© 2018 Eversheds Sutherland (US) LLP
All Rights Reserved. This communication is for general informational purposes only and is not intended to constitute legal advice or a recommended course of action in any given situation. This communication is not intended to be, and should not be, relied upon by the recipient in making decisions of a legal nature with respect to the issues discussed herein. The recipient is encouraged to consult independent counsel before making any decisions or taking any action concerning the matters in this communication. This communication does not create an attorney-client relationship between Eversheds Sutherland (US) LLP and the recipient. Eversheds Sutherland (US) LLP is part of a global legal practice, operating through various separate and distinct legal entities, under Eversheds Sutherland. For a full description of the structure and a list of offices, please visit www.eversheds-sutherland.com.
An Electric Cooperative Bar Association (ECBA) webinar: How the EU’s General Data Protection Regulation May Impact Electric Cooperatives:
What you need to know about the EU General Data Protection Regulation (GDPR)
June 13, 2018
Michael Bahar
Partner
Dan Frank
Partner
Eversheds Sutherland
A note about this program
The information contained in this program is not intended to provide legal advice. Please consult your attorney on legal issues and matters related to your electric cooperative.
Additionally, by joining this webcast, attendees agree not to adversely use the information shared during the presentation against NRECA or NRECA voting member cooperatives.
Presenters
Michael Bahar
Partner, Co-Lead of Global Cybersecurity and Data
[email protected]
+1 202 383 0882
Daniel E. Frank
Partner
[email protected]
+1 202 383 0838
Primary takeaway: It’s about risk-based compliance
The key for any US company – including electric coops – when facing any degree of GDPR exposure is to develop a GDPR compliance strategy that incorporates appropriate levels of compliance based on risk.
Why are we talking about a European regulation?
GDPR has an ambitious, extra-territorial reach beyond the EU which can impact businesses in the US.
─ US businesses of all sizes and across all sectors can be subject to GDPR requirements as “controllers” if they:
• Have a presence in the EU;
• Offer goods or services into the EU; or
• Monitor behavior of EU residents.
─ US businesses are subject to GDPR requirements as “processors” if they:
• Process personal data on behalf of controllers.
─ GDPR also applies intra-enterprise, as with the provision of a shared service function by a US parent to an EU subsidiary.
What is it?
─ GDPR is new EU-wide data protection legislation that came into force May 25, 2018
─ Designed to be future-proof against technological developments
─ Intended to harmonize data privacy laws across the EU—but not necessarily intended to harmonize with the laws of other jurisdictions, particularly the US
─ Demands greater transparency and accountability from companies
─ Supported by enhanced individual rights
─ Enforced by EU data protection regulators, each having a new range of effective sanctions
Why should you care?
─ Unlike the US “sectoral” approach, the GDPR applies to all companies that EU jurisdiction can reach!
The three-step process to develop a risk-based GDPR compliance strategy
Step 1: Does the GDPR apply directly?
─ Presence in EU?
─ Offering goods or services in EU?
• Not merely having a website accessible in Europe
• Not merely having EU citizens as customers
─ Monitoring behavior in EU?
Step 2: Does the GDPR apply indirectly?
─ Processor obligations
─ Market pressures
Step 3: Know thyself or the 5 Ws
─ What data do you have?
─ Who do you collect or receive it from?
─ Where do you get it?
─ Why do you collect it?
─ When do you collect it?
─ And how long do you retain it?
Three tiers of compliance
Armed with this information, you can then develop your GDPR compliance strategy along three possible lines:
Three tiers of compliance
─ Take no action either because GDPR doesn’t apply or because the costs of compliance are not justified by the risk of non-compliance
─ Apply GDPR across the board (“the high water mark”)
─ Selectively apply GDPR (“GDPR light”) to mitigate risks
A note of caution
Even if you avoid GDPR (directly or indirectly), or even if you choose to take a very light approach to compliance, the day of increased privacy protections is coming:
─ CA Privacy Law?
─ NY DFS
─ NAIC Model Law
Specific issues
─ Consent versus legitimate business interest
─ The so-called “right to be forgotten”
─ International data transfers
─ Cybersecurity
Questions?
eversheds-sutherland.com
Michael Bahar
Partner
[email protected]
+1 202 383 0882
Dan Frank
Partner
[email protected]
+1 202 383 0838
Eversheds Sutherland (US) LLP
700 Sixth Street, NW, Suite 700
Washington, DC 20001-3980