Building a GDPR Compliance Program
ACC Seminar for West Penns Chapter, Pittsburgh
Nick Holland, Partner, Fieldfisher
23 May 2017
Agenda
- Overview of privacy climate
- Route to the GDPR
- Brexit
- Key GDPR changes
- International data flows
- Prioritisation and implementation strategy
- The business case for GDPR readiness
- Option 1: Gap analysis
- Option 2: GDPR capability model
- Option 3: GDPR risk-based approach
- Data mapping
- Draft visual readiness report
- Conclusions
Overview of current privacy climate
- Privacy has become a global issue: new laws in Brazil, Japan, Turkey etc.
- Snowden ripple effects: Safe Harbor, data residency laws, etc.
- New data protection, data security and e-commerce legislation in Europe, all arriving in May 2018
- DPAs (data protection authorities) are better organised and are becoming tougher
- Fines are getting higher and the risk of reputational damage is increasing
- Privacy litigation is growing
- Data breaches are on the increase and therefore...
- Privacy awareness amongst customers and consumers is at an all-time high
Route to GDPR
- January 2012: European Commission publishes proposal
- Jan 2012 – Oct 2014: Votes by EU Parliament and Council
- June – Dec 2015: Trilogue negotiations between the 3 EU institutions
- December 2015: Final compromise agreement
- 27 April 2016: Formal adoption of the GDPR (published in the Official Journal 4 May 2016, in force 24 May 2016)
- 25 May 2018: GDPR applies from this date
- Next steps through 2017/2018: Member State carve-outs; establishment of the EDPB (European Data Protection Board); supervisory authorities' guidance; Brexit
Brexit
- UK votes to leave EU on 24 June 2016
- Article 50 invoked on 29 March 2017, with a potential leave date of 29 March 2019 (two years after notification)
- GDPR will apply to UK businesses selling into the EU or monitoring the behaviour of individuals in the EU whether or not the UK is part of the EU (Art. 3(2) territorial scope)
- UK will either be part of the EEA, in which case EU law continues to apply, or will be a "third country" for privacy purposes
- If a third country, adequacy rules will apply; the UK would be expected to be deemed adequate for data transfers provided existing UK legislation is updated, and the UK government has already signalled it will do this
Key Changes under the GDPR
Accountability: new explicit principle of accountability. It is not enough to comply; the controller must be able to demonstrate compliance (Art. 5(2)), through the measures below.

Key issue: changes introduced by the GDPR

Understanding expanded definitions / new concepts
- Personal data: much broader definition, explicitly including online identifiers
- Pseudonymous data: data that can no longer be attributed to an individual without additional information, which must be kept separately and protected by technical and organisational measures
- Anonymised data: not within scope of the GDPR
- Profiling: automated processing of personal data used to evaluate an individual's "personal aspects"

Data Protection Impact Assessments (DPIA), Privacy by Design/Default
- Controller must carry out a DPIA prior to processing where the processing is likely to result in a high risk to the rights and freedoms of individuals, in particular given the use of new technologies and the nature, scope, context and purposes of the processing
- Also goes towards meeting privacy by design/default requirements

Pseudonymisation, anonymisation and encryption
- Requirement for data controllers and data processors to assess risk and implement "appropriate technical and organisational measures" to ensure the security of data (Art. 32; Recital 83). Pseudonymisation and encryption are named in the text as examples of such measures
- Includes capabilities that protect information which would otherwise reveal a person's identity, or limiting access to and use of personal data by working on "synthetic data"

Data breach notification
- GDPR introduces an obligation to notify personal data breaches: to the supervisory authority within 72 hours of becoming aware (unless the breach is unlikely to result in a risk to individuals); and to affected individuals without undue delay where the breach is likely to result in a high risk to them
- Direct statutory obligations now for processors as well as controllers (a processor must notify the controller without undue delay)

Data subject rights and consent
- GDPR maintains existing rights (right to be informed, right to access and rectify data, right to object to processing) and expands or introduces new rights: right to erasure ("right to be forgotten") and to restrict processing; and right to data portability
- Consent: must be unambiguous (a clear affirmative action), or explicit for sensitive personal data, in order to process in reliance on consent
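The pseudonymisation entry above turns on one property: a pseudonym must not be attributable to a person without "additional information" that is held separately. The following is an added example written for this page (it is not code from the deck or from Fieldfisher) showing what that looks like in practice: identifiers are replaced with an HMAC-SHA256 token under a key that lives with a separate component, the key holder can link a token back to a known identifier, and anyone without the key cannot. It also shows why an unkeyed hash of a low-entropy identifier such as an e-mail address does not meet the bar, because it can be reversed with a dictionary. The field names, sample record and candidate list are constructed for the example.

```python
"""Keyed pseudonymisation of a personal-data record (added example).

The HMAC key is the "additional information" of the GDPR definition and must
be stored apart from the pseudonymised dataset (for instance in a KMS or HSM
owned by a different team); the dataset itself then carries no way back to
the individual.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Fields that identify a person directly and must be replaced before the
# record leaves the controlled zone (constructed list for this example).
DIRECT_IDENTIFIERS = ("email", "national_id")

# Constructed sample input: one health record and a list of e-mail addresses an
# attacker could plausibly guess (a leaked customer list, a company directory).
SAMPLE_RECORD = {
    "email": "Alice@Example.com",
    "national_id": "AB123456C",
    "diagnosis": "hypertension",
}
CANDIDATE_EMAILS = ["bob@example.com", "carol@example.com", "alice@example.com"]


def _norm(value: str) -> str:
    """Canonicalise an identifier so 'Alice@Example.com ' and
    'alice@example.com' map to the same token."""
    return value.strip().lower()


def make_key() -> bytes:
    """Generate a fresh 256-bit pseudonymisation key. Keep it separate from
    the data; whoever holds it can re-identify."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes, domain: str) -> str:
    """HMAC-SHA256 of the identifier. The field name is mixed in as a domain
    separator so the same string used in two fields yields two unrelated
    tokens and cannot be joined across datasets by accident."""
    msg = domain.encode() + b"\x00" + _norm(value).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise_record(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Return a copy of the record with direct identifiers replaced by tokens;
    non-identifying fields are left untouched."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonym(out[field], key, field)
    return out


def reidentify(token: str, key: bytes, field: str,
               candidates: Iterable[str]) -> Optional[str]:
    """Key holder's view: recompute the token for each known identifier and
    look for a match. Without the correct key this search never succeeds."""
    for c in candidates:
        if hmac.compare_digest(pseudonym(c, key, field), token):
            return c
    return None


def unkeyed_hash(value: str) -> str:
    """The anti-pattern: a plain SHA-256 of the identifier, no secret."""
    return hashlib.sha256(_norm(value).encode()).hexdigest()


def reverse_unkeyed_hash(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unkeyed hash. Anyone can run this, which is why
    hashing identifiers without a separately held secret is not
    pseudonymisation in the GDPR sense."""
    for c in candidates:
        if unkeyed_hash(c) == digest:
            return c
    return None


def demo() -> Dict[str, Optional[str]]:
    """Run the three scenarios and return their outcomes."""
    key = make_key()
    pseudo = pseudonymise_record(SAMPLE_RECORD, key)
    return {
        "with_key": reidentify(pseudo["email"], key, "email", CANDIDATE_EMAILS),
        "wrong_key": reidentify(pseudo["email"], make_key(), "email", CANDIDATE_EMAILS),
        "unkeyed": reverse_unkeyed_hash(unkeyed_hash(SAMPLE_RECORD["email"]), CANDIDATE_EMAILS),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points follow from the slide's wording: the key, not the algorithm, is what keeps the data pseudonymous, so the key must be held by a component that does not also receive the pseudonymised records; and because the same input always yields the same token, the token is still personal data in the hands of the key holder, so the pseudonymised dataset remains in scope of the GDPR (only anonymised data is out of scope).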
Key Changes under the GDPR (continued)

Territorial scope
- Broader territorial scope; will apply to: controllers and processors established in the EU that process personal data; and controllers and processors not established in the EU who offer goods or services to individuals in the EU or monitor their behaviour

Data processors
- GDPR introduces direct statutory obligations for processors, including: appointment of a Data Protection Officer (where the DPO criteria are met); record keeping and security obligations; and breach notification: duty to notify the controller without undue delay

Minors
- For online services offered directly to children, consent must be given or authorised by the holder of parental responsibility where the child is below 16 (Member States may lower this threshold, but not below 13)

Profiling
- Individuals must not be subject to a decision based solely on automated processing (including profiling) that either produces a legal effect or similarly significantly affects them, unless the decision is: necessary to enter into or perform a contract with that individual; authorised by law; or based on the individual's explicit consent

Data Protection Officer
- Controllers and processors must appoint a DPO where: their core activities consist of regular and systematic monitoring of data subjects on a large scale; or their core activities consist of large-scale processing of sensitive data or data relating to criminal convictions and offences (public authorities must always appoint one)

Powers of supervisory authorities
- Investigative and "corrective" powers
- Power to impose fines of up to EUR 20 million or up to 4% of worldwide annual turnover, whichever is the higher
Health Data
- Broad definition of sensitive personal data; now explicitly includes genetic data and biometric data
- Expect further conditions from individual Member States
- Processing health data: consent issues; is the processing necessary for the purposes?; public interest exemption; onus on the controller to demonstrate consent was given
- Specific qualified framework for scientific research
- Technical and organisational measures: data minimisation, pseudonymisation
- Repurposing of health data
- Profiling
- DPIAs / exemptions
International Data Flows

Safe Harbor / EU-US Privacy Shield
- Safe Harbor declared invalid in October 2015
- Privacy Shield announced in Feb 2016 and implemented on 1 August 2016
- ONLY deals with data transfers between the US and EU, but is stricter than Safe Harbor
- A large number of US companies have taken this up
- Currently being challenged in the courts

Sign model clauses?
- Fine for intragroup transfers of your own data, although many clause agreements are required and therefore impractical
- Unrealistic if you are a supply-side business

Do Binding Corporate Rules?
- A great global solution for exporting data...
- Expressly approved under Article 47 of the GDPR
- Key component to prove accountability, and accelerates GDPR compliance
- ...but minimum 12-month implementation period

Sign "interpreted" model clauses / global DTA?
- Can't amend model clauses (so they say)
- But is becoming an industry standard: AWS, MS, Salesforce, Rackspace, Softlayer etc.
- Global DTA an easier solution
- Better to sign something you can comply with than something you can't?
What are your options?

Exceptions (derogations: Directive Art 26(1), carried into GDPR Art 49): unambiguous (under the GDPR, explicit) consent? contractual necessity? vital interests? public interest? legal claims?

vs.

Compliance solutions: model clauses? Safe Harbor / Privacy Shield? global DTA? Binding Corporate Rules?
Everything you need to know about Model Clauses
- Data export contract, blessed by the European Commission
- Bipartite: envisage a one-to-one relationship, not one-to-many
- 3 flavours exist; make sure to use the right one!
  - Controller-to-Controller (2001): NEVER, EVER USE!
  - Controller-to-Controller (2004): typically used for group transfers
  - Controller-to-Processor (2010): customer to service provider transfers
- Beloved by EU controllers: terms very much in their favour!
- Enable transfers from an exporting EU controller to importing entities anywhere in the world
- The solution of choice for EU regulators
Model Clauses - pros and cons

Cons
- An administrative nightmare for large transfers!
- Wholly uncommercial terms
- No real ability to amend
- No limitation on liability
- Subcontracting restrictions
- Audit rights
- Do little for privacy in practice
- Need many hundreds of them for global transfers
- Still have to file them with DPAs

Pros
- A 'guaranteed compliant' solution
- Controller and processor versions exist
- Relatively quick to execute
- Enable worldwide exports (not just US)
- Never enforced (yet)
- Your EU customers will like it
Safe Harbor Under Siege
- June 2010: Düsseldorfer Kreis resolution for German companies relying on Safe Harbor
- June 2013: Snowden revelations about NSA mass surveillance
- November 2013: EU Commission issues "Communication" to the European Parliament and the Council, with 13 recommendations for improvement
- March 2014: EU Parliament votes to suspend Safe Harbor (although suspension is not within its competence)
- June 2014: Schrems v Irish DPC before the Irish courts
- February 2015: Two German authorities (Berlin and Bremen) take action against two US Safe Harbor companies
- March 2015: Schrems v Irish DPC heard by the ECJ; Safe Harbor put in the dock
- 6 Oct 2015: ECJ's Schrems decision declares Safe Harbor invalid
Enter the EU-US Privacy Shield
- 16 Oct 2015: Article 29 Working Party (A29 WP) gives EU and US authorities until the end of January 2016 to find a workable solution
- 28 Jan 2016: Amendment to the Judicial Redress Act disrupts and delays negotiations on the new framework
- 2 Feb 2016: 11th-hour agreement reached; EC issues press release on the agreement on data flows
- 29 Feb 2016: EU Commission publishes the Privacy Shield documents and a draft adequacy decision
- 16 March 2016: 27 civil rights organisations say the draft Privacy Shield is not good enough
- 13 April 2016: A29 WP publishes (negative) opinion on the draft adequacy decision
- 26 May 2016: EU Parliament calls on the Commission to re-open negotiations with the US
- 8 July 2016: Article 31 Committee (representatives of the Member States) approves the final version of the Privacy Shield
- 12 July 2016: Commission formally adopts the Privacy Shield framework
- 26 July 2016: A29 WP press statement
- 1 August 2016: EU-US Privacy Shield commences
- 12 April 2017: Swiss-US Privacy Shield commences
Privacy Shield: Safe Harbor on steroids?

Requirements reinforced under the Privacy Shield
- Applies to transfers from both controllers and processors (agents)
- 7 Privacy Shield Principles impose stricter and more comprehensive data protection obligations on U.S. organisations that handle EU personal data
- Transparency and administration by the DoC (Department of Commerce) reinforced:
  - DoC must make publicly available a list of self-certified companies (the Privacy Shield List) and update it annually
  - DoC must keep a record of companies that have been removed from the List and why
  - DoC must provide a link to Privacy Shield-related FTC enforcement cases on the FTC's website
- Oversight and verification of compliance by the DoC reinforced:
  - Privacy policies must comply with the Principles
  - Personal data must be returned, deleted or retained in accordance with the Principles if a company is no longer a Privacy Shield member
  - Monitoring of websites for false claims and misrepresentations
  - Ex officio compliance reviews of self-certified organisations
  - Possibility of removing a company from the Privacy Shield for failure to comply
Privacy Shield Redress Mechanisms
Individuals have access to multiple redress mechanisms:
- Complaint to the self-certified organisation (response within 45 days)
- Independent dispute resolution body (either in the U.S. or the EU) designated by the organisation itself
- National Data Protection Authority: the organisation must cooperate with the DPA when it has voluntarily submitted to DPA oversight or when the processing concerns employee data
- Department of Commerce: complaint made to a DPA and then channelled to the DoC via a dedicated contact point
- Federal Trade Commission: accepts complaints directly from individuals
- Privacy Shield Panel: pool of 20 arbitrators designated by the DoC and the EU Commission; the arbitration decision is enforceable in U.S. courts under the Federal Arbitration Act
Privacy Shield: going beyond Safe Harbor
New elements under the Privacy Shield:
- Voluntary withdrawal from the Privacy Shield
- Privacy Shield Panel
- Limitations on access to and use of personal data by U.S. public authorities
- Privacy Shield Ombudsperson
- Annual joint review mechanism
- Role of the national DPAs
- Suspension, amendment or repeal of the EU Commission's adequacy decision
Privacy Shield: Pros and Cons

Pros
- The only available compliance solution for some companies
- Competitors will adopt it, and you need to keep up with the Joneses!
- (Mostly) enforced by a "known entity" regulator, not some unknown European DPA
- Self-certification highly preferable compared with lengthy BCR approvals
- No need for consent to appoint data processors, and no customer audit rights
- 9-month "grace period" to sort out subcontractors for early registrants
- In time, US "sales cachet"?

Cons
- A lot of uncertainty still: virtually guaranteed to be challenged
- Customers will still want you to sign model clauses with them
- FTC will be under intense pressure to enforce against non-compliance
- Joint annual review mechanism: unknown if and how the Shield will change over time
- What is meant by "same level of protection" in the onward transfer mechanism?
- Still only a US-EU solution and not a global solution
- Interplay between the Shield and model clauses very uncertain
- Is being challenged by Digital Rights Ireland and French privacy groups, and no doubt others will follow
Global DTA (global data transfer agreement, also called a global DPA in the sense of data processing agreement)
- A single global agreement signed by all internal group entities
- Based on model clauses but modernised
- Map of data flows and systems needed
- Accession schedule added to allow for growth or contraction of the corporate structure
- A good solution where BCR is considered too expensive or will take too long, and/or you need something in the meantime while you wait for BCR
Global DTA - Pros and Cons

Pros
- Reasonably quick to finalise (1-3 months)
- Deals with audits, subcontracting rights and liability
- Allows for growth and contraction of corporate structures
- Shows your employees and customers that you have privacy and security protocols in place

Cons
- Still need to file with DPAs (data protection authorities)
- Time is needed to map data flows
- Will not cover Germany, as model clauses will still be required there
What do BCR comprise?
- BCR Policy
- Audit Protocol
- Complaint Handling Procedure
- DPA Cooperation Procedure
- BCR Updating Procedure
- Subject Access Request Procedure
- Training
- Binding Mechanism
BCR - pros and cons

Pros
- The 'gold standard' in the EU
- A solution for controllers and processors
- High degree of self-determination
- Good relationship-building with DPAs
- Provides an entire compliance framework
- Widely recognised in many non-EU territories
- Good for PR and sales
- High degree of future-proofing
- Provides GDPR accountability
- Accelerates and complements a GDPR compliance programme

Cons
- Long lead time to implement: many months
- Experience very dependent on the lead DPA, but you have some flexibility to choose
- Heavier to implement, but more effective for compliance
- Requires approval from three DPAs before the mutual recognition process
What the process entails
- Strategy + drafting (6 months)
- Gap analysis (6 weeks)
- DPA reviews (12 months)
- Authorisation

DPA reviews comprise:
- Initial review by the lead authority
- Co-review by two supporting DPAs
- Mutual recognition peer review (other DPAs)
- Cooperation procedure review (DPAs not under mutual recognition)
BCR – Sounds great, but who else has them?
See:
What does it all mean for my business?
Getting GDPR ready...

...IS
- A transformation programme
- An opportunity to get your house in order
- A way to unlock the value of personal data and gain competitive advantages

...IS NOT
- Easy or quick
- Insurmountable or rocket science
- Something you can do on your own
- The only DP law you must comply with
The business case for GDPR readiness work

Compliance / cost of getting it wrong
- New compliance requirements and higher expectations of compliance
- It's not enough to be compliant; it's whether you can prove it!
- Mandatory data breach notification
- Regulatory audits: supervisory authorities gain the power to carry out data protection audits (Art. 58)
- Fines of up to €20,000,000 or 4% of annual worldwide turnover (whichever is higher)

Commercial / the benefits of getting it right
- New ways to use data (e.g. pseudonymised data)
- Competitive advantages: e.g. empower consumers (and understand them better)
- Speed to market: DPIAs, privacy by design, deal closure and contracting; getting it right means less delay and deal lag
- Mitigate the risk of reputational damage
Prioritisation and implementation strategy

Strategic considerations
- GDPR action plan and ongoing compliance projects
- Dealing with current non-compliance, in particular technical and organisational measures
- Global companies should consider: is the GDPR the standard for the EU or the new global standard?
- Interface with national carve-outs and sectoral regulations
- Cooperation strategy with EU regulators
- Compliance with the six data processing principles of Art. 5(1) (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality), the accountability principle (Art. 5(2)), and in particular data protection by design and by default (Art. 25)

Implementation prioritisation criteria
- Quick wins and low-hanging fruit
- 'Baseline' requirements that have knock-on effects on other requirements
- Biggest business opportunities
- Biggest risks (business and legal)
- Biggest gaps identified in the gap analysis = biggest effort
- Assess internal and external parties involved in data processing operations
Option 1 - Gap Analysis: why, how and who should do it
- Why: understand where you are against GDPR standards and how much work you have to do
- How: gap analysis questionnaire
- Who: privacy function / DPO lead; senior management backing (GDPR champion); support from legal and compliance; external counsel; project team to run it; all parts of the business to input as required
- What's next: GDPR readiness report
Option 1 - GDPR Readiness Report
Sets out, for each GDPR compliance area:
- The GDPR requirement
- What it means for your company
- Where your company is now
- Where it should be to meet GDPR standards
- How to get there
Option 2 – GDPR capability model
Option 2 – GDPR – the capability model
Option 3 – Risk – Based Approach
Ensuring your compliance through data mapping
Using the OneTrust Privacy Management platform ("OneTrust"), Fieldfisher can help you remain compliant with global data protection requirements (particularly the Article 30 record-keeping obligations under the General Data Protection Regulation ("GDPR")), as well as your general information governance requirements. Our methodology follows a simple three-step process to support your ongoing compliance:
Step 1: Generate Inventory
We will create bespoke automated, intuitive and interactive questionnaires (see page 3) to map your data flows according to the processing activities you undertake (for example HR processing, CRM processing, sales and marketing processing, payment processing) and/or on a per-application basis, depending on your requirements.
We will work with you to identify key stakeholders within your business who need to respond to the questionnaires. We understand that these people will likely be busy, so we will ensure that the process is as simple for them as possible: they will receive a simple link that lets them complete the questionnaires at their leisure, with no time-consuming processes such as setting up accounts for respondents.
We will work with you to integrate any existing inventories or information about data flows that you already have, so that you do not duplicate effort. As appropriate, we can make use of intelligent identity scanning.
Example: Automated Questionnaire
Step 2: Report
We will use the questionnaire responses to produce the following illustrative reports:

Article 30 Inventory: This data inventory will act as your Article 30 GDPR data processing record (see page 5). Under the GDPR you must keep detailed records of your processing activities. We will create a data inventory which will be the record of the data flows and assets throughout your business. A data inventory is typically organised according to the data lifecycle of collection, processing, transfers, storage, protection and retention; however, we can tailor the inventory to any framework to suit your needs. The inventory can be exported into common formats should you need to satisfy a request from a regulator or a data controller customer. Typically, you would create a data inventory in a tabular or Excel-based format and need to maintain it manually; with OneTrust, the inventory is maintained live and updated automatically when your processing activities change, when you conduct a DPIA and so on (see Step 3 for more detail).

Using the information in the inventory, we can then produce automated visual maps to represent your data flows:
- Asset Heat Map to represent where your key IT assets are globally (see page 6)
- Data Flow Charts to represent the flows of data both within your organisation and externally (see page 7)
- Cross Border Transfers to represent your compliance with international data transfer regulations (see page 8)
Example: Data Inventory
Example: Asset Heat Map
Example: Data Flow Graph
Example: Cross Border Data Flow Map
Step 3: Keep it Up to Date
Once we have completed steps 1 and 2 to ascertain your current state of compliance, we will work with you to ensure you have a plan to maintain your records as your business changes. Using OneTrust, we can help your records remain current by using the platform's capabilities:
- Automated "what changed" audits (see page 10) are the most common way to keep your inventories and maps up to date. When sending the audit questionnaire, instead of asking all the same questions over again, a best practice is to ask only "what changed" for each question, so as not to create unwieldy, time-consuming processes for your business people.
- Ongoing DPIA and risk assessments on new projects feeding into the data inventory.
- Ongoing vendor assessments feeding into the data inventory.
- Automation to keep the visual maps up to date dynamically based on changes to the underlying inventory.
- Automated scanning tools deployed in parallel to detect any changes in your data processing.
Example: ‘What changed’ audit
Fieldfisher’s Global Privacy & GDPR Readiness Assessment - Process
Sample GDPR Report: Draft Priority Activities (quarterly plan, Q1 to Q4; in the original chart each activity is keyed HIGH, MEDIUM or LOW priority with a target completion quarter)
- E1: Update customer and employee privacy policies
- E2: Update web privacy and cookies statements
- E3: Discussion on strategic intra-group data exports
- E4: Arrangements with 3rd-party providers, including data transfer agreements
- E5: Update and implement data security and data breach processes
- E6: Implement procedures to comply with individual rights: DSAR, erasure, portability and consent
- E7: Data protection impact assessments (ongoing)
- E8: Update registration with local DP authorities and file DTA
- E9: Data protection by design
- E10: Record keeping
- E11: Data privacy training and awareness
- E12: Employee contracts / notices / works council agreements
- E13: Privacy organisation
- E14: BYOD
- E15: Data/document retention
- E16: Marketing advice
- E17: Employee monitoring
- E18: Project management costs for all activities
Conclusions
- New rules. Lots of new rules. Transition is rarely risk-free.
- New rights and obligations, and new tools to support them:
  - Broader definition of personal data; stricter consent requirements
  - Stricter security, mapping and breach notification requirements
  - Data portability and rights to erasure/restriction/objection
  - Pseudonymisation: a tool to secure personal data and preserve critical business processes
- New fines, much higher stakes (fines of up to the greater of 4% of worldwide turnover or €20M)
- Vital to engage with stakeholders NOW and to start planning asap, as there are only approx. 12 months to go
- Vital to do a GDPR audit asap so you know what you have to do and how much it will cost, so you can budget for this for the rest of 2017 and 2018; use Fieldfisher's GDPR audit questionnaire and C-suite GDPR presentation
- For most businesses, unless you actually start the compliance project by summer 2017, it will be difficult to be compliant by May 2018
- Regulators have clearly stated they will start audits very quickly after 25 May 2018, so the clock is ticking
Questions? Nick Holland Partner – London Fieldfisher