EU General Data Protection Regulation

Since September, the Mintz Levin Privacy Webinar Series has focused on the upcoming EU General Data Protection Regulation (GDPR) to help businesses understand the reach and scope of the GDPR and prepare for the potentially game-changing privacy regulation. The GDPR will affect how US businesses handle and process personal data originating in the EU and may require changes to business process.

Access, Correction and Erasure: How to Minimize the Burden (2/16/2017)

This webinar, the sixth and final in our EU General Data Protection Regulation Series, considers companies’ obligations to give individuals access to their data and to correct or erase it.  We explore the new data portability requirements. The webinar concludes with some suggestions on how to make these requirements less burdensome.

Transferring Data from the EU (1/12/2017)

This webinar, the fifth in our EU General Data Protection Regulation Series, explores the ways in which the Regulation creates new avenues for data transfers, and narrows others. In particular, we consider sector-specific Commission decisions, privacy seals/certifications, the exception for non-repetitive, limited transfers, and the outlook for BCRs and Model Clauses.

Data Protection Officers: Do You Need One? (12/15/2016)

This webinar, the fourth in our EU General Data Protection Regulation Series, examines the criteria that dictate whether or not your organization needs to appoint a Data Protection Officer. We discuss the role of the DPO, the significance of the “independence” requirement, and the qualifications required to hold the position.

Good-bye to the Cure-all: The New Rules on Consent (11/10/2016)

This webinar, the third in our EU General Data Protection Regulation Series, reviews the new restrictions on relying on user consent to data processing and data transfers. In addition to the general “imbalance of power” problem, we consider the implications of the Directive on unfair terms in consumer contracts and changes that may need to be made to terms of use and privacy policies when dealing with consumers.

Accountability, Data Security, Data Impact Assessments and Breach Notification Requirements (10/13/2016)

This webinar, the second in our EU General Data Protection Regulation Series, focuses on the data security and accountability requirements of the Regulation, including reviews and documentation of internal policies and procedures and data impact assessments. We also explore the breach notification requirements and actions that companies can take in advance to mitigate the need for breach notification.

One-Stop Shopping Mall? The New Regulatory Structure (9/14/2016)

This webinar, the first in our EU General Data Protection Regulation Series, explains the powers and role of the new European Data Protection Board, how a “lead supervisory authority” will be designated for each controller, and how the lead supervisory authority will interact with other interested supervisory authorities. We also look at the complaint process from the point of view of the individual who is claiming a violation, and explore the likely role that will be played by public interest organizations bringing group complaints.

The European Union’s General Data Protection Regulation (the “GDPR”) goes into effect in a little over fourteen months and from a quick glance at our bullet points analysis you can see there is a lot to consider.  One crucial aspect you need to be thinking about now is how your organization collects and manages consents from individuals for processing their personal information.  Without a strong understanding of what valid consent means under the GDPR, before long you may find yourself holding valuable data that you are not able to process as you need to for your business.

To this end, the Information Commissioner’s Office (the “ICO”), the data protection authority for the UK, last week published a consultation draft of its GDPR consent guidance.  This is a practical resource meant to help organizations get to grips with the GDPR’s consent requirements and align their internal procedures and processing activities, as well as their customer-facing websites, marketing materials, and product infrastructure.   Although the UK ICO cannot speak for the other EU data protection authorities, they have a good track record of producing practical guidance set out in accessible language, which makes the ICO website a good first stop for US companies seeking to understand their obligations in the EU.  We encourage you to review this helpful resource and provide feedback to the ICO using their comment form by March 31.  We also offer this high-level snapshot of a few key points: Continue Reading It’s Not Too Early! ICO Guidance Regarding Consent Under GDPR