GDPR 101 and UCSB's Response

Presentation transcript:

GDPR 101 and UCSB's Response: Information and Update

What is the GDPR?
GDPR: General Data Protection Regulation.
- Intended to harmonize data privacy laws across Europe.
- Repeals and replaces the Data Protection Directive (95/46/EU).
- Increased territorial scope.
- Penalties to both controllers and processors.
- Strengthens consent requirements.
- Takes effect May 25, 2018.

The GDPR applies to processing carried out by organisations operating within the EU. BUT: it also applies to organisations outside the EU that offer goods or services to individuals in the EU. Like UCSB.

How does the EU GDPR differ from US privacy law?
EU: privacy is a FUNDAMENTAL RIGHT. There is a fundamental right to protection of personal data.
US privacy laws: laws create a right of privacy in specific sectors where it is needed:
- HIPAA (health)
- FERPA (students)
- GLBA, FCRA (finance)
- TCPA, TSR, CAN-SPAM (marketing)

What are some fundamental rights in the US? Due process, freedom of speech, religion, travel, voting... privacy. But privacy rights in this area are focused on concepts like marriage and contraception, not personal data. Here, personal data is protected by other laws and regulations but is not recognized as a fundamental right.

What does the GDPR do?
It protects Personal Data, namely any information relating to an identified or identifiable natural person:
- Name
- Identification number
- Location data
- An online identifier (e.g. IP address)
- Any data element specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person.
Basically, anything about a person in the EU.

To Whom Does It Apply?
The activities of:
- Controllers of personal data: determine the purpose and means of processing the personal data.
- Processors of personal data: process personal data only on behalf of, and on the instructions of, the controller.

In a nutshell: the controller says how and why personal data is processed, and the processor acts on the controller's behalf.

If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR. However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

Controller and Processor Obligations:
1. Implement technical and organizational measures (e.g. pseudonymization);
2. Cooperate with the supervisory authority;
3. Appoint a Data Protection Officer;
4. Maintain records of processing activity (the required contents differ for controllers and processors, below).

Controller:
Records of processing activity must cover: the purpose of processing; a description of the categories of data subjects and categories of personal data; the categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries; transfers of personal data to a third country, including identification of the country and documentation of suitable safeguards; time limits for retaining data; and a general description of technical and organizational measures.
Also: a representative in the EEA; processors must meet GDPR requirements; breach reporting obligations to the data subject AND the Supervisory Authority.

Processor:
Records of processing activity must cover: the controller for which processing is carried out; the categories of processing for each controller; transfers of personal data to a third country, including identification of the country and documentation of suitable safeguards; and a general description of technical and organizational measures.
Also: must only process at the direction and instruction of the controller; notify the controller of a breach.

How must personal data be handled under the GDPR?
Data collected must be:
- Processed pursuant to a lawful basis;
- Collected only for specific, explicit, and legitimate purposes, without further processing*;
- Adequate, relevant, and limited to what is necessary;
- Accurate**;
- Kept in a form permitting identification for no longer than necessary;
- Secure.

* Exception: archiving for public interest, scientific or historical research purposes, or statistical purposes.

In full, the six principles are:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals – we'll come back to the lawful basis component;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. ** Namely: you must have a process in place.
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5(2) requires that "the controller shall be responsible for, and be able to demonstrate, compliance with the principles."

Processing Data Under the GDPR pursuant to a 'Lawful Basis':
- With consent;
- Necessary for the performance of a contract;
- Necessary to protect the vital interests* of the data subject or natural person;
- Necessary for the performance of a task carried out in the public interest or in the exercise of official authority; OR
- Necessary for a legitimate interest** – except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.***

Lawful bases can include any of the items listed.
* vital = risk to life or serious harm
** Research interests, perhaps, in our case.
*** As you can see, this is essentially a balancing test similar to what we would use here in California – a "compelling interest" argument.

Processing based on: Consent
- Consent to one or more specific purposes;
- Distinguishable;
- Freely given;
- Unambiguous;
- With a RIGHT TO WITHDRAW consent.

Consent requirements are pretty specific under the GDPR – hence my pulling them out for you here. Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual's wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Opt-out will not work. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particular care to ensure that consent is freely given. Consent has to be verifiable, and individuals generally have more rights where you rely on consent to process their data. Remember that you can rely on other lawful bases apart from consent – for example, where processing is necessary for the purposes of your organization's or a third party's legitimate interests.

Fundamental Rights of a Data Subject:
1. The right to be informed;
2. The right of access;
3. The right to rectification;
4. The right to erasure;
5. The right to restrict processing;
6. The right to data portability;
7. The right to object;
8. Rights in relation to automated decision making and profiling.

Not going to go into these with the same detail as previous slides – the 101 version is as follows. The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under present EU privacy law.

Notice: essentially, when you must give it: at the time of collection, when responding to requests from data subjects, before further processing, and when data is received from a third party. There are exceptions.
Access: copies of data, a timeframe for response, at no charge.
Rectification: individuals are entitled to have personal data rectified if it is inaccurate or incomplete, and can request suspension of processing while accuracy is being verified. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
Data portability: the right to obtain and reuse data (move, copy, transfer), and to require the controller to transfer their data to another controller where feasible AND where processing is carried out by automated means and is based on consent or on processing necessary to facilitate a contract.
Erasure: the right to have your information erased when it is no longer necessary, upon withdrawal of consent, or on objection to processing; the erasure must be communicated to all recipients of the data. Exceptions apply.
Objection to processing: can happen in a variety of ways; the result is that, at this point, entities can store, but not process, the data. If there is an objection, processing must stop while a balancing test is conducted; a specific application of this might be objection to marketing/profiling.
Automated decision making: a data subject has the right NOT to be subject to decisions based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her. "Significantly affects", in this context, could mean using personal data to evaluate health, preferences, behavior, location, etc. Exceptions apply.

Steps for UC: Inventory of Activities
- What is our presence in Europe?
- What goods or services do we offer to data subjects in the EU?
- In what instances, if any, is UC monitoring the behavior of individuals located in the EU?
- What vendors or third parties do we utilize to provide goods/services and/or monitor the behavior of data subjects in the EU?
- When do we receive personal data from the EU? Are there contractual requirements this may impose on UC?
- When do we transfer data to the EU?

You might be thinking: who is doing this? How? What are my responsibilities??? UCOP is taking the lead on this. They are centralizing the process at this time and directing individual campuses to hold tight while they consider the implications, speak with outside counsel better versed in EU law, and determine best practices for how to organize a response to these changes. Privacy officers are presently working to coordinate a survey for individual campuses to use to weed out some of the answers to these questions. We can't implement programs to meet these new requirements if we don't know where this data, if any, is residing. In a nutshell: we are in a holding pattern. Yes, even though it is to be implemented in May of this year.

Areas that may be affected by these changes (i.e. compliance implications)
- Any department that is processing personal data from subjects in the EU will ultimately have to determine the LEGAL BASIS for such processing – consent? Other?
- Implementation of model clauses in affected contracts
- Consent forms, notices, etc. will be adapted to comply
- Appointment of a Data Protection Officer*
- Develop processes for maintaining records of processing activities and consents for processing
- Develop breach reporting procedures: how to report to Supervisory Authorities
- Develop and implement appropriate technical and organizational security measures
- Determine what data categories are likely to result in high risk to rights and freedoms protected by the GDPR

Again, this is starting at the systemwide level and is expected to trickle down, so hold tight.