Data Privacy and GDPR Jane Shvets jshvets@debevoise.com

GDPR Highlights Came into force on 25 May 2018 Strict obligations on businesses “processing” individuals’ “personal data” Personal data: any information relating to an identifiable natural person that directly or indirectly identifies them Processing: any activity involving personal data Can apply throughout the EEA and extraterritorially Processing anywhere in the world when “in the context of” an EEA establishment Offering goods or services to individuals in the EEA Monitoring individuals in the EEA Creates risk of large fines, individual complaints, litigation, reputational harm

GDPR Highlights (cont.) Obligations tied to seven core principles: Lawfulness, fairness and transparency Purpose limitation Data minimisation Accuracy Storage limitation Integrity and confidentiality Accountability Prohibits transfers to “Third Countries” subject to exceptions: EU Commission adequacy decision (e.g., Japan, Privacy Shield) Adequate safeguards (e.g., Standard Contractual Clauses) Derogations for specific situations (e.g., necessity for the “establishment, exercise or defense of legal claims”)

Impact on Compliance / Investigations Due diligence / KYC Criminal conviction data: differing local laws cause difficulties Document review and witness interviews Lawful basis: “legitimate interests” but need to be carefully assessed and recorded Transparency: need for privacy notice explaining how data used Minimisation: restrict review to data strictly necessary for aims Cross-border transfers To vendors: think about SCCs and need for GDPR compliant terms of service To authorities: consent or establishment, exercise or defense of legal claims Minimisation: limit to data truly necessary (redact if needed)

UK ICO Enforcement Broad range of enforcement powers Information notices to obtain information from controllers Assessment notices to gain access to documents, systems and people Enforcement notices requiring specific actions Monetary penalties up to greater of £ 17 million or 4% of turnover Many enforcement actions still coming through under pre-GDPR law so fines constrained to £ 500,000 cap (e.g., for Facebook, now being appealed including allegations of bias) Recent enforcement under GDPR (e.g., against HMRC for lack of consent to Voice ID service)