population
– The volume of data and/or the range of different data items being processed
– The duration, or permanence, of the data processing activity
– The geographical extent of the processing activity
4) Data Protection Impact Assessment (DPIA)
The WP29 guidance on DPIAs goes through when a DPIA should be conducted, beyond the official text of "likely to result in a high risk to the rights and freedoms of natural persons" (Article 35(1), illustrated by Article 35(3) and complemented by Article 35(4)). WP29 provides these example criteria:
- Evaluation or scoring
- Automated-decision making with legal or similar significant effect
- Systematic monitoring
- Sensitive data
- Data processed on a large scale
- Data sets that have been matched or combined
- Data concerning vulnerable data subjects
- Innovative use or applying technological or organisational solutions
- Data transfer across borders outside the European Union
- When the processing in itself “prevents data subjects from exercising a right or using a service or a contract” (Article 22 and recital 91)
WP29 suggests that a processing operation meeting fewer than two of these criteria may not require a DPIA because of its lower level of risk, while an operation meeting at least two criteria will in most cases require one. Organizations must still use their own judgment, because the two-criteria threshold is only a suggested rule of thumb.
The guidance also goes through what should be included in a DPIA, and when an organization should consult a supervisory authority.
To help organizations deal with the new concept introduced by DPIAs, namely benefits being balanced against risk, TRUSTe is working with the Information Accountability Foundation (IAF) to develop a DPIA construct. It will help organizations understand the benefits that come with the processing. It will also be automated so that organizations can scale their DPIA process, and create the documentation needed for support in case the organization must go to a regulator.
TRUSTe has developed comprehensive solutions to help organizations comply with the GDPR. All solutions are backed by our technology platform so that implementations to comply with the GDPR will be sustainable and scalable. To learn more about TRUSTe EU GDPR solutions, or to speak with a consultant, contact us.