GDPR Compliance for U.S. Entities

Learn about the scope and legal basis of the EU General Data Protection Regulation (GDPR) as it applies to U.S. entities offering goods or services to individuals in the EU. Explore the importance of consent, contracts, legitimate interests, and direct marketing in ensuring GDPR compliance.

  • GDPR compliance
  • Data protection
  • Legal basis
  • U.S. entities
  • EU regulations

Presentation Transcript


  1. GDPR Overview Christina Krysinski Associate Powers Pyles Sutter & Verville PC christina.krysinski@powerslaw.com | 202-872-6732

  2. Scope of the GDPR
     The EU General Data Protection Regulation (GDPR) governs the processing of personal data by controllers and processors.
     • The controller determines the purposes and means of processing.
     • The processor processes data on behalf of the controller (e.g., a vendor or contractor).
     • Personal data is any information relating to an identified or identifiable natural person.

  3. How does the GDPR apply to U.S. entities?
     • The GDPR applies to a U.S. entity that offers goods or services to individuals located in the EU (whether or not payment is required), or that monitors the behavior of individuals within the EU.
     • It applies only to the extent that the data processing relates to those EU individuals.

  4. Legal Basis for Processing
     • Consent*
     • Contract*
     • Legal obligation
     • Vital interest of the data subject
     • Public interest
     • Legitimate interest of the data controller*
     *These are the legal bases that most entities will rely on.

  5. Legal Basis for Processing: Contract
     Personal data can be processed when necessary for the performance of a contract to which the data subject is a party, for example:
     • Membership agreements
     • Purchases
     • Conference registration

  6. Legal Basis for Processing: Legitimate Interest
     Personal data can be processed when necessary for the purposes of the legitimate interests pursued by the organization (or a third party), unless those interests are overridden by the rights of the data subject.
     • Balance the interests of the organization against the rights of the data subjects.
     • Would the individual reasonably expect their data to be used in this way?

  7. Legal Basis for Processing: Consent
     • Consent must be freely given, specific, informed, and unambiguous.
     • Consent must be an affirmative opt-in; pre-checked boxes, silence, or inactivity do not count.
     • The entity should keep a record showing that consent was received, and when and how it was obtained.
     • Consent may be withdrawn at any time, and withdrawing consent must be as easy as giving it.

  8. Direct Marketing
     • Marketing to existing members/customers can be based on the entity's legitimate interests.
     • Marketing to others can only be done on the basis of their consent.
     • Individuals must be able to opt out of marketing communications at any time; once an individual objects to direct marketing, their data may no longer be processed for that purpose.

  9. Special Categories of Data
     Special categories of data include:
     • Racial or ethnic origin
     • Political opinions
     • Religious or philosophical beliefs
     • Trade union membership
     • Genetic data or biometric data processed for the purpose of uniquely identifying a natural person
     • Data concerning health
     • Data concerning a person's sex life or sexual orientation
     Processing of these categories is prohibited unless a specific exception applies (e.g., the individual's explicit consent), so such data can only be collected under certain circumstances and cannot be shared outside the organization without the individual's explicit consent or another applicable exception.

  10. Privacy Notices
     • When data is collected directly from individuals, the notice must be provided at the point of data collection.
     • When data is obtained from another entity, individuals must receive the privacy notice within a reasonable period, and at the latest within one month.

  11. Privacy Notices
     Must include information regarding:
     • Contact information of the data controller
     • Purpose and legal basis for processing
     • Who will receive the data
     • Whether the data will be transferred outside the EU (e.g., to the U.S.) and the safeguards relied on
     • Data storage period, or the criteria used to determine it
     • Data subjects' rights
     When not collecting data directly from the individual, must also include:
     • Categories of data collected
     • The source from which the entity received the data

  12. Rights of Data Subjects
     • Right of access
     • Right of rectification
     • Right to erasure (right to be forgotten)
     • Right to restrict processing
     • Right to data portability
     • Right to object to processing
     • Right to withdraw consent

  13. Data Storage
     • Data should be stored only as long as necessary for the purpose for which it was collected.
     • The entity should be able to give reasons for the length of storage.
     • Individuals should be able to assess how long their data will be stored.

  14. Data Security
     • Ensure a level of protection appropriate to the nature, scope, context, and purpose of the processing and the level of risk to individuals' rights (measures such as pseudonymization, encryption, the ability to restore availability after an incident, and regular testing of those measures).
     Data Breaches
     • Notify the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals.
     • Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
     • Keep an internal record of every breach, whether or not it was notifiable.

  15. Data Processors
     • Data processors process data on behalf of another entity (the controller).
     • The relationship must be governed by a written contract.

  16. Data Processing Contracts
     The contract must include the following:
     • Processor will only process data consistent with the controller's documented instructions;
     • Subprocessor provisions (no subprocessor without the controller's authorization, and the same obligations flow down to each subprocessor);
     • Processor will ensure adequate protection and confidentiality;
     • Processor agrees to assist the controller with its data protection obligations (including responding to data subject requests and breach notification);
     • Processor will delete or return data at the end of the provision of services;
     • Processor is subject to audits by the data controller.

  17. Compliance
     The GDPR applies from May 25, 2018. Entities should:
     • Examine what data they collect, how it is used, where it comes from, to whom it is disclosed, and how long it is stored.
     • Update privacy policies.
     • Put in place procedures to respond to questions from individuals or requests to exercise their rights (generally within one month of the request).
     • Update contracts that deal with EU individuals' data (processor/controller contracts).
