Upload: jan-dhont

Post on 16-Apr-2017


Page 1: Roadmap to the GDPR - Brexit Analysis OUtsourcing Processors - Presentation

Roadmap to the GDPR: Brexit Analysis, Outsourcing & Processors

July 14, 2016

Follow us: @AlstonPrivacy www.AlstonPrivacy.com 2

Speakers

Peter Swire, Senior Counsel, Atlanta, Alston & Bird

Jan Dhont, Partner, Brussels, Alston & Bird

Karen Sanzaro, Counsel, Washington, D.C., Alston & Bird

Overview

Update on the Privacy Shield.

Brexit and Data Protection in Europe.

The GDPR. Outsourcing and Processors.

Outsourcing. The US perspective.

Insert Peter’s slides

Brexit - The Broader Picture

Brexit has no immediate effect but complicates long-term planning

Process: two-year negotiation period after formal notification to the EU (Art. 50 EU Treaty)

Qualified majority of the European Council and approval by the European Parliament

Outcome unclear, a lot of speculation (EEA or EFTA-type deal; Free trade agreement)

After exit: Substantial legislation in place that implements EU Directives

Regulations will cease to apply

Brexit and Data Privacy

UK remains part of the EU until formal exit. UK companies may import/export personal data freely.

Third-country transfer restrictions apply as usual

After exit? The UK will be a “third country”

GDPR will not directly apply – formal “inadequacy”

Main establishment status – uncertain future in the UK

UK may amend Data Protection Act to reflect GDPR and obtain adequacy (cf. Switzerland)

Privacy Shield can be used by UK companies until Brexit.

Practical guideline: Include the UK in GDPR implementation plan as before.

Outsourcing & Processors

Introduction

- Controller / Processor duality maintained

- Processors are liable under the GDPR

- Increased importance of information security

Territorial Scope/Applicable Law

Directive vs. GDPR: is the controller/processor subject to the law?

Located inside the EU

- Directive: controller Yes; processor No

- GDPR: controller Yes; processor Yes (new!)

Located outside the EU

- Directive: controller No, unless use of equipment (or processor) in the EU; processor No

- GDPR: controller Yes, if processing relates to (i) offering of goods or services to data subjects in the EU; or (ii) monitoring of their behavior in the EU (new!); processor Yes, if processing relates to (i) offering of goods or services to data subjects in the EU; or (ii) monitoring of their behavior in the EU (new!)

Directive:

- In principle no direct obligations for processors

- Varying national information security standards distort market

- Vendor based in the EEA may trigger “use of equipment” standard

GDPR:

- Direct obligations for processors

- In principle only one information security standard

- “Use of equipment” not maintained, but replaced by “monitoring” criterion

Territorial Scope/Applicable Law

Practical consequences:

- Companies (controllers and processors) outside the EU but subject to GDPR need to appoint a representative.

- Companies (controllers and processors) in the U.S. may be subject to the GDPR even if they have no presence in the EU and be required to apply outsourcing requirements.

- Processors in the EU may have competitive disadvantage compared to processors outside the EU.

The Controller’s Perspective

Outsourcing Requirements - Regime

Vendor must provide appropriate technical and organizational measures:

- to ensure processing is GDPR-compliant, and

- to ensure individuals’ data protection rights are observed (Art. 28 GDPR)

Requirement 1: Select Adequate Vendor

Assessment

- Substantially higher standard than Directive

- Vendor vetting (and tracking thereof) will become key

- Expected move towards increased information security (especially encryption) and incident tracking services

- Vendors need to anticipate enhanced consumer choice and accommodate privacy-by-design/default

- Also vendors outside the EU if they want to maintain EU market share

Outsourcing Requirements - Regime (cont.)

Requirement 2: Controllers remain responsible for sub-contracting (Article 28(2) and (4))

- Subcontracting requires the specific or general written authorization of the controller.

- The sub-contractor must be held to “the same data protection obligations” as set out in the contract between the controller and processor.

- Processor is primarily liable to the controller for sub-processor’s failure to comply.

Assessment

- Sub-contracting must be part of vendor vetting

- Applying “the same data protection obligations” can be problematic in practice

- Vendors acting as sub-vendors need to anticipate controllers’ compliance needs – may also create competitive advantages (e.g., providers of security monitoring/encryption services)

Outsourcing Requirements - Regime (cont.)

Requirement 3: Mandatory Stipulations

- The processing must be governed by a contract or other legal act under EU law that binds the processor.

- Contract must be in writing – can be electronic.

- Commission-approved “model contract” possible (Article 28 (7)).

Assessment

- Existing arrangements not “grandfathered” under GDPR

- Review of service agreements required – requires in some cases strategic planning:

  - Prioritization

  - Gap assessment

  - Documentation of vendor commitments/agreed measures

  - Contract amendment/termination

- Negotiations may be difficult, e.g. liability caps, (in)sufficient cyber-security insurance, etc.

- Consider data processing templates and vendor onboarding process/program

Outsourcing Requirements - Mandatory Stipulations

Required Terms (Article 28 (3) GDPR).

Details on (i) subject-matter and duration of processing, (ii) nature and purpose of processing, (iii) type of personal data and data subjects, and (iv) obligations and rights of the controller

Processing on Instructions. Only process data on “documented instructions” from the controller. Including data transfers outside the EU.

Confidentiality undertaking. Personnel authorized to process data must be subject to confidentiality obligations.

Security measures. Implement adequate information security (Article 32 GDPR).

Engagement of sub-processors. The processor must respect the GDPR’s regime on sub-processing (including flow-down of obligations).

Assist on data subject rights.

Assist on controller obligations. Includes assistance with respect to (i) appropriate information security; (ii) breach notification; (iii) DPIAs; and (iv) audits by the Supervisory Authority.

Data deletion/return.

Information and audits. Processor must make available to controller “all information required to demonstrate compliance” with outsourcing requirements and permit controller (mandated) audits.

Accountability Requires Vendor Management Program

Vendor Selection

• Risk categorization

• Review of transfers and uses

• Subcontractors

• Security review

• Vendor solvency and cyber-insurance

Contract Management

• Develop template data processing agreements

• Service agreements should enable and facilitate oversight, including audit rights, on-site inspections, periodic testing, vendor reporting obligations

Audit & Oversight

• Vendor inventory – record for each vendor containing basic vendor information/data-mapping/relevant documentation (service agreements, processing instructions, reports on data breaches, etc.)

• Review Procedures and Templates – SOPs on regularity and intensity of oversight and standard forms for conducting and documenting reviews

• Governance and Follow Up – Relevant company stakeholders should be involved and sign-off responsibility for oversight assessment and remediation

The Processor’s Perspective

Obligations for Vendors

1. Maintain record of processing activities and keep available to SAs

- Processor Information/Contact Details

- Controller (client/customer) Information – for each controller

- Categories of Processing – categories of processing carried out on behalf of each controller

- Transfers – identification of any “third countries” to which data are transferred

- Security Measures – general description “where possible” of the technical and organizational measures

Obligations for Vendors (cont.)

2. Cooperation duty with Supervisory Authorities.

3. Designate a representative (if applicable) and/or a DPO as required under the GDPR or by national law.

4. Comply with data transfer regime.*

5. Comply with sub-contractor and “down-flow” requirements.

6. Obligation to notify the controller without undue delay in case of personal data breach.

Considerations for Processors

Work on strategy to deal with potential liability and customer demands:

- Assess potential liability exposure and options to reduce exposure (e.g., contractual, relocation of data center, etc.).

- Anticipate specific demands in terms of enhanced information security, breach response, privacy-by-design/default and cooperation with SA inspections.

- Accommodation of client-driven GDPR expectations may cause system/back-end issues (heavy lifting may be required for IT).

Focus on sub-contractor oversight and controls.

Develop data processing language for service agreements in anticipation of customer request.

Secure certain data uses (e.g. data analytics, improvement of service platforms) in agreements.

Liability Regime

Administrative Liability.

Both the controller and processor are liable for compliance with requirements applicable to them – up to 10 million Euros or 2 percent of the company’s global turnover.

Processor is liable as controller for processing outside instructions (Article 28 (10)).

Civil Liability.

Controller is liable for damage caused by processing in violation of the GDPR.

Processor is liable for damage caused by processing in violation of provisions to which it is specifically subject.

Joint and several liability for obligations to which both controller and processor are subject. Possible to redistribute liability by contract.

Conclusion

GDPR is expected to result in heavy recalibration of legal and commercial relations between controllers/processors.

Vendor management should be high up on GDPR preparation list given expected complexities.

Vendors should start getting prepared. Challenges but also opportunities for vendors to anticipate client demands.

Large-scale processors may come under SA scrutiny – not the case under Directive.

Practical Considerations

What does it all mean?

Enhanced Accountability for Controllers

“Sufficient Guarantees”

Direct application to processors

Mandatory Contract requirements

Joint and Several Liability

Enhanced Rights for Data Subjects

Breach Notification Requirements

Vendor Management Updates

Risk-Based Approach

Risk classification will drive level of due diligence and oversight

Data Protection Impact Assessment may be required

High risk processing (new technology, widespread processing, sensitive data, processing that makes it difficult for data subjects to exercise rights)

Specific activities designated by Supervisory Authorities

PIA should take vendors into account

Data Security Considerations

Due Diligence

• Pseudonymization / encryption

• Business Continuity / Disaster Recovery

• Participation in approved codes of conduct

• Financial / cyber and other insurance

Contracts

• Allocation of responsibilities / liabilities

• Notification Requirements

Oversight

• Audits

• Regular Testing (e.g., annual penetration tests)

• Security questionnaire updates

• Participation in customer incident response planning and testing

Enhanced Data Subject Rights

Due Diligence

• Assessment of processor capabilities

• Right of access / erasure

• Data portability requirements

Contracts

• Allocation of responsibilities

• Fees

• Response Times

Oversight

• Reporting requirements

• Service Levels

• Audit rights

Subcontractor Objection Rights

Due Diligence

• Identify material subcontractors

• Include in PIA / due diligence as necessary

• Data portability requirements

Contracts

• Right to Object

• Multi-tenant cloud and shared service offerings?

Oversight

• Reporting

• Audit rights

Controller Instruction

Due Diligence

• Scope of data processing

• Analytics?

Contracts

• Vendors will want to specify controller instructions

• Joint controller risk

Oversight

• Reporting

• Audit rights

Oversight and Governance

Identify Stakeholders:

Information Security

Privacy

Legal

Business

Active Monitoring

Remediation

Contract Support

New York Webcast Participation

If you are requesting CLE credit in New York, please enter the following code on the Attorney Affirmation sheet. Refer to your webcast confirmation for a link to the sheet.

AB7132016

About Alston & Bird’s Privacy and Data Security Practice:

Follow us: @AlstonPrivacy

www.AlstonPrivacy.com

Cybersecurity Preparedness & Response Team

Alston & Bird’s Cybersecurity Preparedness & Response Team specializes in assisting clients in both preventing and responding to security incidents and data breaches, including all varieties of network intrusion and data loss events.

www.alstonsecurity.com

Privacy & Data Security Team

Our team helps clients at every step of the information life cycle, from developing and implementing corporate policies and procedures to representation on transactional matters, public policy and legislative issues, and litigation.

www.alston.com/privacy

Questions