General Data Protection Regulation (GDPR)

January 2018 • Lockton Companies


SELIMA CRUM
Global Benefits Consultant
202.414.2684
[email protected]

NICK DOBELBOWER
Vice President, Intellectual Capital Practice Leader
202.412.8767
[email protected]

After several years of extensive negotiation, the European Union (EU) adopted the General Data Protection Regulation (GDPR)¹ on 27 April 2016. The GDPR is intended to harmonize the data protection framework across Europe, which will drastically change the way businesses manage digital information. Unlike EU directives, the GDPR does not require national governments to transpose it into their national laws. It will be directly binding on all EU member states and applicable as of 25 May 2018.

The EU has also adopted a companion directive, Directive (EU) 2016/680, which governs the processing of personal data by police and criminal justice authorities; member states must transpose it into their national laws by 6 May 2018. (The Data Protection Impact Assessment (DPIA) process itself is set out in Article 35 of the GDPR.) Together, these new laws create significant new requirements for businesses in the EU and for businesses outside the EU that process the personal data of EU residents. They also impose significant fines on businesses that fail to comply.

Who and what is affected?

EU member states, including the United Kingdom, are directly affected by the GDPR, which protects the personal data of all European residents on an extraterritorial basis. The GDPR covers any information relating to an identified or identifiable person: basic identity details, online identifiers such as IP and email addresses, and special categories of data such as health, genetic and biometric data, racial or ethnic origin, political opinions and sexual orientation. That means that all companies, whether they are located in the EU or not, must comply with the GDPR so long as they hold European residents’ personal data.

¹ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Available at: http://eur-lex.europa.eu/eli/reg/2016/679/oj/.

The cost to businesses of implementing the GDPR is expected to run as high as USD 1 million, according to TrustArc’s GDPR study,² while other surveys put the figure at USD 10 million.³

Data transparency rights of EU residents

The GDPR strengthens the rights that individuals enjoyed under the previous data protection framework and introduces new rights.

• The right of access, allowing individuals to request information about all their personal data. For transparency purposes, the information provided should be free of charge, concise and written in clear and plain language.

• The right of rectification, which individuals are entitled to when their personal data are inaccurate or incomplete.

• The “right to be forgotten,” allowing individuals to request the deletion of their personal data when it is no longer needed. Unlike the previous legislation, individuals no longer have to demonstrate that the data causes substantial damage to justify the removal.

• The right to restrict processing when the individual requests it. In that case, the information can still be stored but not otherwise processed.

• The right to data portability, allowing individuals to receive their personal data in a machine-readable format and have it transferred to a different service or organization. It applies only to data the individual has provided to a controller, where the processing is based on consent or a contract and is carried out by automated means.

• The right to object to certain processing activities, including direct marketing, profiling, processing for research or statistical purposes and processing carried out in the public interest.

• The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on the individual.

Businesses are required to respond to individuals’ requests within one month of receipt. That period can be extended by a further two months for complex or numerous requests, provided the individual is informed of the extension, and the reasons for it, within the first month.

² http://www.trustarc.com/blog/2017/06/28/trustarc-privacy-gdpr-compliance-research-part-2/

³ https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html; PwC study: https://www.pwc.com/us/en/increasing-it-effectiveness/publications/general-data-protection-regulation-gdpr-budgets.html


Key features of the GDPR

• Greater accountability for businesses.
• Right to transfer data.
• Mandatory notification of data breaches.
• Increased individual rights.
• Required data audits by a Data Protection Officer.

Roadmap of recommended company actions

• Create a data protection plan.

• Provide training for employees on the consequences of the GDPR for their daily work.

• Conduct an audit of the information flows across the business, domestically and internationally.

• Update all contractual documents with the new requirements of the GDPR.

• Conduct a Privacy Impact Assessment and a DPIA.

• Appoint a Data Protection Officer when the business meets any of the following criteria:

  – It is a public authority.

  – Its core activities involve large-scale processing of EU residents’ special categories of data, such as health information.

  – Its core activities involve regular and systematic monitoring of individuals on a large scale.

• Review and update the way individuals’ consent is recorded and managed.

• Establish a system to strengthen the protection of children’s personal data.

• Ensure that adequate procedures are in place to protect individuals’ rights under the GDPR.

• Review and update insurance documents based on the new risk of GDPR administrative fines.

• Establish the procedures needed to detect, investigate and report personal data breaches to the supervisory authority within 72 hours of becoming aware of them.


The United States Privacy Shield and the GDPR

International data transfers between the EU and other countries are allowed if the destination country has been found to provide adequate protection or if approved safeguards are used, such as EU model clauses (standard contractual clauses), binding corporate rules or the EU-US and Swiss-US Privacy Shield certifications. The EU-US Privacy Shield framework, which came into force on 12 July 2016, covers only one aspect of the GDPR: international data transfers between the US and the EU. While Privacy Shield certification will continue to apply alongside the GDPR, US companies still need to comply with the new provisions introduced by the GDPR whenever EU residents’ personal data are involved. US companies should comply with both frameworks for all EU residents’ data, including UK residents’ data, despite the uncertainties introduced by Brexit. Brexit (shorthand for “British exit”) refers to the UK’s vote in the referendum of 23 June 2016 to leave the EU.

Punitive fines

Starting 25 May 2018, noncompliant organizations will face significant punitive fines of up to EUR 20 million or 4 percent of global annual turnover, whichever is higher. For the lower tier of infringements, the fines would be up to EUR 10 million or 2 percent of global annual turnover, again whichever is higher.

Article 83(2) of the GDPR lists the circumstances to be taken into consideration when determining the amount of a fine, such as the nature, gravity and duration of the infringement, any previous infringements, the categories of data affected and the actions taken to mitigate the damage. There are still many uncertainties about how the regulation will be enforced and how penalties will be assessed, so companies are strongly advised to start preparing now to be as compliant as possible by the deadline.

Next steps

EU member states should transpose Directive 2016/680, and companies should follow an implementation plan to ensure compliance by the deadlines. Businesses should also be aware that each member state can introduce derogations to the GDPR, on grounds such as national security, public security and the prevention of crime, as long as the restriction “respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society,” as stated in Article 23 of the GDPR.


Disclaimer: The content in this paper is provided for general informational purposes only and should not be construed as legal advice from Lockton Companies or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this paper should act or refrain from acting on the basis of any information included in, or accessible through, this paper without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.

References

• Protection of personal data (European Commission): http://ec.europa.eu/justice/data-protection/index_en.htm

• Full text of the General Data Protection Regulation (European Commission): http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

• Is your company on track for GDPR compliance? (Lockton Companies): https://www.locktoninternational.com/articles/your-company-track-gdpr-compliance

• General Data Protection Regulation fines: Are they insurable? (Lockton Companies): https://www.locktoninternational.com/articles/general-data-protection-regulation-fines-are-they-insurable

© 2018 Lockton, Inc. All rights reserved.
