General Data Protection Regulations (GDPR)
Resources for Practice & Litigation Support
April 2016, Effective May 25, 2018
Are you GDPR ready? If so, can you provide an explanation on how you are complying? If not, can you explain why it does not affect your organization?
Gone are the days when an e-Discovery team strictly handles EDRM and document review. It is essential to evolve with the industry to understand what data is where, where it came from, why we have it, what we do with it, and know where we need to go to get what we need. Additionally, being compliant in the governance of data is also essential.
GDPR compliance brings new guidelines that require (or strongly suggest for some), data mapping, data placement, and educational efforts to properly handle sensitive data – specifically, personal data. Lit Support professionals can be an integral part of new matters and growing business if new regulations are recognized, optimized and applied.
There is no shortage of guidance for GDPR compliance; however, the information varies from over-simplified to extremely extensive. This is sort of a “nutshell” approach to review and assess, or just to answer some basic questions.
How Does GDPR Affect Practice & Litigation Support
Data Subject and Personal Data
Key Points to Understanding GDPR’s Purpose and Intentions
Key Changes Happening Under GDPR
Know Your Role: Controller v. Processor
So Many GDPR Acronyms
Public Resources: List
How Does GDPR Affect Practice & Litigation Support?
- Your team manages data within EU member states and/or personal data of EU citizens.
- You handle or manage Litigation Holds for global organizations; thus, potential EU data.
- You have vendors or third parties housing your international data:
Data Subject and Personal Data
Data Subject: A natural person whose personal data is processed by a controller or processor.
Personal Data: Any information related to a natural person or “data subject” that can be used to directly or indirectly identify the person, unique to the person:
- General Information: Name, address, phone number, birthdate, ID number, etc.
- Can also include information such as IP addresses and pseudonyms.
- Special categories and other sensitive personal data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning a natural person’s sex life or sexual orientation, and data concerning a minor (https://gdpr-info.eu/art-9-gdpr).
KEY POINTS to Understanding GDPR’s Purpose and Intentions:
- Create a legal framework of trust
- Give back control of personal data; it redefines or reiterates “Consent,” accountability of data sharing source(s), and other parameters to guide processors and controllers of data.
- Enhance the data protections across 28 participating European Union (EU) member states.
- Base guidelines for EU – Member states can further specify
- Harmonize and grow business
- Make regulations uniform, create equal standing
- Reduce red tape
- Reduce costs
- Reiterate rules – most rules are not new. General Data Protection Regulations (GDPR), effective May 25, 2018, bring changes but most rules are not new. GDPR will supersede Data Protection Directive where there is conflicting or vague information
- Build Compliance – Create Compliance Pacts to transfer data, build certifications, and collaborate to “harmonize” data safe holds.
- Regulators to assist in understanding GDPR compliance, and to prevent sanctions.
- Data Protection is part of larger organizational operations, not just legal anymore.
- Establish common decisions on transporter issues
- Case Law precedes the effective date of GDPR.
- Penalties are applicable; these are not just guidelines for best practices.
- Have a legal explanation on how data is handled.
Key Changes Happening Under GDPR
Increased Territorial Scope (extra-territorial applicability) – Extended jurisdiction and will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.
Penalties – Breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (Euros), whichever is greater. This is the maximum penalty.
- A tiered approach to fines also exists
- Applicable to both controllers and processors
Consent – Stronger conditions to require clear language! Ensure your terms and conditions are clear, as the request for consent must be given in an intelligible form, easy to use.
- Encourage clear language and forms, and reward transparency.
- Avoid long illegible terms and conditions full of legalese.
- It must be as easy to withdraw consent, as it is to give it.
- Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below 13.
Breach Notification – There is now a timeline for notifications required to both the lead supervisory authority and data subjects for personal data breaches.
Privacy by Design – This is not a new concept but is now a legal requirement in GDPR.
- “The controller shall…implement appropriate technical and organizational measures…in an effective way… in order to meet the requirements of this Regulation and protect the rights of data subjects.”
- Controllers to hold and process only the data absolutely necessary (data minimization), and limit the access to personal data to processors.
Data Protection Officers – A new requirement under GDPR for controllers and processors “controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and .”
- The DPO:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge data protection law and practices
- May be appointed internally or by an external service provider
- DPO contact information must be made public by .
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest.
Data Subject Rights
- Right to Access – This dramatic shift to transparency and empowerment expands the rights of data subjects to obtain of data (processed or not), why and where it was processed, and the option for a copy of personal data.
- Right to be Forgotten aka Data Erasure
- subject is entitled to have the data controller erase his/her data, cease further dissemination of the data, and potentially halt processing of data.
- Erasure conditions apply, including the data is no longer relevant to original purposes for processing or data subject withdraws consent.
- Requires controllers to compare subjects’ rights to “the public interest in the availability of the data” when considering erasure.
- Data Portability – This is new. GDPR introduces this right for a data subject to receive personal data concerning them in a ‘commonly use and readable format’ [sic] and have the right to transmit that data to another controller. Types of formats are not defined.
Know Your Role: Controller v. Processor
Controller: The natural or legal person, public authority, agency or which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Article 24: Responsibility of the controller: (1) Taking into account the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary (see more at http://www.privacy-regulation.eu/en/article-24-responsibility-of-the-controller-GDPR.htm ).”
Processor: A natural or legal person, public authority, agency or which processes personal data on behalf of the controller.
So Many GDPR Acronyms, So Little Time
BCR: Binding Corporate Rules
DPA: Data Protection Authority
DPIA: Data Protection Impact Assessment
DPO: Data Protection Office
ESI: Electronically Stored Information
GDPR: General Data Protection Regulations
MCC: Model Contract Clause
PIA: Privacy Impact Assessment
Public Resources:
Resource to Educate: https://www.eugdpr.org/
International Association of Privacy Professionals
https://iapp.org/train/gdprready/
Plan (GDPR Articles)
http://www.privacy-regulation.eu/en/index.htm
Consulate General of France in New York Resources:
the CNIL’s Guide to GDPR, the European press release on the subject, the detailed European guide on GDPR, the Commission’s Q&A and the Handouts for specific actors (especially SMEs).
New York University:
https://wp.nyu.edu/compliance_enforcement/2017/12/11/the-general-data-protection-regulation-a-primer-for-u-s-based-organizations-that-handle-eu-personal-data/
1995’s Data Protection Directive
https://en.wikipedia.org/wiki/Data_Protection_Directive
1998’s Data Protection Act (superseded by GDPR)
https://www.itgovernance.co.uk/data-protection
EXTRA HELP
https://gdpr-info.eu/
https://iapp.org/news/a/what-does-territorial-scope-mean-under-the-gdpr/
https://eugdprportal.godaddysites.com/more-resources-1.html
https://www.gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors/
https://www.eugdpr.org/glossary-of-terms.htm
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
https://www.pwc.com/us/en/cybersecurity/general-data-protection-regulation.html
https://www.nymity.com/gdpr/
*Disclaimer: This is a collection of resources and not legal advice.
#GDPR#LegalSEC#IT Leaders with Modest Resources
#Security#LitigationSupportoreDiscovery