A JOINT PUBLICATION OF THE 4A’S AND VENABLE LLP

THE GDPR: WHAT UNITED STATES AGENCIES NEED TO KNOW


May 25, 2018 marks the date on which a new regulation becomes enforceable in the European Union (EU). This regulation, known as the EU General Data Protection Regulation (GDPR), will regulate the collection and processing of personal data in new ways, potentially creating broad impacts on commerce, in particular how data-driven advertising is conducted.

The 4A’s offers this guidance to agency executives, in-house counsel, and operations management who are engaged in serving the EU market. This guidance is meant to provide a baseline understanding of the new requirements while providing practical tips for agencies in assessing their current legal and data protection programs. We invite you to use this guidance to help inform agencies’ considerations while implementing a privacy program to bring your agency into compliance with the forthcoming GDPR, but we recommend you also seek legal advice.

Below, we provide an overview of the substantive obligations imposed on agencies related to the personal data they collect and process, both on behalf of clients and for their own purposes. We have also included some suggested best practices and a general timeline for GDPR readiness.

©2017 Venable LLP. This informational piece is published by the law firm Venable LLP. It is not intended to provide legal advice or opinion. Such advice may only be given when related to specific fact situations that Venable has accepted as engagement as counsel to address. This information is current as of November 29, 2017.

About 4A’s

The 4A’s, founded in 1917, is the leading authority representing the marketing communications agency business. It provides leadership, advocacy and training that empowers agencies to innovate, evolve and grow. It serves 740 member agencies across 1,400 offices that control more than 85% of total U.S. advertising spend.

The 4A’s is committed to protecting the best interests of its members, their employees and the industry at large. Its Benefits division insures more than 164,000 agency professionals, and the D.C. office advocates for policies that best support a thriving advertising industry.

With its best-in-class learning and career development programs, 4A’s and its Foundation fuel a robust diversity pipeline of talent for its members and the marketing and media industry, fostering the next generation of leaders.

About Venable LLP’s eCommerce, Privacy, and Cybersecurity Team

Venable is an AmLaw 100 law firm with the deepest eCommerce, privacy, and data security practice in the country. Chambers USA has awarded Venable the “Award for Excellence” for the leading privacy and data security practice in the United States.

One of the key distinguishing features of the firm and its truly global data protection practice is the interdisciplinary approach to multi-jurisdictional projects. Venable regularly advises clients in connection with privacy requirements in Europe, participates in a network of data-protection attorneys operating internationally, meets with privacy regulators from foreign countries, and attends international conferences. The firm provides clients with insight into laws and trends outside of the United States, and also helps shape the data-security standards that affect clients as they operate in the global economy.


CONTENTS

I: The European Union General Data Protection Regulation (GDPR): What it is, and Why it Matters to U.S. Agencies (page 04)

II: Basic Principles of Processing: Fundamental Guardrails that Apply to all Personal Data (page 06)

III: Lawful Basis of Processing (page 07)

IV: Transparency: What to Tell the World About Your Processing Activities (page 08)

V: Rights: Individual Control Over Personal Data (page 10)

VI: Tell Your Accountability Story (page 13)

VII: Do you Need a DPO? (page 16)

VIII: Security (page 17)

IX: Breach Notification (page 18)

X: Who Regulates Me: The Powers of the Supervisory Authorities (page 20)

XI: Personal Data on the Move (page 21)

XII: Best Practices to Consider (page 22)

XIII: What to Do Now: A Timeline for Preparing for GDPR Compliance (page 23)


I: THE EUROPEAN UNION GENERAL DATA PROTECTION REGULATION (GDPR) WHAT IT IS, AND WHY IT MATTERS TO U.S. AGENCIES

The GDPR is the most significant change to European data protection law in twenty years. It goes into effect on May 25, 2018, but given the scope of the regulation, it is critical that agencies act now. This guidance highlights some of what marketing communications agencies should know about the GDPR in advance of the implementation date.

Why Does the GDPR Matter to U.S. Agencies?

It may cover you, even if you’re not in the EU. Unlike current EU data protection laws, the GDPR may apply to any processing of personal data of an EU resident (i.e., “data subject”) if you offer goods or services to an EU data subject or monitor their behavior in the EU. If you monitor online behaviors to predict consumer preferences, behaviors, or attitudes that include EU personal data, you may be covered by the GDPR even if you do not have an office or employees in the EU. That means if you or your clients help determine what EU residents see in an ad, you may be subject to the GDPR.

⊲ Consider whether you have employees or use contractors in the EU, have contracts that target services to the EU, or whether your clients are based in the EU or have hired you to advertise their services to EU residents. Remember that monitoring online behaviors, such as interests in certain ad campaigns or products, may sweep you into the GDPR’s scope.

The potential fines are significant. The GDPR allows EU Data Protection Authorities (DPAs) to levy hefty fines for non-compliance. Fines for fundamental violations of the GDPR could be up to €20 million or up to 4% of global turnover (i.e., revenue), whichever is higher. Fines for secondary violations, related to obligations such as privacy by design and children’s consent, could be €10 million or up to 2% of global turnover, whichever is higher.

Enforcement of the GDPR is carried out by a “supervisory authority.” There will be a supervisory authority established in every EU Member State.

Some Key Definitions

The GDPR applies to any “processing” of “personal data.” “Processing” is any operation that can be performed on personal data, whether or not automated, such as collection, use, disclosure, or storage.

What personal data is covered? The GDPR regulates “personal data,” meaning information about an identifiable person including employees, customers, consumers, or business partners. Personal data includes the usual suspects, like name, email address, and phone number, but also digital identifiers like device identifiers, IP addresses, cookies, and RFID tags.

⊲ Even if you do not collect names and email addresses from EU citizens, you may receive or collect digital identifiers (like a mobile device identifier) through your work with, or for, clients.


Additional safeguards apply to special categories of data. Certain categories of personal data are subject to additional safeguards. These categories are personal data relating to health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning a natural person’s sex life or sexual orientation. These sensitive data categories are subject to heightened requirements.

⊲ Consider whether through your work with clients you create profiles or segments of EU consumers that reveal or rely on any of these sensitive data categories. The GDPR describes profiling as any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, including to analyze or predict aspects including a data subject’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

⊲ Even if you do not process these special categories of data on behalf of clients, you may process it in relation to your own employees or contractors.

Are you a Controller or a Processor? The GDPR distinguishes between “data controllers” (the entity that determines the purpose and means of data processing) and “data processors” (the entity that processes data on behalf of a controller). Your agency could be either, or both, depending on your role in data processing activities. Data controllers must comply with essentially all obligations in the GDPR while data processors have some direct obligations with other obligations imposed on them via contract with a controller.

⊲ Consider what types of personal data you may receive through your work with clients, as well as any employees or contractors located in the EU. Are you determining the purposes and means of processing, or is your client making that determination?

Key Takeaways

• The GDPR has extraterritorial effects, and will apply to U.S. agencies that meet the jurisdictional criteria.

• The new potential penalties imposed by the GDPR are significant.

• Agencies should evaluate their practices against the GDPR requirements to determine what obligations apply.


II: BASIC PRINCIPLES OF PROCESSING: FUNDAMENTAL GUARDRAILS THAT APPLY TO ALL PERSONAL DATA

The GDPR establishes baseline principles that apply to all personal data processing. Whether you are working with personal data for your own purposes or on behalf of a client, agencies will need to develop processes that implement these principles as a key part of any operation that touches EU personal data.

Principle 1: Lawfulness, fairness and transparency. Personal data processing must be lawful, fair, and transparent to the data subject.

⊲ Consider the purposes for personal data processing currently disclosed in the relevant privacy policy and update to encompass all purposes relevant to your collection, use, and disclosure of personal data.

Principle 2: Purpose limitation. Collect personal data only for specified, explicit, and legitimate purposes. After collecting personal data, make sure that any additional personal data processing is conducted in accordance with these purposes.*

⊲ Consider updating disclosures around personal data collection to make sure they clearly specify the purposes for which personal data is being collected.

Principle 3: Data minimization. Personal data processing must be adequate, relevant, and limited to what is necessary for the purposes for which personal data is being processed.

⊲ Consider reviewing personal data assets and deleting data that is no longer relevant to the purposes for which it was collected.

Principle 4: Accuracy. Personal data must be accurate and kept up to date (where appropriate). Take reasonable steps to ensure that inaccurate data is erased or corrected without delay, while paying attention to the purposes for the personal data processing.

⊲ Consider implementing automated processes to allow individuals to correct or delete personal data, where appropriate.

Principle 5: Storage limitation. Store personal data in identifiable form for no longer than necessary, consistent with the purposes for which the personal data is processed.*

⊲ Consider deleting or de-identifying personal data when no longer needed for business purposes.

Principle 6: Integrity and confidentiality. Personal data processing must ensure appropriate security. Security measures should protect against unauthorized or unlawful processing as well as against accidental loss, destruction, or damage. Use appropriate technical or organizational measures to safeguard personal data.

⊲ Consider reviewing data security measures implemented around personal data, especially for data that is considered personal under the GDPR but not under U.S. law.

Principle 7: Accountability. Data controllers are responsible for demonstrating compliance with these principles.

⊲ Consider updating your current recordkeeping practices and form agreements.

*There are limited exceptions available for data processed in the public interest, for scientific or historical research, or for statistical purposes.


III: LAWFUL BASIS OF PROCESSING

To process EU personal data, you need a lawful basis for that processing. While the GDPR provides several lawful bases, agencies most likely will rely on either consent or legitimate interests.

Consent

Consent is defined as a freely given, specific, informed, and unambiguous indication of the individual’s wishes. Consent requires consumers to take a clear affirmative action (e.g., checking a box) to show they agree to the processing. Consent can be electronic, written, or provided via an oral statement. Disclosure around the consent should include all types of processing to be applied to the data.

The Dos and Don’ts of Consent

Do: Be clear and concise and use plain language. Don’t: Use legalese.

Do: Make disclosures granular and explicit. Don’t: Word consent to generally cover a number of processing activities.

Do: Name any third party that will rely on the consent. Don’t: Use general categories to name the third parties who will rely on the consent.

Do: Require an affirmative act. Don’t: Pre-check the box for the individual or rely on a default setting.

Do: Design your services so they can be offered to individuals who decline consent. Don’t: Condition your services on receiving consent.

Do: Make consent prominent and separate from other disclosures. Don’t: Bundle your consent with other disclosures.

Do: Document consent. Don’t: Fail to record how and when you got consent or what individuals were told at the time consent was obtained.

Do: Make it easy to withdraw. Don’t: Make it more difficult to withdraw consent than it is to give consent.

Do: Make it freely given. Don’t: Rely on consent in the context of an imbalanced relationship (like employer/employee).

Necessary for the Legitimate Interests of the Controller or a Third Party

An alternative basis for processing is where the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, provided that an EU data subject’s interests or fundamental rights do not override the legitimate interest. Examples of legitimate interests include direct marketing, fraud prevention, intra-company transfers for administrative purposes, network security, and other processing that is reasonably expected given the transaction with the consumer. You should state the legitimate interests you are relying on to the individual. Remember that EU data subjects can object to processing based on a legitimate interest, so keep a record of how you determined that there is a compelling legitimate interest to perform the processing.

⊲ While a data controller can process data for direct marketing purposes, such processing must be necessary and is to be narrowly construed. This likely means that information gleaned from processing one client’s data may not be able to be used for a different client’s direct marketing purposes.

Other recognized bases for processing are:

• Processing is necessary for the performance of a contract with an individual or is necessary to take steps at the request of the individual prior to entering into a contract;
• Processing is necessary to comply with a legal requirement to which the data controller is subject;
• Processing is necessary in order to protect an individual’s vital interests;
• Processing is necessary for performance of a task in the public interest or as required by a government authority.

In these instances, the processing must be “necessary” for the stated purpose.


IV: TRANSPARENCY: WHAT TO TELL THE WORLD ABOUT YOUR PROCESSING ACTIVITIES

The GDPR provides individuals with a fundamental right to transparency. Agencies (to the extent they are acting as a data controller) and their clients should communicate processing activities to individuals using a form (such as a privacy policy) that is concise, transparent, intelligible, and easily accessible. The communication should use clear and plain language, particularly for information addressed specifically to children.

The GDPR requires disclosure of certain information, which varies somewhat depending on whether personal data is collected directly from the data subject or from other sources.

Required Disclosures (which items apply depends on whether the personal data is collected from individuals or from other sources):

• Controller’s name and contact information (and representative where applicable)
• Data Protection Officer’s (DPO) contact information
• Purposes for the personal data processing and legal basis for processing
• Categories of personal data obtained
• Names or categories of recipients of the personal data
• Whether there are cross-border data transfers, a reference to the safeguards used, and how to obtain a copy of this information where it is available
• How long the personal data will be stored or the criteria used to determine that period
• Legitimate interests of the controller or third party for the processing (if processing is based on legitimate interests)
• Right to access, rectify, erase, and restrict the processing of personal data, in addition to the right to data portability
• Statement regarding the data subject’s ability to withdraw consent without affecting the lawfulness of processing prior to the withdrawal
• Right to submit a complaint to a supervisory authority
• Whether the personal data is provided pursuant to a statutory or contractual obligation, or a requirement necessary to enter into a contract; also whether the data subject is required to provide the personal data and the consequences for failing to do so
• The original source of the personal data, and whether it came from publicly accessible sources (where applicable)
• The use of automated decision-making technologies, including profiling, and the significance and consequences of the processing for the data subject


Notes on Implementation

• The disclosures can be provided in electronic form, most commonly, in a privacy policy. In the event that the individual already has the information required under the GDPR, you do not need to separately provide it. Additionally, your clients may consider complying with the GDPR requirements by providing the required information in conjunction with icons, so long as the icons are machine-readable.

• Compliance with the GDPR requires disclosure of all data processing activities. As you and your clients review their privacy practices for GDPR compliance purposes, take care to explore the representations made throughout their platform, not just the representations made in the privacy policy.

• From time to time, individuals may request certain information regarding their personal data and related processing activities, as provided by the GDPR. Requests are expected to be responded to within a month, and information should be provided free of charge (subject to certain exceptions).


V: RIGHTS: INDIVIDUAL CONTROL OVER PERSONAL DATA

The GDPR provides substantive rights to EU individuals with regard to their personal data. In situations where you are the data controller, consider how you will comply with any requests made pursuant to these rights. In scenarios where you are acting as a data processor on behalf of your clients, you may still be required via contract to help your client comply with these requests.

Data Subjects’ Rights

Right to Access

Individuals have the right to ask a data controller to confirm whether it is processing his or her personal data, to access that data, and to receive a copy of that data. Providing access to personal data gives data subjects the right to obtain information about:

• The purpose of the processing
• The categories of personal data
• The current or future recipients (or categories of recipients) of personal data disclosed to third parties, especially international or non-EU recipients
• How long data will be stored, or the reasoning used to decide how long to store it
• The right to request rectification (correction) or erasure of data or to restrict processing
• The right to complain to a DPA
• The sources of personal data when data is not collected directly from the consumer
• Meaningful information about the logic involved in any automated decision-making, including any profiling, and the significance and consequences of that processing
• The means by which personal data is being transferred to a third country or international organization.

Additional Information

• When providing personal data to an individual, that disclosure should not adversely impact the rights of others, including rights related to trade secrets, intellectual property, or copyright. However, you cannot use this restriction to deny providing any information to a consumer.

• You should use all reasonable measures to verify the identity of an individual who requests access, in particular when they request access to personal data associated with online services or online identifiers.

• If you process a large quantity of data about a particular individual, you can request that the consumer specify what information or processing their request is related to.

• Where possible, you should provide remote access to a secure system in order to provide the individual with direct access to his or her personal data.

Right to Rectification

Individuals have the right to correct any inaccurate personal data a controller maintains about them, and (if appropriate) have any incomplete personal data completed.


Right to Erasure (“Right to be forgotten”)

An individual has the right to request the erasure of personal data about them without undue delay if:

• The personal data is no longer necessary for the purpose it was collected or processed
• Consent is withdrawn and no other legal basis to process personal data exists
• The individual objects to processing, and there is no overriding basis for the processing
• The personal data is unlawfully processed
• The personal data must be erased for compliance with legal obligations
• The personal data was collected from a child in relation to providing online services to a child

If the personal data has been made public, take reasonable technological steps to stop additional processing, such as informing other controllers to erase links to, or copies of, that personal data.

Additional Information

You are not required to erase data if that data is necessary for:

• The exercise of freedom of expression and information
• Compliance with a legal obligation or for a task carried out in the public interest
• Public health purposes
• Archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes
• The establishment, exercise, or defense of legal claims

Right to Restriction of Processing

The data subject can request that you stop processing personal data if:

• The personal data is claimed to be inaccurate, so that the data can be verified
• The processing is unlawful and the data subject does not want the personal data erased
• You no longer need the data for the purposes of processing, but the data subject needs it for a legal claim
• The data subject objects to processing and that objection is being validated

Additional Information

• Personal data may still be stored following a restriction of processing, and can be processed with consent, to establish a legal claim, for the protection of the rights of another person, or for an important public interest.

• You should inform the data subject before any processing restriction is lifted.

Right to Data Portability

An individual has the right to receive personal data about them in a commonly used and machine-readable format (including having that data transmitted to another controller where feasible) if:

• Data processing is performed based on consent or on the basis of a contract with the data subject
• The processing is performed by an automated process

Additional Information

• Individuals do not have this right if processing is based on a legal ground other than consent or contract, and it does not apply when data processing is done to fulfill a public duty.

• If more than one individual is part of a requested data set, consider if fulfilling the request would adversely affect the rights of those other individuals. The rights of other affected individuals should not limit the requestor’s right to erasure or to limit data processing.


Right to Object

An individual has the right to object to data processing when that processing is based on the public interest or the legitimate interests of a controller or third party (including processing for profiling and direct marketing purposes).

This right should be made possible free of charge, and be brought to the attention of the individual data subject clearly and separately from other information at the time the controller first communicates with the individual.

Additional Information

• If personal data is being processed in the public interest, to exercise official authority, or on the grounds of a legitimate interest, the processing may be allowed to continue. However, it is the controller’s responsibility to show that there is a compelling interest that overrides the data subject’s right.

Right to not be Subject to Automated Decision-Making, Including Profiling

An individual has the right to request to not be subject to any automated processing that has a legal effect on the data subject (i.e., decision-making).

Automated decision-making should not use the special categories of personal data unless the individual consents or the processing is performed for a substantial public interest.

Additional Information

• This right does not apply if the decision-making is necessary for entering into or performing a contract with the individual, is authorized by another EU member law that provides safeguards for the subject’s rights, or is based on consent.

• If decision-making continues based on a contract or consent, data subjects should still be allowed to obtain human intervention, express their point of view, and contest the final decision.

Have you implemented processes to satisfy all individual rights?

☐ Access
☐ Rectification (correction)
☐ Erasure (right to be forgotten)
☐ Restrict Processing
☐ Data Portability
☐ Object to Processing
☐ Right to not be Subject to Automated Decision-Making (profiling)


VI: TELL YOUR ACCOUNTABILITY STORY

The GDPR emphasizes accountability, starting with the Accountability principle (discussed on page 6) which requires data controllers to be able to demonstrate that all personal data is being processed lawfully, fairly, and transparently. Agencies should be able to demonstrate compliance with relevant aspects of the GDPR to satisfy inquiries from their clients and the supervisory authorities. This means that agencies should maintain clear records memorializing processing activities, as well as other aspects of the GDPR including security and incident response. The GDPR incorporates accountability in other ways, as well.

1. Required processing agreements: The GDPR requires that data controllers only use processors that can provide “sufficient guarantees” that they meet GDPR requirements. In addition, all processing must be governed by a contract—a data processing agreement or DPA—where the processor specifies the following:

• That all processing is done only on documented instructions from the controller, unless required by law, in which case the controller must be informed prior to processing;
• That authorized individuals with access to personal data are bound by confidentiality;
• That the processor has appropriate data security;
• That it will not engage a sub-processor without prior authorization from the controller;
• That the processor commits to assist the controller with fulfilling individual access rights;
• That it commits to assist the controller with complying with breach notification requirements;
• That the processor will delete or return all personal data at the end of the contract, including by deleting copies;
• That the processor will make available all information to demonstrate GDPR compliance and allow for audits and inspections by the controller or its auditor.

These requirements also generally flow down to sub-processors, which must be engaged via DPA with the processor.

Practical Note: Start the lengthy process of revisiting and renegotiating contracts as soon as possible. New client relationships will have to be documented with legally compliant DPAs while existing client relationships will likely need to be “re-papered.”

Practical Note: Develop processes to review new products and services to determine how they will collect and use personal data and to implement appropriate safeguards. Record your processes and the decisions made to demonstrate compliance to a supervisory authority or client.

2. Data protection by design and default: The GDPR requires building data protection by design and default into your operations. GDPR-mandated data protection by design requires data controllers to consider, both prior to and at the time of, processing:

• The current state of the art;
• The cost of implementation;
• The scope, context, and purposes of a processing activity; and
• The likelihood and severity of potential risks to the rights and freedoms of individuals.

These considerations should lead you to implement appropriate data protection practices, such as pseudonymization and data minimization. Data controllers should also ensure that, by default, they only collect and use personal data that is necessary for specific processing purposes. You should consider implementing appropriate controls throughout the lifecycle of personal data, from collection and processing, through storage and accessibility.


3. Recordkeeping: The GDPR has explicit recordkeeping requirements for both data controllers and data processors.

Data controllers must keep written records of all processing they undertake. These records may be maintained by the controller or its representative. Records must include the following:

• The name and contact information of the controller, any joint controller(s), and the controller’s data protection officer (“DPO”);
• The reason you are processing the personal data;
• The types of data subjects and personal data that will be processed;
• The types of entities that will receive personal data, including those in foreign jurisdictions;
• If personal data will travel across borders, document how appropriate safeguards will be put in place (e.g., Privacy Shield compliance);
• Time limits for when personal data will be erased; and
• A description of the security measures you have in place.

Data processors must also keep written records of processing activities. Records must include all categories of processing carried out on behalf of a data controller, as well as:

• The name and contact details of the processor (and any other involved processors) and the controller, and contact information for all DPOs and legal representatives;
• The categories of processing carried out for each controller;
• If personal data will travel across borders, document how appropriate safeguards will be put in place (e.g., Privacy Shield compliance); and
• A description of the security measures you have in place.

Practical Note: Remember that data controllers have a right to audit the practices of data processors at any time, which means that, to the extent you are acting as a data processor, your client can audit your records at will. Adopt recordkeeping procedures that streamline both the maintenance of records and their production on request.


4. Data protection impact assessments (DPIA or PIA): If you start developing new products or services, or undertake new activities that involve the processing of personal data, and the nature, scope, context, and purpose of the processing will likely result in a high risk to a data subject’s rights and freedoms, a DPIA is required. Where applicable, the DPIA will involve advice from the DPO. Note that DPIAs are required in three instances:

• When processing involves systematic and extensive evaluation of individuals’ personal characteristics, is automated, and results in legal effects to individuals or otherwise significantly affects them. This explicitly includes profiling.

• Large-scale processing of special categories of data, i.e., sensitive data, or processing of data related to criminal history.

• Large-scale, systematic monitoring of publicly accessible areas.

A DPIA must contain, at a minimum:

• A systematic description of the processing operations, the purposes of processing, and where relevant, any legitimate interest necessitating that processing.

• An assessment of the need and proportionality of the processing when compared to the purposes for processing.

• An assessment of the risks to the rights and freedoms of data subjects.

• A description of the measures, safeguards and mechanisms to mitigate any risk to data subject rights.

• Any approved codes of conduct that impact the processing.

• Where appropriate, views of individuals.

Practical Note: Consider whether you are processing data to “score” consumers through a profile or predict their interests, to perform automated decision making, processing large amounts of data, processing sensitive data, or using new technology. Internal processes should be developed to “trigger” a DPIA in circumstances like these where a DPIA might be required.

Key Takeaways

• The GDPR puts extensive emphasis on accountability.

• It may not be enough to comply with the substantive obligations of the GDPR; you should also be able to demonstrate your compliance upon request.

• The GDPR adds new recordkeeping and documentation requirements and mandates assessment of new data practices.


VII: DO YOU NEED A DPO?

Who Needs a DPO?

Your agency is required to designate a data protection officer (“DPO”) if you fulfill the following criteria:

• Your core activities consist of processing, the nature of which requires regular and systematic monitoring of individuals on a large scale; or

• Your core activities consist of processing large amounts of the special categories of personal information.

What Does a DPO Do?

A DPO must, at a minimum, do the following, taking into account the risks associated with data processing and the nature, scope, context, and purpose of the processing:

• Advise about the requirements of the GDPR and other laws related to data protection

• Monitor compliance with GDPR and other data protection laws, as well as compliance with internal policies about the protection and use of personal data (including training and selecting appropriate staff to handle personal data)

• Provide advice when asked about data protection impact assessments and monitor compliance with those assessments

• Cooperate with a supervisory authority and act as a point of contact for any issues related to data processing

• Interact with data subjects if there are questions about data processing activities

⊲ Consider whether you have the appropriate budgets and reporting structures put in place to support a DPO if you need one.

Design the DPO Function

The DPO should be selected based on professional qualifications, including expert knowledge on data protection law and practices, and be qualified to perform the tasks of the DPO. A DPO should be involved on all issues that relate to protection of personal data. The DPO should be supported with appropriate resources and access to personal data operations, as well as with resources to continue to be a subject matter expert. DPOs are subject to secrecy and confidentiality requirements imposed by other EU laws and regulations. DPOs are not to receive instructions on how to do their job.

The DPO should be independent. The DPO should report to the highest level of management, and should not be disciplined or fired for performing their role as a DPO.

⊲ Consider whether you already employ an individual that meets these qualifications. The DPO is allowed to have other job duties as long as they are able to independently perform their DPO duties. How you staff the position is flexible—your DPO can be U.S. based or outsourced, provided it meets the criteria.

Do You Need a Representative?

In addition to a DPO, all non-EU companies subject to the GDPR need to designate a legal representative. The legal representative must be located in an EU jurisdiction relevant to your data processing activities. The representative exists to receive inquiries from individuals or supervisory authorities.


VIII: SECURITY

Security Requirements

The processing principles of Integrity and Confidentiality require appropriate security. The GDPR incorporates a flexible approach to safeguarding personal data processing, allowing companies to determine appropriate technical and organizational security measures based on a variety of factors. To determine appropriate technical and organizational measures, agencies and their clients should take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the data processing, and the likelihood and severity of any risk posed to the rights and freedoms of natural persons.

Suggested security practices include:

• Pseudonymizing and encrypting personal data. Pseudonymized personal data is data that has been processed in such a manner that it can no longer be attributed to an individual without use of additional information, provided that the additional information is kept separately and is secured in a manner that prevents it from being attributed to an identifiable person.

• Implementing measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services

• Restoring availability and access to personal data in a timely manner in the event of a physical or technical incident

• Adopting a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
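The pseudonymization described above (a token that cannot be linked back to the person without additional information that is stored separately) and the data-minimization default from the design-by-default discussion, as an added Python example that is not part of the 4A’s/Venable guidance. The records, field names and key are constructed for illustration; a real deployment would hold the key in a separate, access-controlled store.

```python
"""
Keyed pseudonymization with the linking key held separately: an added
example, not part of the 4A's/Venable guidance. Records, field names and
the key below are constructed for illustration.
"""
import hashlib
import hmac

# Fields that directly identify a person; they never reach the analytics copy.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample key. In practice this lives in a separate, access-controlled
# store (e.g. a secrets manager) that the analytics environment cannot read.
SAMPLE_KEY = bytes.fromhex("9f" * 32)

# Constructed sample records of the kind a campaign database might hold.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "Ada@Example.org", "country": "NL", "clicks": 3},
    {"name": "Ada Example", "email": "ada@example.org", "country": "NL", "clicks": 5},
    {"name": "Bo Sample", "email": "bo@sample.eu", "country": "DE", "clicks": 1},
]


def pseudonym(key: bytes, identifier: str) -> str:
    """Token for an identifier: HMAC-SHA256 keyed with the separately held key.

    Normalizing first means the same person gets the same token, so records can
    still be joined for analysis. Because it is keyed, someone holding only the
    analytics copy cannot recompute tokens from guessed email addresses, which an
    unkeyed hash would allow.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def pseudonymize(records, key, needed_fields):
    """Split a dataset into an analytics copy and a separately stored link table.

    The analytics copy keeps only `needed_fields` plus the token (data
    minimization by default). The link table maps token -> direct identifiers
    and is the "additional information" that must be stored separately.
    """
    analytics_copy, link_table = [], {}
    for rec in records:
        token = pseudonym(key, rec["email"])
        row = {"subject_token": token}
        row.update({f: rec[f] for f in needed_fields if f in rec})
        analytics_copy.append(row)
        link_table[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS if f in rec}
    return analytics_copy, link_table


def reidentify(link_table, token):
    """Re-identification is possible only for whoever holds the link table."""
    return link_table.get(token)


def leaks_direct_identifiers(records) -> bool:
    """Check to run before handing a dataset to an analytics team or vendor."""
    return any(f in rec for rec in records for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    analytics, links = pseudonymize(SAMPLE_RECORDS, SAMPLE_KEY, ("country", "clicks"))
    assert not leaks_direct_identifiers(analytics)
    for row in analytics:
        print(row["subject_token"][:12], row["country"], row["clicks"])
```

The analytics copy can be shared with a vendor or analytics team without the names and addresses, while only the holder of the link table and key can relate a token back to a person.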

Adherence to an approved code of conduct or an approved certification mechanism may serve as a factor in demonstrating compliance with the suggested security practices.

Practical Implications

When deciding which security measures are appropriate, account for the risks presented by your personal data processing activities, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

Consider what steps you can take to educate employees that have access to personal data to ensure that the data is processed securely in accordance with the controller’s instructions.


IX: BREACH NOTIFICATION

What is a Personal Data Breach?

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Agencies and clients will need to consider their respective breach notification obligations after becoming aware of a personal data breach. We recommend outlining your procedure for meeting these notification obligations in an incident response plan.

GDPR Key Concept: When Do You Become “Aware”?*

Some examples:

• In the case of a loss of a CD with unencrypted data it is often not possible to determine whether unauthorized persons gained access. Nevertheless, notification has to be provided if there is a reasonable degree of certainty that a breach has occurred; the agency would become “aware” when it realized the CD had been lost.

• A third party informs an agency that it has accidentally received the personal data of one of its clients and provides evidence of the unauthorized disclosure. As the agency has been presented with clear evidence of a breach, it has now become “aware.”

Example: Do you need to notify?*

An agency (acting as a data processor in this instance) that developed and hosts an advertiser’s website identifies an error in the code which controls user authorization. The effect of the flaw means that any user can access the account details of any other user.

• Should you notify the supervisory authority? As the processor, the agency must notify its affected clients (the controllers) without undue delay.

⊲ Assuming that the agency has conducted its own investigation, the affected clients should be reasonably confident as to whether they have suffered a breach. The client is considered as having “become aware” once they have been notified by the agency. The client must then notify the supervisory authority.

• Should you notify individuals? If there is likely no high risk to the individuals, no notice is required.

Note: If there is no evidence of this vulnerability being exploited, a notifiable breach may not have occurred, but the security event should still be memorialized to fulfill GDPR recordkeeping requirements.

*Examples taken from ARTICLE 29 DATA PROTECTION WORKING PARTY, GUIDELINES ON PERSONAL DATA BREACH NOTIFICATION UNDER REGULATION 2016/679 (2017), http://ec.europa.eu/newsroom/document.cfm?doc_id=47741.


Summary of Processor and Controller Personal Data Breach Notification Requirements

Who am I? Processor, i.e., an agency when acting as a data processor for its client who is the controller
Who do I notify and when? The controller, without undue delay (immediately)
What must the notification say? Provide enough information so that the controller can address the breach and determine the steps
Are there recordkeeping requirements? Create records adequate to demonstrate compliance
Additional Considerations: Controllers are required to specify how the processor notification requirements should be met in the data processing agreement

Who am I? Controller, i.e., the advertiser client, or the agency to the extent it is acting as a controller
Who do I notify and when? The supervisory authority
• Within 72 hours
• Trigger for notification: Personal data breach that is likely to result in a risk to the rights and freedoms of natural persons
What must the notification say?
• Description of the personal data breach
• Categories and approximate number of data subjects and of personal data records concerned (where possible)
• Name and contact details of the data protection officer (or other contact point)
• Likely consequences of the breach
• Description of measures taken or proposed to address the breach, including to mitigate possible adverse effects
Are there recordkeeping requirements? Document:
• Facts relating to the personal data breach
• Breach effects
• Remedial action taken
Additional Considerations: Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons

Who am I? Controller, i.e., the advertiser client, or the agency to the extent it is acting as a controller
Who do I notify and when? The data subject
• Without undue delay (as soon as possible)
• Trigger for notification: Personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons
What must the notification say?
• Breach description
• Name and contact details of the data protection officer (or other contact point)
• Likely consequences of the breach
• Measures taken or proposed to address the breach, including measures to mitigate possible adverse effects
Are there recordkeeping requirements? Retain proof of communication
Additional Considerations: Notification is not required if:
• The controller implemented appropriate technical and organizational measures to protect personal data prior to the breach (e.g., encryption)
• The high risk posed to individuals’ rights and freedoms is unlikely to materialize
• Providing notice is too burdensome


X: WHO REGULATES ME: THE POWERS OF THE SUPERVISORY AUTHORITIES

Each Member State will have a supervisory authority—the regulator responsible for enforcing the GDPR. Agencies are under the jurisdiction of a lead supervisory authority. If you have a headquarters in the EU or only one office in the EU, the lead supervisory authority is likely the country where that is located. But for agencies operating in multiple EU countries, you must designate your lead supervisory authority.

Who Takes the Lead?

• For Data Controllers: The lead supervisory authority is the EU Member State where the controller has its headquarters or the EU location for the office with the power to implement decisions regarding the purposes and means for processing personal data.

• For Data Processors: The lead supervisory authority is the place of central administration in the EU, or the EU location where the main processing activities occur.

For agencies that potentially could name multiple lead supervisory authorities, this decision is complex and fact-specific. It should be supported with facts, as it can ultimately be overridden to the extent that a supervisory authority thinks it is the result of “forum shopping.”

Identifying the Lead Supervisory Authority

A client has its headquarters (i.e., its ‘place of central administration’) in Rotterdam, Netherlands. It has offices in various other EU countries, which are in contact with individuals there. All offices make use of the same software to process consumers’ personal data for marketing purposes. All the decisions about the purposes and means of the processing of consumers’ personal data for marketing purposes are taken within its Rotterdam headquarters. This means that the company’s lead supervisory authority for this cross-border processing activity is the Netherlands supervisory authority.

Why Does It Matter?

A lead supervisory authority has primary responsibility for an organization’s cross-border data processing activities, and is responsible for coordinating investigations involving additional supervisory authorities. This “one-stop-shop” system streamlines GDPR compliance so that eligible organizations do not have to contend with multiple supervisory authorities.

Some agencies may not have an office in the EU. If so, they will not be eligible for the “one-stop-shop” system, and will need to deal with the local supervisory authority in every Member State in which they operate.


XI: PERSONAL DATA ON THE MOVE

The transfer of personal data outside of the EU (sometimes called a cross-border data transfer) requires a legal means to legitimize the transfer. A transfer can occur when data is stored or accessed from outside of the EU. Moving data within countries within the European Economic Area (EEA) would not be considered a cross-border transfer.

Agencies that plan to move personal data outside of the EEA would have to implement some measure to legitimize the transfer. Additionally, advertisers will require agencies to have one or more of these measures in place to legitimize transfers that the agency conducts on their behalf.

The three most common mechanisms to legitimize cross-border data transfers are the Privacy Shield Frameworks administered by the U.S. Department of Commerce, implementation of standard contractual clauses, and binding corporate rules. We compare those below.

The Privacy Shield frameworks, SCCs, and BCRs are the most common ways to legitimize an international data transfer outside of the EU. However, there are alternative tools available for cross-border transfers which may be better suited to your client’s needs in specific situations.

• Adequacy decision. Transferring personal data to a country that has been deemed to have adequate protections for individuals does not require any additional means to legitimate the transfer. These countries are: Andorra, Argentina, Canada, Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, and Uruguay.

• Consent. Clients may obtain explicit consent from the data subject for a cross-border data transfer. Prior to providing the consent, the data subject must be informed of potential risks.

• Performance of a contract. The existence of certain contractual obligations may provide a means for cross-border data transfer. This includes when cross-border data transfers are necessary to perform a contract between the data subject and the controller or the controller and another person, as well as to implement pre-contractual measures at the data subject’s request.

• Other specific situations. Cross-border transfers of personal data necessary for the public interest, necessary to establish, exercise or defend legal claims, or when required to protect the vital interests of the data subject or other persons, are all recognized as legitimate.

Means to Legitimize Cross-Border Personal Data Transfers

EU-U.S. Privacy Shield / Swiss-U.S. Privacy Shield
Scope: Covers data transfers from the EEA to the U.S. by a company or organization that voluntarily self-certifies to the program
Administration: Self-certification regime administered by the U.S. Department of Commerce and enforced by the Federal Trade Commission
Fees: Mandatory administration fees paid upon filing and annually thereafter

Standard Contractual Clauses (“SCCs” or “Model Clauses”)
Scope: Governs transfers outside of the EEA to any other country as part of a specific contractual agreement
Administration: The European Commission determines and prescribes SCCs that contain adequate safeguards
Fees: No cost for using this mechanism; agencies may require assistance from legal counsel when finalizing SCCs

Binding Corporate Rules (“BCRs”)
Scope: Governs data transfers within a corporate group to any other country; does not provide a basis for transfer outside the group
Administration: BCRs must be submitted by applicants for approval by a supervisory authority
Fees: Requires extensive preparation from legal counsel, and an administrative fee may be charged in some jurisdictions upon submission


XII: BEST PRACTICES TO CONSIDER

1. Know Your Data Assets

Understanding your data assets is the first step—develop a data inventory or map that categorizes the personal data your agency holds, including personal data associated with your employees/contractors or held on behalf of clients. A data map will not only help you understand your processing operations and determine whether any gaps need to be remediated, but it also forms the centerpiece of your accountability program.

2. Understand Your Responsibilities As a Controller or Processor

While controllers have more extensive obligations under the GDPR, processors will often be called upon to assist controllers with satisfying those obligations via their contractual relationship with the controller. Understand fully what responsibilities belong to both controllers and processors so that you are best positioned to assist your clients, as required.

3. Build a Cross-Departmental, Cross-Functional Plan for GDPR Readiness

GDPR impacts almost all functions within your agency, so build GDPR awareness and get buy-in agency-wide. You will need implementation help from a number of departments and business units.

4. Update Your Vendor and Client Agreements

In most cases, new agreements will be required. Client master services agreements are likely to need to be updated, as are processing agreements with your own vendors. Contractual negotiations take time—update your agreement templates and start circulating them as soon as possible.

5. Evaluate Your Vendors and Vendor Selection Criteria

Vendors you employ will be your processors or sub-processors (or, in some cases, co-controllers). You may be required to undertake due diligence regarding their own GDPR readiness and you may have to replace vendors who are not up to the task.

6. Consider Data Hygiene

As you evaluate your data assets, consider whether you have sufficient consents or other grounds to use that personal data going forward—did any previous consents meet GDPR standards? If not, can you delete the data? Not only is data minimization a fundamental principle of the GDPR, it is also a good practice to reduce legal risk.

7. Use Technology To Your Advantage, Where Possible

In some cases, data that has been pseudonymized falls outside of certain GDPR obligations. Also, encryption is a useful defense to notification of data breaches. Implement technology solutions that minimize your GDPR burdens.

8. Develop Your DPO

DPOs are required to report directly to the highest levels of management. Make adjustments to your reporting structure to verify your DPO meets legal standards. Verify this office has resources to be able to effectively operate.

9. Review Statements About Data Processing

While there is extensive focus on the language used in connection with consents and in privacy policies, pay attention to everything you say about personal data. Check statements on your websites, in marketing materials, and in other sources to make sure you are not contradicting any new language in your privacy policies.

10. Partner with Experienced Counsel

The complexity of the GDPR necessitates having a knowledgeable partner. Find outside counsel who have subject matter expertise in GDPR compliance and rely on them to help guide your agency over the next several months, and beyond.


XIII: WHAT TO DO NOW: A TIMELINE FOR PREPARING FOR GDPR COMPLIANCE

For agencies wondering where to begin, here are some suggested activities to help you prepare for the GDPR.

Timing: Now
Suggested Tasks:
1. Generate Awareness
• Ensure key decision-makers are aware of GDPR and its potentially significant impacts on key operations.
• Assemble capital resources and human resources to move your agency towards GDPR readiness.
2. Conduct a Gap Analysis
• Review data flows—determine what personal data is held by your agency, its origins, and the purposes for which you use and share this personal data.

Timing: Through the end of 2017
Suggested Tasks:
1. Conduct Legal Analysis of Applicable GDPR Concepts
• Review your services and determine whether you are a controller or processor in relation to various services you offer.
• Review the legal basis for processing personal data.
2. Review Internal Processes and Procedures
• Collect all relevant existing documentation—internal policies that apply to client personal data and your personal data (such as HR data).
3. Develop Your Compliance Roadmap
• Put together a team with designated roles and responsibilities and set timing and milestones.

Timing: January–May 2018
Suggested Tasks:
1. Revise Data Processing Agreements
• Review existing agreements and, to the extent necessary, revise and negotiate agreements to meet GDPR standards.
2. Modify Privacy Policies
• External facing privacy policies must include specific content. Prepare to post them by May 2018.
• Internal processes should be revised to ensure they include procedures for maintaining data quality, as required by the GDPR.
3. Develop or Modify Your Privacy Compliance Functions
• Update employee training on privacy to include GDPR awareness.
• Implement processes to ensure Privacy Impact Assessments (PIAs) are being conducted and other GDPR requirements are being met.
4. Consider Whether to Appoint a Data Protection Officer and/or EU Representative
• Review the scale and substance of your data processing activities.


Timing: January–May 2018 (cont’d.)
Suggested Tasks:
5. Review Legal Basis for Cross-Border Data Transfer
• Review your certification to the EU-U.S. Privacy Shield framework, if applicable.
• Become familiar with standard contractual clauses, in case clients wish to impose them on you.
6. Review Your Security Program
• Make sure it is comprehensive and covers EU personal data.
• Edit your incident response plan to include EU data breach notification.
7. Develop Accountability Standards
• Demonstrating compliance is key under GDPR. Make sure your recordkeeping processes document your compliance activities.

Timing: Throughout the Process
Suggested Tasks:
1. Stay Aware of Guidance as it Emerges
• Guidance is expected on compliance with a number of specific topics under the GDPR, including consent, transparency, and accountability.
• Guidance can come from the Art. 29 Working Party and also from individual Member States.
2. Understand the Evolving Business Landscape
• Market forces are constantly developing new solutions for particular GDPR compliance problems.
• Prepare FAQs and other internal guidance to use when talking to your clients about your GDPR readiness. Continue revisiting them as your internal processes evolve.
3. Learn About Available Resources
• Agencies can outsource certain tasks and functions, if desired. For example, a number of consulting and corporate services firms offer “DPO as a service” and GDPR gap analysis services.

WHO TO CONTACT

Tom Finneran, EVP, Agency Management Practices, [email protected]

Louis Jones, EVP, Media & [email protected]

Dick O’Brien, EVP, Government [email protected]

Stu [email protected]

Mike [email protected]

Kelly DeMarchis [email protected]

Emilio [email protected]

Shannon [email protected]

Jared [email protected]