ACC Annual Meeting Washington DC


1 ACC Annual Meeting Washington DC
Session 404 - Ready or Not, Here Comes the Data Protection Regulation

2 Overview of GDPR

3 Overview of GDPR (cont.)

4 Key Areas under GDPR
1. Data Subject Rights
Right to request identification of the information being held (right of access):
- No need to collect additional information in order to prepare for dealing with future requests
- Respond to requests without undue delay and within one month (extendable by up to two further months where requests are complex or numerous)
- Free of charge, unless the request is manifestly unfounded or excessive
- Copies provided in a commonly used electronic form where the request was made electronically
- If a request cannot or will not be complied with: provide an explanation, and inform the data subject of the right to lodge a complaint with the supervisory authority

5 Rights of access, rectification and objection
Right to access: the information to be provided includes
- The retention period, or the criteria used to determine it
- The existence of certain rights (rectification, erasure, restriction, objection)
- The existence of any automated decision making (incl. profiling)
- The appropriate safeguards in place for transfers to third countries
Right to rectification
- Rectification of data which is inaccurate
- Completion of incomplete data, including by means of a supplementary statement
Right to object
- Processing for a task carried out in the public interest, in the exercise of official authority (incl. profiling), or for legitimate interests (incl. profiling): the controller can refuse only if compelling legitimate grounds exist which override the data subject's interests
- Processing for direct marketing (incl. profiling): the objection must always be honoured
- Processing for scientific or historical research purposes

6 Right to Data Portability
Obligation to:
- Make the data available in a structured, commonly used and machine-readable format
- Transmit the data to another controller without hindrance (directly, where technically feasible)
When the right applies:
- Only to data provided by the data subject
- Only if the processing is based on consent or contractual necessity; and
- Only if the processing is carried out by automated means

7 How do you manage these rights in practice?
- Consider existing operational processes
- Revise existing privacy policies / draft new policies
- Identify where processing is based on legitimate interests or involves profiling
- Clear handling procedures to deal with requests from data subjects
- Update existing technologies: searchable electronic databases; ability to restrict / erase data; data portability exports; notification of rectification, erasure or restriction to other controllers/recipients
- DPIAs / privacy by design

8 2. Privacy Impact Assessment
Article 33 – When is a PIA required?
(Note on numbering: the slides cite Articles 33 and 34. In the GDPR as adopted, the data protection impact assessment is Article 35 and prior consultation with the supervisory authority is Article 36; Article 33 of the adopted text is breach notification to the supervisory authority and Article 34 is communication of a breach to the data subject.)

9 Article 33 – When is a PIA definitely required?

10 Article 33 – What should a PIA contain?

11 Articles 33 and 34 – Who and when to consult?

12 3. Vendor Management: Challenges
- No direct insight into third-party data breaches
- No insight into the downstream flow of data from one third party to its subcontractors
- General lack of confidence in third parties' ability to safeguard data or to handle a breach or cyber attack
- Hard to conduct an adequate security review of all vendors
- Senior leadership and boards of directors are rarely involved in third-party risk management
- Companies rely on contractual obligations instead of audits and assessments to evaluate the security and privacy practices of third parties

13 3. Vendor Management: Oversight
Know where your data sets are, which vendors have access to the data, and what privacy and security measures are in place. Remember Target: the weakest link was a vendor.
Develop a plan:
- Map your vendors
- Put one department in charge of vendor management
- Document in your agreement who will have access to the data
- Enforce vendor compliance
- Conduct audits or require vendors to provide annual audit reports

14 Vendor Management Governance
Policies: network security, disaster recovery, BCP, data retention, disposal, change control, training (privacy and security awareness for employees and vendors), social media, acceptable use.
Security (administrative, technical, physical): perform assessments / pen testing.
Privacy: collection, use, retention, disclosure and disposal.
Data transfers. Asset management. Incident response. Monitoring.
Audits / certification(s): when reviewing a vendor's audit report, check
- the products and services covered in the report
- the type (1 or 2) of the report and the period covered (a Type 1 report covers control design at a point in time; only a Type 2 report tests operating effectiveness over a period)
- the opinion of the service auditor
- the user entity's responses to the complementary user entity controls stated in the report
- the exceptions noted by the service auditor
Key point: as the business evolves and changes, revisit, review and re-assess.
Regulatory oversight: GLBA, HIPAA, SEC.
Accountability: security – CISO or equivalent; privacy – CPO or equivalent.

15 4. DPO – Governance
When must you appoint a DPO?
- The processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
- The core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

16 When must you appoint a DPO?
"Core activities"?
- The key operations necessary to achieve the controller's or processor's goals
- Primary, not ancillary, activities (e.g. processing of health data by hospitals vs. payroll)
"Large scale"?
- "considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk" (Recital 91)
- Factors to weigh: duration/permanence of the processing; geographical extent; volume of data and range of items; number of individuals

17 When must you appoint a DPO?
To DPO or not to DPO, that is the question.
- Unless a DPO is obviously not required, WP29 (the Article 29 Working Party) advises organisations to document the internal analysis determining whether to appoint a DPO.
- WP29 encourages "voluntary" designation of DPOs where they are not strictly required. However, a "voluntary" DPO is subject to the same GDPR requirements.
- Organisations can employ individuals who are not DPOs to carry out data protection tasks, but if you do not want them to face the DPO requirements it must be clear to all parties that their title is not "DPO".
- Do both the controller and the processor need a DPO?

18 DPO – Expertise and Skills
- Professional qualities
- Level of expertise
- Ability to fulfil tasks
- Outsourced DPO provider

19 Tasks of DPO and Responsibility
Tasks of the DPO:
- Inform/advise on obligations
- Monitor GDPR/policy compliance
- Provide DPIA advice when sought
Who is responsible for:
- Implementing measures to demonstrate GDPR compliance?
- Carrying out a DPIA where necessary?
(In both cases the controller; the DPO advises and monitors but does not carry the compliance obligation itself.)

20 5. Record of Data Processing Activities
- Categories of personal data
- Purpose of processing
- Categories of data subjects
- Categories of recipients, including recipients in third countries or international organisations
- Transfer to a third country or international organisation? If applicable: documentation of the suitable safeguards for an exceptional transfer to a third country (according to Art. 49)
- Time limits for erasure for each category of data
- General description of the technical and organisational security measures

21 6. Applicability to US Companies
- Operate in the EU (an establishment in the EU, Article 3(1))
- Operate outside the EU but hold personal data of EU residents: under Article 3(2) the GDPR applies where that processing relates to offering goods or services to, or monitoring the behaviour of, data subjects in the EU

22 7. Conclusions
- New rights and obligations, and new tools to support them
- Broader definition of personal data; stricter consent requirements
- Stricter security, data mapping and breach notification requirements
- Data portability and rights to erasure/restriction/objection
- Pseudonymisation: a tool to secure personal data and preserve critical business processes
- New fines, much higher stakes (fines of up to the greater of 4% of worldwide annual turnover or €20M)
- Vital to engage with stakeholders now and to start planning asap, as only approx. 7 months remain
- Vital to do a GDPR audit asap so you know what you have to do and how much it will cost, so you can budget for it for the rest of 2017 and 2018
- For most businesses, unless you actually start the compliance project by Fall 2017, it will be difficult to be reasonably compliant by May 2018
- Regulators have clearly stated they will start audits very quickly after May 25, 2018, so the clock is ticking
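Pseudonymisation as listed above is a concrete technique, so here is a worked illustration of the form that actually earns the name. This is an added example, not code from the slides or from Fieldfisher; the records, key and guess lists are constructed sample data, and the assumption is that the key is kept by a custodian separately from the pseudonymised data set (the "additional information kept separately" that the GDPR's definition of pseudonymisation in Article 4(5) relies on). It goes slightly beyond the slide by contrasting a keyed HMAC with the unkeyed hash that is often mistaken for pseudonymisation, and by showing that per-subject business processing still works on the pseudonymised data.

```python
"""Keyed pseudonymisation of direct identifiers.

Added example; not from the slides or from Fieldfisher. The records, key and
candidate lists are constructed sample data. Assumption: the key is held by a
custodian (e.g. the privacy or security team) separately from the pseudonymised
data set, which is what makes the output pseudonymised rather than anonymised.
"""
import hashlib
import hmac
import secrets

# Constructed sample records as an analytics team might receive them.
RECORDS = [
    {"email": "alice@example.com", "country": "IE", "spend": 120.0},
    {"email": "bob@example.com", "country": "DE", "spend": 75.5},
    {"email": "Alice@Example.com", "country": "IE", "spend": 30.0},
]

DIRECT_IDENTIFIERS = ("email",)


def normalise(value: str) -> str:
    """Canonical form so the same person always maps to the same pseudonym."""
    return value.strip().lower()


def pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    Deterministic, so joins and per-subject aggregation still work; one-way, so
    the data set alone does not reveal the identifier; keyed, so guessing the
    input does not help without the key.
    """
    return hmac.new(key, normalise(value).encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Replace every direct identifier with its pseudonym; other fields pass through."""
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        for field in DIRECT_IDENTIFIERS:
            new[field + "_pseudonym"] = pseudonym(rec[field], key)
        out.append(new)
    return out


def unkeyed_hash(value: str) -> str:
    """The weak alternative: a plain SHA-256 of the identifier, no key."""
    return hashlib.sha256(normalise(value).encode()).hexdigest()


def match_identifier(target: str, candidates, key=None):
    """Return the candidate whose (keyed or unkeyed) digest equals target.

    With key=None this is the attacker's dictionary attack on an unkeyed hash:
    emails and names are low-entropy, so a list of guesses is enough. With the
    key it is the custodian's legitimate re-identification path, e.g. to answer
    a subject access or erasure request for a known individual.
    """
    for cand in candidates:
        digest = unkeyed_hash(cand) if key is None else pseudonym(cand, key)
        if hmac.compare_digest(digest, target):
            return normalise(cand)
    return None


def spend_per_subject(pseudo_records):
    """Business process preserved: per-subject totals without seeing identifiers."""
    totals = {}
    for rec in pseudo_records:
        pid = rec["email_pseudonym"]
        totals[pid] = totals.get(pid, 0.0) + rec["spend"]
    return totals


def demo():
    key = secrets.token_bytes(32)  # custodian's key, never shipped with the data
    pseudo = pseudonymise(RECORDS, key)
    totals = spend_per_subject(pseudo)
    guesses = ["carol@example.com", "alice@example.com"]
    # Unkeyed hash: an attacker holding only the data set recovers the email.
    cracked = match_identifier(unkeyed_hash("alice@example.com"), guesses)
    # Keyed pseudonym: the same guesses fail without the custodian's key.
    attacker_key = secrets.token_bytes(32)
    not_cracked = match_identifier(pseudo[0]["email_pseudonym"], guesses, attacker_key)
    return totals, cracked, not_cracked


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the design. Because the HMAC is one-way, the custodian re-identifies a subject by re-deriving the pseudonym from an identifier it already holds (for example when servicing an access or erasure request), not by "decrypting" the data set; and because the key is what separates pseudonymised from identifiable data, its storage, access control and rotation belong in the record of processing and the DPIA alongside the data set itself.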

23 8. Useful GDPR Checklists

24 GDPR App
Fieldfisher has developed an app which makes it more convenient for our clients to navigate the challenges of the GDPR. We compiled the most useful GDPR resources, which are available in the app at the touch of a button. The app is fully searchable and cross-referenced, which makes it easy to use and can help businesses better understand how the GDPR will impact them and how they can best prepare for implementation. The app is currently available on the Apple iTunes store and is being developed for Android devices.

