Special Edition February 2016 Print Version For more information, please contact one of our global Privacy team members: Anne-Marie Allgrove Global Chair, IT/C Partner, Sydney +61 2 8922 5274 email@example.com EMEA Elisabeth Dehareng Partner, Brussels +322 639 3705 firstname.lastname@example.org Daniel Fesler Partner, Brussels +322 639 3658 email@example.com Francesca Gaudino Partner, Milan +39 0 2762 31452 firstname.lastname@example.org Raffaele Giarda Partner, Rome +39 06 4406 3224 email@example.com Dyann Heward-Mills Partner, London EU General Data Protection Regulation (GDPR) Game Plan Series – Part 1 The end of the year saw a flurry of activity with respect to the GDPR. The biggest change in EU data protection law in two decades is imminent. The GDPR will affect the way companies collect, process, store and transfer personal data in and out of the EU. The GDPR is set to become effective mid-2018. Companies should assess how the GDPR will affect their business models and data processing practices and start formulating a Game Plan to address the transitional steps they would need to take locally, regionally and globally to meet compliance when the GDPR comes into force. We have identified 13 areas of particular interest that companies could use to prepare for the new regulations and prioritize their actions. Baker & McKenzie's GDPR Game Plan programme includes a series of three webinars in which our experts explore those Game Changers in the GDPR. To complement our webinar series, we are publishing practical analyses of those 13 Game Changers to help companies prepare for the GDPR. Our GDPR Game Plan series will provide practical step-by-step guidance to: a) help organisations understand the GDPR requirements, in a global, EU-wide and local context; b) assist privacy and compliance teams prepare for the GDPR; and c) provide practical implementation steps for your GDPR Game Plan. In this Special Edition of LegalBytes we are delighted to present the first set of our practical analyses exploring the major GDPR Game Changers. In this edition, we will cover DPOs, data breach incident management, cross-border data transfers, consent and data mapping. We will address the remaining Game Changers in the next couple of months. +44 20 7919 1269 firstname.lastname@example.org Daniel Krone Partner, Munich +49 89 5 52 38 156 email@example.com Denise Lebeau-Marianna Partner, Paris +33 1 4417 5333 firstname.lastname@example.org Nicolas Passadelis Partner, Zurich +41 443 841 209 email@example.com Raul Rubio Partner, Madrid +34 91 436 6639 firstname.lastname@example.org Michael Schmidl Partner, Munich +49 89 5 52 38 155 email@example.com Wouter Seinen Partner, Amsterdam +31 20 551 7161 firstname.lastname@example.org Julia Wendler Partner, Munich +49 89 552 38242 email@example.com Anna von Dietze Senior PSL, Dusseldorf firstname.lastname@example.org North America Lothar Determann Partner, Palo Alto +650 856 5533 email@example.com Brian Hengesbaugh Partner, Chicago +1 312 861 3077 firstname.lastname@example.org Theo Ling Partner, Toronto +416 865 6954 1. Data Protection Officers – Must have, nice to have or safe to ignore? The Data Protection Directive 95/46/ EC does not provide for a mandatory Data Protection Officer (“DPO”) appointment. Under the GDPR, this is set to change: certain private and most public sector organisations will be required by law to appoint a DPO to oversee their data processing operations. The agreed compromise version of the DPO requirement is a DPO requirement ‘lite’ compared to what the EU Commission and Parliament had originally proposed. Businesses may, however, give serious consideration to appointing a DPO on a voluntary basis to discharge compliance obligations under the GDPR. Key Points to Note 1. Virtually all public sector bodies will be required to designate a DPO under the GDPR. 2. When it comes to the private sector, the GDPR introduces a limited mandatory DPO requirement. Controllers and processors will only be required to designate a DPO if their core activities consist of: processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or processing on a large scale of special categories of data or data relating to criminal convictions and offences. 3. That said, Member States are free to introduce broader national DPO requirements. 4. Even if not required to designate a DPO, multinationals operating across the EU would be well advised to consider appointing a DPO on a voluntary basis as this might be the most effective and efficient way to discharge their comprehensive GDPR compliance obligations. 5. Organisations will have substantial discretion in designing and implementing their DPO strategy and would be wise to thoroughly consider available options. Please click here for our detailed analysis of the DPO requirement under the GDPR and your “DPO” Game Plan. 2. New Pan-European Data Breach Notification Obligations email@example.com Latin America Guillermo Cervio Partner, Buenos Aires +54 11 4310 2223 firstname.lastname@example.org Another key change under the GDPR will be the introduction of general (non-sector specific) data breach notification obligations. Subject to limited exceptions, data controllers will be required to notify personal data breaches to the competent supervisory authority and, in certain cases, also to affected data subjects. The pan-European data breach notification scheme is set to become a major compliance hurdle for organisations operating within the EU. Businesses are well advised to treat this as a compliance priority. Key Points to Note 1. Controllers must notify a personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk for the rights and freedoms of individuals. 2. Subject to limited exceptions, controllers must communicate a personal data breach to data subjects without undue delay if the breach is likely to result in a high risk for their rights and freedoms. 3. Organisations will need to put in place data breach incident management plans and update their controller/ processor contracts. 4. Non-compliance exposes organisations to substantial fines and damage to reputation. Please click here for our detailed analysis of the new data breach notification requirements and your “Data Breach Notification” Game Plan. 3. Overhauled Cross-border Data Transfer Rules Designing and implementing a privacy-compliant cross-border data transfer strategy is a complex and challenging task. It requires a thorough analysis of one’s data flows as well as the applicable legal frameworks which vary between countries and are generally complex sets of rules. It further requires a complicated risk assessment to determine if the proposed transfers will provide an adequate level of protection for the rights of the data subjects or if additional safeguards must be adduced. As cross-border data transfers are poised to remain a top priority for EU privacy regulators in the foreseeable future, businesses would be prudent to start now the (potentially lengthy) process of designing and implementing a GDPR compliant cross-border data transfer strategy. Key Points to Note: 1. In principle, the GDPR will retain the cross-border data transfer rules of the Data Protection Directive: data may be transferred out of the EU/EEA only to countries which have been recognised as providing an adequate level of data protection, unless the transferor can rely on specific derogations or adduces specific additional safeguards ensuring an adequate level of data protection. 2. Subject to the changes listed under (4) below, the list of available derogations and options for adducing additional adequate safeguards will remain the same. 3. Adequacy decisions and standard contractual clauses issued by the Commission under the Data Protection Directive as well as BCRs and contractual clauses approved by national supervisory authorities under the Data Protection Directive, will remain valid unless and until formally amended, replaced or repealed. 4. Noteworthy changes to the cross-border data transfer rules include the following: i. Transfers will no longer be subject to countryspecific authorisation processes except that transfers based on contractual clauses which have not been adopted or approved by the Commission will require specific supervisory authority approval. ii. Adequacy decisions will be subject to clearer and more prescriptive standards as well as regular review and may be made in relation to territories and industry-sectors within a country. iii. The GDPR offers certification mechanisms and codes of conduct as additional options for adducing appropriate safeguards. iv. BCRs will be formally recognised as measures adducing appropriate safeguards and will be subject to uniform rules when it comes to their adoption. v. Approved standard contractual clauses may be supplemented with additional clauses or safeguards subject to certain conditions. vi. Transferors wanting to rely on consent as a derogation will need to inform the data subject about the risks resulting from the transfer before obtaining his/her explicit consent. vii. The GDPR will introduce one new but very limited derogation which may help legitimise occasional transfers which are small in scope and would otherwise be prohibited. Please click here for our detailed analysis of the overhauled cross-border transfer rules and your “Cross-border Data Transfer” Game Plan. 4. Consent under the GDPR The concept of consent has long been enshrined in European data protection legislation and is a core processing condition under the Data Protection Directive. The GDPR will retain the concept of consent as a processing condition, and the requirements for consent will largely remain unchanged. Nonetheless, organisations would be well advised to assess the validity of any consents they might be obtaining now or in the future given that failure to comply with the consent requirements may trigger the maximum applicable administrative fines under the GDPR. Key Points to Note 1. Consent as a processing conditions is retained in principle. 2. The GDPR is more prescriptive when it comes to the requirements for consent but the new rules largely transpose into law what was required anyway by supervisory authorities under the current regime. 3. The key change is that, under the GDPR, consent will require a clear affirmative action. Silence, pre-ticked boxes and inactivity will no longer suffice for there to be valid consent. 4. The GDPR also introduces a requirement for parental consent where information society services are offered to children. 5. Pre-GDPR consents will continue to be valid under the GDPR (without any confirmation or other action from data subjects required) provided they conform to the GDPR requirements for consent. 6. Non-compliance exposes organisations to substantial fines. Please click here for our detailed analysis of the revised concept of consent and your “Consent” Game Plan. 5. Data Mapping In the past years, we have witnessed an incredible increase in the amount of data that organisations of all sizes and natures collect and process. Personal data has been heralded as “the new gold” and using personal data smartly will most certainly boost profitability. Unfortunately, using data smartly is easier said than done. It warrants a strategic approach which takes into account the operational needs, capacities and goals of an organisation on the one hand and the applicable legal and regulatory privacy requirements on the other hand. This, in turn, requires organisations to understand their data flows, i.e., what categories of data do I hold where, who “owns” and who gets access to that data, and to which recipients do I disclose the data. However, in reality, organisations are frequently not (or, at least, not sufficiently) aware of what data exactly they collect and process for what purposes, who has access to that data and where that data is being held for how long. This is where Data Mapping comes into play. Data Mapping is the process of identifying, understanding and mapping out the data flows of an organisation. A good Data Map (also referred to as a “Data Inventory”) will provide a comprehensive overview of the data flows within, to and from an organisation. Key Points to Note 1. Data Mapping is an prerequisite for any privacy compliance strategy. 2. Data Mapping will help organisations comply with various GDPR obligations and/ or other applicable privacy laws and regulations. 3. A Data Map can be a valuable business asset beyond privacy compliance as it can deliver various operational benefits, such as improved efficiencies of business processes and IT systems and smarter use of data. 4. Data Mapping requires a structured and planned approach involving various steps and, ideally, the use of specialised software. Please click here for our detailed analysis of Data Mapping requirements under the GDPR and beyond as well as your “Data Mapping” Game Plan.