Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™
Receive our free weekly newsletter at www.financialpoise.com/subscribe
Practical and entertaining education for
attorneys, accountants, business owners
and executives, and investors.
DISCLAIMER
The material in this webinar is for informational purposes only. It should not be
considered legal, financial or other professional advice. You should consult with an
attorney or other appropriate professional to determine what may be best for your
individual needs. While Financial Poise™ takes reasonable steps to ensure the information
it publishes is accurate, Financial Poise™ makes no guaranty in this regard.
About this PowerPoint: if you are looking at this PowerPoint without the benefit of
listening to the conversation that surrounded it then you are doing yourself a disservice.
This PowerPoint was prepared in contemplation of being viewed in conjunction with
listening to a one-hour webinar on the topic.
MEET THE FACULTY
Moderator:
Lisa Vandesteeg – Sugar Felsenthal Grais & Helsinger LLP
Panelists:
Michael Riela – Tannenbaum Helpern Syracuse & Hirschtritt LLP
Daniel Farris – K&L Gates LLP
Alison Schaffer Bloom – Jump Trading LLC
Alexander Bilus – Saul Ewing Arnstein & Lehr, LLP
ABOUT THIS WEBINAR: Introduction to
EU General Data Protection Regulation:
Planning, Implementation, and Compliance
The GDPR is a game-changer for anyone doing business or employing individuals in the
EU. GDPR is a broad regulation that requires businesses to protect the personal data and
privacy of EU citizens for transactions that occur within EU member states. Countries that
collect data on EU citizens will need to comply with strict new rules for protection of
customer data by May 25, 2018. After that date, non-compliant organizations that collect
data on EU citizens will face heavy fines. Learn more about the GDPR requirements and
how your organization may meet those standards in this webinar.
ABOUT THIS SERIES:
Cybersecurity & Data Privacy 2019
Data security, data privacy, and cybersecurity are critical issues for your company to
consider in today’s business landscape. Data breaches from high profile companies,
including law firms, generate worldwide headlines and can severely damage your
business’s reputation. In certain industries, a patchwork of state and federal laws and
regulations may cover your business, leading to compliance headaches.
This series explores the various laws and regulations which govern businesses both in the
US and abroad, as well as how to implement and enforce an information security policy to
protect your company and limit any damage from a data breach.
EPISODES IN THIS SERIES
9/24/19 Episode #1: Introduction to US Privacy and Data Security:
Regulations and Requirements
10/22/19 Episode #2: Introduction to EU General Data Protection
Regulation: Planning, Implementation, and Compliance
11/19/19 Episode #3: How to Build and Implement your Company's
Information Security Program
12/17/19 Episode #4: Data Breach Response: Before and After the Breach
Dates shown are premiere dates.
All webinars will be available
On Demand approximately 4 weeks
after they premiere.
Episode #2:
Introduction to EU General Data
Protection Regulation: Planning,
Implementation, and Compliance
INTRODUCTION
• Simply put, the General Data Protection Regulation (GDPR) is a law that
regulates data protection for individuals in the European Union
o Passed by the EU Parliament in April 2016
o Enacted into law on May 25, 2018
o Most impactful data privacy legislation in 20 years
INTRODUCTION (cont’d)
• Aims to protect EU citizens against privacy and data breaches; and
• Simplify regulations for international business by unifying data protection
regulation in the EU into one law
• Enacted in response to a growing wave of global cyberattacks, data leaks,
and identity thefts
• Introduced to replace outdated data protection laws enacted during the infancy
of the internet
EU DATA PRIVACY REGULATION
HISTORY – THE “DIRECTIVE”
• 1995 – EU adopts the European Data Protection Directive (95/46/EC)
o regulated both automated and manual processing of personal data
o adopted in response to European Convention of Human Rights
(ECHR) Article 8 - which stresses that all humans have a right to
privacy in their home and correspondence
EU DATA PRIVACY REGULATION
HISTORY – THE “DIRECTIVE” (cont’d)
• The Directive required data processing companies to comply with 3
principles when processing personal data -
1. transparency
2. legitimate purpose
3. proportionality
THE ROAD TO GDPR
• No quantitative data pre-2005 because very few data breach cases were reported
• 2005 (“Big Boom”) – consumers start sharing personal information resulting in major
data breaches, i.e. -
o CardSystems Solutions Inc. (MasterCard, Visa, American Express)
o DSW
o Bank of America
• 2016 – Present
o 1,579 - total number of publicly disclosed data breaches in 2017
▪ 44.7% higher than the 1,091 disclosed in 2016
o 1,946,181,599 - total number of records and other sensitive data compromised
between Jan. 1 2017, and March 20, 2018
o In a recent survey of 1,200 U.S. companies, 71% reported being affected by a data
breach in some way over the past few years.
THE ROAD TO GDPR (cont’d)
• Recent Breaches
o Yahoo – over 3 billion user accounts breached
o Facebook – over 50 million users hacked
o eBay – 145 million users impacted
o Equifax – personal information of over 143 million consumers was
compromised
o Google – 500,000 Google + users exposed to data breach
GDPR EXPLAINED
• Gives consumers more control over how their data is collected and used
• Forces companies to justify what they do with personal information they collect,
defined as any information that is identifiable (i.e.) -
o name
o phone number
o username
o health data
o political opinions
o IP address
o location data
• Generally imposes responsibility and accountability on data collection and processing
companies
GDPR KEY PLAYERS
• Data subject: individual whose data is being processed
o All natural persons who can be distinguished as persons with rights with regard to
the processing of personal data
• Controller: person/entity in charge of data processing
o Natural person
o Public authority or agency
o Corporate entity
• Data Processors: processes data on behalf of controller
o Natural person
o Public authority or agency
o Corporate entity
▪ i.e. IT company
• Data Protection Officer (DPO): compliance officer
GDPR REQUIREMENTS
• Increased Territorial Scope
• Consent
• Right to Access
• Right to be Forgotten
• Privacy-by-design
• Data Protection Officers (DPOs)
• Breach notification
• Data Portability
• Penalties
INCREASED TERRITORIAL SCOPE
• GDPR abandons previous ambiguous language and replaces it with “clear
guidelines”
o Applies to the processing of personal data by controllers and processors in
the EU, regardless of where the processing takes place; and
o Data processing where the activities relate to offering goods or services to
data subjects and the monitoring of behavior that takes place within the EU
▪ Non-EU businesses engaged in processing the data of EU citizens must
appoint a representative in the EU
CONSENT
• Requires companies to request and obtain consent from data
subjects by clear and plain language (“opt-in consent”)
o All requests must be given and written in an intelligible and easily
accessible form and distinguishable from all other matters
• It must be just as easy to withdraw consent as it is to give it
RIGHT TO ACCESS
• Data subjects have right to obtain confirmation from controller as to
whether or not their personal data is being processed, where, and for
what purpose
o If a request is made, the controller must give data subject a free
electronic copy of her information
RIGHT TO BE FORGOTTEN
• Data subjects may request to have controller –
o erase personal data
o cease further circulation of the data; and
o potentially have third parties stop processing of the data
• Conditions for data erasure are either (a) data is no longer relevant to
original purpose or processing, or (b) data subject is withdrawing consent
• Erasure requests are weighed against the public interest in the availability
of the data
PRIVACY-BY-DESIGN
• Data protection is at forefront of any controller or processor system design -
not an additional option
• Requires controllers hold and process only data absolutely necessary for
completion of their duties and limit access to personal data
DATA PROTECTION OFFICER (DPOs)
• DPO appointment is mandatory only for companies (controllers)
whose core activities consist of processing sensitive personal data on
a large scale or a form of data processing which is particularly far
reaching for the rights of the data subjects
o Companies may name an employee as an internal DPO; or
o appoint an external DPO.
• Public bodies must always appoint DPO
DATA PROTECTION OFFICER (DPOs)
(cont’d)
• DPO duties include:
o complying with all relevant data protection laws
o monitoring specific processes, such as data protection impact
assessments
o increasing employee awareness for data protection and training them
accordingly, and
o collaborating with the supervisory authorities
BREACH NOTIFICATION
• Breach notifications are mandatory in all member states where data
breach is likely to “result in a risk for the rights and freedoms of
individuals”
o too ambiguous and confusing
• Businesses must notify authorities about any data security breach within
72 hours of discovering it
• Businesses must also notify data subjects without undue delay after first
becoming aware of a data breach
o “undue delay” is too ambiguous, as well
DATA PORTABILITY
Data subject has right to receive their personal data and may transmit such data to
another controller as they please
Link: http://www.simontbraun.eu/en/news/news-general/2082-the-right-to-data-portability-and-bank-account-information
PENALTIES
• Organizations that fail to comply with GDPR may be fined up to the greater amount of
4% of annual global revenue or €20 million (approx. $23 Million)
• Tiered approach to fines -
o Most serious infractions: For example, not having sufficient customer consent or
violating core Privacy-by-Design concepts
▪ up to 4% of annual global revenue or €20 million, whichever is greater
o Lesser infractions: For example, not having records in order, not notifying authority
and data subjects about breach, or not conducting privacy impact assessment (PIA)
▪ up to 2% of annual global revenue or €10 million, whichever is greater
• Breach alone is not enough to merit a fine
COMPLIANCE
• All personal data processors and controllers of data subjects -
regardless of their location - must comply with GDPR
o Broad interpretation - companies may not have any direct
relationship with Europe and still be subject to GDPR (indirect
contact is sufficient)
• EU Parliament gave a two-year “grace period” prior to compliance
enforcement to allow member states to prepare for GDPR (2016 –
2018)
COMPLIANCE PRACTICES
• All organizations holding and processing data subject personal data
must comply with requirements by engaging in practices, such as -
o Document all data processing activities that involve the
collection, treatment, and safeguarding of personal data
o Audit data they hold and develop a risk assessment
o Ensure they have a DPO
COMPLIANCE PRACTICES (cont’d)
• Build and improve processes and features to ensure all requests are quickly and
effectively addressed when data subjects seek to exercise their rights
• If controller, re-evaluate all sub-processors to ensure they have adequate
security measures in place for safeguarding of personal data
• Create a data breach reporting plan
COMPLIANCE CHALLENGES
• GDPR imposes responsibilities and duties not previously imposed under the Directive
o Companies must vastly amend internal business organization process for
compliance
• Intensive record keeping - Controllers and processors are required to keep internal
records of their data protection activities
• Major fines & sanctions for failure to comply
• Ambiguous language – courts or regulators must define “consent,” “undue delay” and
“likelihood of high risk to rights and freedom”
• Heavy cost – legal and compliance fees
COMPLIANCE CHALLENGES – COST
Link: https://www.forbes.com/sites/oliversmith/2018/05/02/the-gdpr-racket-whos-making-money-from-this-9bn-business-shakedown/#1c4d480d34a2
POTENTIAL SOLUTIONS TO
COMPLIANCE CHALLENGES
• “Dump the data” – organizations are deleting customer data rather
than paying cost of compliance
o 70% of U.S. businesses are disposing of data
• In-house counsel
o Some companies are establishing in-house counsel departments
because they lack data privacy law knowledge
GDPR v. THE “DIRECTIVE”
Link: https://www.knowyourcompliance.com/category/general/
US v. EU DATA PRIVACY LAWS
INDUSTRIES MOST AFFECTED BY
GDPR
• Social media companies;
o Facebook
o Instagram
o Twitter
• Online retailers, political organizations, energy companies;
• Accessible banking
EFFECT ON US BUSINESSES
• GDPR affects all foreign companies that do business in the EU
o U.S. companies that have employees, customers, or call centers in
Europe are subject to GDPR
• U.S. businesses such as Yahoo, Google, and Facebook are already
under the microscope and in danger of receiving hefty fines
EU REGULATORS OPEN GDPR
INVESTIGATION ON FACEBOOK
• Facebook faces a potential $1.63 billion fine (4% of global revenue) for data
breach that affected more than 50 million users
• The breach - discovered by Facebook on September 24, 2017 - gave hackers
ability to control users’ accounts
• Decision on whether to implement fine will hinge on whether regulators find
that Facebook implemented appropriate technical and organizational measures
to ensure security and safeguarding of personal data, and invested enough in
security to avert a breach
RECENTLY DISCLOSED GOOGLE+ BREACH
• October 8, 2018 - Google announces private data of at least 500,000
Google+ users may have been compromised in breach
• Breach discovered by Google in March 2018, but hackers may have
breached Google+ as early as 2015
• Google said breach was not initially disclosed to the public because it did
not rise to a level required to disclose a breach
o Google has internal factors it considers for determining when to
disclose a breach to the public
RECENTLY DISCLOSED GOOGLE+
BREACH (cont’d)
• As a result, two U.S. states and two member states of the European Union are
investigating the Google+ breach, including New York & Germany
o These investigations are crucial because under old data protection laws,
Google might incur a fine of $345,000. Under GDPR, Google could be fined
up to 4% of its annual global revenue – a figure that could balloon into the
billions of dollars.
• Since breach, Google announced that it’s shutting down the consumer version of
Google+
UK’S DATA PROTECTION ACT (DPA)
• Enacted by UK Parliament to ensure Britain is compliant with the Directive;
o Directive adopted by UK Parliament to become law
o Repeal of Directive does not alter DPA unless Parliament repeals DPA to deal with
GDPR or “Brexit”
• Establishes minimum baseline to ensure companies processing and holding customers’
personal data information make effort to protect it
• Classified information into two parts -
o Personal Data (PD) - i.e. name, date of birth, e-mail, telephone number, etc.
o Sensitive Personal Data (SPD) - i.e. racial or ethnic origin, medical records, political
or religious beliefs, financial details, etc.
HOT NEWS – DPA FALLOUT
• Yahoo - personal data of 500 million users stolen;
o Information Commissioner’s Office (ICO) - UK watchdog - issued
$334K penalty to Yahoo for DPA violations
• Facebook - potentially 50 million users at risk after breach
o Notified Data Protection Commission Ireland of breach
▪ ICO finds Facebook’s report inadequate and asks for details about
breach
GDPR EFFECT ON UK COMPANIES
AFTER BREXIT
• If UK company processes data about individuals by selling goods or services to
EU citizens, then company must comply with the GDPR - regardless of Brexit
• If UK company’s activities are limited to UK, then the position is much less clear
• As a result of the previous support of GDPR from the UK government - it is
expected that the UK will implement an equivalent data protection legal
mechanism to GDPR
FIVE “EASY” STEPS TO BE GDPR COMPLIANT
• Appoint GDPR leader/team within your business to handle data handling
procedures
• Actions to take when collecting data –
o Clear consent warning
o Cookie consent notice
• Actively manage existing contacts and leads
o For example, send another “opt-in” e-mail to data subjects
• Update data privacy regularly and notify immediately
• Develop a data breach plan
GDPR: First Year Anniversary
What do we know?
• GDPR awareness
o Influx in data breaches and complaints
o Increase in customers and service users exercising their information rights
o Organizations increasingly appointing DPOs
• Breaches
• Enforcement
o Low enforcement to complaints/data breach ratio
o Not just about the fines – increase in warnings and reprimands
GDPR: First Year Anniversary
What do we know? (cont’d)
• GDPR guidance
o Lack of clarity (e.g. controller v. processor)
o Two-Year Work Program
o ICO - Statutory codes for data-sharing, direct marketing, age-appropriate design
and data protection and journalism
• Consent
o Miscommunications led to individuals erroneously believing that consent is
required for all data processing
o Companies continue to track users without valid consent
o Parental consent requirements are a concern
GDPR: First Year Anniversary
What do we know? (cont’d)
• “One size fits all” and “All or Nothing”
o Small businesses having trouble with compliance
o Same rules apply to public and private companies – big and small
o Lack of data focus – no tiers of compliance based on types of data
GDPR: First Year Anniversary
What do we know? (cont’d)
• Generally, companies and regulators have worked hard to prepare for and then implement
GDPR requirements
o EU DPAs saw increase in staff and resources and influx of complaints, data
breach notifications, and data protection officer registrations
• In the first year of GDPR:
o 281,088 “cases” were reported by DPAs in 27 EEA countries in the first year of the GDPR
▪ 144,376 were “complaints”
– Major complaint themes – right to access data, prevent processing of data, and
concerns regarding disclosures and unauthorized processing
▪ 89,271 were “data breach notifications”
GDPR: First Year Anniversary
GDPR Awareness
• Generally, individuals across the EU have become increasingly cognizant of
their data protection rights
o Likely attributed to DPA involvement in public campaigns
• Improved overall data management and sharing and informing of business
decisions
o GDPR is saturating organizational structure from top to bottom
▪ Strengthens visibility and positively impacts business culture
GDPR: First Year Anniversary
Breaches
• European Data Protection Board (EDPB) has not yet developed any official
standards to clarify how independent EU DPAs will publicly report specific
statistics/numbers about GDPR, but European DPAs have confirmed new
regulation has led to a significant rise in reported data breaches – indicating
impact GDPR has had on raising awareness with the general public and
organizations regarding their rights and obligations under EU data protection
law
• From 5/25/18 to 01/28/2019 - more than 59,000 personal data breaches
notified to regulators
GDPR: First Year Anniversary
Breaches (cont’d)
• Countries with most data breaches –
o Netherlands – 15,400
o Germany – 12,600
o UK – 10,600
• Countries with fewest breaches –
o Liechtenstein - 15
o Iceland – 25
o Cyprus – 35
GDPR: First Year Anniversary
Enforcement
• In GDPR’s first year, we’ve seen large number of complaints and data breach
notifications to regulators, but comparatively few enforcement actions and fines, why?
o DPAs are behind – many of the fines imposed over the last year have been under
the pre-GDPR regimes, which typically permitted regulators to impose fines only at
much lower amounts.
o DPAs likely facing resources challenge
o DPAs may be delaying enforcement to allow organizations more time for GDPR
compliance
GDPR: First Year Anniversary
Enforcement (cont’d)
• IAPP estimates that approximately 500,000 organizations have registered
DPOs
• Challenges facing DPAs include development of guidelines on -
o Video surveillance
o Potential projects related to blockchain
o The use of new technologies (e.g. artificial intelligence and connected
assistants)
GDPR: First Year Anniversary
Enforcement (cont’d)
• EDPB’s February 2019 report shows, European Parliament indicated 11 countries had
imposed GDPR fines totaling approximately €56 million
o After the report, Poland initiated its first enforcement action and imposed €220,000 fine
• Details regarding the total number or scope of enforcement actions across the EU were
elusive
o Some DPAs publicize actions to share lessons learned or as part of the punitive measure –
others do not
o Characterization of investigations and how they relate to complaints differs across EU
GDPR: First Year Anniversary
Enforcement (cont’d)
• As of April 2019, 5 hefty fines have been issued under GDPR:
1. German social networking company was fined €20,000 for failing to secure users’
data
2. An Austrian sports betting cafe was fined €5,280 for unlawful video surveillance
3. Google was fined €50,000,000 in France for lack of consent on ads (largest one)
4. Polish data protection regulator levied a €220,000 fine on a Warsaw-based data
analytics company for scraping the internet for data and not making the proper
disclosures
5. After a random audit, a taxi company in Denmark was fined DKK 1.2 million for
failing to delete customer information
GDPR: First Year Anniversary Enforcement (cont’d)
• Austrian DPA
o First to issue fine under GDPR
▪ €7,000 = proportional to size of corporation
o Each of 1,600 complaints received by the DPA led to an investigation
o Investigative priorities are guided by incoming complaints
• France’s CNIL
o 310 investigations in 2018
▪ 214 were onsite investigations
o In 2019, CNIL planned to focus on complaints and 3 main themes:
▪ the exercise of rights, sharing of responsibilities between processors
and subcontractors, and children’s data
GDPR: First Year Anniversary
Enforcement (cont’d)
• Ireland’s DPC
o launched 52 formal statutory inquiries under the GDPR – either based on complaints
or of its own volition
▪ Moving forward, ad tech sector will continue to be a focus for DPC due to concerns
regarding profiling, particularly using sensitive data, the use of location data, and
lack of lawful bases for or individual awareness of processing.
▪ Facebook’s international headquarters located in Dublin, Ireland
• UK ICO
o Hardly any enforcement actions under GDPR – vast majority of enforcement actions are
pre-GDPR
GDPR: First Year Anniversary
GDPR Guidance
• Confusion with respect to controller/processor relationship
o Scope of what is a “controller” is unclear
o Renegotiating controller/processor contracts can be expensive
▪ Some organizations have adopted standard contractual clauses of minimum
requirements for data processing contracts, while others believe it’s
unnecessary
• EDPB is aware of lack of clarity
o 2019/2020 – EDPB plans to release “Two-Year Work Program”
▪ Outlines guidelines on interpretation of GDPR provisions
▪ Goal: consistent application of data protection rules across the EU
GDPR: GDPR Guidance (cont’d)
• “Two-Year Work Program” (cont’d)
o EDPB thought to provide instruction on GDPR after –
▪ EDPB endorsed guidelines adopted by WP29 (independent European working
party that dealt with issues relating to protection of privacy and personal
data)
▪ Issued guidelines on the interpretation of the new provisions introduced by
the GDPR
o EDPB aims to focus on “specific items or technologies”
▪ International transfers
▪ ePrivacy and Online services
▪ Individual rights
▪ Enforcement
▪ Financial data and regulation
GDPR: GDPR Guidance (cont’d)
• International transfers
o Finalize guidelines on territorial scope of GDPR
o Guidance on certifications and codes of conduct as tools for transfers
o Continue to provide opinions or decisions on:
▪ Standard contractual clauses for international transfers under Article 46(2)
GDPR
▪ Standard contractual clauses for processors under Article 28(8) GDPR
▪ Ad hoc contractual clauses for international transfers under Article 46(3)
GDPR
o Potential guidance on interaction between regulation on free flow of non-personal
data and cross-border requests for e-evidence
GDPR: GDPR Guidance (cont’d)
• ePrivacy and Online Services
o Consistent opinion on interplay between GDPR and ePrivacy
o Primarily targeting social media users and video surveillance
o Contractual necessity as legal basis for processing in online services space
o Blockchain and new technologies (e.g. AI, such as Alexa and Siri)
• Individual Rights
o Initial focus on rights of access, objections, restrictions, limitations, and erasure
o Children’s data
o Delisting
GDPR: GDPR Guidance (cont’d)
• Enforcement
o EDPB plans to release an official enforcement strategy
o Mutual cooperation tools to enforce GDPR outside EU
o Enforcement against controllers in third countries
• Financial Data and Regulation
o Revisit Revised Payment Services Directive (PSD2) and interplay with GDPR
o Credit cards (especially post-transaction retention of card numbers)
o e-Invoices
o Creation of centralized databases
GDPR: GDPR Guidance (cont’d)
• England’s ICO on guidance
o Published four (4) statutory codes of practice in July 2019
o Aims to provide practical guidance on how to share personal data between
controllers (i.e. separate/joint controllers) in compliance with data protection law +
good practice recommendations
o Answers whether data sharing agreements are required under GDPR
▪ “Good practice” to have in place
▪ No format for data sharing agreement (although final codes of practice will
have a template and check list)
o Provides specific data sharing cases (e.g. M&A)
o Final considerations before sharing data
▪ Overall compliance with data protection legislation
o Non-compliance with the code = non-compliance with data protection laws
GDPR: First Year Anniversary
GDPR Guidance (cont’d)
• England’s ICO on guidance (cont’d)
o Provides specific data sharing cases (e.g. M&A)
o Final considerations before sharing data
▪ Overall compliance with data protection legislation
o Non-compliance with the code is likely non-compliance with data
protection laws
GDPR: GDPR Consent
• Not all consents obtained in online environments fulfil GDPR’s requirements
• Parental consent is major concern
o Some organizations allow children to consent or rely on different legal basis for
processing
▪ Risk is that it sidesteps GDPR requirements regarding children’s consent
• Finance/insurance industry difficulty with express consent for processing health-related
data in insurance contracts
o Different approaches by different EU countries
• Forced consent or contractual bundling poses an issue in tech industry
• Small businesses are not fully aware of need for consent or consequences for failing to get it
GDPR: Not “One Size fits All”
• Small businesses are struggling to be GDPR compliant
o Small business with >250 employees = required to be GDPR compliant and
appoint DPO
o Small business with <250 employees = GDPR compliant if processing personal or
sensitive data
• More than half of small businesses are not GDPR compliant
o Fail to describe data processing activities in clear, plain language to customers
o Fail to identify lawful basis for collecting and using data
• Small businesses are uneducated about encryption technology
• Invested heavily to comply with GDPR
GDPR: Not “One Size fits All” (cont’d)
• Every controller has same obligation – GDPR fails to consider context
o Essentially anyone who earns money with data is treated in the same way as
someone who only keeps an address book
o Same rules that apply to Google or Amazon apply to “mom and pop” shops
o Data processor for scientific purpose must comply with same rules as data
processor for financial purpose
▪ E.g. Blogger vs. Amazon
o Regulations that are necessary between big business and customer relationship
may not be the same as regulations between small business and customer
GDPR: First Year Anniversary
“All or Nothing”
• GDPR is data focused
o As soon as data qualifies as “personal”, all rules of data protection law apply
▪ Does not take into account processing context
▪ If personal data is publicly available, it’s being treated with same protection degree
as data that may reveal intimate details
o Fails to consider individual data protection needs, except for children and other special
data categories
▪ E.g. having a cold is protected health-related data, whereas credit card data is not
protected
GDPR: First Year Anniversary
Conclusion
• Pros
o Increased awareness regarding data protection rights
▪ More complaints and data breaches reported
o Encourages innovation
▪ Helps businesses work through how to use data in projects to ensure GDPR
compliance
o Grows accountability and risk-based approaches
▪ Forced businesses to upgrade IT and data management systems and augment
employee training
GDPR: Conclusion (cont’d)
• Cons
o Confusion
▪ Lack of clarity on controller/processor relationship
▪ Guidelines
▪ Consent
▪ Forced some EU member countries to enact legislation relating to GDPR
o Low enforcement
▪ Some enforcement but not many - some countries are behind
▪ Need increase in human resources
– Extremely difficult to find experienced DPOs
o Small businesses are struggling to comply
▪ Easier for bigger companies who can afford to hire the correct personnel for compliance
▪ Too expensive to comply
GDPR: What should businesses do in
light of GDPR regulatory trend?
• Continue to conduct general risk assessments
• Prioritize compliance with core GDPR principles
o E.g. Notice, consent, accountability, and transparency
• Keep up to date on regulatory developments specific to each EU member country
• Consider participating in “sandboxes”
• Continue to foster culture of privacy and information data security in your business
ABOUT THE FACULTY
Lisa Vandesteeg – evandesteeg@sfgh.com
Elizabeth (“Lisa”) B. Vandesteeg, partner at Sugar Felsenthal Grais & Helsinger, is a legal team leader and tactical
advisor for businesses. Coming from a commercial litigation background, her practice is focused on risk identification
and mitigation for her clients, primarily in the areas of business continuity and business tort, data security and privacy,
and bankruptcy and restructuring. Lisa counsels businesses in a wide variety of industries on issues that arise on a day-
to-day basis, such as contracting with third parties or partnership/ownership disputes. She often adds value by acting
in an external general counsel role. And as a business litigator, she represents clients on both offense and defense, in
state, federal, and bankruptcy courts, in municipal and administrative proceedings, and using alternative dispute
resolution processes. She also has experience in nearly every facet of commercial bankruptcy and restructuring, having
represented debtors, secured creditors, unsecured creditors, and unsecured creditors’ committees. Within the
bankruptcy arena, she has prosecuted complex adversary and contested litigation matters including, among others,
actions to pierce the corporate veil, to undo fraudulent transfers, and to avoid liens. When it comes to data security and
privacy issues, Lisa assists clients in the development of reasonable and appropriate data security and privacy
programs, appropriate for their specific business needs and legal requirements. This includes the drafting and
implementation of a company’s broad information security program, and related policies related to use of technology,
mobile devices, or document retention. To read more, go to:
https://www.financialpoise.com/financialpoisewebinars/faculty/elizabeth-b-vandesteeg/
Michael Riela – Riela@thsh.com
Mike Riela is a partner in Tannenbaum Helpern’s Creditors’ Rights and Business Reorganization practice. With more
than 15 years of experience, Mike advises companies on complex restructuring, distressed M&A, loan transactions and
bankruptcy related litigation matters. Mike has in-depth experience in advising clients on corporate and real estate
bankruptcies, workouts, Chapter 11 and Chapter 7 bankruptcy cases, debtor-in-possession (DIP) and bankruptcy exit
loan facilities, secondary market trading of distressed debt and trade claims, Section 363 sales and bankruptcy
retention and fee agreements and disputes. His clients include banks, administrative agents, indenture trustees, hedge
funds, private equity firms, professional services firms, trade creditors, contract counterparties, shareholders, debtors
and investors. Mike has represented buyers of assets in Section 363 and out-of-court sales. Mike also works with
clients on cybersecurity and data privacy issues, including the assessment and investigation of information security
and data breach incidents. Before any data breaches occur, Mike prepares and helps clients implement written
information security programs, systems access policies, and incident response plans. After clients suffer a breach, Mike
assists with their response and advises on their legal duties, including clients’ duties under various security breach
notification laws. Prior to joining Tannenbaum Helpern, Mike was a shareholder at Vedder Price and was a counsel at
Latham & Watkins. He has been recently selected to serve on the 2016 Bankruptcy editorial advisory board for
the Law360 publication. Mike can be reached at riela@thsh.com or at 212.508.6773 or connect with him on LinkedIn:
https://www.linkedin.com/in/michael-riela-9644658
Daniel Farris – Daniel.Farris@KLGates.com
Daniel is Chair of the firm’s Technology Group, and focuses his practice on technology, privacy, data security, and
infrastructure matters. Daniel understands how technology enables a company’s operations and creates competitive
advantage, and he appreciates the central role data plays in driving strategic decision-making. His practice is founded
upon understanding how technology can strengthen and expand upon the core missions of his clients’ businesses.
Daniel is a trusted adviser to technology and telecommunication companies, healthcare providers, financial
institutions, national retail and apparel companies, and manufacturing clients, as well as startup, embryonic and
emerging growth companies. As a former software engineer and network administrator, Daniel brings real-world
experience to bear in counseling on a wide range of issues, including fiber optic networking, cloud computing, mobile
app development, information management, privacy, and data security. He also regularly advises and represents
clients on “traditional” intellectual property matters, including patent protection and enforcement, inbound/outbound
licensing, trademark prosecution, brand extension, digital rights management, and large transactions, such as mergers
and acquisitions. Daniel has experience in four primary areas: Technology Transactions, Privacy & Data Security, Data
Center & Infrastructure, and Intellectual Property and Corporate. Before joining Fox Rothschild, Daniel was a
shareholder at an Am Law 100 firm, where he co-chaired the Data Center & Infrastructure and Data Privacy & Security
teams and served on the Startup Ventures team. Daniel previously worked as an associate in the Chicago offices of two
international law firms. Daniel is a former software engineer and network administrator in telecommunications.
Alison Schaffer Bloom – aschaffer@jumptrading.com
Alison Schaffer Bloom is Legal and Regulatory Counsel at the Jump Trading Group in
Chicago. Alison works extensively in the areas of trading, technology, human resources,
venture capital, and data protection and privacy. Specifically, Alison leads GDPR
implementation and data protection and privacy application for all of the Jump Trading
Group’s business lines. Alison graduated from Northwestern University with Honors in
Legal Studies and Communication Studies and a Certificate in Service Learning and
attained a Masters in Education while a Teach For America corps member in New
York. Alison obtained her Juris Doctor from Chicago-Kent College of Law, where she was
an avid member of the Trial Team. She is a member of the International Association of
Privacy Professionals and looks forward to completing her CIPP-E certification.
Alexander Bilus – alexander.bilus@saul.com
Alexander (Sandy) R. Bilus assists clients who are facing complex commercial litigation or who need legal advice
on issues involving cybersecurity and data privacy, particularly in the higher education and financial services
industries. Sandy’s litigation experience includes arguing cases before the U.S. Court of Appeals for the Third
Circuit and assisting with cases before the U.S. Supreme Court and the Supreme Court of Pennsylvania. His
cybersecurity and data privacy experience includes responding to potential data breaches and providing advice
on compliance with the European Union’s General Data Protection Regulation (GDPR). The International
Association of Privacy Professionals recognizes Sandy as a Certified Information Privacy Professional
(CIPP/US). Sandy’s work for institutions of higher education includes providing advice and conducting internal
investigations connected to their compliance concerns, as well as responding to private lawsuits and government
enforcement activity. He also counsels colleges and universities on cybersecurity and data privacy matters.
Because of the depth of his experience representing higher education institutions, he understands the unique
challenges that this industry faces in planning for cyber-attacks and data breaches, to managing these crises, to
proceeding after one or both occur. Sandy also advises clients on First Amendment and defamation matters.
Through his work with the American Civil Liberties Union of Pennsylvania, Sandy has represented clients
bringing First Amendment and other constitutional claims. He also represented on a pro bono basis a group of
same-sex couples who brought a constitutional challenge to Pennsylvania’s ban on same-sex marriage. Before
joining Saul Ewing Arnstein & Lehr, he practiced for six years at an international law firm in Philadelphia and
worked as a law clerk for two federal judges.
QUESTIONS OR COMMENTS?
If you have any questions about this webinar that you did not get to ask during
the live premiere, or if you are watching this webinar On Demand, please do
not hesitate to email us at info@financialpoise.com with any questions or
comments you may have. Please include the name of the webinar in your email
and we will do our best to provide a timely response.
IMPORTANT NOTE: The material in this presentation is for general educational purposes only. It has been prepared primarily
for attorneys and accountants for use in the pursuit of their continuing legal education and continuing professional education.
ABOUT FINANCIAL POISE
DailyDAC LLC, d/b/a Financial Poise™ provides
continuing education to attorneys, accountants,
business owners and executives, and investors. Its
websites, webinars, and books provide Plain
English, entertaining, explanations about legal,
financial, and other subjects of interest to these
audiences.
Visit us at www.financialpoise.com.
Our free weekly newsletter, Financial Poise
Weekly, educates readers about business,
business law, finance, and investing. To receive
it simply add yourself by going to:
https://www.financialpoise.com/newsletter/
Email addresses are never sold to or shared
with third parties.

Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptxDhatriParmar
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfPatidar M
 
MS4 level being good citizen -imperative- (1) (1).pdf
MS4 level   being good citizen -imperative- (1) (1).pdfMS4 level   being good citizen -imperative- (1) (1).pdf
MS4 level being good citizen -imperative- (1) (1).pdfMr Bounab Samir
 
Scientific Writing :Research Discourse
Scientific  Writing :Research  DiscourseScientific  Writing :Research  Discourse
Scientific Writing :Research DiscourseAnita GoswamiGiri
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
week 1 cookery 8 fourth - quarter .pptx
week 1 cookery 8  fourth  -  quarter .pptxweek 1 cookery 8  fourth  -  quarter .pptx
week 1 cookery 8 fourth - quarter .pptxJonalynLegaspi2
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...DhatriParmar
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQuiz Club NITW
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...Nguyen Thanh Tu Collection
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1GloryAnnCastre1
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Association for Project Management
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Developmentchesterberbo7
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxkarenfajardo43
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Projectjordimapav
 

Recently uploaded (20)

Multi Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleMulti Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP Module
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
Mental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young mindsMental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young minds
 
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptxUnraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
MS4 level being good citizen -imperative- (1) (1).pdf
MS4 level   being good citizen -imperative- (1) (1).pdfMS4 level   being good citizen -imperative- (1) (1).pdf
MS4 level being good citizen -imperative- (1) (1).pdf
 
Scientific Writing :Research Discourse
Scientific  Writing :Research  DiscourseScientific  Writing :Research  Discourse
Scientific Writing :Research Discourse
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
week 1 cookery 8 fourth - quarter .pptx
week 1 cookery 8  fourth  -  quarter .pptxweek 1 cookery 8  fourth  -  quarter .pptx
week 1 cookery 8 fourth - quarter .pptx
 
prashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Professionprashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Profession
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1
 
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of EngineeringFaculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Development
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Project
 

Introduction to EU General Data Protection Regulation: Planning, Implementing, and Compliance (Series: Cybersecurity & Data Privacy)

  • 1. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe 1
  • 2. Practical and entertaining education for attorneys, accountants, business owners and executives, and investors.
  • 3. DISCLAIMER
      The material in this webinar is for informational purposes only. It should not be considered legal, financial or other professional advice. You should consult with an attorney or other appropriate professional to determine what may be best for your individual needs. While Financial Poise™ takes reasonable steps to ensure the information it publishes is accurate, Financial Poise™ makes no guaranty in this regard.
      About this PowerPoint: if you are looking at this PowerPoint without the benefit of listening to the conversation that surrounded it then you are doing yourself a disservice. This PowerPoint was prepared in contemplation of being viewed in conjunction with listening to a one hour webinar on the topic
  • 4. MEET THE FACULTY
      Moderator:
          Lisa Vandesteeg – Sugar Felsenthal Grais & Helsinger LLP
      Panelists:
          Michael Riela – Tannenbaum Helpern Syracuse & Hirschtritt LLP
          Daniel Farris – K&L Gates LLP
          Alison Schaffer Bloom – Jump Trading LLC
          Alexander Bilus – Saul Ewing Arnstein & Lehr, LLP
  • 5. ABOUT THIS WEBINAR: Introduction to EU General Data Protection Regulation: Planning, Implementation, and Compliance
      The GDPR is a game-changer for anyone doing business or employing individuals in the EU. GDPR is a broad regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. Countries that collect data on EU citizens will need to comply with strict new rules for protection of customer data by May 25, 2018. After that date, non-compliant organizations that collect data on EU citizens will face heavy fines. Learn more about the GDPR requirements and how your organization may meet those standards in this webinar.
  • 6. ABOUT THIS SERIES: Cybersecurity & Data Privacy 2019
      Data security, data privacy, and cybersecurity are critical issues for your company to consider in today’s business landscape. Data breaches from high profile companies, including law firms, generate worldwide headlines and can severely damage your business’s reputation. In certain industries, a patchwork of state and federal laws and regulations may cover your business, leading to compliance headaches. This series explores the various laws and regulations which govern businesses both in the US and abroad, as well as how to implement and enforce an information security policy to protect your company and limit any damage from a data breach.
  • 7. EPISODES IN THIS SERIES
      9/24/19 Episode #1: Introduction to US Privacy and Data Security: Regulations and Requirements
      10/22/19 Episode #2: Introduction to EU General Data Protection Regulation: Planning, Implementation, and Compliance
      11/19/19 Episode #3: How to Build and Implement your Company's Information Security Program
      12/17/19 Episode #4: Data Breach Response: Before and After the Breach
      Dates shown are premiere dates. All webinars will be available On Demand approximately 4 weeks after they premiere.
  • 8. Episode #2: Introduction to EU General Data Protection Regulation: Planning, Implementation, and Compliance
  • 9. INTRODUCTION
      • Simply put, the General Data Protection Regulation (GDPR) is a law that regulates data protection for individuals in the European Union
          o Passed by the EU Parliament in April 2016
          o Enacted into law on May 25, 2018
          o Most impactful data privacy legislation in 20 years
  • 10. INTRODUCTION (cont’d)
      • Aims to protect EU citizens against privacy and data breaches; and
      • Simplify regulations for international business by unifying data protection regulation in the EU into one law
      • Enacted in response to a growing wave of global cyberattacks, data leaks, identity thefts
      • Introduced to replace outdated data protection laws enacted during the infancy of the internet
  • 11. EU DATA PRIVACY REGULATION HISTORY – THE “DIRECTIVE”
      • 1995 – EU adopts the European Data Protection Directive (95/46/EC)
          o regulated both automated and manual processing of personal data
          o adopted in response to European Convention on Human Rights (ECHR) Article 8, which stresses that all humans have a right to privacy in their home and correspondence
  • 12. EU DATA PRIVACY REGULATION HISTORY – THE “DIRECTIVE” (cont’d)
      • The Directive required data processing companies to comply with 3 principles when processing personal data:
          1. transparency
          2. legitimate purpose
          3. proportionality
  • 13. THE ROAD TO GDPR
      • No quantitative data pre-2005 because very few data breach cases were reported
      • 2005 (“Big Boom”) – consumers start sharing personal information resulting in major data breaches, i.e. -
          o CardSystems Solutions Inc. (MasterCard, Visa, American Express)
          o DSW
          o Bank of America
      • 2016 – Present
          o 1,579 - total number of publicly disclosed data breaches in 2017
              - 44.7% higher than the 1,091 disclosed in 2016
          o 1,946,181,599 - total number of records and other sensitive data compromised between Jan. 1, 2017, and March 20, 2018
          o In a recent survey of 1,200 U.S. companies, 71% reported being affected by a data breach in some way over the past few years.
  • 14. THE ROAD TO GDPR (cont’d)
      • Recent Breaches
          o Yahoo – over 3 billion user accounts breached
          o Facebook – over 50 million users hacked
          o eBay – 145 million users impacted
          o Equifax – personal information of over 143 million consumers was compromised
          o Google – 500,000 Google+ users exposed to data breach
  • 15. GDPR EXPLAINED
      • Gives consumers more control over how their data is collected and used
      • Forces companies to justify what they do with personal information they collect, defined as any information that is identifiable (i.e.) -
          o name
          o phone number
          o username
          o health data
          o political opinions
          o IP address
          o location data
      • Generally imposes responsibility and accountability on data collection and processing companies
  • 16. GDPR KEY PLAYERS
      • Data subject: individual whose data is being processed
          o All natural persons who can be distinguished as persons with rights in regards to the processing of personal data
      • Controller: person/entity in charge of data processing
          o Natural person
          o Public authority or agency
          o Corporate entity
      • Data Processors: processes data on behalf of controller
          o Natural person
          o Public authority or agency
          o Corporate entity
              - i.e. IT company
      • Data Protection Officer (DPO): compliance officer
  • 17. GDPR REQUIREMENTS
      • Increased Territorial Scope
      • Consent
      • Right to Access
      • Right to be Forgotten
      • Privacy-by-design
      • Data Protection Officers (DPOs)
      • Breach notification
      • Data Portability
      • Penalties
  • 18. INCREASED TERRITORIAL SCOPE
      • GDPR abandons previous ambiguous language and replaces it with “clear guidelines”
          o Applies to the processing of personal data by controllers and processors in the EU - regardless of where the processing takes place; and
          o Data processing where the activities relate to offering goods or services to data subjects and the monitoring of behavior that takes place within the EU
              - Non-EU businesses engaged in processing the data of EU citizens must appoint a representative in the EU
  • 19. CONSENT
      • Requires companies to request and obtain consent from data subjects by clear and plain language (“opt-in consent”)
          o All requests must be given and written in an intelligible and easily accessible form and distinguishable from all other matters
      • It must be just as easy to withdraw consent as it is to give it
  • 20. RIGHT TO ACCESS
      • Data subjects have right to obtain confirmation from controller as to whether or not their personal data is being processed, where, and for what purpose
          o If a request is made, the controller must give data subject a free electronic copy of her information
  • 21. RIGHT TO BE FORGOTTEN
      • Data subjects may request to have controller –
          o erase personal data
          o cease further circulation of the data; and
          o potentially have third parties stop processing of the data
      • Conditions for data erasure are either (a) data is no longer relevant to original purpose or processing, or (b) data subject is withdrawing consent
      • Erasure requests are weighed against the public interest in the availability of the data
  • 22. PRIVACY-BY-DESIGN
      • Data protection is at forefront of any controller or processor system design - not an additional option
      • Requires controllers hold and process only data absolutely necessary for completion of their duties and limit access to personal data
  • 23. DATA PROTECTION OFFICER (DPOs)
      • DPO appointment is mandatory only for companies (controllers) whose core activities consist of processing sensitive personal data on a large scale or a form of data processing which is particularly far reaching for the rights of the data subjects
          o Companies may name an employee as an internal DPO; or
          o appoint an external DPO.
      • Public bodies must always appoint DPO
  • 24. DATA PROTECTION OFFICER (DPOs) (cont’d)
      • DPO duties include:
          o complying with all relevant data protection laws
          o monitoring specific processes, such as data protection impact assessments
          o increasing employee awareness for data protection and training them accordingly, and
          o collaborating with the supervisory authorities
  • 25. BREACH NOTIFICATION
      • Breach notifications are mandatory in all member states where data breach is likely to “result in a risk for the rights and freedoms of individuals”
          o too ambiguous and confusing
      • Businesses must notify authorities about any data security breach within 72 hours of discovering it
      • Businesses must also notify data subjects without undue delay after first becoming aware of a data breach
          o “undue delay” is too ambiguous, as well
  • 26. DATA PORTABILITY
      Data subject has right to receive their personal data and may transmit such data to another controller as they please
      Link: http://www.simontbraun.eu/en/news/news-general/2082-the-right-to-data-portability-and-bank-account-information
  • 27. PENALTIES
      • Organizations that fail to comply with GDPR may be fined up to the greater amount of 4% of annual global revenue or €20 million (approx. $23 million)
      • Tiered approach to fines -
          o Most serious infractions: For example, not having sufficient customer consent or violating core Privacy-by-Design concepts
              - up to 4% of annual global revenue or €20 million, whichever is greater
          o Lesser infractions: For example, not having records in order, not notifying authority and data subjects about breach, or not conducting privacy impact assessment (PIA)
              - up to 2% of annual global revenue or €10 million, whichever is greater
      • Breach alone is not enough to merit a fine
  • 28. COMPLIANCE
      • All personal data processors and controllers of data subjects - regardless of their location - must comply with GDPR
          o Broad interpretation - companies may not have any direct relationship with Europe and still be subject to GDPR (indirect contact is sufficient)
      • EU Parliament gave a two-year “grace period” prior to compliance enforcement to allow member states to prepare for GDPR (2016 – 2018)
  • 29. COMPLIANCE PRACTICES
      • All organizations holding and processing data subject personal data must comply with requirements by engaging in practices, such as -
          o Document all data processing activities that involve the collection, treatment, and safeguarding of personal data
          o Audit data they hold and develop a risk assessment
          o Ensure they have a DPO
  • 30. COMPLIANCE PRACTICES (cont’d)
      • Build and improve processes and features to ensure all requests are quickly and effectively addressed when data subjects seek to exercise their rights
      • If controller, re-evaluate all sub-processors to ensure they have adequate security measures in place for safeguarding of personal data
      • Create a data breach reporting plan
  • 31. COMPLIANCE CHALLENGES
      • GDPR imposes responsibilities and duties not previously imposed under the Directive
          o Companies must vastly amend internal business organization process for compliance
      • Intensive record keeping - Controllers and processors are required to keep internal records of their data protection activities
      • Major fines & sanctions for failure to comply
      • Ambiguous language – courts or regulators must define “consent,” “undue delay” and “likelihood of high risk to rights and freedom”
      • Heavy cost – legal and compliance fees
  • 32. COMPLIANCE CHALLENGES – COST
      Link: https://www.forbes.com/sites/oliversmith/2018/05/02/the-gdpr-racket-whos-making-money-from-this-9bn-business-shakedown/#1c4d480d34a2
  • 33. POTENTIAL SOLUTIONS TO COMPLIANCE CHALLENGES
      • “Dump the data” – organizations are deleting customer data rather than paying cost of compliance
          o 70% of U.S. businesses are disposing of data
      • In-house counsel
          o Some companies are establishing in-house counsel departments because they lack data privacy law knowledge
  • 34. GDPR v. THE “DIRECTIVE”
      Link: https://www.knowyourcompliance.com/category/general/
  • 35. US v. EU DATA PRIVACY LAWS
  • 36. INDUSTRIES MOST AFFECTED BY GDPR
      • Social media companies;
          o Facebook
          o Instagram
          o Twitter
      • Online retailers, political organizations, energy companies;
      • Accessible banking
  • 37. EFFECT ON US BUSINESSES
      • GDPR affects all foreign companies that do business in the EU
          o U.S. companies that have employees, customers, or call centers in Europe are subject to GDPR
      • U.S. businesses such as Yahoo, Google, and Facebook are already under the microscope and in danger of receiving hefty fines
  • 38. EU REGULATORS OPEN GDPR INVESTIGATION ON FACEBOOK
      • Facebook faces a potential $1.63 billion fine (4% of global revenue) for data breach that affected more than 50 million users
      • The breach - discovered by Facebook on September 24, 2017 - gave hackers ability to control users’ accounts
      • Decision on whether to implement fine will hinge on whether regulators find that Facebook implemented appropriate technical and organizational measures to ensure security and safeguarding of personal data, and invested enough in security to avert a breach
  • 39. RECENTLY DISCLOSED GOOGLE+ BREACH
      • October 8, 2018 - Google announces private data of at least 500,000 Google+ users may have been compromised in breach
      • Breach discovered by Google in March 2018, but hackers may have breached Google+ as early as 2015
      • Google said breach was not initially disclosed to the public because it did not rise to a level required to disclose a breach
          o Google has internal factors it considers for determining when to disclose a breach to the public
  • 40. RECENTLY DISCLOSED GOOGLE+ BREACH (cont’d)
      • As a result, two U.S. states and two member states of the European Union are investigating the Google+ breach, including New York & Germany
          o These investigations are crucial because under old data protection laws, Google might incur a fine of $345,000. Under GDPR, Google could be fined up to 4% of its annual global revenue – a figure that could balloon into the billions of dollars.
      • Since breach, Google announced that it’s shutting down the consumer version of Google+
  • 41. UK’S DATA PROTECTION ACT (DPA)
      • Enacted by UK Parliament to ensure Britain is compliant with the Directive;
          o Directive adopted by UK Parliament to become law
          o Repeal of Directive does not alter DPA unless Parliament repeals DPA to deal with GDPR or “Brexit”
      • Establishes minimum baseline to ensure companies processing and holding customers’ personal data information make effort to protect it
      • Classified information into two parts -
          o Personal Data (PD) - i.e. name, date of birth, e-mail, telephone number, etc.
          o Sensitive Personal Data (SPD) - i.e. racial or ethnic origin, medical records, political or religious beliefs, financial details, etc.
  • 42. HOT NEWS – DPA FALLOUT
      • Yahoo - personal data of 500 million users stolen;
          o Information Commissioner’s Office (ICO) - UK watchdog - issued $334K penalty to Yahoo for DPA violations
      • Facebook - potentially 50 million users at risk after breach
          o Notified Data Protection Commission Ireland of breach
              - ICO finds Facebook’s report inadequate and asks for details about breach
  • 43. GDPR EFFECT ON UK COMPANIES AFTER BREXIT
      • If UK company processes data about individuals by selling goods or services to EU citizens, then company must comply with the GDPR - regardless of Brexit
      • If UK company’s activities are limited to UK, then the position is much less clear
      • As a result of the previous support of GDPR from the UK government - it is expected that the UK will implement an equivalent data protection legal mechanism to GDPR
  • 44. FIVE “EASY” STEPS TO BE GDPR COMPLIANT
      • Appoint GDPR leader/team within your business to manage data handling procedures
      • Actions to take when collecting data –
          o Clear consent warning
          o Cookie consent notice
      • Actively manage existing contacts and leads
          o For example, send another “opt-in” e-mail to data subjects
      • Update data privacy regularly and notify immediately
      • Develop a data breach plan
  • 45. GDPR: First Year Anniversary – What do we know?
      • GDPR awareness
          o Influx in data breaches and complaints
          o Increase in customers and service users exercising their information rights
          o Organizations increasingly appointing DPOs
      • Breaches
      • Enforcement
          o Low enforcement to complaints/data breach ratio
          o Not just about the fines – increase in warnings and reprimands
  • 46. GDPR: First Year Anniversary – What do we know? (cont’d)
      • GDPR guidance
          o Lack of clarity (e.g. controller v. processor)
          o Two-Year Work Program
          o ICO - Statutory codes for data-sharing, direct marketing, age-appropriate design, and data protection and journalism
      • Consent
          o Miscommunications led to individuals erroneously believing that consent is required for all data processing
          o Companies continue to track users without valid consent
          o Parental consent requirements are a concern
  • 47. GDPR: First Year Anniversary – What do we know? (cont’d)
      • “One size fits all” and “All or Nothing”
          o Small businesses having trouble with compliance
          o Same rules apply to public and private companies – big and small
          o Lack of data focus – no tiers of compliance based on types of data
  • 48. GDPR: First Year Anniversary – What do we know? (cont’d)
      • Generally, companies and regulators have worked hard to prepare for and then implement GDPR requirements
          o EU DPAs saw increase in staff and resources and influx of complaints, data breach notifications, and data protection officer registrations
      • In the first year of GDPR:
          o 281,088 “cases” were reported by DPAs in 27 EEA countries
              ▪ 144,376 were “complaints” – major complaint themes: right to access data, prevent processing of data, and concerns regarding disclosures and unauthorized processing
              ▪ 89,271 were “data breach notifications”
  • 49. GDPR: First Year Anniversary – GDPR Awareness
      • Generally, individuals across the EU have become increasingly cognizant of their data protection rights
          o Likely attributed to DPA involvement in public campaigns
      • Improved overall data management and sharing and informing of business decisions
          o GDPR
              ▪ Saturating organizational structure from top to bottom
              ▪ Strengthens visibility and positively impacts business culture
  • 50. GDPR: First Year Anniversary – Breaches
      • European Data Protection Board (EDPB) has not yet developed any official standards to clarify how independent EU DPAs will publicly report specific statistics/numbers about GDPR, but European DPAs have confirmed new regulation has led to a significant rise in reported data breaches – indicating impact GDPR has had on raising awareness with the general public and organizations regarding their rights and obligations under EU data protection law
      • From 5/25/18 to 01/28/2019 - more than 59,000 personal data breaches notified to regulators
  • 51. GDPR: First Year Anniversary – Breaches (cont’d)
      • Countries with most data breaches –
          o Netherlands – 15,400
          o Germany – 12,600
          o UK – 10,600
      • Countries with fewest breaches –
          o Liechtenstein – 15
          o Iceland – 25
          o Cyprus – 35
  • 52. GDPR: First Year Anniversary – Enforcement
      • In GDPR’s first year, we’ve seen a large number of complaints and data breach notifications to regulators, but comparatively few enforcement actions and fines. Why?
          o DPAs are behind – many of the fines imposed over the last year have been under the pre-GDPR regimes, which typically permitted regulators to impose fines only at much lower amounts.
          o DPAs likely facing resources challenge
          o DPAs may be delaying enforcement to allow organizations more time for GDPR compliance
  • 53. GDPR: First Year Anniversary – Enforcement (cont’d)
      • IAPP estimates that approximately 500,000 organizations have registered DPOs
      • Challenges facing DPAs include development of guidelines on -
          o Video surveillance
          o Potential projects related to blockchain
          o The use of new technologies (e.g. artificial intelligence and connected assistants)
  • 54. GDPR: First Year Anniversary – Enforcement (cont’d)
      • Per EDPB’s February 2019 report, European Parliament indicated 11 countries had imposed GDPR fines totaling approximately €56 million
          o After the report, Poland initiated its first enforcement action and imposed €220,000 fine
      • Details regarding the total number or scope of enforcement actions across the EU were elusive
          o Some DPAs publicize actions to share lessons learned or as part of the punitive measure – others do not
          o Characterization of investigations and how they relate to complaints differs across EU
  • 55. GDPR: First Year Anniversary – Enforcement (cont’d)
      • As of April 2019, 5 hefty fines have been issued under GDPR:
          1. German social networking company was fined €20,000 for failing to secure users’ data
          2. An Austrian sports betting cafe was fined €5,280 for unlawful video surveillance
          3. Google was fined €50,000,000 in France for lack of consent on ads (largest one)
          4. Polish data protection regulator levied a €220,000 fine on a Warsaw-based data analytics company for scraping the internet for data and not making the proper disclosures
          5. After a random audit, a taxi company in Denmark was fined DKK 1.2 million for failing to delete customer information
  • 56. GDPR: First Year Anniversary – Enforcement (cont’d)
      • Austrian DPA
          o First to issue fine under GDPR
              ▪ €7,000 = proportional to size of corporation
          o Each of 1,600 complaints received by the DPA led to an investigation
          o Investigative priorities are guided by incoming complaints
      • France’s CNIL
          o 310 investigations in 2018
              ▪ 214 were onsite investigations
          o In 2019, CNIL planned to focus on complaints and 3 main themes:
              ▪ the exercise of rights, sharing of responsibilities between processors and subcontractors, and children’s data
  • 57. GDPR: First Year Anniversary – Enforcement (cont’d)
      • Ireland’s DPC
          o Launched 52 formal statutory inquiries under the GDPR – either based on complaints or of its own volition
              ▪ Moving forward, ad tech sector will continue to be a focus for DPC due to concerns regarding profiling, particularly using sensitive data, the use of location data, and lack of lawful bases for or individual awareness of processing.
              ▪ Facebook’s international headquarters located in Dublin, Ireland
      • UK ICO
          o Hardly any enforcement actions under GDPR – vast majority of enforcement actions are pre-GDPR
  • 58. GDPR: First Year Anniversary – GDPR Guidance
      • Confusion with respect to controller/processor relationship
          o Scope of what is a “controller” is unclear
          o Renegotiating controller/processor contracts can be expensive
              ▪ Some organizations have adopted standard contractual clauses of minimum requirements for data processing contracts, while others believe it’s unnecessary
      • EDPB is aware of lack of clarity
          o 2019/2020 – EDPB plans to release “Two-Year Work Program”
              ▪ Outlines guidelines on interpretation of GDPR provisions
              ▪ Goal: consistent application of data protection rules across the EU
  • 59. GDPR: GDPR Guidance (cont’d)
      • “Two-Year Work Program” (cont’d)
          o EDPB thought to provide instruction on GDPR after –
              ▪ EDPB endorsed guidelines adopted by WP29 (independent European working party that dealt with issues relating to protection of privacy and personal data)
              ▪ Issued guidelines on the interpretation of the new provisions introduced by the GDPR
          o EDPB aims to focus on “specific items or technologies”
              ▪ International transfers
              ▪ ePrivacy and Online services
              ▪ Individual rights
              ▪ Enforcement
              ▪ Financial data and regulation
  • 60. GDPR: GDPR Guidance (cont’d)
      • International transfers
          o Finalize guidelines on territorial scope of GDPR
          o Guidance on certifications and codes of conduct for tools of transfers
          o Continue to provide opinions or decisions on:
              ▪ Standard contractual clauses for international transfers under Article 46(2) GDPR
              ▪ Standard contractual clauses for processors under Article 28(8) GDPR
              ▪ Ad hoc contractual clauses for international transfers under Article 46(3) GDPR
          o Potential guidance on interaction between regulation on free flow of non-personal data and cross-border requests for e-evidence
  • 61. GDPR: GDPR Guidance (cont’d)
      • ePrivacy and Online Services
          o Consistent opinion on interplay between GDPR and ePrivacy
          o Primarily targeting social media users and video surveillance
          o Contractual necessity as legal basis for processing in online services space
          o Blockchain and new technologies (e.g. AI, such as Alexa and Siri)
      • Individual Rights
          o Initial focus on rights of access, objections, restrictions, limitations, and erasure
          o Children’s data
          o Delisting
  • 62. GDPR: GDPR Guidance (cont’d)
      • Enforcement
          o EDPB plans to release an official enforcement strategy
          o Mutual cooperation tools to enforce GDPR outside EU
          o Enforcement against controllers in third countries
      • Financial Data and Regulation
          o Revisit Revised Directive of Payment Services (PSD2) and interplay with GDPR
          o Credit cards (especially post-transaction retention of card numbers)
          o e-Invoices
          o Creation of centralized databases
  • 63. GDPR: GDPR Guidance (cont’d)
      • England’s ICO on guidance
          o Published four (4) statutory codes of practice in July 2019
          o Aims to provide practical guidance on how to share personal data between controllers (i.e. separate/joint controllers) in compliance with data protection law + good practice recommendations
          o Answers whether data sharing agreements are required under GDPR
              ▪ “Good practice” to have in place
              ▪ No format for data sharing agreement (although final codes of practice will have a template and checklist)
          o Provides specific data sharing cases (e.g. M&A)
          o Final considerations before sharing data
              ▪ Overall compliance with data protection legislation
          o Non-compliance with the code = non-compliance with data protection laws
  • 64. GDPR: First Year Anniversary – GDPR Guidance (cont’d)
      • England’s ICO on guidance (cont’d)
          o Provides specific data sharing cases (e.g. M&A)
          o Final considerations before sharing data
              ▪ Overall compliance with data protection legislation
          o Non-compliance with the code is likely non-compliance with data protection laws
  • 65. GDPR: GDPR Consent
      • Not all consents obtained in online environments fulfil GDPR’s requirements
      • Parental consent is major concern
          o Some organizations allow children to consent or rely on different legal basis for processing
              ▪ Risk is that it sidesteps GDPR requirements regarding children’s consent
      • Finance/insurance industry difficulty with express consent for processing health-related data in insurance contracts
          o Different approaches by different EU countries
      • Forced consent or contractual bundling poses an issue in tech industry
      • Small businesses are not fully aware of need for consent or consequences for failing to get it
  • 66. GDPR: Not “One Size fits All”
      • Small businesses are struggling to be GDPR compliant
          o Small business with >250 employees = required to be GDPR compliant and appoint DPO
          o Small business with <250 employees = GDPR compliant if processing personal or sensitive data
      • More than half of small businesses are not GDPR compliant
          o Fail to describe data processing activities in clear, plain language to customers
          o Fail to identify lawful basis for collecting and using data
      • Small businesses are uneducated about encryption technology
      • Invested heavily to comply with GDPR
  • 67. GDPR: Not “One Size fits All” (cont’d)
      • Every controller has same obligation – GDPR fails to consider context
          o Essentially anyone who earns money with data is treated in the same way as someone who only keeps an address book
          o Same rules that apply to Google or Amazon apply to “mom and pop” shops
          o Data processor for scientific purpose must comply with same rules as data processor for financial purpose
              ▪ E.g. Blogger vs. Amazon
          o Regulations that are necessary between big business and customer relationship may not be the same as regulations between small business and customer
  • 68. GDPR: First Year Anniversary – “All or Nothing”
      • GDPR is data focused
          o As soon as data qualifies as “personal”, all rules of data protection law apply
              ▪ Does not take into account processing context
              ▪ If personal data is publicly available, it is treated with the same degree of protection as data that may reveal intimate details
          o Fails to consider individual data protection needs, except for children and other special data categories
              ▪ E.g. having a cold is protected health-related data, whereas credit card data is not protected
  • 69. GDPR: First Year Anniversary – Conclusion
      • Pros
          o Increased awareness regarding data protection rights
              ▪ More complaints and data breaches reported
          o Encourages innovation
              ▪ Helps businesses work through how to use data in projects to ensure GDPR compliance
          o Grows accountability and risk-based approaches
              ▪ Forced businesses to upgrade IT and data management systems and augment employee training
  • 70. GDPR: Conclusion (cont’d)
      • Cons
          o Confusion
              ▪ Lack of clarity on controller/processor relationship
              ▪ Guidelines
              ▪ Consent
              ▪ Forced some EU member countries to enact legislation relating to GDPR
          o Low enforcement
              ▪ Some enforcement but not much - some countries are behind
              ▪ Need increase in human resources – extremely difficult to find experienced DPOs
          o Small businesses are struggling to comply
              ▪ Easier for bigger companies who can afford to hire the correct personnel for compliance
              ▪ Too expensive to comply
  • 71. GDPR: What should businesses do in light of GDPR regulatory trend?
      • Continue to conduct general risk assessments
      • Prioritize compliance with core GDPR principles
          o E.g. notice, consent, accountability, and transparency
      • Keep up to date on regulatory developments specific to each EU member country
      • Consider participating in “sandboxes”
      • Continue to foster culture of privacy and information data security in your business
  • 76. ABOUT THE FACULTY
  • 77. Lisa Vandesteeg – evandesteeg@sfgh.com
      Elizabeth (“Lisa”) B. Vandesteeg, partner at Sugar Felsenthal Grais & Helsinger, is a legal team leader and tactical advisor for businesses. Coming from a commercial litigation background, her practice is focused on risk identification and mitigation for her clients, primarily in the areas of business continuity and business tort, data security and privacy, and bankruptcy and restructuring. Lisa counsels businesses in a wide variety of industries on issues that arise on a day-to-day basis, such as contracting with third parties or partnership/ownership disputes. She often adds value by acting in an external general counsel role. And as a business litigator, she represents clients on both offense and defense, in state, federal, and bankruptcy courts, in municipal and administrative proceedings, and using alternative dispute resolution processes. She also has experience in nearly every facet of commercial bankruptcy and restructuring, having represented debtors, secured creditors, unsecured creditors, and unsecured creditors’ committees. Within the bankruptcy arena, she has prosecuted complex adversary and contested litigation matters including, among others, actions to pierce the corporate veil, to undo fraudulent transfers, and to avoid liens.
      When it comes to data security and privacy issues, Lisa assists clients in the development of reasonable and appropriate data security and privacy programs, appropriate for their specific business needs and legal requirements. This includes the drafting and implementation of a company’s broad information security program, and policies related to use of technology, mobile devices, or document retention. To read more, go to: https://www.financialpoise.com/financialpoisewebinars/faculty/elizabeth-b-vandesteeg/
  • 78. Michael Riela – Riela@thsh.com
      Mike Riela is a partner in Tannenbaum Helpern’s Creditors’ Rights and Business Reorganization practice. With more than 15 years of experience, Mike advises companies on complex restructuring, distressed M&A, loan transactions and bankruptcy related litigation matters. Mike has in-depth experience in advising clients on corporate and real estate bankruptcies, workouts, Chapter 11 and Chapter 7 bankruptcy cases, debtor-in-possession (DIP) and bankruptcy exit loan facilities, secondary market trading of distressed debt and trade claims, Section 363 sales and bankruptcy retention and fee agreements and disputes. His clients include banks, administrative agents, indenture trustees, hedge funds, private equity firms, professional services firms, trade creditors, contract counterparties, shareholders, debtors and investors. Mike has represented buyers of assets in Section 363 and out-of-court sales.
      Mike also works with clients on cybersecurity and data privacy issues, including the assessment and investigation of information security and data breach incidents. Before any data breaches occur, Mike prepares and helps clients implement written information security programs, systems access policies, and incident response plans. After clients suffer a breach, Mike assists with their response and advises on their legal duties, including clients’ duties under various security breach notification laws.
      Prior to joining Tannenbaum Helpern, Mike was a shareholder at Vedder Price and was a counsel at Latham & Watkins. He has been recently selected to serve on the 2016 Bankruptcy editorial advisory board for the Law360 publication. Mike can be reached at riela@thsh.com or at 212.508.6773 or connect with him on LinkedIn: https://www.linkedin.com/in/michael-riela-9644658
  • 79. Daniel Farris – Daniel.Farris@KLGates.com
      Daniel is Chair of the firm’s Technology Group, and focuses his practice on technology, privacy, data security, and infrastructure matters. Daniel understands how technology enables a company’s operations and creates competitive advantage, and he appreciates the central role data plays in driving strategic decision-making. His practice is founded upon understanding how technology can strengthen and expand upon the core missions of his clients’ businesses. Daniel is a trusted adviser to technology and telecommunication companies, healthcare providers, financial institutions, national retail and apparel companies, and manufacturing clients, as well as startup, embryonic and emerging growth companies.
      As a former software engineer and network administrator, Daniel brings real-world experience to bear in counseling on a wide range of issues, including fiber optic networking, cloud computing, mobile app development, information management, privacy, and data security. He also regularly advises and represents clients on “traditional” intellectual property matters, including patent protection and enforcement, inbound/outbound licensing, trademark prosecution, brand extension, digital rights management, and large transactions, such as mergers and acquisitions. Daniel has experience in four primary areas: Technology Transactions, Privacy & Data Security, Data Center & Infrastructure, and Intellectual Property and Corporate.
      Before joining Fox Rothschild, Daniel was a shareholder at an Am Law 100 firm, where he co-chaired the Data Center & Infrastructure and Data Privacy & Security teams and served on the Startup Ventures team. Daniel previously worked as an associate in the Chicago offices of two international law firms. Daniel is a former software engineer and network administrator in telecommunications.
  • 80. Alison Schaffer Bloom – aschaffer@jumptrading.com
      Alison Schaffer Bloom is Legal and Regulatory Counsel at the Jump Trading Group in Chicago. Alison works extensively in the areas of trading, technology, human resources, venture capital, and data protection and privacy. Specifically, Alison leads GDPR implementation and data protection and privacy application for all of the Jump Trading Group’s business lines. Alison graduated from Northwestern University with Honors in Legal Studies and Communication Studies and a Certificate in Service Learning and attained a Masters in Education while a Teach For America corps member in New York. Alison obtained her Juris Doctor from Chicago-Kent College of Law, where she was an avid member of the Trial Team. She is a member of the International Association of Privacy Professionals and looks forward to completing her CIPP-E certification.
  • 81. Alexander Bilus – alexander.bilus@saul.com
      Alexander (Sandy) R. Bilus assists clients who are facing complex commercial litigation or who need legal advice on issues involving cybersecurity and data privacy, particularly in the higher education and financial services industries. Sandy’s litigation experience includes arguing cases before the U.S. Court of Appeals for the Third Circuit and assisting with cases before the U.S. Supreme Court and the Supreme Court of Pennsylvania. His cybersecurity and data privacy experience includes responding to potential data breaches and providing advice on compliance with the European Union’s General Data Protection Regulation (GDPR). The International Association of Privacy Professionals recognizes Sandy as a Certified Information Privacy Professional (CIPP/US).
      Sandy’s work for institutions of higher education includes providing advice and conducting internal investigations connected to their compliance concerns, as well as responding to private lawsuits and government enforcement activity. He also counsels colleges and universities on cybersecurity and data privacy matters. Because of the depth of his experience representing higher education institutions, he understands the unique challenges that this industry faces, from planning for cyber-attacks and data breaches, to managing these crises, to proceeding after one or both occur.
      Sandy also advises clients on First Amendment and defamation matters. Through his work with the American Civil Liberties Union of Pennsylvania, Sandy has represented clients bringing First Amendment and other constitutional claims. He also represented on a pro bono basis a group of same-sex couples who brought a constitutional challenge to Pennsylvania’s ban on same-sex marriage. Before joining Saul Ewing Arnstein & Lehr, he practiced for six years at an international law firm in Philadelphia and worked as a law clerk for two federal judges.
  • 82. QUESTIONS OR COMMENTS?
      If you have any questions about this webinar that you did not get to ask during the live premiere, or if you are watching this webinar On Demand, please do not hesitate to email us at info@financialpoise.com with any questions or comments you may have. Please include the name of the webinar in your email and we will do our best to provide a timely response.
      IMPORTANT NOTE: The material in this presentation is for general educational purposes only. It has been prepared primarily for attorneys and accountants for use in the pursuit of their continuing legal education and continuing professional education.
  • 83. ABOUT FINANCIAL POISE
      DailyDAC LLC, d/b/a Financial Poise™ provides continuing education to attorneys, accountants, business owners and executives, and investors. Its websites, webinars, and books provide plain-English, entertaining explanations about legal, financial, and other subjects of interest to these audiences. Visit us at www.financialpoise.com.
      Our free weekly newsletter, Financial Poise Weekly, educates readers about business, business law, finance, and investing. To receive it simply add yourself by going to: https://www.financialpoise.com/newsletter/ Email addresses are never sold to or shared with third parties.