General Data Protection Regulation

If you glance at the “countdown clock” in the left-hand sidebar of our blog, you’ll see that it has reached 00:00:00. GDPR Day is here. But, unlike Y2K (for those of you old enough to remember the near-hysteria), 25 May 2018 is only the beginning of the GDPR compliance road and not a “completion date.” It’s more like the new Sarbanes-Oxley.

Continue Reading HAPPY GDPR DAY!!

We are now in the 10-day countdown to the GDPR enforcement date that we’ve been talking about since 2015. If you are a charter member of Procrastinators Anonymous, or just secretly hoped that this would all go away, the sands in the hourglass are running low. Remember that this is not like Y2K. May 25 just represents the date on which the EU will start to enforce the GDPR. Compliance is ongoing and, if your company collects, processes, or uses EU-origin personal data, the compliance obligation runs to you, regardless of where in the world you are located.

Here is a quick refresher list of the webinars that we’ve produced on GDPR issues.   Pick a topic and get going!

EU Data Protection GDPR for Life Sciences (3/14/2018)

https://mintz.webex.com/mintz/lsr.php?RCID=12a7441da963333b01da237ca419396b

This webinar, the ninth in our EU General Data Protection Regulation Series, focuses on topics that are vital to life sciences companies seeking to come into compliance, including handling clinical study data, other scientific research, CRO and other contractor agreements, and transferring personal data outside of the EU.

Getting Your Contracts Ready for GDPR (11/16/2017)

https://mintz.webex.com/mintz/lsr.php?RCID=fe0eed5640a85a8ebb2beb6bc83e83e8

This webinar, the eighth in our EU General Data Protection Regulation Series, reviews the GDPR’s express contract requirements and discusses additional matters that you may want to address in your contracts.

Handling Human Resources Data Under Privacy Shield and the GDPR (10/5/2017)

https://mintz.webex.com/mintz/lsr.php?RCID=880eaf4c652aad528de47cde6be78578

This webinar, the seventh in our EU General Data Protection Regulation Series, reviews current options for transferring personal data, including under Privacy Shield, and previews the new landscape under GDPR.

Access, Correction and Erasure: How to Minimize the Burden (2/16/2017)

https://mintz.webex.com/mintz/lsr.php?RCID=9f6b274207228673ad6d4fe938991ee8

This webinar, the sixth in our EU General Data Protection Regulation Series, considers companies’ obligations to give individuals access to their data and to correct or erase it.  We explore the new data portability requirements. The webinar concludes with some suggestions on how to make these requirements less burdensome.

Transferring Data from the EU (1/12/2017)

https://mintz.webex.com/mintz/lsr.php?RCID=f49a18275f1088209190e48151bec9ec

This webinar, the fifth in our EU General Data Protection Regulation Series, explores the ways in which the Regulation creates new avenues for data transfers, and narrows others. In particular, we consider sector-specific Commission decisions, privacy seals/certifications, the exception for non-repetitive, limited transfers, and the outlook for BCRs and Model Clauses.

Data Protection Officers: Do You Need One? (12/15/2016)

https://mintz.webex.com/mintz/lsr.php?RCID=86d1f2c36c05bcfc89eec5077f1cf921

This webinar, the fourth in our EU General Data Protection Regulation Series, examines the criteria that dictate whether or not your organization needs to appoint a Data Protection Officer. We discuss the role of the DPO, the significance of the “independence” requirement, and the qualifications required to hold the position.

Good-bye to the Cure-all: The New Rules on Consent (11/10/2016)

https://mintz.webex.com/mintz/lsr.php?RCID=de3b01c1f3d3828f8b8d12dc585a8cfe

This webinar, the third in our EU General Data Protection Regulation Series, reviews the new restrictions on relying on user consent to data processing and data transfers. In addition to the general “imbalance of power” problem, we consider the implications of the Directive on unfair terms in consumer contracts and changes that may need to be made to terms of use and privacy policies when dealing with consumers.

Accountability, Data Security, Data Impact Assessments and Breach Notification Requirements (10/13/2016)

https://mintz.webex.com/mintz/lsr.php?RCID=dadbef107c41c287059e1dcf0db3cc49

This webinar, the second in our EU General Data Protection Regulation Series, focuses on the data security and accountability requirements of the Regulation, including reviews and documentation of internal policies and procedures and data impact assessments. We also explore the breach notification requirements and actions that companies can take in advance to mitigate the need for breach notification.

One-Stop Shopping Mall? The New Regulatory Structure (9/14/2016)

https://mintz.webex.com/mintz/lsr.php?RCID=9b389aa85bb81e0af962ff4a5d8226df

This webinar, the first in our EU General Data Protection Regulation Series, explains the powers and role of the new European Data Protection Board, how a “lead supervisory authority” will be designated for each controller, and how the lead supervisory authority will interact with other interested supervisory authorities. We also look at the complaint process from the point of view of the individual who is claiming a violation, and explore the likely role that will be played by public interest organizations bringing group complaints.

As the clock ticks down to May 25, 2018, when the European Union’s General Data Protection Regulation (“GDPR”) becomes fully enforceable throughout the EU, the Internet and airwaves have become saturated with guidance for companies about what to expect and how to prepare for its new protections and restrictions.  However, we’ve seen little intelligence for companies and their litigation counsel in situations where electronically-stored information (“ESI”) containing “personal data” resides in the EU and is relevant to discovery requests in American civil litigation.

In many ways, the process and procedures relating to transfers of personal data to the U.S. under the GDPR are similar – and similarly burdensome – to those of the existing privacy regime.  However, the GDPR does introduce new transfer options and clarifies others.  It has also added record-keeping and compliance reporting requirements as well as hefty penalties for non-compliance.

Our GDPR e-discovery series will examine these new and clarified transfer options for ESI containing personal data.  We begin our series with a newly added transfer option – the Hail Mary pass of transfer options – contained in a GDPR provision permitting a one-time limited transfer where necessary to further a “compelling interest” of the transferring party.

Continue Reading Will the GDPR Ease Cross-Border Data Transfers for Purposes of E-Discovery?

We’ve discussed privacy compliance with regulations, legal requirements, etc. in this space since this blog’s inception. “Privacy by design” – while not a new concept – is certainly enjoying a new spot in the sunshine thanks to the European Union’s General Data Protection Regulation (“GDPR”) (93 days and counting…) and its codification of “privacy by design and default” in Article 25.

Privacy can also be a key differentiator and a competitive advantage. Read on for some points that can help drive your data privacy/data management program.

Continue Reading How to Leverage Privacy as a Key Competitive Advantage

In case you had not heard, the European Union is replacing its current privacy laws with a new, comprehensive General Data Protection Regulation (GDPR), which takes effect May 25, 2018. The essential principles of the EU’s privacy laws are unchanged, but the new Regulation imposes many new obligations on many more entities – all backed up by fines modeled on European antitrust laws. US Life Sciences companies are likely to find that the GDPR applies to their use of personal information that originated in the EU. This post suggests some pragmatic steps companies can take to assess and begin to meet their GDPR obligations. The next webinar in our GDPR series, targeted particularly to life sciences and biotech companies, will be coming up in March. Watch this space for more information and registration.

Step 1 – Confirm that the GDPR Applies

Continue Reading Practical GDPR Steps for US-Headquartered Life Sciences Companies