
What Electricity Co-ops need to know about the EU General ... (6/13/2018)


© 2018 Eversheds Sutherland (US) LLP

All Rights Reserved. This communication is for general informational purposes only and is not intended to constitute legal advice or a recommended course of action in any given situation. This communication is not intended to be, and should not be, relied upon by the recipient in making decisions of a legal nature with respect to the issues discussed herein. The recipient is encouraged to consult independent counsel before making any decisions or taking any action concerning the matters in this communication. This communication does not create an attorney-client relationship between Eversheds Sutherland (US) LLP and the recipient. Eversheds Sutherland (US) LLP is part of a global legal practice, operating through various separate and distinct legal entities, under Eversheds Sutherland. For a full description of the structure and a list of offices, please visit www.eversheds-sutherland.com.

An Electric Cooperative Bar Association (ECBA) webinar: How the EU’s General Data Protection Regulation May Impact Electric Cooperatives:

What you need to know about the EU General Data Protection Regulation (GDPR)

June 13, 2018

Michael Bahar, Partner

Dan Frank, Partner


Eversheds Sutherland

A note about this program

The information contained in this program is not intended to provide legal advice. Please consult your attorney on legal issues and matters related to your electric cooperative.

Additionally, by joining this webcast, attendees agree not to adversely use the information shared during the presentation against NRECA or NRECA voting member cooperatives.


Presenters

Michael Bahar, Partner, Co-Lead of Global Cybersecurity and Data [email protected], +1 202 383 0882

Daniel E. Frank, Partner, [email protected], +1 202 383 0838


Primary takeaway: It’s about risk-based compliance

The key for any US company – including electric coops – when facing any degree of GDPR exposure is to develop a GDPR compliance strategy that incorporates appropriate levels of compliance based on risk.


Why are we talking about a European regulation?

GDPR has an ambitious, extra-territorial reach beyond the EU which can impact businesses in the US

─ US businesses of all sizes and across all sectors can be subject to GDPR requirements as “controllers” if they:

• Have a presence in the EU;

• Offer goods or services into the EU; or

• Monitor behavior of EU residents

─ US businesses are subject to GDPR requirements as “processors” if they:

• Process personal data on behalf of controllers

─ GDPR also applies intra-enterprise, as with the provision of a shared service function by a US parent to an EU subsidiary


What is it? Why should you care?

─ GDPR is new EU-wide data protection legislation that came into force May 25, 2018

─ Designed to be future-proof against technological developments

─ Intended to harmonize data privacy laws across the EU, but not necessarily intended to harmonize with the laws of other jurisdictions, particularly the US

─ Demands greater transparency and accountability from companies

─ Supported by enhanced individual rights

─ Enforced by EU data protection regulators, each having a new range of effective sanctions

─ Unlike the US “sectoral” approach, the GDPR applies to all companies that EU jurisdiction can reach!


The three-step process to develop a risk-based GDPR compliance strategy


Step 1: Does the GDPR apply directly?

─ Presence in EU?

─ Offering goods or services in EU?

• Not merely having a website accessible in Europe

• Not merely having EU citizens as customers

─ Monitoring behavior in EU?


Step 2: Does the GDPR apply indirectly?

─ Processor obligations

─ Market pressures



Step 3: Know thyself or the 5 Ws

─ What data do you have?

─ Who do you collect or receive it from?

─ Where do you get it?

─ Why do you collect it?

─ When do you collect it?

─ And how long do you retain it?



Three tiers of compliance


Three tiers of compliance

Armed with this information, you can then develop your GDPR compliance strategy along three possible lines:

─ Take no action, either because GDPR doesn’t apply or because the costs of compliance are not justified by the risk of non-compliance

─ Apply GDPR across the board (“the high water mark”)

─ Selectively apply GDPR (“GDPR light”) to mitigate risks


A note of caution

Even if you avoid GDPR (directly or indirectly), or even if you choose to take a very light approach to compliance, the day of increased privacy protections is coming:

─ CA Privacy Law?

─ NY DFS

─ NAIC Model Law


Specific issues

─ Consent versus legitimate business interest

─ The so-called “right to be forgotten”

─ International data transfers

─ Cybersecurity



Questions?


eversheds-sutherland.com

© 2018 Eversheds Sutherland (US) LLP. All rights reserved.

Michael Bahar, Partner
[email protected]
+1 202 383 0882

Dan Frank, Partner
[email protected]
+1 202 383 0838

Eversheds Sutherland (US) LLP
700 Sixth Street, NW, Suite 700
Washington, DC 20001-3980