European Economic Area’s General Data Protection Regulation


European Economic Area’s General Data Protection Regulation (EEA GDPR)

What is the GDPR? The General Data Protection Regulation (EU) 2016/679 ("GDPR") is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also governs the export of personal data outside the EU and EEA. The GDPR aims primarily to give individuals in the EU/EEA control over their personal data and to simplify the regulatory environment for international business by replacing the differing national laws with one regulation across the EEA. It applies to any enterprise established in the EEA, and, regardless of where the enterprise is located or what citizenship the data subjects hold, to any enterprise that processes the personal data of data subjects who are in the EEA in connection with offering them goods or services or monitoring their behaviour. The protection follows the data: once personal data is lawfully collected under the GDPR, transferring it outside the EEA does not remove the obligations attached to it. Since 25 May 2018 all organizations in scope are expected to be compliant with the GDPR.

Who does this apply to? The GDPR applies to any organization operating within the EU plus Iceland, Liechtenstein and Norway (the EEA). It also applies to organizations outside the EU/EEA which offer goods or services to individuals or businesses in the EU/EEA, or which monitor the behaviour of people there; this includes organizations in Britain after Brexit when they serve or monitor people in the EU. The test is whether the data subjects are in the EU/EEA, not whether they are EU citizens. In practice this means that almost every major corporation in the world needs to be GDPR compliant.

Some GDPR terms:
- Data Subject: an identified or identifiable natural (living) person.
- Data Controller: the role that determines the purposes and means of the processing of personal data. The controller is responsible for ensuring, and for being able to demonstrate, that processing is performed in accordance with the Regulation.
- Data Processor: the role that processes personal data on behalf of the controller.
- Processing: any operation performed on personal data, including merely storing it or having access to it.
- Personal Data: any information relating to a data subject, i.e. any information that can be used to directly or indirectly identify an individual. Examples: name, serial ID, salary, home address.
- Sensitive Personal Information: information that can be misused to significantly harm the individual. Examples: credit/debit card numbers, medical information, date of birth including the year, race, ethnicity, sexual orientation. (Several of these, such as health, race, ethnicity and sexual orientation, are "special categories of personal data" under Article 9 and may only be processed under narrow conditions.)

What is Personal Data? Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymized remains personal data, and stays within the scope of the law, as long as it can still be used to re-identify the person (for example, because someone holds the key or the lookup table that reverses the pseudonymization).
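The point that pseudonymized data is still personal data is easiest to see in code. The following is an added example, not part of the original slides: a constructed customer table is pseudonymized with a keyed hash (HMAC-SHA256), the key holder is shown re-linking a token to a person, and an unkeyed SHA-256 of an e-mail address is shown being reversed by a simple dictionary attack by anyone with a list of plausible addresses. All records, keys and function names are assumptions made for the illustration.

```python
"""Added example (not from the original slides): why pseudonymised data is still
personal data under the GDPR. Records, keys and names are constructed."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records: a controller's customer table.
CUSTOMERS = [
    {"email": "alice@example.com", "salary": 52000},
    {"email": "bob@example.com", "salary": 61000},
    {"email": "carol@example.com", "salary": 47000},
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed token (HMAC-SHA256).
    The token alone reveals nothing about the identifier, but whoever holds
    `key` can link it back; that is pseudonymisation in the GDPR Art. 4(5)
    sense, not anonymisation."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymize_table(rows: list, key: bytes) -> list:
    """Swap the e-mail column for a token; keep the non-identifying columns."""
    return [{"subject_token": pseudonymize(r["email"], key), "salary": r["salary"]}
            for r in rows]


def reidentify(token: str, candidates: list, key: bytes) -> Optional[str]:
    """The key holder re-identifies a token by recomputing it over the
    identifiers it still holds. Because this is possible, the pseudonymised
    table is still personal data in the controller's hands."""
    for ident in candidates:
        if hmac.compare_digest(pseudonymize(ident, key), token):
            return ident
    return None


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256: a common but weak 'anonymisation' of low-entropy
    identifiers such as e-mail addresses."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def dictionary_attack(token: str, candidates: list) -> Optional[str]:
    """Anyone with a list of plausible identifiers reverses an unkeyed hash by
    trial; no secret is needed, so such data is not anonymous at all."""
    for ident in candidates:
        if naive_hash(ident) == token:
            return ident
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # the controller's pseudonymisation key
    table = pseudonymize_table(CUSTOMERS, key)
    known = [r["email"] for r in CUSTOMERS]  # identifiers the controller still holds
    # Key holder can re-link the token: still personal data.
    print(reidentify(table[0]["subject_token"], known, key))       # alice@example.com
    # Without the key, recomputation over the same candidates fails.
    print(reidentify(table[0]["subject_token"], known, b"wrong"))  # None
    # An unkeyed hash falls to a dictionary attack by any third party.
    print(dictionary_attack(naive_hash("bob@example.com"), known))  # bob@example.com
```

The practical consequence: the pseudonymized table may be handed to an analyst without the key, but the controller must protect the key (and the original identifiers) as personal data, and must never treat an unkeyed hash of an e-mail address or similar guessable value as anonymized.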

Roles involved? Controller: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4(7)). Processor: "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller" (Article 4(8)).

Rights of the Data Subjects. Why care? The cost of non-compliance has increased: fines can reach €20M or 4% of worldwide annual turnover, whichever is greater, per infringement. Data processors now carry direct responsibilities to help uphold the rights of data subjects. Those rights include:
- Higher standards for obtaining the data subject's consent.
- Higher standards of transparency about how the data subject's information is used.
- The right of access to personal data.
- The right to rectification.
- The right to object to processing without penalty.
- The "right to be forgotten" (right to erasure).
- The right to data portability.

What happens with data problems? Organizations are obliged to report any personal data breach that is likely to result in a risk to the rights and freedoms of individuals, for example discrimination, damage to reputation, financial loss, loss of confidentiality, or any other economic or social disadvantage. A breach must be reported to the relevant supervisory authority within 72 hours of the organization first becoming aware of it. If the breach is likely to result in a high risk to the affected individuals, the data subjects themselves must also be notified, and the GDPR requires this to be done without "undue delay". A processor that detects a breach must inform its controller without undue delay so that the controller can meet these deadlines. Failure to comply can lead to substantial fines (see the next slides). Please see the GDPR text for details.

Amount of fines. If a firm infringes multiple provisions of the GDPR, it shall be fined according to the gravest infringement, as opposed to being separately penalized for each provision (Article 83(3)). However, this may not offer much relief considering the amounts possible:
Lower level: up to €10 million, or 2% of the worldwide annual turnover of the prior financial year, whichever is higher, for infringements of:
- the obligations of controllers and processors under Articles 8, 11, 25-39, 42 and 43;
- the obligations of a certification body under Articles 42 and 43;
- the obligations of a monitoring body under Article 41(4).
Upper level: up to €20 million, or 4% of the worldwide annual turnover of the prior financial year, whichever is higher, for infringements of:
- the basic principles for processing, including conditions for consent, under Articles 5, 6, 7 and 9;
- the data subjects' rights under Articles 12-22;
- the transfer of personal data to a recipient in a third country or an international organisation under Articles 44-49;
- any obligations pursuant to Member State law adopted under Chapter IX;
- any non-compliance with an order by a supervisory authority (Article 83(6)).

Administrative fines: determination. The GDPR imposes stiff fines on data controllers and processors for non-compliance. Fines are administered by the individual member state supervisory authorities (Article 83(1)). The following ten criteria (Article 83(2)) are used to determine the amount of the fine on a non-compliant firm:
- Nature of infringement: number of people affected, the damage they suffered, duration of the infringement, and the purpose of the processing.
- Intention: whether the infringement was intentional or negligent.
- Mitigation: actions taken to mitigate the damage to data subjects.
- Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance.
- History: past relevant infringements (Article 83(2)(e)), which may be interpreted to include infringements under the earlier Data Protection Directive and not just the GDPR, and past administrative corrective actions under the GDPR, from warnings to bans on processing and fines (Article 83(2)(i)).
- Cooperation: how cooperative the firm has been with the supervisory authority in remedying the infringement.
- Data type: what types of data the infringement affects; see special categories of personal data.
- Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself, or reported by a third party.
- Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct.
- Other: other aggravating or mitigating factors, which may include the financial impact of the infringement on the firm.

Right to Erasure. The right to erasure, also known as the right to be forgotten, stems from Article 17 of the GDPR and is a data subject's right to have their data removed by a controller (and, through the controller, its processors) for the following reasons:
- The original purpose for which the data was processed has been fulfilled, and the personal data in question is no longer needed.
- The data subject withdraws their consent and there is no other legal basis for the processing.
- The data subject objects to the processing of their data, and there are no overriding legitimate grounds.
- The personal data was collected or processed unlawfully.
- The data must be erased to comply with a legal obligation.
- The data was collected in relation to the offer of information society services to a child.
Response to a valid right to erasure request:
- Confirm receipt of the data subject's request and give a realistic time frame for completing the erasure. The organization must inform the subject of the action taken within one month of receipt (Article 12(3)); this can be extended by a further two months where the request is complex or the organization is handling many requests, provided the subject is told of the extension and the reason within the first month.
- Locate the personal data and identify all processors and third parties that may also hold it.
- Notify all identified third parties that have access to the personal data to completely remove it from their environments and to confirm erasure.
- Remove the personal data from your own environment (including backups, according to your documented retention procedure).
- Respond to the data subject to confirm erasure from your environment and from all associated third parties.

Right to Erasure continued. The right to erasure is NOT absolute, and there are instances where a request for erasure need not be fulfilled. A controller is not obligated to erase under the following circumstances:
- Where the processing is necessary for exercising the right of freedom of expression and information.
- Where the organization must comply with a legal obligation, or the processing is for the performance of a task in the public interest or in the exercise of official authority.
- Where the processing is necessary for reasons of public interest in the area of public health, or for archiving, scientific or historical research, or statistical purposes.
- Where the organization needs to retain the information to establish, exercise or defend legal claims.
If it is determined that one of the above exemptions applies and the individual's request to erase their data is refused, a notice explaining the reason must be communicated to the data subject within one month of receipt of the request (Article 12(4)), together with information that they have the right to lodge a complaint with the supervisory authority in their member state, and to seek a judicial remedy, if they feel the request has been handled unlawfully or unfairly.

What should be done?
- Avoid processing personal data if it is not required.
- Follow the client's (controller's) documented instructions for processing, and be prepared for client conversations about it.
- Understand and use the data breach procedures.
- Be watchful of any red flags, for example personal data being processed by parties or sub-processors not covered by the controller's instructions.
- Always remove personal data when it is no longer needed.
- Always follow established security policies to protect data and equipment.

GDPR take-away: The GDPR brings extensive changes and major risks for any organization that processes personal data. For some there will be significant impacts, technically, contractually and financially. A processor has legal obligations of its own, backed by substantial financial penalties. Need to understand:
- Key GDPR terms, e.g. Data Subject, Data Controller and Data Processor. Processing data includes merely storing it or having access to it.
- Data processor obligations: the need for a contractual agreement (Article 28) and for technical and organisational security measures; the need for written instructions and records of processing; the need to report and assist with any data breach; the additional need to assist clients in certain areas, such as responding to data subject requests, moving data internationally, and working with sub-processors.
- The roles and responsibilities for the alignment of accounts, proposals and solutions.
We all need to be ready, since the regulation has been live since 25 May 2018.

In conclusion… The GDPR is the groundwork for other countries as they create their own data privacy laws. Expect more regulation in the area of data privacy. There is a need to understand and review where you, your family and your company are with data privacy. More information at https://ec.europa.eu/info/index_en