CMCP Diversity Matters - May/June 2018
In addition to the above, if an organization directly obtains the data subject’s personal data with their consent through electronic processing, it must also afford the data subject the ability to port it to another platform in a machine-readable format.

This requirement fundamentally changes how companies need to think about their customers’ personal data moving forward. Personal data belongs to the data subject, not to the aggregator, and organizations will be forced to facilitate transfers to their competitors’ products and services at the direction of the data subject.
Additional aspects of GDPR include specific requirements for limiting the purposes of personal data processing, maintaining data quality and accuracy, limiting retention periods, ensuring the integrity and confidentiality of personal data through technical and organizational measures, accountability for compliance with applicable EU laws, and breach notification responses.
In many cases, however, US organizations receiving data from EU data controllers may be able to comply with the GDPR through self-certification under the EU-US Privacy Shield.
The EU-US Privacy Shield requires participants to provide adequate protections for EU data subjects’ personal data under the following guiding principles:

• Notice Requirement
• Choice Requirement
• Accountability For Onward Transfers and Vendor Agreements
• Security
• Data Integrity and Purpose Limitation
• Access
• Recourse, Enforcement and Liability
• Appropriate Safeguards
The EU-US Privacy Shield notably provides EU data subjects with the opportunity to object to the processing of their personal data and seek redress with their own local data protection authority, the Federal Trade Commission, or the Department of Commerce. They can also force US companies into binding arbitration within the data subject’s own local jurisdiction. The costs of such enforcement mechanisms will be borne by the organization processing the data.
While this article is merely intended to highlight some of the aspects of the GDPR, it simply could never adequately address the complexities of the Regulation’s detailed requirements, nuances and exceptions. Practitioners should be aware that GDPR not only poses implications for human resources, operational compliance and the IT functions of an organization, but also requires risk assessment for M&A transactions, insurance underwriting, cross-border commercial transactions and new business initiative designs. As such, GDPR should not be regarded as just an EU issue, but rather a global concern that reaches within our own borders.
David Michail is a CIPP-E Certified Data Privacy Expert, certified by the International Association of Privacy Professionals, and offers regulatory compliance and data privacy officer services for US-based and multi-jurisdictional entities. For more information visit www.metlawgroup.com.
May/June 2018 | 17