Presentation is loading. Please wait.

Presentation is loading. Please wait.

GDPR is There, Are you Ready?

Published byHelen Underwood Modified over 5 years ago

Similar presentations

Presentation on theme: "GDPR is There, Are you Ready?"— Presentation transcript:

1 GDPR is There, Are you Ready?
30 May 2018 Charles-Albert Helleputte Partner, Brussels Diletta De Cicco Legal Consultant, Brussels

2 Welcome As members, you were invited by CIRFS to attend today’s event. Do you have any privacy expectations? In order to register to the event, we, as speaker, filed a registration form with many details (including dietary requirements) What should have happened (if anything) between CIRFS and Mayer Brown What happens now? 2

3 GDPR in 30 minutes The New Privacy Framework GDPR Jargon
Data Protection Principles GDPR: Key Changes and what they mean Legal Basis for Processing New Controller / Processor obligations Q&A

4 The New EU Privacy Framework
The GDPR introduces new rules for data processing activities: Directive vs. Regulation - Introduction of a single set of rules applying to all Member States New enforcement measures: Fines up to the greater of 20 million Euros or 4% annual worldwide turnover Extraterritoriality principle: GDPR will also apply to organisations based outside the EU if they target or monitor EU individuals

5 GDPR Jargon Personal data Processing Data controller Data processor
Any information relating to an identified or identifiable natural person Processing Any operation or set of operations performed on personal data or on sets of personal data Data controller Natural or legal person that determines the purposes and means of the processing of personal data Data processor Natural or legal person, that processes personal data on behalf of the controller

6 Data Protection Principles
8 core Data Protection principles Transparency Fairness Lawfulness Purpose limitation Security Integrity Quality Data minimisation

7 GDPR: The Key Changes … New data loss notification obligation: The relevant DPA must be notified without undue delay and where feasible within 72 hours. The individuals affected may also have to be notified New data privacy governance requirements: A data protection officer may have to be appointed and organisations will be required to map their processing activities and undertake data protection impact assessments for higher risk processing A requirement to implement ‘privacy by design’: Businesses must take a proactive approach to ensure that an appropriate standard of data protection is the default position taken Strengthening of individuals’ rights to personal data: Individuals will have ‘right to be forgotten’, the ‘right to data portability’ and the right not to be subjected to automated data profiling

8 GDPR: The Key Changes and what they mean
Practical Example, Newsletter sent to contacts Current footer (at best) : Upcoming footer: When you subscribed to our newsletter, you provided us with your name and address (“Personal Data”) and you consented to receive our newsletters. In order to send newsletters, we use MailChimp, a third party company based in the United States of America and providing marketing services. We have taken steps with MailChimp to ensure that the transfer of your Personal Data to them complies with EU Data Privacy Laws. You can find more information on the above in our Newsletter Privacy Policy [link to the privacy policy]. You can also contact us at [insert ]. If you would like to unsubscribe from our newsletter, please follow this link [insert opt-out link]. unsubscribe from this list why did I get this?    unsubscribe from this list    update subscription preferences

9 GDPR: The Key Changes and what they mean
Policies and procedures should be updated to detail how your organisation will practically comply with the new requirements Data breach notification Policy Retention and destruction policies IT security policies Data processing register Procedures to respond to data subjects’ requests

10 Legal Basis for Processing
You need to rely on specific legal grounds to process Personal Data: Consent Contractual necessity Legitimate interest Vital interest Public interest Compliance with legal obligations Are all of those new? Can you identify which one is the most affected under GDPR?

11 Legal Basis for Processing
Consent Threshold for valid consent significantly increased. Consent must be: freely given, specific, informed and unambiguous When relying on consent, you should provide a “tick-the-box” (and no pre-ticked ones) option or specific statement required to demonstrate acceptance of the proposed processing Necessary for the Performance of a Contract Controller must conduct a necessity test: you cannot process information that is not necessary for the purposes of the contract Relevant when you need to process your employees’ personal data to provide them with the payment of their salaries Legitimate interest Personal data may be processed if the controller has a legitimate interest in processing the data AND if the legitimate interest is not overridden by the rights or freedoms of data subjects Legitimate interest could include processing for direct marketing purposes

12 Legal basis for Processing: are re-consent emails an option?
What happens to your old database? You would like to contact all the individuals already included in your database to ask their consent on whether they would like to receive your newsletter going forward Honda Motor Europe fined £13,000 Honda sent an to 289,790 contacts asking “Would you like to hear from Honda?” Honda was trying to comply with GDPR: the was sent in order to clarify how many of the subscribers would like to receive marketing s going forward. Key take-away:  Even asking for consent is classified as marketing and is in breach of the upcoming GDPR

13 New controller/processor obligations
Controllers must use a high degree of care in selecting processors Contracts must be implemented that contain a range of information– e.g., data processed and duration, obligations such as data breach reporting, use of technical measures, audit assistance obligations, etc. Data transfer restrictions apply to controllers and processors Controllers should review whether any of the third parties they share personal data with is located outside the EEA and ensure they have a legal transfer mechanism in place IN PRACTICE Look at your vendors’ Terms and Conditions and consider whether signing a Data Processing Agreement is necessary. If something goes wrong, you will be liable under GDPR

14 You have done all of that … Why are you listening to us?

15 You haven’t, it is time to start

16 GDPR Compliance in 8 Steps
1 Inform Your Leadership, Formulate a Plan 2 Map the Personal Data that Your Organisation is Processing 3 Decide Whether a Data Protection Officer Should be Appointed 4 Address the Risks Identified in Any Data Processing Activities 5 Review the Grounds Under Which Personal Data is Being Processed 6 Draft or Review Information Notices 7 Update Your Data Governance Policies and Procedures 8 Review Your Contracts with Third Parties

17 You don’t need our consent!

18 Charles-Albert Helleputte Partner (Brussels) T: + 32 (0) 2 551 59 82 E: Chelleputte@mayerbrown.com
Diletta De Cicco Legal Consultant (Brussels) T: +32 (0)

19 Thank you for your attention

20 Notice The material in this presentation is provided for informational purposes only and does not constitute legal or other professional advice. You should not and may not rely upon any information in this presentation without seeking the advice of a suitably qualified attorney who is familiar with your particular circumstances. Mayer Brown Practices assumes no responsibility for information provided in this presentation or its accuracy or completeness and disclaims all liability in respect of such information. Mayer Brown Practices is, unless otherwise stated, the owner of copyright of this presentation and its contents. No part of this presentation may be published, distributed, extracted, reutilized or reproduced in any material form (including photocopying or storing it in any medium by electronic means and whether or not transiently or incidentally to some other use of this publication) except if previously authorized in writing. Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the “Mayer Brown Practices”). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP; two limited liability partnerships established in the United States, Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership. The Mayer Brown Practices is known as Mayer Brown JSM in Asia.

Download ppt "GDPR is There, Are you Ready?"

Similar presentations

Mayer Brown is a global legal services organisation comprising legal practices that are separate entities (Mayer Brown Practices). The Mayer Brown Practices.

Mayer Brown is a global legal services organisation comprising legal practices that are separate entities ("Mayer Brown Practices"). The Mayer Brown Practices.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
The EU General Data Protection Regulation Frank Rankin.

The EU General Data Protection Regulation Frank Rankin.
Data protection—training materials [Name and details of speaker]

Data protection—training materials [Name and details of speaker]
Students’ Unions 2011 Data Protection and Students’ Unions Mairead O’Reilly 19 July 2011.

Students’ Unions 2011 Data Protection and Students’ Unions Mairead O’Reilly 19 July 2011.
General Data Protection Regulation (EU 2016/679)

General Data Protection Regulation (EU 2016/679)
Data Protection Officer’s Overview of the GDPR

Data Protection Officer’s Overview of the GDPR
Key changes with the GDPR

Key changes with the GDPR
Accountability & Structured Privacy Management

Accountability & Structured Privacy Management
The future of data protection: General Data Protection Regulation

The future of data protection: General Data Protection Regulation
GDPR (General Data Protection Regulation)

GDPR (General Data Protection Regulation)
Presentation to GTMC on GDPR

Presentation to GTMC on GDPR
Operationele blik op GDPR

Operationele blik op GDPR
GDPR – What’s it all about???

GDPR – What’s it all about???
GDPR – Legal Aspects Desislava Krusteva, Attorney-at-Law, CIPP/E

GDPR – Legal Aspects Desislava Krusteva, Attorney-at-Law, CIPP/E
General Data Protection Regulations: what you really need to know

General Data Protection Regulations: what you really need to know
Data Protection The Current Regime

Data Protection The Current Regime
General Data Protection Regulation

General Data Protection Regulation
General Data Protection Regulations Preparing for the upcoming changes in data protection law David Jones & Angharad Williams.

General Data Protection Regulations Preparing for the upcoming changes in data protection law David Jones & Angharad Williams.
General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

Similar presentations

Ads by Google