CMCP Diversity Matters - May/June 2018
degree of risk posed to the rights and freedoms of data subjects, and the breadth and scope of the processing. For example, some organizations are required to develop a Data Protection Information Assessment (“DPIA”) and consult with the local supervisory authority (and potentially third-party organizations) regarding their internal technical and organizational measures to ensure the proper handling and security of personal data. Further, certain organizations will be required to employ the services of a data privacy officer who is under a specific mandate to ensure that the organization is compliant with the GDPR and who serves as a quasi-internal regulator within the organization. These requirements, however, are not limited to EU-based organizations, and therefore may require a complete overhaul of practices within US-based companies whose practices fall under the scope of the GDPR.

Derived from a historical evolution of data privacy protection since WWII, the GDPR promotes various fundamental principles such as Transparency, Fairness, and Lawfulness in processing personal data, including data minimization and proportionality, to ensure that organizations collect, use, share, combine, organize, adapt, transfer, retain, etc. personal data only to the extent necessary to fulfill the lawful purposes prescribed under the GDPR. Companies must be strategic about the “lawful purposes” under which they are acquiring personal data, and may have different “lawful purposes” depending on the type of personal data they collect (e.g. employee data vs. customer data). Additionally, one must understand whether one is acting in the capacity of a “controller” or a “processor”, as each characterization carries specific legal obligations under the GDPR (and in some cases, an organization may be characterized as both).

To illustrate a key element of the fairness requirement, organizations collecting data directly from data subjects are required to provide clear and easy-to-understand privacy notices at the time of collection (or, if collecting indirectly from a third party, within one month of collection), specifying:

• the identity and contact details of the organization and, if applicable, its data protection officer
• the types of personal data being collected and the specific purposes and legal basis for processing each type of personal data
• the recipients of the personal data
• the organization’s intention to transfer the personal data to a third country or international organization, and whether such territory has been issued an adequacy determination by the European Commission
• the legitimate interests of the organization, if this is the legal basis for processing the personal data
• retention periods for storing personal data
• disclosure of the data subject’s right to withdraw consent at any time (if the lawful basis is derived from consent), or otherwise to request access to, object to, rectify, block, restrict or demand permanent erasure of their personal data
• disclosure of the data subject’s right to lodge a complaint with their local supervisory authority
• the specific nature of the organization’s use of automated decision making with respect to personal data and the consequences thereof
• whether there are any statutory or contractual requirements under which the data subject is required to provide their personal data, and the implications of failing to do so