
General Data Protection Regulation (GDPR) 9/9/2020 PACE CONVENTION & EXPO | APRIL 15 -18, 2018 | ATLANTA, GA 1

Agenda
• GDPR Scope
• Principles
• Data Subject Rights
• Additional Obligations
• Next Steps: Processors
• Brace Yourselves: Privacy beyond 2018

Overview
• What is the General Data Protection Regulation (GDPR)?
  - A set of standardized data protection laws across all EU member countries
• Effective Date
  - May 25, 2018
• Why was it created?
  - Protect the fundamental rights and freedoms of EU citizens; particularly, the protection of an individual’s personal data
  - Fragmented data protection in the EU
  - Legal uncertainty
  - Negative perception of online activity
• How does the GDPR differ from the EU Data Protection Directive 1995?
  - Extends jurisdiction
  - Strengthens conditions for consent
  - Previous legislation was a directive; GDPR is a legislative act

Overview Cont.
• Who is covered?
  - All companies processing the personal data of data subjects residing in the EU, regardless of the company’s location
  - Processing of personal data by controllers and processors based in the EU, regardless of whether the processing takes place in the EU
  - Processing of personal data by controllers and processors not established in the EU if the processing relates to the offering of goods or services to EU citizens or the monitoring of behavior that takes place within the EU
• Who enforces it?
  - Supervisory Authorities in the EU Member States where the company operates, coordinated by the European Data Protection Board (EDPB)
• One stop shop for companies?
  - Hardly
  - Countries can still regulate specific types of data (e.g., Human Resources data, health data)

Key Definitions
• Personal Data: Any information relating to an identified or identifiable natural person, a “data subject”. A data subject is a natural person who can be identified, or is identifiable, directly or indirectly
• Processing: Any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means
• Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
• Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

Responsibilities of Controllers & Processors
Controller
• Decision-maker
• Responsible for ensuring compliance
• Obligations with respect to the use of processors
  - Governed by contract; specific requirements set forth by the regulation
  - Monitor to ensure compliance
Processor
• Processes the data at the direction of the controller
• Obligations
  - Technical controls
  - Records of processing
  - Monitor compliance
  - Comply with contract; facilitate the controller’s ability to comply with GDPR

Contract Considerations
• Contract should identify the subject matter, duration, nature, purpose, types of personal data that will be processed, categories of data subjects, and the obligations and rights of the data controller
• Contract should address the following:
  - The confidentiality and security of personal data
  - The ability to sub-contract
  - Responding to requests related to the exercise of rights by a data subject, such as lawfulness, fairness, transparency, access, accuracy, correction, retraction and erasure
  - Record retention: personal data shall be kept for no longer than is necessary to carry out the purpose for which it is being processed
  - Availability of information necessary to prove compliance
  - Audit rights
  - Security breach notification, and
  - Transfers to third countries

Data Processing Principles
Holistic approach towards data privacy

Lawful, fair & transparent processing
At least one of the following must apply:
• Sufficient consent (more later)
• Necessary to perform a contract
• Necessary to comply with a legal obligation
• Necessary to protect the vital interests of a data subject or another natural person
• Necessary to perform a task carried out in the public interest or in the exercise of official authority vested in a controller
• Necessary for the purposes of the legitimate interests pursued by the controller
Examples of “legitimate interests”
• Direct marketing or fraud prevention
• Network and information security
• Reporting criminal acts or threats to public security

Additional Principles
• Purpose Limitation
  - Collect for specified, explicit and legitimate purposes
  - Do not process in a manner incompatible with those purposes
• Data Minimization
  - Collect only what is necessary
• Accuracy
  - Ensure data is accurate and up-to-date
  - Erase or rectify inaccurate data “without delay”

Additional Principles Cont.
• Retention
  - Retain data for no longer than is necessary
• Security
  - Ensure “appropriate security” of personal data
  - Protect against unlawful processing and accidental loss, destruction or damage
• Accountability
  - Comply and be able to demonstrate compliance
  - Vulnerability/penetration testing, monitoring of the compliance program, simulation testing of rights

Transparency, communication and modalities for data subjects to exercise their rights

Transparency, Communication & Modalities
If not disclosed elsewhere, the following information must be disclosed to a data subject:
• Name and contact information of the controller and its data protection officer (DPO)
• Purposes of the processing
• Legal basis of the processing (consent, “legitimate interests”, or others)
• Recipients of personal data
• Details of data transfers outside of the EU
• Right to access, control, correct and port data
• Right to object to processing and withdraw consent
• Right to complain to a supervisory authority
• Whether providing personal data is required by law or contract, and the consequences of not providing it
• Categories and sources of information, under certain circumstances
• Any automated decision-making used
NOTE: requirements vary based on whether the data is obtained directly from the data subject or indirectly.

Transparency, Communication & Modalities
Time of Disclosure
• Data obtained directly from the individual:
  - Disclose at time of data collection
• Data obtained indirectly, disclose:
  - Within a reasonable period of time (max one month)
  - At the time of first communication
  - Before disclosure to another recipient, if applicable
• Exemptions: disclosure not required if
  - Notice is impossible or involves disproportionate effort
  - Already abiding by appropriate Member State law
  - EU or Member State law requires that data remain confidential and secret

Data Subject Rights

Data Subject Rights
Right of Access
• Right to obtain confirmation as to whether or not personal data concerning him or her is being processed
• If data is being processed, the data subject has a right to the following information:
  - The purposes of the processing
  - The categories concerned
  - Recipients of the data
  - Timeframe the data will be maintained
  - The right to request rectification, erasure (in limited cases), and the right to lodge a complaint
  - A copy of the personal data being processed
• Exemptions
  - Risk to intellectual property rights and trade secrets
  - If the request impacts the rights and freedoms of others

Data Subject Rights cont.
Right to Rectification
• Right to have inaccurate information updated without undue delay
Right to Data Portability
• Right to receive a copy of the personal data they provided to the controller, or have the data transmitted directly from one controller to another
• NOTE: applicable only where processing is based on consent, explicit consent, or to fulfill a contract, and the processing is carried out by automated means.

Data Subject Rights cont.
Right to Object
• Right to object, at any time, to the processing of his/her personal data
  - If processing is pursuant to a legitimate or public interest, the controller must demonstrate grounds for the processing to continue
  - If processing is for marketing/profiling, the controller must cease processing upon objection; this right is absolute
Right to Erasure
• Right to have personal data erased without undue delay

Data Subject Rights cont.
Right to Restrict Processing
• Right to request that the controller stop certain processing activities
• Applicable if:
  - The accuracy of the personal data is contested
  - Processing is unlawful and the data subject does not want the data erased
  - The data is no longer needed by the controller, but is needed by the data subject for the exercise or defense of legal claims

Data Subject Rights cont.
Right to not be subject to automated decision-making, including profiling
• Right to object to automated processing
• Exceptions: automated processing is permissible if
  - Necessary for entering into, or performance of, a contract between the controller and data subject
  - It’s authorized by Union or Member State law and suitable safeguarding measures are in place
  - Explicit consent is provided

Additional Obligations

Privacy by Design and Default
Taking into account the state of the art, the cost of implementation and the nature, scope, context, and purposes of processing, the controller must:
• Implement appropriate technical and organizational measures designed to implement data protection principles in an effective manner
• Integrate necessary safeguards into processing
• Implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed

Designation of a DPO
• Required if:
  - Public authority
  - Core activities require regular and systematic monitoring of data subjects on a large scale
  - Large-scale processing of sensitive data or criminal records
  - Obligated by local law (Croatia, Germany, Hungary)
• May outsource to a third party
• Contact details of the DPO must be published and communicated to the Data Protection Authority
• Controller is obligated to support the DPO with appropriate resources and ensure the DPO’s tasks do not result in a conflict of interest

Data Protection Impact Assessment (DPIA or PIA)
• Where processing is likely to result in a high risk to the rights and freedoms of data subjects, organizations should conduct an impact assessment
  - Particularly if implementing new technologies or a new processing activity
  - Transfers to third-party countries could also be considered high risk
• Automated decision-making and processing of special categories of data will require a DPIA
• The Data Protection Officer must be consulted when conducting a DPIA
• When appropriate, the controller should seek the views and opinions of the data subjects impacted by the potential processing operation

Breach Notification
Notice to Supervisory Authority: In the event of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority.
Notice to Data Subjects: When the personal data breach is likely to result in high risk to the rights and freedoms of natural persons, the controller shall notify the data subject without undue delay.
Processor: A processor must notify the controller without undue delay after becoming aware of a personal data breach.

Article 30: Records of Processing
• Controllers and processors must maintain records of processing activities
• Records should include:
  - Name and contact details of the controller
  - Purpose of the processing
  - A description of the categories of data
  - Categories of the recipients of the data
  - Transfers of the data to a third country
  - Time limits the data will be maintained
  - General description of the technical and security measures taken to secure the data
• Records of processing must be made available to the Supervisory Authority upon request
• Does not apply to organizations with fewer than 250 employees unless the activities are likely to result in high risk to rights and freedoms

Article 32: Security of Processing
• Vague description and requirement that organizations implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
• Principles of Information Security must be implemented
  - Confidentiality
  - Integrity
  - Availability
• Further, organizations should implement encryption and pseudonymization where appropriate
• Ongoing and regular testing of the effectiveness of these measures, such as vulnerability and penetration testing, must occur per Article 32
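The pseudonymization measure Article 32 points to, shown as an added example that is not part of the slides: direct identifiers are replaced by keyed HMAC tokens so records can still be joined for analytics, while the key and the token-to-identifier index (the "additional information" that lets a subject be re-identified for access or erasure requests) live in a separate store. The sample records, field names and function names are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of a customer table; the third row is a repeat
# of the first so the join-preserving property is visible.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "country": "DE", "plan": "pro"},
    {"email": "bob@example.com", "country": "FR", "plan": "free"},
    {"email": "alice@example.com", "country": "DE", "plan": "pro"},
]


def new_pseudonymization_key() -> bytes:
    """Secret used to derive pseudonyms. It must be stored apart from the
    pseudonymized data (in practice a KMS/HSM), otherwise the dataset is
    trivially re-identifiable and the measure buys nothing."""
    return secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Deterministic keyed token: same identifier + same key -> same token,
    so rows for one person still line up. Without the key a token cannot
    be linked back, and guessing e-mail addresses does not help because
    the HMAC cannot be recomputed without the key."""
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]


def pseudonymize_records(records, key, id_field="email", keep_fields=("country", "plan")):
    """Replace the direct identifier and drop every field not explicitly kept,
    which also applies the data minimization principle to the output."""
    result = []
    for rec in records:
        row = {"subject_id": pseudonymize(rec[id_field], key)}
        for field in keep_fields:
            if field in rec:
                row[field] = rec[field]
        result.append(row)
    return result


def build_reidentification_index(records, key, id_field="email"):
    """token -> identifier map, kept next to the key in the restricted store;
    needed to answer access and erasure requests against pseudonymized data."""
    return {pseudonymize(r[id_field], key): r[id_field] for r in records}


def erase_subject(pseudo_records, index, identifier, key):
    """Right to erasure: find the subject's rows through the token and remove
    them from both the dataset and the index. Returns the remaining rows."""
    token = pseudonymize(identifier, key)
    index.pop(token, None)
    return [row for row in pseudo_records if row["subject_id"] != token]
```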

Processor Obligations


Processor Obligations Cont.
• Assist with facilitation of data subject rights
• Appropriate technical and security controls
• Data Protection Addendum
• Data Protection Officer
• Processing outside of direction from the Controller is prohibited
• Leveraging sub-processors is only allowed with explicit consent of the Controller
• Records of processing
  - Applicable if employees > 250
• Assist the Controller with data protection impact assessments
  - Not required to conduct DPIAs outside of this
• Data protection by design and default is not a requirement if purely a processor
  - Many processors are implementing it as a competitive advantage

Penalties for Non-Compliance
• Regulators, Administrative Fines, and Consumer Trust
• Supervisory authorities and the EDPB administer fines
• Fine amounts are not automatic
  - “effective, proportionate and dissuasive”
Two tiers
1. Up to € 20, 000 or 4% of global revenue for violations of:
2. Up to € 10, 000 or 2% of global revenue for violations of:
  • Most other provisions

Beyond GDPR
• Current: ePrivacy Directive
  - The “cookie law”
  - Directive applies to publicly available electronic communications systems
  - Regulates marketing communications
• Future: ePrivacy Regulation
  - Over-the-top providers in scope
  - Marketing regulations
  - Cookie consent
• Member states also have privacy regulations
  - Austria and Germany