CMCP Diversity Matters - May/June 2018

More documents

Recommendations

Info

degree of risk posed to the rights and freedoms of data subjects, and the breadth and scope of the processing. For example, some organizations are required to develop a Data Protection Information Assessment (“DPIA”) and consult with the local supervisory authority (and potentially third party organizations) regarding their internal technical and organizational measures to ensure the proper handling and security of personal data. Further, certain organizations will be required to employ the services of a data privacy officer who is under the specific mandate to ensure that the organization is compliant with the GDPR and serves in the capacity as quasi-internal regulator within the organization. These requirements, however, are not limited to EU-based organizations, and therefore may require a complete overhaul of practices within US-based companies whose practices may fall under the scope of the GDPR. Derived from a historical evolution of data privacy protection from WWII, GDPR promotes various fundamental principles such as Transparency, Fairness, and Lawfulness in processing personal data, including data minimization and proportionality to ensure that organizations only collect, use, share, combine, organize, adapt, transfer, retain, etc. personal data only to the extent necessary to fulfill the lawful purposes prescribed under the GDPR. Companies must be strategic about under what “lawful purposes” they are acquiring personal data, and may have different “lawful purposes” depending on the type of personal data they collect (i.e. employee data vs. customer data). Additionally, one must understand if one is acting in the capacity of a “controller” or “processor” as each characterization has specific legal obligations under the GDPR (and in some cases, an organization may be characterized as both). To illustrate a key element of the fairness requirement, organizations collecting data directly from data subjects are required to provide clear and easy-to-understand privacy notices at the time of collection (or if collecting indirectly from a third party, within one month of collection), specifying: • the identity and contact details of the organization and, if applicable, its data protection officer • the types of personal data being collected and the specific purposes and legal basis for processing each type of personal data • the recipients of the personal data • the organization’s intention to transfer the personal data to a third country or international organization, and whether such territory has been issued an adequacy determination by European Commission • the legitimate interests of the organization if this is the legal basis for processing the personal data • retention periods for storing personal data • disclosure of a data subject’s rights to withdraw consent at any time (if the lawful basis is derived from consent), or otherwise request access, and object to, rectify, block, restrict or demand permanent erasure of their personal data • disclosure of the data subject’s right to lodge a complaint with their local supervisory authority • the specific nature of organization’s use of automated decision making with respect to personal data and consequences thereof • if there are any statutory or contractual requirements to which the data subject is required to provide their personal data, and the implications for failing to do so 16 | California Minority Counsel Program
In addition to the above, if an organization directly obtains the data subject’s personal data with their consent through electronic processing, it must also afford the data subject the ability to port it to another platform in a machine-readable format. This requirement fundamentally changes how companies need to think about their customers’ personal data moving forward. Personal data belongs to the data subject, not to the aggregator, and organizations will be forced to facilitate transfers to their competitor’s products and services at the direction of the data subject. Additional aspects of GDPR include specific requirements for limiting the purposes for personal data processing, maintaining data quality and accuracy, limiting retention periods, ensuring the integrity and confidentiality of personal data through technical and organization measures, accountability for compliance with applicable EU laws and breach notification responses. In many cases, however, US organizations receiving data from EU data controllers may be able to comply with the GDPR through self-certification under the EU-US Privacy Shield. The EU-US Privacy Shield requires participants to provide adequate protections for EU data subjects’ personal data under the following guiding principles: • Notice Requirement • Choice Requirement • Accountability For Onward Transfers and Vendor Agreements • Security • Data Integrity and Purpose Limitation • Access • Recourse, Enforcement and Liability • Appropriate Safeguards The EU-US Privacy Shield notably provides EU data subjects with the opportunity to object to the processing of their personal data and seek redress with their own local data protection authority, the Federal Trade Commission, or the Department of Commerce. They can also force US companies into binding arbitration within the data subject’s own local jurisdiction. The costs of such enforcement mechanisms will be borne by the organization processing the data. While this article is merely intended to highlight some of the aspects of the GDPR, it simply could never adequately address the complexities of the Regulation’s detailed requirements, nuances and exceptions. Practitioners should be aware that GDPR not only poses implications for human resources, operational compliance and the IT functions of an organization, but also requires risk assessment for M&A transactions, insurance underwriting, cross-border commercial transactions and new business initiative designs. As such, GDPR should not be regarded as just an EU issue, but rather, a global concern that reaches within our own borders. David Michail is CIPP-E Certified Data Privacy Expert by the International Association of Privacy Professionals and offers regulatory compliance and data privacy officer services for US-based and multi-jurisdictional entities. For more information visit www.metlawgroup.com. May/June 2018 | 17
Page 2 and 3: New Minority Partners at CMCP Membe
Page 4 and 5: Letter from the Executive Director
Page 6 and 7: practical tools and concrete takeaw
Page 8 and 9: 6 | California Minority Counsel Pro
Page 10 and 11: direct patient contact. For example
Page 12 and 13: - which affect 17 different types o
Page 14 and 15: DEVELOPMENT OF WORKPLACE VIOLENCE P
Page 16 and 17: GDPR: THE TOOTHPASTE IS OUT OF THE
Page 20 and 21: NEW MINORITY PARTNERS AT CMCP MEMBE
Page 22 and 23: 20 | California Minority Counsel Pr
Page 24 and 25: FMLA; in fact, the CFRA regulations
Page 26 and 27: California’s PDL statute, however
Page 28 and 29: CMCP Event Highlights Kaiser CLE Ma
Page 30 and 31: Leaders Create More Leaders - Leadi
Page 32 and 33: SCOTUS Erosion of Precedent re Stat
Page 34 and 35: Diversity Calendar The CMCP Diversi
Page 36 and 37: NEWSLETTER COMMITTEE Thank you to o
Page 38 and 39: SWETA H. PATEL Partner Klein, Hocke
Page 40 and 41: JONATHAN M. TURNER Partner Mitchell

CMCP Diversity Matters - May/June 2018

Create successful ePaper yourself

Delete template?

Save as template?