gdpr: preparing for the european general data protection ...€¦ · gdpr: preparing for the...
TRANSCRIPT
IP, Information and Innovation
Data Protection
GDPR: Preparing for the European General Data
Protection Regulation
The Background: from Directive to Regulation 1
Data Protection Principles 2
Accountability and Governance 3
Rights of Individuals 5
Embedding Data Protection in Your Organisation 7
Data Protection: by Design or by Default? 8
Supply Chain 9
International Data Transfers 10
Data Protection Officers 11
Data Breach Notifications 12
Supervisory Authorities and Sanctions 13
Putting the Theory into Practice: What Next? 14
Our European Team 15
Contents
RePrmacdis
It tGDJoupefo
ThThplawh
•
•
Orto re
T
FocoEuDst
HBab
Wot
eform begarotection Rember sta
ccount for tsposal. Ne
took nearlyDPR or Reg
ournal of theriod of twr 25 May 2
he long ahe GDPR apace in the hen:
goods or
the behav
rganisation operate ogulation p
The Ba
or a little ollection,urope byirective), tates.
How doeBy the time and processbeen assess
We have preorder for yohe data you
an in 2012Regulation,
tes. This rethe rise of w technolo
y four yeargulation) a
he Europeao years wa
2018, when
arm of thpplies to cEuropean
services ar
viour of EU
ns which doutside theursuant to
ackgr
over 20 use and
y the Data adopted
es this af the GDPR ises relatingsed and bro
epared thisou to betteru hold, whe
GDPR: P
aimed at which, as eform alsof personal togy means
rs of consund it was f
an Union oas then agrn the Regu
he law ontrollers Union or n
re offered
U citizens is
o not havee scope of o the GDPR
ound
years, thd processa Protectd and im
ffect yous applied in
g to the colleought into a
publication understan
ether it relat
Preparing for t
harmonisian EU reg
o sought totechnologys new risks
ultation to formally adon 4 May 2reed, durin
ulation bec
and procenot”. The e
to EU citiz
s monitore
e an estabEU data pr
R.
d: from
he protecsing of thtion Direplement
r businen May 2018ection and alignment w
n to lay out d what the tes to your
the European
ng data prulation, wo
o ensure thy and the vs as well as
agree the dopted on 016, enterng which oomes enfo
essors “regextra-territ
zens; or
ed or track
lishment inrotection l
m Dire
ction of iheir persoective (95ed in nat
ess? , you will neuse of pers
with the req
the new ob Regulationemployees
General Data
rotection aould have dhat the govvast array s new ways
General D 27 April 2ring into foorganisatioorceable.
gardless oftorial appli
ked throug
n the EU – aw – are n
ective
ndividuaonal data
5/46/EC) (tional law
eed to makeonal data auirements
bligations b expects fro, customers
Protection Re
across the direct effeverning lawof devices s of collect
Data Protec016 and p
orce 20 dayns would h
f whether tcation of t
h the use o
and whichnow subjec
e to R
als in relaa has bee(the Dataw by all 2
e sure that across your of the new
eing ushereom your bus or supplie
egulation Ree
EU via a Gct across a
w was upda now at thting and us
ction Reguublished inys later. A thave time t
the proceshe GDPR is
of technolo
h consider ct to data p
Regula
ation to ten govera Protect28 EU me
all practice organisatio Regulation
ed in by theusiness in reers.
ed Smith LLP
eneral Datall EU ated to e EU’s sing data.
ulation (then the Offictransitionato prepare
ssing takess triggered
ogy.
themselveprotection
ation
he rned in tion ember
es, policies on have .
e GDPR, in elation to
01
ta
e cial al e
d
es
D
Arre
Data P
rticle 5 ofequired t
Protec
f the GDo comply
GDPR: P
ction
PR sets oy with wh
Preparing for t
Princ
out the mhen they
the European
ciples
major priy process
General Data
nciples ts persona
Protection Re
hat all oral data.
egulation Ree
rganisati
ed Smith LLP
ons are
02
GDPR: Preparing for the European General Data Protection Regulation Reed Smith LLP 03
What will Accountability actually look like under the Regulation? Under the GDPR, there is no change in the definitions of the two key roles of data controller and data processor but how liabilities are negotiated—we expect increased complexity (at least initially)—to change. Why? Simply stated, for the first time data processors will take on a direct regulatory responsibility and, therefore, liability. Supervisory authorities may develop a new ‘contributory negligence’ approach to enforcement and sanctions.
Controller A data controller can be an individual or an entity. Data controllers determine the purposes for and means of processing personal data, and are accountable for compliance with the GDPR principles.
Processor A data processor is an individual or entity which processes personal data on behalf of a controller.
The concept of the data processor is well known from the Data Protection Directive. For the first time, data processors are subject to direct regulation by supervisory authorities under the GDPR. Although processors have several obligations, two of the most notable are:
• Implementation of sufficient security measures, having regard to the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing.
• Maintenance of records of all categories of processing activities carried out on behalf of a data controller, including details of any international data transfers.
Accountability in practice Data controllers will continue to be responsible and accountable for compliance and governance, with the GDPR elevating the significance of their role.
Data processors will be in line for greater liability now that they will be directly regulated. As a result, we expect to see a significant impact on contracts with service providers.
Data Protection Officers (DPOs) will assume a vital and powerful role. We may see increasingly the voluntary appointment of DPOs as a means of centralising the accountability function.
Governance Accountability means that governance structures must have the spotlight shone on them. With the requirement for some organisations to appoint a DPO – as a minimum governance
Accountability and Governance
Some of the most important new requirements under the GDPR are those pertaining to accountability. Accountability means that organisations must demonstrate compliance with the GDPR.
GDPR: Preparing for the European General Data Protection Regulation Reed Smith LLP 04
requirement – some aspects of governance may become more prescriptive, with some decisions taken out of the hands of business. In practice, organisations will be expected to put into place comprehensive but proportionate governance measures, including: • Appropriate technical and organisational
measures • Recording of processing activities • Appointment of a Data Protection Officer
(where appropriate)
• Implementation of Data Protection by Design and by Default
• Development and use of Data Protection Impact Assessments
Demonstrating Compliance
As part of accountability, organisations must be able to demonstrate not only that they have a compliance framework in place but also that they implement and adhere to these measures.
GDPR: Preparing for the European General Data Protection Regulation Reed Smith LLP 05
Right Requirement
New Rights
Right to restrict processing
Controller to cease processing where: (i) accuracy is contested by the data subject; (ii) processing is unlawful but the data subject does not request erasure; (iii) processing is no longer necessary; or (iv) data subject has objected to the processing and controller determines that no overriding legitimate grounds exist. If data disclosed to third party, controller to inform them of restriction unless this is impossible or involves disproportionate effort.
Rights against automated decision making and profiling
Controller to identify whether operations constitute automated decision making and update such operations so as to ensure process allows for human intervention. Exemptions available to controller.
Right to data portability
Controller to provide the personal data (that are processed in an automated way) in a structured, commonly used and machine-readable format and, where requested and technically feasible, transmit them directly to another controller.
Rights of Individuals
The GDPR preserves a number of existing rights of data subjects to access their personal data but importantly, as well as providing further obligations on those existing rights, it also creates new rights. The below table summarises the impact and key obligations as regards controllers receiving requests from data subjects.
GDPR: Preparing for the European General Data Protection Regulation Reed Smith LLP 06
Right Requirement Changes to existing law(s)
Existing Rights
Right to be informed
Controller to provide data subjects with information relating to the processing of their personal data in a concise, clear and intelligible manner.
More detailed information to be provided and depends on whether data obtained directly from data subject.
Right of access Controllers to confirm whether personal data are being processed, and if so, provide access.
Information to be provided free of charge and within one month of receipt. Where request made electronically, information to be provided in a “commonly used electronic format”.
Right to rectification
Controller to rectify inaccurate or incomplete personal data without undue delay.
Where controller has disclosed personal data to third party, controller to inform them of rectification.
Right to object Controller to cease processing where data subject objection to processing is: (i) based on certain grounds (public interest or legitimate interest); or (ii) for certain purposes (research or statistics). Some exemptions may be available to controller. Data subject has absolute right to object to data processed for direct marketing purposes. No exemptions are available to controller.
Right to object to personal data being used for statistical or research purposes.
Right to erasure (‘right to be forgotten’)
Controller to erase personal data when: (i) no longer necessary; (ii) consent is withdrawn; (iii) data subject objects and controller has no overriding legitimate grounds to hold data; (iv) data is unlawfully processed; (v) necessary to comply with a legal obligation; or (vi) processed in connection with an online service offered to a child.
Broader, more specific rights created. If data disclosed to third party, controller must inform them of erasure unless it is impossible or involves disproportionate effort.
DaDPind• • • •
On•
•
•
•
•
•
PrIn co
E
Daid
W•
ata ProtecPIAs are mdividuals.
New techProfiling ProcessinSystemat
nce the neDescript– Descr– What
Assessme– How m
Identifica– What
Identifica– Evalua– What
Approval– Ensur– Recor
compIntegratio– Imple
projec
rior consu the absen
onsult the
mbed
ata Proteentificat
Worth coOrganisato use fo
ction Impaandatory wExamples
hnologies or automang sensitivtic monitor
eed for a Dtion of proribe how p legitimateent of necmany indivation and steps are ation and ate propos level of risl and recore DPIA recrd decision
pliance on of DPIA
ement, monct and whe
ltation wince of mea superviso
dding
ection Imion, asse
onsiderinations shouor any new
GDPR: P
act Assesswhen proc of “high r ated proceve data (spering of pub
PIA has beocessing oersonal da
e interest iscessity anviduals are assessmetaken to a evaluatiosed measusk is accepording ceives signns taken to
A outcomnitor, re-asen there is
ith lead Dsures to mory autho
Data
mpact Assessment
ng… uld think a process o
Preparing for t
sments cessing posisk” opera ssing ecial categblic areas (
een identifoperationsata is: (i) cos the contrd proport
e likely to bent of dataddress ris
on of data ures and satable?
n-off at theo eliminate
es in the pssess and s a change
ata Protemitigate ris
rity prior
Prote
sessmenand min
bout puttior activity t
the European
ses a “highations incl
gories of dae.g., CCTV/
fied, a nums envisageollected, (ii)roller purstionality oe affecteda protectik to: (i) the protectioafeguards
appropria, mitigate o
project plupdate the of risk
ction Authk where hi to proces
ection
t (DPIA) iimisation
ng a standhat involve
General Data
h risk” to thude:
ata) on a la/video surv
mber of steed and pu) used, anduing?
of process? on risks
e individuaon solution for addres
ate level or accept r
an e DPIA pla
hority gh risk is i
ssing.
n in Yo
is a procn of data
dard temples the proc
Protection Re
he rights an
arge scale veillance)
ps must burposes ofd (iii) delete
ing opera
l, and (ii) thns ssing risk
risk, and d
n over the
dentified, t
our O
ess invola protect
ate in placcessing of
egulation Ree
nd freedom
e taken: f processined
tions
he organis
emonstrat
life-cycle o
the contro
rganis
lving theion risks
ce for theirdata.
ed Smith LLP
ms of
ng
ation?
te
of the
oller must
sation
r business
07
n
DaAnthphApne
It m
• •
DaDacuBypr
Th
• • • •
At• •
D
Dade
ThDepr
F•
ata Protn organisatat complia
hase of anyppropriate ew project,
must be d
Nature, Likelihoo
ata Protata Protectustomer acy default onrocessed.
his applies
Amount Extent oPeriod oAccessib
t what stAt the timAt the co
Data P
ata Proteevelopm
he GDPRefault, wrotection
From theOrganisatmaking it
ection bytion needsance is moy product o technical , service or
emonstrat
scope, cood and sev
ection bytion by Defcquires a nnly person
to:
of personf processin
of time for bility
tage of tme when doncept and
Protec
ection is ent and
R introducwhich, in pn into con
e outset tions must t an integral
GDPR: P
y Designs to show tnitored. Dor service and organr business
ted that su
ntext and verity of r
y Defaulfault mean
new producnal data wh
al data colng storage of
he projeeterminat
d design ph
ction:
set to beorganisa
ces Datapractice, nsiderati
take data p part of the
Preparing for t
n that adequData protecor use of t
nisational m process.
ufficient ac
purposesrisks to rig
lt ns that thect or servic
hich are ne
llection
f personal
ect? ion of the
hase of any
by D
ecome anational st
Protecti means ton from
protection ine project de
the European
uate securiction is batechnologymeasures b
count is ta
s of proceghts and fre
strictest pce. ecessary fo
data
means of y project
Design
n integratructure o
on by Dethat all o the outs
nto considevelopment
General Data
ty measurked in, noty. become pa
aken in reg
ssing eedoms of
privacy sett
or specific i
processing
n or b
al part of of new p
esign andrganisatiset of pro
eration from process… f
Protection Re
es have bet bolted on
art of the d
gard to:
f individua
tings autom
identified p
g is made
by Def
both theproducts
d Data Pions musojects or
m the outsetfrom day o
egulation Ree
een implemn from at th
developme
ls
matically a
purposes a
fault?
e technoor servic
rotectionst take da new init
t of any newone.
ed Smith LLP
mented anhe concep
ent for eac
pply once
are
logical ces.
n by ata iatives.
w project,
08
nd pt
h
a
SuCopeguteinc
SuThsuthsu28
•
•
•
•
S
Thampraswre
HA2
Omdim
upplier dontrollers aersonal datuarantees, chnical ancluding me
upplier ohe processubject matte data sub
upplier and8 of the GD
only procedocumen
ensure thhave comconfident
takes all sthe Regul
ensures tsub-contr
Supply
he greatemounts treviouslys a legal rith sever
egulatory
How doeAll contracts2018 – in ot
Organisatiomost criticadeadline – omposed on
due diligeare requireta on their in particuld organisaeasures to
obligatioing by a suter, duratiobjects. It md the risks DPR the co
esses persted instruc
hose with ammitted the
iality;
security meation;
he same oractors;
y Cha
est impacto ensuriy being serequiremral aspecy guidanc
es this afs involving pther words,
ns should rl services fo
otherwise yon you which
GDPR: P
ence ed to carryr behalf. Thar in term
ational mea ensure th
ns upplier shoon, nature ust also tainvolved tontract mus
sonal data ctions;
access to pemselves t
easures re
obligations
in
ct of the ng sufficeen in th
ment in sts of thece as wel
ffect youpersonal da we are cur
review theiror their busou will risk could be (a
Preparing for t
y out due dhey will nees of expertasures wh
he security
ould be go and purpo
ake into acco the rightst stipulate
on
personal dao
quired und
flow down
GDPR oncient guahe Data Puch expl GDPR, gll as EU m
r busineata handlingrrently in th
r existing ariness operabeing non-ca) non-com
the European
diligence oed to ensut knowledgich will me of process
verned by oses of thecount the s and freee that the s
ata
der
n to
• acRrr
• de
• mto
n a contrrantees
Protectioicit term
greater clmember
ess? g or transfee transition
rangementations. Startcompliant opliant from
General Data
n supplierure suppliege, reliabili
eet the reqsing.
a written, e processinspecific tadoms of thsupplier:
assists the complianceRegulationrequests brights unde
deletes or end of the
makes avaito demonsobligations
roller’s deof data pn Directis as we slarity is estates’ d
ers must comn period.
ts with servit negotiatio
or having th your persp
Protection Re
s (processers can proity and resuirements
binding cong, the typsks and rehe data su
controllere with thei, includingy individuaer the Regu
returns allarrangem
ilable all instrate coms.
ealings wprotectiove but wsee now.expectedelegated
mply with t
ice providerons well in ahird party stpective and/
egulation Ree
sors) proceovide sufficources, to
s of the Reg
ontract, see of perso
esponsibilitbjects. Un
r with regar obligatio responseals to exerculation;
personal ent; and
nformationpliance wit
with its suon. This wwas not a. Howev through
d powers
he GDPR as
rs, starting advance of ttandard ter/or (b) unfa
ed Smith LLP
essing cient implemengulation,
tting out thonal data aties of the der article
rds ns under ts to cise their
data at the
necessaryth their
uppliers was nchored er, as
h s.
s at 25 May
with the the GDPR ms vourable.
09
nt
he nd
the
e
y
y
Int
1
If tinvtra
2
•
•
3
• •
In
UEc“oor
W•
ternationa
Adequathe Europevolved in tansferred,
AppropModel claModel cothe Euroorder to contracti
Binding CBinding Cexplicitly GDPR, whBCRs areinternatiowithin a gavailable processo
SpecificExplicit cContract
ntern
nder theconomic onward trrganisati
Worth noIn exceptspecific d
l transfers
acy Decisean Commhe transfe data may
priate Saauses ontractual pean Comlegitimise ng parties
CorporateCorporate recognisehich infers
e a methodonal transfgroup of co for both c
ors.
c Derogaonsent performa
ation
e GDPR, d Area (EEransfers”on.
oting… ional caseserogation.
GDPR: P
s under the
sions mission has
r providesflow freely
afeguard
clauses apmission mtransfers b.
e Rules Rules (“BCd in the te
s a level of d of legalisifer of persompanies
controllers
ations
ance
al Da
data tranEA) remai” of data
, the contro
Preparing for t
e GDPR ca
s adopted an ‘adequ
y between
s
pproved bymay be used
between th
CRs”) are ext of the legitimacying the onal data and are and
• Public • Legal c
ta Tra
nsfers to in subjec from an
oller may als
the European
n take plac
a decisionuate’ level othe EEA an
y d in he
.
• ET
• ET
interest claims
ansfe
countriect to rest importe
so invoke h
General Data
ce on the f
that the tof protectind country
EU Codes The GDPRof conductenforceabcontroller such codeapproved.
EU CertificThe GDPRcertificatiobasis for denforceabcontroller certificatioapproved.
rs
s outsiderictions.
er to ano
his compelli
Protection Re
following b
hird counton for the y, territory
of ConducR provides t
t along witle commit or process
es of condu
cation R also provion mechandata transfle commit or process
on mechan
• Vital• Publ
e of the E Restrictither thir
ng legitimat
egulation Ree
bases:
try, territor data beingor sector.
ct that approth binding ments of tsor may beuct have ye
ides for apnisms to befers along wments withsor. No su
nisms have
l interestslic source
Europeanons alsod countr
te interest a
ed Smith LLP
ry or sectog
oved codesand
the e used. Noet been
pproved e used as awith bindinh the ch
e yet been
s
n apply to
ry or
as a new
10
r
s
o
a ng
o
Co•
•
•
Thco
Thda
DThobco
Thlawas
PoOrdishig
D
W(Dth
CLasLa
Ad
ontrollerthe proce
the core scope or large sca
the core a
he DPO canorporate gr
he DPO muata protect
PO respohe DPO wilbligations, aooperating
he DPO muws, and witssigning re
osition organisationsmissed orghest leve
Data P
Whilst somDPO) as phe appoin
Case StuLiveWell, Incacross the gsurveys andLimited, a claccess to da
As yet theredata, proces
rs and pressing is ca
activities purposesale; or
activities co
n be an emroup can a
ust be desition knowle
onsibilitil be respoadvising o with the s
ust monitoth their orgesponsibil
of the DPns must enr penalisedel of mana
Protec
me organpart of thntment o
dy… c. is a U.S. hglobe, includd trials for re
oud providata for man
e is no regussed by Live
GDPR: P
rocessorarried out b
of the con, requires
onsist of p
mployee ofappoint a s
ignated onedge and a
ies nsible for n the perfo
supervisory
or compliaganisationlities, rais
PO nsure that d for carryagement.
ction
nisations heir accouof a DPO
headquarteding to 650esearch ander in Irelan
nagement a
latory guidaeWell could
Preparing for t
rs must aby a public
ntroller or pregular an
processing
f the organsingle DPO
n the basis ability to fu
informing ormance oy authority
ance with ’s policies ing aware
the DPO cing out the
Office
can voluuntability is mand
red busines0,000 customd product dd, though cnd IT opera
ance, but thd make it su
the European
appoint ac authorit
processor nd system
g on a large
nisation or .
of professulfil their D
and advisiof data proy.
the GDPR,on the pro
eness and
can operateir respons
ers
unarily apy prograatory.
ss offering hmers in thedevelopmencertain busiations. Will
he potentialbject to the
General Data
a DPO wty;
consist of matic mon
e scale of
hired exte
sional qualDPO respon
ng on the otection im
, with otheotection of staff train
e indepensibilities an
ppoint a mme, in
health and EU. LiveWent purposesness functiLiveWell n
l volume of e DPO requ
Protection Re
where:
processinitoring of
special ca
ernally, and
lities, in pansibilities.
organisatimpact asses
er EU or naf personal ning.
dently of ind is to rep
data pro certain c
wellness prell regularlys. Data are ons in the Ueed to app
data, includirement.
egulation Ree
g which, bf data subj
ategories
d compani
articular th
on’s data pssments, a
ational datadata. This
nstructionport direc
otection ocircumst
roducts andy carries outhosted by C
United Statepoint a DPO
ding sensiti
ed Smith LLP
y its naturjects on a
of data.
es within a
eir expert
protectionand
a protectio includes
, cannot bctly to the
officer ances
d services t customer Cirrus es have O?
ve persona
11
e,
a
on
e
al
Thpr
NIn
•
•
NNoof m
W
•
• • •
NHiex
• • •
D
Ho•
•
he GDPRrotection
ew rules the event
The natiorights an
Individualfreedoms
otice to otification t the breacillion or 2 p
hen you n
the naturof recordthe detaithe likely a descrip
otices togh risk dat
xemption a
the naturthe likely a descripindividua
Data B
ow to preTraining adata is aw
Responsedetection
R will requn authori
s of a data b
onal supervd freedoms affected s.
the Supeto the releh. Failure tper cent of
otify you s
re of the bds involvedls of the D conseque
ption of any
o Affecteta breacheapplies, an
re of the b conseque
ption of remal should ta
Breac
epare and awareare of wha
e plan: havmethods,
GDPR: P
uire dataty and, in
breach, co
visory authms of individ
where the
ervisory evant supeto notify wf global tu
hould inclu
reach, incld; DPO or anoences of thy, or propo
ed Individes must bed must co
reach; ences of thmedial actiake to min
h Not
eness: ensat amounts
ve an interinvestigati
Preparing for t
a breach n certain
ntrollers w
hority wheduals. e breach w
Authoritrvisory aut
when requirrnover.
ude:
uding cate
other persohe breach; osed, reme
duals e notified tontain the f
he breach; ion taken aimise poss
tificat
sure everyos to a brea
nal breachons and a
the European
notificatn circums
will be requ
re the bre
would likely
ty thority mured to do s
egories of
on if there and edial action
o affected following in
and as well as isible adver
tions
one in youach.
h responsen internal
General Data
ion to anstances, t
uired to no
ach would
y result in a
st be withso could re
individuals
is no DPO
n taken.
individualsnformation
nformatiorse effects.
ur organisa
e plan that reporting
Protection Re
n organisto affecte
otify:
d likely resu
a high risk
in 72 houresult in a fi
s and the a
O;
s without un in clear a
n about an.
ation who h
provides fprocedure
egulation Ree
sation’s leed individ
ult in the ri
to their rig
rs of becomine of up t
approxima
undue deland plain la
ny actions
handles pe
for robust e.
ed Smith LLP
ead dataduals.
sk to the
ghts and
ming awareo €10
te number
ay, unless anguage:
the
ersonal
breach
12
a
e
r
an
GDPR: Preparing for the European General Data Protection Regulation Reed Smith LLP 13
Controllers and processors must have a “lead supervisory authority” located in the jurisdiction where they have their main or sole establishment. There are complex rules in place to govern cooperation between an entity’s lead supervisory authority and other supervisory authorities, which take effect where a complaint is made by a data subject. There are also mutual assistance provisions in place, and supervisory authorities may operate jointly to conduct investigations and take enforcement action.
A European Data Protection Board, tasked with ensuring the consistent application of the GDPR, will also be established. The Board will have a number of responsibilities, including issuing guidance on a number of topics and resolving disputes between supervisory authorities.
Powers of Supervisory Authorities
Supervisory authorities have robust enforcement powers which go far beyond those under the Data Protection Directive. Supervisory authorities may, for example:
• order controllers or processors to provide information
• access a controller or processor’s premises and equipment
• issue warnings and reprimands;
• limit or ban data processing
• impose administrative fines of up to €20,000,000 or 4 per cent of total worldwide turnover.
The scope of enforcement powers available to supervisory authorities and their implications for businesses will ensure that GDPR compliance remains a board-level concern.
Supervisory Authorities and Sanctions
Supervisory authorities will continue to play a vital role under the GDPR. Each member state must have established at least one independent supervisory authority which will be responsible for enforcing the GDPR.
InThmpr
PaTh
1
2
3
4
5
6
7
8
9
10
P
n a nutshhe GDPR wember sta
repared an
ath to cohe ten step
Stakeho
Data Inv
GDPR G
Implem
Governstructur
Supply requirem
Cross-B
Accoun
Data Surespecte
0 Data Brand not
Putting
hell: will be fully
tes. The cond in place
ompliancps to comp
older Awa
ventory: A
Gap Analys
mentation
ance Strure to suppo
Chain (Proments
Border Tra
tability Pr
ubjects’ Riged
reach Notifications
g the
GDPR: P
in force froountdown for this se
ce pliance are
reness: Em
Assess and
sis: Determ
Plan: Crea
cture & Dort accoun
ocessors):
ansfers: Re
rocesses:
ghts: Put i
ification: C
Theo
Preparing for t
om 25 May has alread
eismic shift
:
mbed data
d record th
mine what
ate a proje
DPO : Appontability req
: Ensure su
eview cros
Utilise too
n place po
Create pol
ory int
the European
y 2018 anddy begun st in the reg
a protectio
he persona
additional
ect plan to
int data prquirement
upplier con
s-border d
ls and pro
olicies and
icy for bre
to Pra
General Data
d will applyso your orggulatory lan
on in your o
al data bein
l steps are
address th
rotection os
ntracts are
data transf
cesses to
procedure
each respo
actice
Protection Re
y in the UKganisation ndscape.
organisatio
ng process
required f
he complia
officer and
e amended
fers
document
es to ensu
nse, conta
e: Wha
egulation Ree
K and acros must have
on
sed
for GDPR c
ance gaps
create gov
d to meet G
t complian
re rights a
ainment, re
at Ne
ed Smith LLP
ss all EU e everythin
complianc
vernance
GDPR
ce
re
emediation
ext?
14
ng
e
n
GDPR: Preparing for the European General Data Protection Regulation Reed Smith LLP 15
London
Our European Team
As part of the IP, Information and Innovation Group, our IT, Privacy and Data Security team brings strength and increased connectivity in today’s information economy by developing a collaborative, cross-discipline practice focusing on data security, information governance, technology, and intellectual property services.
Cynthia O’Donoghue Partner, International Head of IT, Privacy & Data Security London +44 (0)203 116 3494 [email protected]
Kate Brimsted Partner London +44 (0)203 116 3620 [email protected]
Philip Thomas Counsel London +44 (0)203 116 3526 [email protected]
Katalina Bateman Senior Associate London +44 (0)203 116 2866 [email protected]
Chantelle Taylor Associate London +44 (0)203 116 3481 [email protected]
Curtis McCluskey Associate London +44 (0)203 116 3467 [email protected]
Tom Evans Associate London +44 (0)203 116 3653 [email protected]
GDPR: Preparing for the European General Data Protection Regulation Reed Smith LLP 16
Paris
Munich
Athens
Thought Leadership For more insight into the GDPR and other Data and Technology related matters, please take a look at our blog, the Technology Law Dispatch, at: www.technologylawdispatch.com
Recognition Our team has been recognised over a number of years with rankings in both the Chambers and Legal 500 directories.
"The team is responsive and approachable, very helpful and makes an effort to keep us updated about the latest important developments." Chambers & Partners 2017
Daniel Kadar Partner Paris +33 (0)1 76 70 40 86 [email protected]
Caroline Gouraud Associate Paris +33 (0)1 76 70 40 34 [email protected]
Thomas Fischl Counsel Munich +49 (0)89 20304 178 [email protected]
Alexander Hardinghaus Associate Munich +49 (0)89 20304 134 [email protected]
Anthony Poulopoulos Partner Athens +30 (0)210 41 99 423 [email protected]
Doretta Frangaki Associate Athens +30 (0)210 41 99 425 [email protected]
ABU DHABI
ATHENS
BEIJING
CENTURY CITY
CHICAGO
DUBAI
FRANKFURT
HONG KONG
HOUSTON
KAZAKHSTAN
LONDON
LOS ANGELES
MUNICH
NEW YORK
PARIS
PHILADELPHIA
PITTSBURGH
PRINCETON
RICHMOND
SAN FRANCISCO
SHANGHAI
SILICON VALLEY
SINGAPORE
TYSONS
WASHINGTON, D.C.
WILMINGTON
reedsmith.com
Reed Smith is a global relationship law firm with more than 1,800 lawyers in 26 offices throughout the United States, Europe, Asia and the Middle East.
Founded in 1877, the firm represents leading international businesses, from Fortune 100 corporations to mid-market and emerging enterprises. Its lawyers provide litigation and other dispute-resolution services in multi-jurisdictional and high-stakes matters, deliver regulatory counsel, and execute the full range of strategic domestic and cross-border transactions. Reed Smith is a preeminent advisor to industries including financial services, life sciences, health care, advertising, entertainment and media, shipping and transport, energy and natural resources, real estate, manufacturing and technology, and education.
This document is not intended to provide legal advice to be used in a specific fact situation; the contents are for informational purposes only. “Reed Smith” refers to Reed Smith LLP and related entities. © Reed Smith LLP 2016