
A13_General Data Protection Regulation (GDPR) How does it impact Asia?

JPAAWG

November 15, 2019

Transcript

  1. General Data Protection Regulation (GDPR) How does it impact Asia?

    Dennis Dayman - CIPP/US, CIPP/E, CIPT, FIP
    Industry Data Protection Officer
    M3AAWG Public Policy; M3AAWG Program Committee and Growth and Development Chair
    Tokyo, Japan
    JP-AAWG 2nd General Meeting | Tokyo, Japan | November 2019
  2. Legal warning

    • This presentation is being provided for informational purposes only. Nothing in this presentation shall be construed as creating a representation, legal advice, warranty or commitment, contractual or otherwise, by M3AAWG, myself or others, or any affiliates, to you or any other person or entity.
    • It also does not guarantee that your email and/or any other aspect of your business is in compliance with state, federal or international laws.
    • M3AAWG and others make no representation, warranty or commitment that any message you send to end users will be delivered or that your programs have the proper privacy processes.
    • This presentation is not a substitute for, should not be used in place of, and should not be considered, legal advice. It is recommended that you contact your general or legal counsel.
  3. Why the GDPR is relevant to you in the APAC region

    • As you're no doubt aware, the EU General Data Protection Regulation or "GDPR" took effect on Friday 25 May 2018.
    • In the run-up to that date I received lots of emails from businesses I interacted with, explaining how they wished to use my data and asking for my consent to continue using my data and/or marketing to me.
    • However, many businesses and consumers in the APAC region are not aware of why the GDPR may be relevant to them, or of the wide-ranging impact of the GDPR on businesses outside the EU.
  4. What is the GDPR

    • GDPR is a data privacy law intended to update existing law, harmonize and enhance data protection across the EU, and take account of new and future technologies and processes.
    • It builds upon the existing EU data protection regime established under the EU's 1995 Data Protection Directive, giving individuals significantly enhanced rights in relation to the use of their personal data and imposing significant new obligations on organizations processing personal data.
    • The concepts it introduces or strengthens include:
      – the 'right to be forgotten'
      – data portability
      – data breach notification
      – accountability
      – and much more…
  5. GDPR Impacts

    • GDPR will undoubtedly have a huge impact on any business concerned with data, regardless of its location.
    • GDPR was the biggest shift in data protection and privacy legislation in Europe for a generation. It has extraterritorial effect, so an Asia Pacific-based company may have to comply even though it is not based in Europe.
    • Failure to comply means heavy financial penalties: up to 4% of annual worldwide turnover, or up to €20 million (about ¥2.4 billion), whichever is the greater.
  6. Math Time

    • Google reported worldwide revenues of $136.22 billion (¥14.8 trillion) in 2018.
    • A 4% fine on that would be about ¥592 billion.
    • In January 2019 Google was fined €50 million ($57 million / ¥6.2 billion) by the French DPA (CNIL).
    • British Airways: a proposed fine of $205 million / ¥22 billion for last year's breach of its security systems.
  7. Fines Issued for GDPR Violations

    • Italy: fine against a data processor for insufficient IT security, ¥6 million
    • Portugal: fine against a hospital for insufficient profile (access) management in its hospital IT system, ¥48 million
    • Poland: fine against an information service for failing to notify data subjects of the use of their data, ¥26.6 million
    • Norway: fine of ¥20.5 million because of insufficient security in a local municipality's IT system
    • Germany: a real estate company was fined ¥1.8 billion (the week before this talk) for storing personal data without a legal basis and for not implementing the GDPR principle of privacy by design
  8. Reputational Impacts: A powerful business asset

    • China and Japan are beginning to realize that even if there isn't a lot of enforcement activity right away in APAC, it could catch up with them, and that would be bad for their reputation.
    • Under its own law, direct enforcement by the Japanese Commission:
      – Imprisonment for up to 1 year or a fine of up to ¥500,000 for data theft or for providing the data for illicit (wrongful) gain under the Japanese Act on the Protection of Personal Information (APPI).
      – If the disclosing party is a legal entity, the relevant officers, representatives or managers responsible for the disclosure are subject to the penalty, and the legal entity is subject to a fine.
      – This could be bad for customers' perception of your business, press coverage, etc.
  9. GDPR readiness among APAC organizations

    • A survey found 93% of APAC companies don't have a plan in place for GDPR.
    • Only 32% of Japanese respondents indicated that they were fully compliant with the GDPR.
      – That was more than 10% lower than their Western counterparts.
    • Preparing for GDPR is a huge undertaking.
      – It comes at a time when data volumes are at unprecedented levels.
      – 2.5 quintillion bytes of data are created every single day.
      – 44 zettabytes of data will be created annually by 2020.
    • Demand for next-generation technology is showing similarly dramatic growth (APAC spending on robotics will more than double by 2020, to more than $133 billion).
    • Together these all mean that when it comes to GDPR, APAC has no choice but to act now.
  10. Extraterritorial Effects

    • If an organization processes any personal data of individuals in the EU in connection with offering goods or services, the GDPR applies.
      – No matter where the organization is based. 'Personal data' is defined as any information 'that can be used to directly or indirectly identify the person'.
      – Asia Pacific-based companies with no presence in the EU will be caught by the GDPR if they either target offers of goods or services to, or monitor the behaviour of, individuals in the EU.
    • What's more, the conditions for getting consent to process data also change.
      – Piles of dense legal terms and conditions text will no longer suffice.
      – Instead, requests will need to be 'given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent', meaning it must be unambiguous.
  11. Extraterritorial Effect Actions

    • Assess whether your online activities result in you processing EU personal data for the purposes of the GDPR.
    • This could include situations where your websites and apps directly offer goods or services to individuals within the EU, or where cookies and tracking activities on your websites and apps monitor the behaviour of individuals within the EU.
    • Also, decide what the lawful bases are for your processing.
      – Which basis is most appropriate to use will depend on your purpose and your relationship with the individual.
      – Most lawful bases require that processing is 'necessary' for a specific purpose.
  12. What are the lawful bases for processing?

    1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
    2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract for paid services.
      – Credit card processing
      – Services rendered
    3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
      – Employee information (salary, etc.)
      – Court orders
      – Criminal or accident related matters
  13. What are the lawful bases for processing?

    4. Vital interests: the processing is necessary to protect someone's life.
      – Hospitals
      – Monitoring infectious diseases
    5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
      – University research
      – Public authorities
      – Utility companies
    6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.
      – Fraud protection
      – Ensuring network and information security
  14. When is processing 'necessary'?

    • Many of the lawful bases for processing depend on the processing being "necessary".
    • This does not mean that processing has to be absolutely essential.
    • It must be more than just useful, and more than just standard practice.
    • It must be a targeted and proportionate way of achieving a specific purpose.
    • It is not enough to argue that processing is necessary because you have chosen to operate your business in a particular way.
      – The question is whether the processing is objectively necessary for the stated purpose, not whether it is a necessary part of your chosen methods.
  15. How organizations must act

    • Data infrastructure: organizations will need to set up a data governance system that demonstrates the necessary levels of auditing, sharing and control.
    • Data specialists: organizations will be required to appoint a Data Protection Officer if their core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive (special category) personal data.
    • Data portability: organizations will need to make it easy for people to transfer their own data, if the data can identify them. The data will also need to be provided in a structured, commonly used and machine-readable format.
  16. How organizations must act

    • Data breaches: once an organization becomes aware of a breach, the relevant supervisory authority must be notified without undue delay and, where feasible, within 72 hours (unless the breach is unlikely to result in a risk to individuals). This will require setting up a formal data breach reporting process.
    • Data access: employees working with data will be expected to have the permission levels needed to access what they need… but nothing more.
    • Data deletion: GDPR builds on the 'right to be forgotten', which has long been the subject of court-based challenges between Google and France. Organizations will need to prepare robust and compliant procedures for deleting data if requested to by the user.
  17. Accountability and governance

    • You must be able to demonstrate compliance with the GDPR:
      – Establishing a governance structure with roles and responsibilities.
      – Keeping a detailed record of all data processing operations.
      – Documenting data protection policies and procedures.
      – Carrying out DPIAs (data protection impact assessments) for high-risk processing operations.
      – Implementing appropriate measures to secure personal data.
      – Conducting staff awareness training.
      – Where required, appointing a data protection officer.
  18. Data protection by design and by default

    • Data controllers and processors must implement technical and organizational measures that are designed to implement the data processing principles effectively.
      – Appropriate safeguards should be integrated into the processing.
      – Data protection must be considered at the design stage of any new process, system or technology.
      – A privacy by design process should be used.
    • This means controllers must integrate or 'bake in' data protection into processing activities and business practices from the design stage and throughout the lifecycle.
      – A DPIA (data protection impact assessment) is an integral part of privacy by design.
  19. Transparency and privacy notices

    • Organizations must be clear and transparent about how personal data is going to be processed, by whom and why.
      – When personal data is collected directly from data subjects, data controllers must provide a privacy notice at the time of collection.
      – For all processing activities, data controllers must decide how the data subjects will be informed and design privacy notices accordingly. Notices can be issued in stages.
      – Privacy notices must be provided to data subjects in a concise, transparent and easily accessible form, using clear and plain language.
  20. Data transfers outside the EU

    • GDPR restricts the transfer of personal data to countries outside the EEA, or to international organizations.
      – These restrictions apply to all transfers, no matter the size of the transfer or how often you carry them out.
    • The transfer of personal data to international organizations and countries outside the EEA is only allowed:
      – With the explicit consent of the data subject (as a derogation for specific situations)
      – Through Standard Contractual Clauses (Model Clauses) or Binding Corporate Rules (BCRs)
      – Where the EU has recognized a country as providing an adequate level of data protection.
    • The EU has recognized 11 countries or territories, including Argentina, Israel, New Zealand and most recently Japan, as providing fully adequate data protection.
  21. Data transfers outside the EU to Japan

    • On January 23, 2019, the European Commission and Japan mutually recognized each other's data protection laws as providing an adequate level of protection of personal data.
      – Japan's was the first adequacy decision adopted by the European Commission (EC) under the GDPR.
      – Organizations in the EU can now share personal data with organizations in Japan without needing to go through Model Clauses or Binding Corporate Rules (BCRs).
      – The decision is one of mutual adequacy and creates the world's largest area of safe data flows.
      – Japan's recently amended Act on the Protection of Personal Information (APPI) requires third countries to have a level of data protection equal to that of Japan before data can flow freely to them without additional safety checks.
  22. Data transfers outside the EU to Japan

    • The mutual adequacy finding will complement the existing trade benefits of the Japan-EU Economic Partnership Agreement and contribute to the Japan-EU strategic partnership by facilitating the data flow between them.
    • Companies are expected to benefit from unhindered, safe and free data transfers between the two economies that would remain restricted in the absence of the reciprocal recognition.
    • Japan agreed to put in place stricter guidelines for the re-transfer of personal data that was originally transferred from within the EU to a company in a third country, and additional limitations on the use of sensitive data.
    • Japan also agreed to implement a new mechanism to allow EU residents to file complaints with Japan's data protection authority if companies in Japan unlawfully access or use their data.
  23. How does the GDPR affect email?

    • While we may not think of email as subject to GDPR, a mailbox in fact contains a trove of personal data.
      – From names and email addresses to attachments and conversations about people, all could be covered by the GDPR's strict new requirements on data protection.
    • While most of the focus regarding GDPR email requirements has centered on email marketing and spam, there are other aspects, such as email encryption and email safety, that are equally important for GDPR compliance.
  24. What the GDPR says:

    • The GDPR requires "data protection by design and by default", meaning organizations must always consider the data protection implications of any new or existing products or services.
      – GDPR lists the principles of data protection you must adhere to, including the adoption of appropriate technical measures to secure data.
      – Encryption and pseudonymization are cited in the law (Article 32) as examples of technical measures you can use to minimize the potential damage in the event of a data breach.
  25. What it means for email

    • When it comes to email, encryption is the most feasible option.
    • As little as five years ago, that would not have been true.
      – Email encryption technology has developed rapidly, and several companies now offer end-to-end encrypted email services.
      – Cloud-based, secure email is now a convenient and practical option.
    • While encryption is not required, it is up to every organization to develop a rationale for adopting the most appropriate data security practices.
  26. What the GDPR says:

    • There's one more email aspect of the GDPR, and that's email security. Article 5(1)(f) says personal data must be processed in a manner that ensures appropriate security, including protection "against accidental loss, destruction or damage, using appropriate technical or organisational measures".
  27. What it means for email

    • Email encryption is a technical measure under GDPR.
    • Organizational measures under GDPR have to do with internal policies, management and training.
    • By one widely cited estimate, 91% of cyber attacks begin with a phishing email, in which attackers attempt to gain access to an account or device using deception or malware.
      – Links and attachments from unknown senders should never be clicked or downloaded.
      – Once an attacker gains access to one account or device, it's often easy to access others, meaning a mistake by one employee could compromise vast amounts of data.
      – If you cannot show regulators that you have implemented the proper technical and organizational measures, then you could be on the hook for huge EU fines and compensation to data subjects.
    • To avoid liability, it's important to educate your team about email safety.
      – Basic steps like requiring two-factor authentication can go a long way toward protecting data and complying with the GDPR.
      – Regular phishing testing for staff.
  28. What the GDPR says:

    • Article 5(1)(e) of the GDPR states that personal data shall be kept for no longer than is necessary for the purposes for which it is being processed.
    • Article 17 provides everyone with the 'right to be forgotten'.
      – Organizations are storing and retaining more information each day; as the digital age continues to evolve and data storage gets cheaper, it is easier for companies to capture increasing amounts of data that can help to drive business insight.
    • Organizations must therefore ensure personal data is securely disposed of when no longer needed.
    • There are some circumstances where personal data may be stored for longer periods (e.g. archiving purposes in the public interest, scientific or historical research purposes).
  29. What it means for email

    • Many of us never delete emails.
      – There are plenty of good reasons: we may need to refer to them someday as a system of record of our activities.
    • The more data you keep, the greater your liability if there's a data breach.
    • The erasure of unneeded personal data is now required under GDPR.
      – You should periodically review your organization's data retention policies with the goal of reducing the amount of data your employees or customers store in their mailboxes.
      – The regulation requires you to be able to show that you have a policy in place that balances your legitimate business interests against your data protection obligations under the GDPR.
    • From a technical standpoint, email data erasure can be quite simple and often it can be automated.
      – ProtonMail and some other email services have an expiring email option that allows you to set messages for deletion after a designated length of time.
    • Whatever email retention strategy your organization decides on, it's going to require some getting used to, but it will significantly lower your GDPR exposure.
  30. What it means for email

    • Organizations that have become used to keeping backups of everything forever will need to modify their practices and culture in order to comply with the 'what is necessary' and 'no longer than necessary' requirements.
      – Rather than backing up everything in bulk as whole systems, organizations may find it easiest to separate system backups from personal data backups, so that system backups can be kept for much longer retention periods than might be allowed or justifiable for the personal data.
      – Rotate backup media (disk or tape) so that older backups are overwritten by newer ones and stale or outdated personal data is not retained for too long.
  31. HOWEVER!

    • The primary purpose of a backup is to recover data after its loss. This means having a backup is also a legitimate interest of a company, so you may not have to purge every backup.
      – Only a DPIA (data protection impact assessment) will help determine this.
    • Keeping the backup untouched is a compelling legitimate ground.
    • But when a backup is restored, data that an individual has asked to have deleted will come back. This has to be avoided.
      – Keep a list of all deletion requests received after the backup was created.
      – Whenever you need to restore the backup, reprocess all those deletion requests before using the data. That way the restored data will no longer contain anything the individual asked to have deleted. Of course, you also need a proper backup strategy for the deletion request list itself.
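The two mechanisms above (automated retention erasure on slide 29 and the replay of a deletion-request list after a backup restore on slide 31) can be put into one small piece of code. The following is an added example written for this page, not code from the presentation or from M3AAWG; the `MailStore`, `Message`, `DeletionRequest` and `Snapshot` types, the `subject` tag on each message, and the constructed scenario in `demo()` are all assumptions made for illustration.

```python
from __future__ import annotations

import copy
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Message:
    msg_id: str
    subject: str        # the data subject this message is about (assumed tag)
    received: datetime
    body: str


@dataclass
class DeletionRequest:
    subject: str
    requested_at: datetime


@dataclass
class Snapshot:
    taken_at: datetime
    messages: dict[str, Message]


class MailStore:
    """Hypothetical mailbox with a retention period and an append-only
    deletion-request log that lives outside the mailbox backups."""

    def __init__(self, retention_days: int) -> None:
        self.retention = timedelta(days=retention_days)
        self.messages: dict[str, Message] = {}
        # Backed up separately from the mailbox, so a restored mailbox can be
        # reconciled against requests received after the snapshot was taken.
        self.deletion_log: list[DeletionRequest] = []

    def add(self, msg: Message) -> None:
        self.messages[msg.msg_id] = msg

    def retention_sweep(self, now: datetime) -> list[str]:
        """Erase messages older than the retention period; return erased ids."""
        cutoff = now - self.retention
        expired = [mid for mid, m in self.messages.items() if m.received < cutoff]
        for mid in expired:
            del self.messages[mid]
        return sorted(expired)

    def _erase_subject(self, subject: str) -> list[str]:
        hits = [mid for mid, m in self.messages.items() if m.subject == subject]
        for mid in hits:
            del self.messages[mid]
        return sorted(hits)

    def process_deletion_request(self, subject: str, now: datetime) -> list[str]:
        """Honour an Article 17 request: record it first, then erase."""
        self.deletion_log.append(DeletionRequest(subject, now))
        return self._erase_subject(subject)

    def snapshot(self, now: datetime) -> Snapshot:
        """Back up the mailbox; the deletion log is deliberately not included."""
        return Snapshot(taken_at=now, messages=copy.deepcopy(self.messages))

    def restore(self, snap: Snapshot, now: datetime) -> list[str]:
        """Restore a backup, then replay every deletion request logged since the
        backup was taken and re-apply retention, so erased data does not return.
        Returns the ids removed during reconciliation."""
        self.messages = copy.deepcopy(snap.messages)
        removed: list[str] = []
        for req in self.deletion_log:
            if req.requested_at >= snap.taken_at:
                removed += self._erase_subject(req.subject)
        removed += self.retention_sweep(now)
        return sorted(removed)


def demo() -> dict[str, list[str]]:
    """Constructed scenario: sweep, back up, receive a deletion request,
    lose the mailbox, restore and reconcile."""
    t0 = datetime(2019, 11, 1, tzinfo=timezone.utc)
    store = MailStore(retention_days=90)
    store.add(Message("m1", "alice@example.com", t0 - timedelta(days=200), "old thread"))
    store.add(Message("m2", "alice@example.com", t0 - timedelta(days=10), "recent thread"))
    store.add(Message("m3", "bob@example.com", t0 - timedelta(days=5), "unrelated"))

    swept = store.retention_sweep(t0)                        # m1 is past retention
    snap = store.snapshot(t0 + timedelta(days=1))            # backup still holds m2, m3
    erased = store.process_deletion_request("alice@example.com", t0 + timedelta(days=2))
    store.messages.clear()                                   # simulated data loss
    replayed = store.restore(snap, t0 + timedelta(days=3))   # m2 must not come back
    return {"swept": swept, "erased": erased, "replayed": replayed,
            "remaining": sorted(store.messages)}


if __name__ == "__main__":
    print(demo())
```

The restore path is the part that matters: a plain restore of the snapshot would silently resurrect "m2", which Alice asked to have erased after the backup was taken. Two practical caveats follow from the slide's own advice: the deletion log contains personal data itself (the identifier needed to find the records), so it needs its own lawful basis, minimal content and a backup plan; and the log must be consulted for every restore, including partial restores of a single mailbox.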
  32. GDPR after 1 year

    • Data protection authorities are overwhelmed with enquiries, complaints and caseloads.
    • 280,000 investigations/cases and 90,000 data breach notifications.
    • More than half of EU countries have levied fines to date.
    • Litigation has been slow to take off, but larger fines and formal orders that affect business models are occurring and will lead to more litigation.
    • Many of the cases will be litigated for many years (up to the CJEU) before final clarification is achieved.
    • Brexit will change data flows.
    • More countries, like Japan, will work to ensure the free flow of data.
  33. What should organizations consider in these regulatory trends?

    • Continue embedding privacy and information security in your general risk assessments, and consider a heightened enforcement risk over the coming months because of a more mature regulatory framework.
    • Prioritize compliance with the core GDPR principles (including accountability, transparency and lawfulness of data processing, e.g. notice and consent).
    • Watch out for regulatory developments in Japan (and other countries), including guidelines on specific thematic or industry areas.
    • Make the most of tools and resources made available by DPAs to facilitate compliance.
      – The French DPA (CNIL) publishes a free DPIA tool.
    • Continue to foster a culture of privacy in the organization (including emphasis on training, data subject rights and requests, breach reporting, information security and compliance documentation).