GDPR’S Paper Anniversary · UDSL PILT Annual Seminar. June 7, 2019. 2 2018 – A Big Year for...
GDPR’S Paper Anniversary: How We Have Documented Progress & Lessons Learned
Zachary Heck, Esq., CIPP/US, Taft Stettinius & Hollister LLP
UDSL PILT Annual Seminar, June 7, 2019
2018 – A Big Year for Regulation
• April 16, 2018 – NIST Framework Version 1.1
• May 25, 2018 – General Data Protection Regulation Goes Into Effect
• June 1, 2018 – 50th U.S. Breach Notification Law Goes Into Effect
• June 28, 2018 – California Consumer Privacy Act of 2018 Signed
• August 3, 2018 – Ohio Data Protection Act Signed Into Law
• August 31, 2018 – Amendments to California Consumer Privacy Act of 2018 Passed by Legislature
A little history…
Version 2.0
Data Protection Act 1998
“the Directive” (95/46/EC)
GDPR – What’s New?
• Revisions/improvements to the Directive
• Effective: May 25, 2018
• Countries Impacted:
– Directly: All EU Member States (28)
– Indirectly: Any country or business that collects and processes the personal data of individuals in the Union
Source: Fortytravels.com
GDPR Goals
(1) Protection • Protects personal and sensitive data and strengthens privacy rights of EU individuals.
(2) Control • Gives internet users control over their data.
General Data Subject Rights
Impact of Brexit on GDPR
• Brexit will have limited impact on GDPR compliance.
– GDPR will still largely apply to the UK once it has left the EU because the GDPR and Britain's Data Protection Act (DPA) are essentially identical.
– Compliance with GDPR should translate to DPA compliance.
– Under the GDPR the UK will be a “third country”
GDPR Fines & Sanctions – By The Numbers
€55,955,871 in fines
281,088 cases
37.0% of cases ongoing
62.9% of cases closed
0.1% of cases appealed
€50,000,000 was a single fine against Google
144,376 = complaints
89,271 = data breach notifications
47,441 = other
Google Violation
• In January, France issued a €50 million fine against Google.
• France fined Google for 2 major GDPR violations:
1. Google violated GDPR’s transparency requirement by “excessively” disseminating essential information.
2. Google failed to get specific and unambiguous consent for its methods of processing personal data from its users.
What Does a GDPR Violation Look Like?
• In 2014, 145 million eBay users’ personal info was compromised.
• Info included the names, addresses, date of birth and passwords of eBay users.
• Upper level GDPR fine would have been $264M
• In 2017, personal information of 143 million consumers was compromised.
• 209,000 customers had their credit card data exposed when a breach was discovered.
• Upper level GDPR fine would have been $124M
Right of Access
Right to be Forgotten
Right to Data Portability
Control, but not Empowerment
More akin to “data downloadability”
Right to Opt Out of Data Processing
Limits services or Increases prices
____________________
Enables Free Riders
California Dreamin’
Processes
• Disclose to requesting data subject the categories and specific pieces of personal information the business has collected.
• At or before the point of data collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.
• Map and classify data so that your business can comply with a data subject’s request (such as an accounting of data or erasure).
Processes
• Retain any personal information collected for a single, one-time transaction, if the information is not sold or retained by the business
• Re-identify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.
To Delete or Not to Delete?
• Complete transaction
• Debug to identify and repair errors that impair existing intended functionality
• Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest
• Comply with legal obligation
Zachary S. Heck, Esq., CIPP/US, Taft Stettinius & Hollister LLP
40 North Main Street, Suite 1700, Dayton, OH 45423-1029
Direct: [email protected]
www.taftlaw.com