The GDPR Question and Answer Guide


The GDPR Question and Answer Guide A Roadmap to Business Requirements and Risks Under the European Union’s Landmark Data Privacy Regulatory Scheme

CYBERSECURITY AND DATA PRIVACY

Attorney Advertising


Attorneys in Goldberg Segalla’s Cybersecurity and Data Privacy, Global Insurance Services, and other practice groups have fielded countless questions from clients and colleagues curious (or concerned) about the European Union’s (EU) General Data Protection Regulation (GDPR), the landmark legislation governing data protection and privacy for all individuals within the European Union, as well as the export of all data from the EU and European Economic Area (EEA). Here, we answer the most frequently asked questions pertaining to the GDPR’s who, what, when, where, how, and why, and offer practical guidance on compliance with the new regulatory scheme.

GDPR OVERVIEW: ORIGINS, INTENT, AND SCOPE

GDPR Legal Background and Public Policy Objectives

As a replacement for the EU’s Data Protection Directive adopted in 1995, the goal of the GDPR was to create clear, enforceable protections for EU citizens (data subjects) with respect to the use (processing) of their personal data (information that can be linked directly or indirectly to a natural person), while encouraging the free transfer of safeguarded data across the EU and, in certain circumstances, outside the EU to third countries with adequate protections for data subjects. The GDPR promotes the public policy goal of incorporating data protection as a fundamental and automatic aspect of modern business, termed “Data Protection by Design and by Default” (explained below). Throughout the “data lifecycle,” from collection through processing and to destruction, the GDPR imposes express limitations on what can be collected and processed, safeguards against the potential abuse of individual rights, and requires transparency in the handling of data by controllers and processors.

With the appropriate safeguards, enforced by supervisory authorities in each member state and overseen by the European Data Protection Board, the GDPR strives to balance the protections of the European Convention on Human Rights (especially Article 8, pertaining to privacy, and Article 10, pertaining to expression) against the social need for economic development.

The Who and the What: GDPR’s Practical Application

GDPR applies to controllers and processors who collect, record, organize, structure, store, adapt, alter, retrieve, use, disclose, or make available (collectively, “process”) any information (personal data) relating to an identified or identifiable natural person within the EU. This includes personal electronic and analog data, such as paper located within a filing cabinet. Controllers are the entities that determine the purposes and means of processing personal data, while processors are the entities that process the personal data on behalf of the controller.

The Where: GDPR’s Global Scope

The single biggest factor driving the ongoing business-world discourse about GDPR is the regulation’s extraterritorial application. GDPR addresses personal data of data subjects within the EU, and applies to all companies within the EU and, beyond that, to any company processing personal data of EU citizens in connection with offering goods or services within the EU, or monitoring citizens’ behavior within the EU. GDPR is a truly global regulation, and as such imposes significant burdens and restrictions on countless non-EU companies in ecommerce, social media, communications technology, professional services, and other sectors that operate globally and traffic in personal data.

GDPR DEFINITIONS, DIRECTIVES, DUTIES, AND MORE

The Privacy Notice: Requirements for Contents and Timing

A controller must provide a notice “in a concise, transparent, intelligible, and easily accessible form using clear and plain language” at the time the data is obtained from a data subject. The notice must contain:
• The identity and contact details of the controller
• The purposes of the processing for which personal data are intended and the legal basis for processing
• The recipients or categories of recipients of the personal data
• The period of time the data will be stored
• The data subject’s right to request access to the personal data, right to data portability, and right to have errors corrected
• The data subject’s right to withdraw consent at any time
• The data subject’s right to lodge a complaint with the government
• Whether the data will be used in automated decision-making, called profiling
• Whether the data disclosure is a statutory or contractual requirement
• The contact details of the Data Protection Officer, if applicable
• The controller’s “legitimate interests” forming the legal basis for processing
• Whether the controller intends to transfer personal data outside the EU

If personal data was not obtained directly from the data subject (e.g., it was obtained from another controller), the controller must still provide the same notice to the data subject within 30 days.

Legal Processing of Personal Data: Situations, Special Categories, and Limitations

Assuming the appropriate privacy notice has been given (discussed above), there are six situations in which processing data is lawful under the GDPR:
• The data subject has given consent (in a manner a controller can objectively demonstrate), which can be withdrawn at any time
• The data is necessary for the performance of a contract involving the data subject
• The data is necessary for compliance with a legal obligation on the controller
• The data is necessary for the protection of the vital interests (life, health, and safety) of the data subject or another natural person
• The data is necessary for a task carried out in the public interest or in the exercise of official authority
• The data is necessary for the “legitimate interests” pursued by a non-public controller

Special rules apply to “special categories” of personal data, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as data pertaining to a person’s genetic or biometric identity, health, or sex life or sexual orientation.

When a controller has legal permission to process personal data, the GDPR contains six additional principles (limitations) governing how a controller may proceed with the processing:
• Processing must be lawful, fair, and transparent
• Data must be collected only for specified, explicit, and legitimate purposes (“purpose limitation”)
• Only the minimal amount of data necessary to achieve the purpose of processing may be used (“use limitation”)
• Data must be accurate and kept up to date as necessary (“data quality”)
• Data must be stored only as long as necessary for processing
• Processing must occur in a secure manner that protects against unauthorized or unlawful processing, or accidental loss, destruction, or damage (“security safeguards”)

The Rights of Data Subjects

Under EU law, data subjects have enumerated rights, which are not absolute, but are strongly protected in almost all circumstances. These include:
• Right of access to the data and to the information contained in the privacy notice
• Right to have the controller rectify mistakes in the data, or to complete the data
• Right to have data erased where no longer needed, where consent is withdrawn, where processing is not lawful, or in other circumstances
• Right to restrict data processing if data accuracy is in question, or where processing is no longer necessary or legitimate
• Right to notification from the controller if data has been erased or rectified
• Right to obtain a copy of personal data in a usable format (“data portability”)
• Right to object at any time to processing or use of data
• Right against “profiling” (use of automated processing of personal data to make decisions), unless permitted by contract or consent or authorized by law

The data subject also has enforcement rights, including:
• Right to lodge a complaint with/against a supervisory authority
• Right to an effective judicial remedy against a controller or processor
• Right to compensation “for the damage caused by processing which infringes” the GDPR
• Right to representation in accordance with the law of the member state

The Controller: Identification and Duties

Controllers decide the purpose(s) for collecting and processing personal data, and are ultimately responsible for ensuring that processing complies with the GDPR. Controllers are expressly required to implement appropriate technical and organizational measures to ensure (and to objectively demonstrate) such compliance. The controller must also select processors that provide sufficient guarantees to implement appropriate technical and organizational measures to ensure that processing will comply with the GDPR and protect the rights of the data subject. The controller must adopt a data protection policy setting forth the technical and organizational measures implemented to ensure data protection. Such policy must include Data Privacy by Design as a Default (see below).

A controller must also maintain written records of each processing activity including the following information:
• Controller’s name and contact details
• Purpose of the processing
• Description of the categories of data subjects and categories of personal data
• Categories of recipients to whom data have been or will be disclosed
• Whether data will be transferred outside the EU
• Estimated time limits for erasure of different categories of data
• A general description of the technical and organizational security measures taken to ensure processing will comply with GDPR

Data Privacy by Design (and as a Default)

Controllers must execute and oversee technical and organizational measures designed to implement data-protection principles, such as data minimization, in an effective manner, and to integrate the necessary safeguards into the processing in order to protect the rights of data subjects. Such measures must ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed; this applies to the amount of personal data collected, the extent of processing, the period of storage, and accessibility.

There are several practical considerations in developing a data protection policy in accord with this principle:
• Proactive assessment of privacy (not reactive)
• Privacy is the default setting (individuals do not need to opt into privacy)
• Privacy is embedded into the design of the product, process, or system (not added as an afterthought)
• End-to-end security spanning the entire data lifecycle
• Data minimization (the least amount of data is collected, processed, disclosed, stored)
• Visibility and transparency in data collection, handling, processing, and deleting
• Keep the user (“data subject”) at the center of analysis (not IT systems or costs)



The Processor: Identification and Duties

The processor processes data on behalf of a controller pursuant to a written contract or other legal act, sometimes called a Data Processing Agreement (DPA), setting forth the controller’s instructions for processing, the subject matter and duration of processing, the nature and purpose of processing, the type of personal data, the categories of data subjects, and the obligations and rights of the controller. The processor is also obligated to ensure confidentiality in handling personal data, including in deletion, and assists the controller with complying with GDPR.

A processor must also maintain written records of each processing activity including the following information:
• Processor’s name and contact details
• Controller’s name and contact details
• Categories of processing being carried out
• Whether data will be transferred outside the EU
• A general description of the technical and organizational security measures taken to ensure processing will comply with GDPR

Security Measures Required Under GDPR

In addition to ensuring that processing complies with the data-protection principles and respects the rights of data subjects, controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with processing (accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, etc.), including:
• Pseudonymization and encryption of personal data
• Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
• Ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
• A process for regularly testing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing

Data Breach Reporting Requirements

“Unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons,” a controller must notify the supervisory authority (government) of a breach within 72 hours of learning of it, including:
• The nature of the breach
• Categories and approximate number of data subjects and data records concerned
• The name and contact details of the controller’s contact point, including the data protection officer (described below)
• The likely consequences of the breach
• Measures taken to address the personal data breach, including measures to mitigate damages

The processor shall also notify the controller of a breach without undue delay, without limitation.

If the breach “is likely to result in a high risk to the rights and freedoms of natural persons,” the controller must also notify the data subject of the breach without undue delay using clear and plain language; however, no notice is necessary if the controller has taken steps before or after the breach to ensure the risk to rights and freedoms will not materialize, including encryption.

The Data Protection Impact Assessment (DPIA)

If a type of processing uses “new technologies … likely to result in a high risk to the rights and freedoms of natural persons,” the controller shall carry out an assessment of the impact of the proposed new processing on the protection of personal data containing the following information:
• Systematic description of the proposed processing, including purposes
• Assessment of the necessity and proportionality of processing compared to purposes
• Assessment of the risks to the rights and freedoms of data subjects
• The proposed measures intended to address the risks, including safeguards, security measures, and mechanisms

Such DPIAs are also required for evaluation of special categories of data and for systematic monitoring of publicly accessible areas on a large scale. The controller must also consult with the supervisory authority prior to processing where the DPIA indicates the processing would result in a high risk in the absence of mitigation measures, providing the DPIA and related information for government review.

The Data Protection Officer (DPO)

A DPO is an independent employee designated on the basis of professional qualities, expert knowledge, and specific abilities, who:
• Informs and advises the controller and processor regarding obligations under the GDPR
• Monitors compliance with the GDPR, including assignment of responsibilities, awareness-raising and training of staff involved in processing, and audits
• Provides advice regarding the DPIA and monitors its performance
• Cooperates with the government/supervisory authority
• Acts as point of contact for the government/supervisory authority, including prior consultation regarding the DPIA

The DPO must be independent of the controller or processor and must report directly to the highest management level of the controller or processor. The DPO cannot receive any instructions from the controller or processor regarding the discharge of these duties. While a DPO can be designated in any case, the GDPR requires public bodies and controllers to appoint a DPO when processing special categories of data or conducting regular and systematic monitoring of data subjects on a large scale.

GDPR COMPLIANCE OVERSIGHT

“Supervisory Agencies” and the European Data Protection Board

Each member state must create a “supervisory agency” to oversee compliance with GDPR. These agencies will have the following broad powers:

Investigative: To order controllers and processors to provide information, to review and audit, to conduct on-premises investigations, and to review all personal data.

Corrective: To deliver warnings, reprimands, compliance orders, and communication directives; to withdraw certifications; to impose administrative fines; to suspend data flows.

Authorization and Advisory: To approve DPIAs and codes of conduct, certificates, standard contract clauses, and binding corporate rules.

The European Data Protection Board consists of representatives from each supervisory agency, and the European Data Protection Board Supervisor. The board resolves disputes between supervisory agencies of member states, among other things, and renders opinions regarding proposed codes of conduct, certifications, binding corporate rules, contractual clauses, accreditation, etc.

Fines, Penalties, Liability, and Corrective Action

Liability: Controllers and processors are jointly and severally liable to any data subject who was injured as a result of a violation of the GDPR.

Corrective Action: Supervisory authorities can order controllers and processors to take any number of corrective actions to comply with the GDPR.



Penalties: Member states of the EU are authorized to set down penalties against controllers and processors, in addition to what is provided for within the GDPR.

Fines: Each supervisory authority is empowered to assess fines based on a number of factors, including the nature of the infraction, mitigation of damages, prior history, degree of responsibility, categories of data, cooperation with law enforcement, etc., with two specific tiers of “maximum” fines for significant violations:
• EUR 10M / 2 percent annual turnover — infringements of obligations under GDPR, of a certification body, or of a monitoring body
• EUR 20M / 4 percent annual turnover — violation of basic principles of processing, violation of basic rights, any obligation under member state law, non-compliance with orders, or unauthorized transfers to third countries outside the EU

Certifications and Approved Codes of Conduct

The supervisory authority can approve a number of tools to demonstrate compliance with the GDPR, including codes of conduct, certifications, standard contractual clauses, and binding corporate rules, all of which are “shorthand” for compliance with GDPR. The national supervisory authority or commission must approve the relevant devices, and the controller and processor must of course ensure compliance with the same (the EU-US Privacy Shield and EU-Japan Economic Partnership Agreement are examples).

Lawful Transfer of Personal Data Outside the EU

There are three routes to allowing the transfer of personal data outside the EU. First, a member state’s supervisory authority can make an adequacy determination finding that the third country ensures an adequate level of protection based on: (1) the rule of law, respect for human rights and fundamental freedoms, and relevant legislation; (2) the existence of independent supervisory authorities; and (3) international commitments involving the third country.

Second, a controller or processor can provide adequate safeguards, provided enforceable data subject rights and effective legal remedies for data subjects are available. Adequate safeguards include:
• Legally binding and enforceable instruments between public authorities or bodies
• Binding corporate rules
• Standard data protection clauses adopted by the commission or supervisory authority
• Approved codes of conduct
• Approved certification mechanisms
• Provisions in contracts or administrative agreements

Third, in “specific situations” where the controller has informed the supervisory authority, transfer is allowed with the data subject’s consent, or if the transfer is necessary for performance of a contract involving the data subject, for the public interest, for the exercise or defense of legal claims, or for the protection of vital interests.



The Goldberg Segalla Cybersecurity and Data Privacy Practice Group is a multidisciplinary team of attorneys working across the country to counsel, train, and defend clients in numerous industries facing all conceivable cybersecurity and data-related matters. With verdict-tested trial lawyers, preeminent intellectual property litigators, and leading regulatory attorneys collaborating to provide 360-degree cyber counsel, our team offers strategic partnership and comprehensive defense to industry-leading companies, their executives and IT professionals, and their insurers.

To learn how our teams can work together, contact:

John F. Stephens, Cybersecurity and Data Privacy Practice Group Chair
213.415.7201 | jstephens@goldbergsegalla.com

James M. Paulino II
585.295.8351 | jpaulino@goldbergsegalla.com

711 3rd Avenue | Suite 1900 | New York, NY 10017

New York | Illinois | Florida | California | Maryland | Missouri | North Carolina | Pennsylvania | New Jersey | Connecticut | United Kingdom

Attorney advertising. ©2018 Goldberg Segalla.

www.goldbergsegalla.com

