GDPR’S Paper Anniversary: How We Have Documented Progress & Lessons Learned

Zachary Heck, Esq., CIPP/US
Taft Stettinius & Hollister LLP

UDSL PILT Annual Seminar, June 7, 2019



2018 – A Big Year for Regulation

• April 16, 2018 – NIST Framework Version 1.1
• May 25, 2018 – General Data Protection Regulation Goes Into Effect
• June 1, 2018 – 50th U.S. Breach Notification Law Goes Into Effect
• June 28, 2018 – California Consumer Privacy Act of 2018 Signed
• August 3, 2018 – Ohio Data Protection Act Signed Into Law
• August 31, 2018 – Amendments to California Consumer Privacy Act of 2018 Passed by Legislature


A little history…


Version 2.0
Data Protection Act 1998
“the Directive” (95/46/EC)


GDPR – What’s New?

• Revisions/improvements to the Directive
• Effective: May 25, 2018
• Countries Impacted:
  – Directly: All EU Member States (28)
  – Indirectly: Any country or business that collects and processes the personal data of individuals in the Union


Source: Fortytravels.com


GDPR Goals

(1) Protection • Protects personal and sensitive data and strengthens privacy rights of EU individuals.

(2) Control • Gives internet users control over their data.


General Data Subject Rights


Impact of Brexit on GDPR

• Brexit will have limited impact on GDPR compliance.
  – GDPR will still largely apply to the UK once it has left the EU because the GDPR and Britain's Data Protection Act (DPA) are essentially identical.
  – Compliance with GDPR should translate to DPA compliance.
  – Under the GDPR the UK will be a “third country”


GDPR Fines & Sanctions – By The Numbers

€55,955,871 in fines
281,088 cases
37.0% of cases ongoing
62.9% of cases closed
0.1% of cases appealed
€50,000,000 was a single fine against Google
144,376 = complaints
89,271 = data breach notifications
47,441 = other


Google Violation

• In January, France issued a €50 million fine against Google.
• France fined Google for 2 major GDPR violations:
  1. Google violated GDPR’s transparency requirement by “excessively” disseminating essential information.
  2. Google failed to get specific and unambiguous consent for its methods of processing personal data from its users.


What does a GDPR Violation Look Like?

• In 2014, 145 million eBay users’ personal info was compromised.

• Info included the names, addresses, date of birth and passwords of eBay users.

• Upper level GDPR fine would have been $264M

• In 2017, personal information of 143 million consumers was compromised.

• 209,000 customers had their credit card data exposed when a breach was discovered.

• Upper level GDPR fine would have been $124M


Right of Access


Right to be Forgotten


Right to Data Portability

Control, but not Empowerment

More akin to “data downloadability”


Right to Opt Out of Data Processing

Limits services or Increases prices


Enables Free Riders


California Dreamin’


Processes

• Disclose to requesting data subject the categories and specific pieces of personal information the business has collected.
• At or before the point of data collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.
• Map and classify data so that your business can comply with a data subject’s request (such as an accounting of data or erasure).


Processes

• Retain any personal information collected for a single, one-time transaction, if the information is not sold or retained by the business

• Re-identify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.


To Delete or Not to Delete?

• Complete transaction
• Debug to identify and repair errors that impair existing intended functionality
• Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest
• Comply with legal obligation


Zachary S. Heck, Esq., CIPP/US
Taft Stettinius & Hollister LLP

40 North Main Street, Suite 1700
Dayton, OH 45423-1029

Direct: [email protected]

www.taftlaw.com