Cyberforum 2018 March 8, 2018 Los Angeles GDPR & SECURITY Peter Z. Stockburger, Senior Managing Associate, Dentons Francoise Gilbert, Shareholder, Greenberg Traurig, LLP Thomas Peistrup, General Counsel, InStyler/Tre Milano Elvis Stumbergs, Counsel, Office of Privacy, Sprint

Security – One of the 7 Data Protection Principles Personal data must be processed in a manner that ensures appropriate security of the personal data, including Protection against unauthorized or unlawful processing Protection against accidental loss, destruction, or damages Using appropriate technical and organizational measures Controller is responsible for, and must be able to demonstrate compliance

Security Obligations of Controllers & Processors Implement appropriate technical and organizational security measures that take into account the state of the art, the cost of implementation, the nature, scope, context and purpose of the processing, and the risk of varying likelihood and severity for the rights and freedoms of individuals (Art. 32) Including, as appropriate: Pseudonymization and encryption of personal data Ability to ensure confidentiality, integrity, availability and resilience of the processing systems and services Ability to restore the availability and access to personal data in a timely manner in the event of physical and or technical incident Process for regularly testing, assessing and evaluating the effectiveness of the measure Maintain a record of the technical and organizational security measures (Art. 30) May instead comply with a Code of Conduct

Security Obligations of Controllers & Processors Data Protection Impact Assessment (DPIA), when required, must: Indicate the measures envisaged to address the risks to the data and to the rights of the data subjects, including the security measures and mechanisms to ensure the protection of personal data, and Demonstrate compliance with the GDPR Controller dealing with Processors Conduct appropriate due diligence when selecting processors and subprocessors Enter into written contracts with processors regarding scope of data uses and protection of personal data

Personal Data Breach “Personal Data Breach” : a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, access to, personal data transmitted, stored or otherwise processed Controller must document any personal data breach: Facts relating to the breach Its effects The remedial action taken Documentation must enable the Supervisory Authority to verify compliance Controller Notification to Supervisory Authority (Art. 33) Without undue delay, and where feasible within 72 hours of identifying an incident If notification is not made within 72 hours, Controller must provide reasons for the delay Exception: If Controller can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of individuals

Personal Data Breach Controller notification to affected individuals (Art. 34) Required only if the breach is likely to result in a high-risk to the rights and freedom of the individuals Not required if data is unintelligible, Controller has taken measures to ensure that the high risk is no longer likely; or contacting each individual would require disproportionate effort Supervisory Authority may require the Controller to make the notification, even if the Controller previously determined that the notification was not required Processor Notification to Controller Required without undue delay