EVERFI/Jackson Lewis: How to Comply with GDPR Requirements: What every U.S. Company needs to know
1. May 17, 2018
How to Comply with GDPR Requirements: What every U.S. Company needs to know
Preston Clark, J.D.; Joseph Lazzarotti; Jason Gavejian & Mary Costigan
2. Webinar Basics
1 Please ask questions
2 Full presentation will be sent out immediately following event
3 Webinar recording will be sent out next week
4 Post webinar communication plan
4. Your Presenters
Preston Clark, J.D. (President at EVERFI)
President of EVERFI’s Conduct & Culture division, which powers online compliance training programs for over 1,500 organizations worldwide. Preston was formerly Assistant General Counsel for the University of Miami.
Jason C. Gavejian (Principal, Jackson Lewis)
As a Certified Information Privacy Professional (CIPP), Mr. Gavejian focuses on the matrix of laws governing privacy, security, and management of data. He is co-author of, and regular contributor to, the firm’s Privacy Blog.
Mary T. Costigan (Associate, Jackson Lewis)
Advises multinational, national and regional companies on emerging privacy and cybersecurity issues, including best practices and preventive safeguards. Is also a Certified Information Privacy Professional (CIPP) with IAPP.
Joseph J. Lazzarotti (Principal, Jackson Lewis)
Founder and co-lead of the firm’s Privacy, e-Communication and Data Security Practice, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals (IAPP).
5. About Jackson Lewis P.C.
• Represents management exclusively in every aspect of employment, benefits, labor, and immigration law and related litigation, as well as government relations in NYS & NYC.
• Over 800 attorneys in 57 locations nationwide
• Current caseload of over 6,500 litigations, approximately 650 class actions.
• Founding member of L&E Global.
• A leader in educating employers about the laws of equal opportunity, Jackson Lewis understands the importance of having a workforce that reflects the various communities it serves
6. Lawyer’s Disclaimer
Jackson Lewis P.C. has prepared the materials contained in this presentation for the participants’ reference and general information in connection with education seminars presented by the firm and its attorneys. Attendees should consult with counsel before taking any actions that could affect their legal rights and should not consider these materials or discussions about these materials to be legal or other advice regarding any specific matter.
8. The General Data Protection Regulation (GDPR)
• Adopted on April 14, 2016, by the EU Commission and Parliament
• Replaces the 1995 Data Protection Directive (Directive 95/46/EC)
• Effective May 25, 2018
• Broader jurisdiction, greater harmonization, increased penalties
9. Jurisdiction, Territorial Scope
• Establishment
• Offering Goods and Services…Targeting
• Monitoring Behavior
• Resident v. Citizen
11. Personal Data v. Personal Information
• Divergent historical context, purpose
• Personal data
• Very broad: Any information relating to an identified or identifiable natural person
• Sensitive information
• Personal information
13. Processing
• Processing means:
• Any operation or set of operations that are:
• Performed on personal data or on sets of personal data
• Whether or not by automated means
• Includes:
• Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
15. Data Protection Officer
• Appoint if core activities are:
• regular and systematic monitoring of data subjects on a large scale, or
• processing special categories of data or data relating to criminal convictions/offenses on a large scale
• Union representative v. DPO
• More stringent laws in member states
16. WHAT ARE OUR BASIC RESPONSIBILITIES AND OBLIGATIONS?
17. Responsibilities and Obligations
• Data controller v. data processor
• Privacy impact assessment
• Notice
• Privacy by design
• Individual’s rights
• Recording processing activities
19. Data Breaches
• What is a breach
• When to report to Supervisory Authority
• When to report to affected individuals
• Risk of harm exception
• Interactions with U.S. breach notification requirements
22. WHAT DO WE NEED TO DO ABOUT DATA SECURITY? ARE THERE ANY SPECIAL REQUIREMENTS?
23. Data Security
• No specific framework or technologies required.
• Pseudonymization and encryption
• Privacy by design
• Data processor agreements
• Breach detection
24. CAN OUR U.S. EMPLOYEES ACCESS PERSONAL DATA OF DATA SUBJECTS IN THE EU?
25. Accessing EU Data
• Lawful basis
• “Adequate safeguards”
• Privacy Shield
• Model contracts
• Binding corporate rules
27. Enforcement
• Investigatory authority
• “Effective, proportionate and dissuasive”
• Level 1 fines - up to the greater of 10,000,000 EUR or 2% of total worldwide annual turnover.
• Level 2 fines - up to the greater of 20,000,000 EUR or 4% of total worldwide annual turnover.
• Judicial remedies
29. Take-Aways
• Getting started
• Map your data
• Assess application and compliance requirements
• Prepare employees (training)
• Coordinate with U.S. and other jurisdictions
• Document your steps
31. Thank You!