If you glance at the “countdown clock” in the left-hand sidebar of our blog, you’ll see that it has reached 00:00:00. GDPR Day is here. But, unlike Y2K (for those of you old enough to remember the near-hysteria), 25 May 2018 is only the beginning of the GDPR compliance road, not a “completion date.” It’s more like the new Sarbanes-Oxley: an ongoing obligation rather than a one-time deadline.
We’ve discussed privacy compliance with regulations, legal requirements, etc. in this space since this blog’s inception. “Privacy by design” – while not a new concept – is certainly enjoying a new spot in the sunshine thanks to the European Union’s General Data Protection Regulation (“GDPR”) (93 days and counting…) and its codification of “privacy by design and default” in Article 25.
Privacy can also be a key differentiator and a competitive advantage. Read on for some points that can help drive your data privacy/data management program. (From the post “How to Leverage Privacy as a Key Competitive Advantage.”)
In case you had not heard, the European Union is replacing its current privacy laws with a new, comprehensive General Data Protection Regulation (GDPR), which takes effect May 25, 2018. The essential principles of the EU’s privacy laws are unchanged, but the new Regulation imposes many new obligations on many more entities – all backed up by fines modeled on European antitrust laws. US life sciences companies are likely to find that the GDPR applies to their use of personal information that originated in the EU. This post suggests some pragmatic steps companies can take to assess and begin to meet their GDPR obligations. The next webinar in our GDPR series, targeted specifically at life sciences and biotech companies, will take place in March. Watch this space for more information and registration.
Step 1 – Confirm that the GDPR Applies. (From the post “Practical GDPR Steps for US-Headquartered Life Sciences Companies.”)
The European Commission has launched a new data protection website aimed at educating the public and helping businesses and other organizations comply with their new obligations under the General Data Protection Regulation. The Commission’s website contains some infographics to help readers get to grips with the key points of the GDPR. It also contains Q&A and examples that may be helpful in assessing when the GDPR’s various obligations are triggered in different situations.
While the infographic approach to explaining companies’ GDPR obligations has the virtue of simplicity, the Commission’s explanation of what smaller companies must do is far from exhaustive and might mislead readers into thinking they are in compliance when they are not. For example, the explanation of the record-keeping requirements mentions three criteria that trigger the requirements for companies with under 250 employees (SMEs), but omits a critical “or” between the infographic’s second criterion (risky processing of any personal data) and third criterion (processing of sensitive data or criminal records). Under Article 30(5), meeting any one of the conditions takes a small company outside the exemption, so small companies could easily be misled into thinking that only processing that meets all three criteria requires record-keeping.
Larger companies that are subject to the GDPR will likely find the Commission’s SME-focused infographics useful, but should approach them with a bit of caution. Their data processing activities will require record-keeping regardless, and, since larger companies are typically more complex, they may require deeper analysis to get to grips with their GDPR obligations.
That said, companies looking for a digestible, visually engaging explanation of their responsibilities under the GDPR will find this a useful addition to their GDPR preparation toolkit.
Happy 2018. You may notice a new widget in the right sidebar of our home page. Now you have a reminder as to just how close we are to the GDPR D-Day. GDPR is real. GDPR is here.
To brush up on your GDPR, or to help you get moving in the right direction, here is a link to all of the content from our 2017 GDPR webinar series. Each edition includes a link to the recording and slides. We will continue to produce targeted content throughout 2018, so stay tuned.
One of the most striking changes to EU privacy law under the EU’s General Data Protection Regulation (which goes into effect May 25, 2018) is the very strict approach to user consent. For many years, companies operating in the EU (as elsewhere) have relied heavily on user consent to achieve compliance with the relevant data protection and direct marketing laws. When the GDPR was first published, it became clear that the EU intended to crack down on the use of consent in many common situations where the EU felt that individuals were not being treated fairly.
Draft guidance published on Dec. 18 by a key advisory body representing the EU’s national data protection authorities, the Article 29 Working Party (WP29), has confirmed that regulators will approach consent strictly. The guidance is worth reading in full. Some highlights:
- Consent cannot be bundled. Instead, consents must be granular. You will need a separate consent for each purpose for which data will be processed. WP29 notes that this could easily lead to “click fatigue” (implicitly casting doubt on the validity of the consent) when individuals are routinely presented with a long set of check boxes, but WP29 says that this is a problem for data controllers to solve.
- Consent to “unnecessary” uses of personal data cannot be used as a quid pro quo for access to a service. This confirms our previous suggestion that the GDPR invalidates the prevalent business model of providing free services (such as a free app) in exchange for access to personal data that is used for behavioral advertising or other marketing purposes.
- The “explicit” consent needed for processing sensitive personal data requires something even stronger than the already-stringent standard for “normal” consent under the GDPR. The guidance suggests several mechanisms that primarily involve an extra confirmation step by the user, such as clicking on an opt-in box and then responding affirmatively to a text or e-mail to confirm the consent. It’s not clear that users will welcome the extra steps and delay, but WP29 maintains that there needs to be something “more” to reach the level of “explicit” consent.
- Data controllers must identify their legal bases for processing in advance and cannot “swap” bases if the initial basis for processing proves defective. In other words, controllers cannot hold a “backup” basis in reserve for a given processing operation, even when that processing activity could have been carried out on any one of several bases, such as necessity for contract performance, legitimate interest, or consent.
The draft guidance is open for public comment until January 23, 2018.
The clock is ticking down to May 25, 2018, the date that the European Union’s General Data Protection Regulation (GDPR) goes into effect. The GDPR is likely to be a game-changer for US companies doing business with the European Union, and many are racing against the clock to figure out exactly what their compliance obligations are.
We are presenting an in-person seminar in three cities to help make sure your company is on the right course to GDPR compliance.
Join us in either Boston, New York or Washington, DC for a look at GDPR Essentials and GDPR Hot Topics. Register here.
Mintz Levin is an approved CLE provider and this seminar is accredited in California and New York. We are also approved by the International Association of Privacy Professionals for IAPP CPE credit.
Spoiler Alert: Behavioral advertising companies will find some bad news in the guidance.
The Article 29 Working Party (WP29) advisory group, which will soon become the more transparently-named (and very powerful) European Data Protection Board, is busy drafting and issuing guidance documents to help organizations understand how European data protection authorities will interpret various requirements of the General Data Protection Regulation (GDPR). WP29 recently issued draft guidance relating to automated decision-making and profiling that will be critical for all organizations that conduct those activities. The draft guidance is open for comments until Nov. 28, 2017. This post recaps some of the particularly interesting aspects of the draft guidance, which can be found in full here (scroll down to the items just above the “Adopted Guidelines” section).
But first, what counts as automated decision-making under the GDPR? And what is “profiling”? (From the post “Key GDPR Guidance on Behavioral Advertising, Profiling and Automated Decision-Making.”)
EU laws concerning the transfer of employee personal data to the US are complex, and penalties for getting it wrong are set to increase dramatically when the General Data Protection Regulation (GDPR) goes into effect in May 2018. Whether you’re in-house counsel, a human resources professional, or a business owner, join us for a review of the current options for transferring personal data, including under Privacy Shield, and a preview of the new landscape under GDPR.
New York and California CLE credit available; register here.
Many companies have started the potentially lengthy process of auditing their service provider contracts to make sure that they comply with the requirements of the General Data Protection Regulation, which comes into force on May 25, 2018.
Fortunately for those companies that are trying to kick-start their contract audit process, the UK Information Commissioner’s Office (ICO) is forging ahead with its promised series of guidance documents to help companies get ready for the GDPR. The latest addition is a draft guidance note on the GDPR’s requirements for contracts between data controllers (the folks who make decisions about what personal data will be processed, and for what purposes) and data processors (the folks who carry out processing activities on behalf of a data controller).
The requirement that there be a contract between data controllers and their data processors is not itself new. Current EU data protection law requires data controllers to have contracts with data processors governing the security of the personal data held by the processor and requiring the processor to process the personal data solely in accordance with the instructions of the controller.
But the contract requirements under the GDPR are much more expansive. (From the post “Have you started auditing your contracts with your service providers that handle EU personal data? UK Information Commissioner’s Office issues draft guidance for compliance with the GDPR’s contracting requirements.”)