Practical and entertaining education for
attorneys, accountants, business owners and
executives, and investors.
Disclaimer
The material in this webinar is for informational purposes only. It should not be considered
legal, financial or other professional advice. You should consult with an attorney or other
appropriate professional to determine what may be best for your individual needs. While
Financial Poise™ takes reasonable steps to ensure that information it publishes is accurate,
Financial Poise™ makes no guaranty in this regard.
Meet the Faculty
MODERATOR:
Kathryn Nadro – Sugar, Felsenthal, Grais & Helsinger LLP
PANELISTS:
Anna Mercado Clark – Phillips Lytle LLP
Alison Schaffer – Jump Trading Group
John Wilson – Haystack ID
About This Webinar
Introduction to EU General Data Protection Regulation:
Planning, Implementation, and Compliance
The GDPR changed the way the world collects, stores, and sends personal data. The GDPR
is a broad EU regulation that requires businesses to protect the personal data of EU citizens,
whether the business itself is in the EU or elsewhere. Since its implementation in 2018,
companies that collect data on EU citizens must comply with strict rules for the protection of
personal data or face heavy fines for non-compliance. This webinar will provide an overview
of GDPR’s applicability and requirements, as well as how your organization may meet those
standards.
About This Series
Cyber Security & Data Privacy 2021
Cybersecurity and data privacy are critical topics of concern for every business in today’s
environment. Data breaches are a threat to every business and can cause losses ranging from direct
losses from business interruption and loss of data to indirect losses from unwanted publicity and
damage to your business’s reputation. Compliance with a patchwork of potentially applicable
state and federal laws and regulations may cost your business in terms of money and time.
This series discusses the various laws and regulations that affect businesses in the United
States and in Europe, as well as the best practices to use in creating an information security
program and preparing for and responding to data breaches.
Each Financial Poise Webinar is delivered in Plain English, understandable to investors, business owners, and
executives without much background in these areas, yet is of primary value to attorneys, accountants, and other
seasoned professionals. Each episode brings you into engaging, sometimes humorous, conversations designed to
entertain as it teaches. Each episode in the series is designed to be viewed independently of the other episodes so that
participants will enhance their knowledge of this area whether they attend one, some, or all episodes.
Episodes in this Series
#1: Introduction to US Privacy and Data Security: Regulations and Requirements
Premiere date: 08/04/21
#2: Introduction to EU General Data Protection Regulation: Planning, Implementation, and
Compliance
Premiere date: 9/01/21
#3: How to Build and Implement your Company's Information Security Program
Premiere date: 10/06/21
#4: Data Breach Response: Before and After the Breach
Premiere date: 11/03/21
Episode #2: Introduction to EU General Data
Protection Regulation: Planning, Implementation,
and Compliance
Introduction
• The General Data Protection Regulation (GDPR) is a law that regulates data protection for
individuals in the European Union
✓ Passed by the EU Parliament in April 2016
✓ Enacted into law on May 25, 2018
✓ Most impactful data privacy legislation in 20 years
✓ Paved the way for similar legislation across the globe
Introduction (cont’d)
• Aims to protect EU citizens against privacy and data breaches; and
• Simplifies regulations for international business by unifying data protection regulation in the
EU into one law
• Enacted in response to a growing wave of global cyberattacks, data leaks, and identity theft
• Introduced to replace outdated data protection laws enacted during the infancy of the
internet
New Data Protection Laws Around the World
following GDPR
• Brazil
• Australia
• Canada
• California Consumer Protection Act
• China
• Being compliant with GDPR does not mean you are compliant with all data
protection laws
EU Data Privacy Regulation History – The
“Directive”
• 1995 – EU adopts the European Data Protection Directive (95/46/EC)
✓ regulated both automated and manual processing of personal data
✓ adopted in response to European Convention on Human Rights (ECHR) Article 8,
which stresses that all humans have a right to privacy in their home and
correspondence
EU Data Privacy Regulation History – The
“Directive” (cont’d)
• The Directive required data processing companies to comply with 3 principles when
processing personal data -
✓ transparency
✓ legitimate purpose
✓ proportionality
GDPR Explained
• Gives consumers more control over how their data is collected and used
• Forces companies to justify what they do with the personal information they collect,
defined as any information that can identify a person, e.g. –
✓ name
✓ phone number
✓ username
✓ health data
✓ political opinions
✓ IP address
✓ location data
• Generally imposes responsibility and accountability on data collection and
processing companies
GDPR Key Players
• Data subject: individual whose data is being processed
✓ All natural persons who can be distinguished as persons with rights with regard to the
processing of personal data
• Controller: person/entity in charge of data processing
✓ Natural person
✓ Public authority or agency
✓ Corporate entity
GDPR Key Players (cont’d)
• Data Processor: processes data on behalf of the controller
✓ Natural person
✓ Public authority or agency
✓ Corporate entity
❑ e.g. an IT company
• Data Protection Officer (DPO): compliance officer
GDPR Requirements
• Increased Territorial Scope
• Consent
• Right to Access
• Right to be Forgotten
• Privacy-by-design
• Data Protection Officers (DPOs)
• Breach notification
• Data Portability
• Penalties
Increased Territorial Scope
• GDPR abandons previous ambiguous language and replaces it with “clear guidelines”
✓ Applies to the processing of personal data by controllers and processors in the EU,
regardless of where the processing takes place; and
✓ Data processing where the activities relate to offering goods or services to data
subjects and the monitoring of behavior that takes place within the EU
❑ Non-EU businesses engaged in processing the data of EU citizens must
appoint a representative in the EU
Consent
• Requires companies to request and obtain consent from data subjects by clear and plain
language (“opt-in consent”)
✓ All requests must be given and written in an intelligible and easily accessible form
and distinguishable from all other matters
• It must be just as easy to withdraw consent as it is to give it
Right to Access
• Data subjects have right to obtain confirmation from controller as to whether or not their
personal data is being processed, where, and for what purpose
✓ If a request is made, the controller must give the data subject a free electronic copy of
their information
Right to be Forgotten
• Data subjects may request to have controller –
✓ erase personal data
✓ cease further circulation of the data; and
✓ potentially have third parties stop processing of the data
• Conditions for data erasure are either (a) the data is no longer relevant to the original
purpose of processing, or (b) the data subject withdraws consent
• Erasure requests are weighed against the public interest in the availability of the
data
Privacy-by-Design
• Data protection is at forefront of any controller or processor system design - not an
additional option
• Requires controllers hold and process only data absolutely necessary for completion
of their duties and limit access to personal data
Data Protection Officers (DPOs)
• DPO appointment is mandatory only for companies (controllers) whose core activities
consist of processing sensitive personal data on a large scale or a form of data processing
which is particularly far reaching for the rights of the data subjects
✓ Companies may name an employee as an internal DPO; or
✓ appoint an external DPO.
• Public bodies must always appoint DPO
Data Protection Officers (DPOs) (cont’d)
• DPO duties include:
✓ complying with all relevant data protection laws
✓ monitoring specific processes, such as data protection impact assessments
✓ increasing employee awareness for data protection and training them
accordingly, and
✓ collaborating with the supervisory authorities
Breach Notification
• Breach notifications are mandatory in all member states where data breach is likely to
“result in a risk for the rights and freedoms of individuals”
✓ too ambiguous and confusing
• Businesses must notify authorities about any data security breach within 72 hours of
discovering it
• Businesses must also notify data subjects without undue delay after first becoming aware
of a data breach
✓ “undue delay” is too ambiguous, as well
Data Portability
• Data subject has right to receive their personal data and may transmit such data to
another controller as they please
• The data subject must be able to use the data when given by the data controller – it must be
given “in a structured, commonly used and machine-readable format”
Link: http://www.simontbraun.eu/en/news/news-general/2082-the-right-to-data-portability-and-bank-account-information
Penalties
• Organizations that fail to comply with GDPR may be fined up to the greater amount of 4%
of annual global revenue or €20 million (approx. $23 Million)
• Tiered approach to fines –
✓ Most serious infractions: For example, not having sufficient customer consent or
violating core Privacy-by-Design concepts
▪ up to 4% of annual global revenue or €20 million, whichever is greater
✓ Lesser infractions: For example, not having records in order, not notifying authority and
data subjects about breach, or not conducting privacy impact assessment (PIA)
▪ up to 2% of annual global revenue or €10 million, whichever is greater
• Breach alone is not enough to merit a fine
Compliance
• All personal data processors and controllers of data subjects - regardless of their location -
must comply with GDPR
✓ Broad interpretation - companies may not have any direct relationship with Europe
and still be subject to GDPR (indirect contact is sufficient)
• EU Parliament gave a two-year “grace period” prior to compliance enforcement to allow
member states to prepare for GDPR (2016 – 2018)
Compliance Practices
• All organizations holding and processing data subject personal data must comply with
requirements by engaging in practices, such as -
✓ Document all data processing activities that involve the collection, treatment, and
safeguarding of personal data
✓ Audit data they hold and develop a risk assessment
✓ Ensure they have a DPO
• Build and improve processes and features to ensure all requests are quickly and
effectively addressed when data subjects seek to exercise their rights
• If controller, re-evaluate all sub-processors to ensure they have adequate security
measures in place for safeguarding of personal data
• Create a data breach reporting plan
Compliance Challenges
• GDPR imposes responsibilities and duties not previously imposed under the Directive
✓ Companies must vastly amend internal business organization process for
compliance
• Intensive record keeping - Controllers and processors are required to keep internal records
of their data protection activities
• Major fines & sanctions for failure to comply
• Ambiguous language – courts or regulators must define “consent,” “undue delay” and
“likelihood of high risk to rights and freedom”
• Heavy cost – legal and compliance fees
Potential Solutions to Compliance Challenges
• “Dump the data” – organizations are deleting customer data rather than paying cost of
compliance
✓ 70% of U.S. businesses are disposing of data
• In-house counsel
✓ Some companies are establishing in-house counsel departments because they lack
data privacy law knowledge
Schrems II
• July 2020 decision from the Court of Justice of the European Union
• Invalidated the US-EU Privacy Shield
✓ Closed off key mechanisms for transferring personal data from the EU to the US
✓ Schrems I invalidated European Commission adequacy decisions with respect to
EU-U.S. Safe Harbor
• CJEU was concerned with US government access to personal data for national security
purposes and the rights of EU citizens in the US to judicial review and redress
✓ CJEU found the U.S. was not according EU personal data the protection and rights
of redress available in the EU
• International data flows can continue to be based on EU Standard Contractual Clauses if
properly monitored
Standard Contractual Clauses
• Contract clauses promulgated by the European Commission to permit cross-border data
transfers
• Essentially, countries outside the GDPR’s reach voluntarily contract to comply with GDPR
requirements to receive transfers including personal information from the EU
• The European Commission released new SCCs following the Schrems II decision
• Organizations must stop using the old SCCs in new contracts by September 27, 2021,
and all existing contracts must be transitioned to the new SCCs by December 27, 2022
GDPR: Three Years In
• GDPR awareness
✓ Influx in data breaches and complaints
✓ Increase in customers and service users exercising their information rights
✓ Organizations increasingly appointing DPOs
✓ Data protection legislation on the rise globally
• Enforcement
✓ Low enforcement to complaints/data breach ratio
✓ Not just about the fines – increase in warnings and reprimands
✓ Huge fines to huge companies: a proposed $425 million against Amazon, €50 million
against Google, €35 million against H&M
Broad Definition of “Joint Controller”
• Two Facebook cases from the CJEU have led to a broad interpretation of when there are
“joint controllers”
• “Joint Controller” situation arises when two or more controllers both have responsibility for
meeting the terms of the GDPR
• Both controllers have full responsibility to ensure the entire process is compliant
• An individual can seek compensation from any joint controller (who may seek additional
compensation from the other joint controller)
Brexit and GDPR
• Since Brexit, Britain has been operating under GDPR standards, but now appears to want
to use different data protection laws to help the economy
• Following an adequacy decision with the EU, Britain wants to diverge from general GDPR
principles
• Post-Brexit, Britain will develop “data adequacy partnerships” to drive international trade
with other countries
COVID-19 and GDPR: Potential Reforms
• GDPR initially limits use of personal information for tracking and tracing infections
✓ In March 2020 the Italian Data Protection Authority issued a statement prohibiting
employers from collecting worker “information on the presence of any signs of
influenza in the worker and his or her closest contacts”
✓ The French Data Protection Authority similarly noted the GDPR banned employers
from using thermal cameras to automatically check worker temperatures
COVID-19 and GDPR: Potential Reforms (cont’d)
• Invalidation of Privacy Shield in Schrems II limits use of personal information in vaccine
clinical trials with sites in both the US and EU
• In February 2021 Brussels public health officials noted problems with sharing of
vaccination information between local health officials and the federal health platform,
which led to healthcare workers missing their vaccine appointments
• Italy and Germany have updated their laws to provide specific frameworks for the
processing of personal data during a pandemic
Data Breaches Increase
• 7.9 billion data records exposed in 2019 – a 33% increase from the same time in 2018
(source: https://www.identityforce.com/blog/2020-data-breaches)
• In 2020, 26 billion data records were exposed – the worst year on record (source:
https://www.securitymagazine.com/articles/94076-the-top-10-data-breaches-of-2020)
• Notable data breaches so far in 2021 include the Kaseya attack and the Accellion breach
(affecting 9 healthcare organizations such as Stanford Medicine and Kroger Pharmacy)
GDPR: What Should Businesses do in Light of
GDPR-Like Regulatory Trend?
• Continue to conduct general risk assessments
• Prioritize building programs with core fair information practices
✓ E.g. Notice, consent, accountability, and transparency
• Keep up to date on regulatory developments specific to each country
• Consider participating in “sandboxes”
• Continue to foster culture of privacy and information data security in your business
About the Faculty
About The Faculty
Kathryn Nadro - knadro@sfgh.com
Kathryn (“Katie”) Nadro leads Sugar Felsenthal Grais & Helsinger’s Data Security and Privacy practice.
Katie advises clients on a diverse array of business matters, including data security and privacy
compliance, commercial and business disputes, and employment issues. Katie works with individuals
and businesses of all sizes to craft successful resolutions tailored to each individual matter.
Katie is a Certified Information Privacy Professional (CIPP/US) and counsels clients on a variety of data
security and privacy issues, including policy drafting, program management, data collection, vendor
management, and compliance with ever-changing state, federal, and international privacy law. Katie
also has broad litigation experience representing companies and individuals in contract,
non-compete, discrimination, harassment, fiduciary duty, and trade secret litigation in state and federal
court. With a background as both in-house and outside counsel, Katie understands that business
objectives, time, and resources play an important role in reaching a favorable outcome for each
client.
About The Faculty
Anna Mercado Clark - AClark@phillipslytle.com
As leader of Phillips Lytle’s Data Security & Privacy and E-Discovery & Digital Forensics Practice Teams, Ms. Clark
focuses on complex e-discovery and digital forensics, cybersecurity and data privacy, and complex commercial litigation.
As a former Assistant District Attorney, she also handles white collar criminal matters and investigations. Additionally,
Ms. Clark has been awarded the following ANSI-accredited credentials by the International Association of Privacy
Professionals (IAPP): Certified Information Privacy Professional/Europe (CIPP/E) and Certified Information Privacy
Professional for the U.S. Private Sector (CIPP/US), preeminent certifications for advanced concentration in European
data protection laws and U.S. private-sector laws, standards and practices, respectively.
Ms. Clark routinely counsels sophisticated clients on data governance issues to address business needs while
minimizing risks and complying with a rapidly evolving regulatory landscape and other legal obligations. She has
extensive experience advising businesses in the technology, consumer, health care and financial industries regarding
information management and disposition policies, litigation readiness, data transfers, third-party/vendor negotiation and
management relative to data administration, and disaster recovery and avoidance.
About The Faculty
Alison Schaffer - aschaffer@jumptrading.com
Alison Schaffer Bloom is Legal and Regulatory Counsel at the Jump Trading Group in
Chicago. Alison works extensively in the areas of trading, technology, human resources,
venture capital, and data protection and privacy. Specifically, Alison leads data protection and
privacy application for all of the Jump Trading Group’s business lines globally. Alison
graduated from Northwestern University with Honors in Legal Studies and Communication
Studies and a Certificate in Service Learning and attained a Masters in Education while a
Teach For America corps member in New York. Alison obtained her Juris Doctor from
Chicago-Kent College of Law, where she was an avid member of the Trial Team. She is a
member of the International Association of Privacy Professionals and holds the Certified
Information Privacy Professional/Europe (CIPP/E), a preeminent certification for advanced
concentration in European data protection laws, standards and practices.
About The Faculty
John Wilson - jwilson@haystackid.com
Mr. Wilson is the founder of Discovery Squared. He is a certified forensic examiner, licensed private
investigator and an information technology veteran with over two decades of experience working
with the US Government, public and private companies. He serves clients in a variety of industries
and is an advisor to outside counsel, general counsel and in-house executives on best practices.
Mr. Wilson provides business and litigation consulting services to help companies address various
matters related to computer & device forensics, data retention, records management and electronic
discovery, including leading numerous investigations, ensuring proper preservation of evidence items
and chain of custody. In addition, he has extensive experience with international collections, large
scale collections distributed across diverse locations, Mac forensics, mobile forensics, social media
forensics and cloud forensics.
Questions or Comments?
If you have any questions about this webinar that you did not get to ask during the live
premiere, or if you are watching this webinar On Demand, please do not hesitate to email us
at info@financialpoise.com with any questions or comments you may have. Please include
the name of the webinar in your email and we will do our best to provide a timely response.
IMPORTANT NOTE: The material in this presentation is for general educational purposes
only. It has been prepared primarily for attorneys and accountants for use in the pursuit of
their continuing legal education and continuing professional education.
About Financial Poise
DailyDAC LLC, d/b/a Financial Poise™ provides
continuing education to attorneys, accountants,
business owners and executives, and investors. Its
websites, webinars, and books provide Plain English,
entertaining explanations of legal, financial, and
other subjects of interest to these audiences.
Visit us at www.financialpoise.com
Our free weekly newsletter, Financial Poise
Weekly, updates you on new articles published
on our website and Upcoming Webinars you
may be interested in.
To join our email list, please visit:
https://www.financialpoise.com/subscribe/

CORPORATE REGULATORY COMPLIANCE BOOT CAMP 2022 - PART 2: Executive Compensat...
 
CORPORATE REGULATORY COMPLIANCE BOOT CAMP 2022 - PART 2: Securities Law Comp...
CORPORATE  REGULATORY COMPLIANCE BOOT CAMP 2022 - PART 2: Securities Law Comp...CORPORATE  REGULATORY COMPLIANCE BOOT CAMP 2022 - PART 2: Securities Law Comp...
CORPORATE REGULATORY COMPLIANCE BOOT CAMP 2022 - PART 2: Securities Law Comp...
 
M&A BOOT CAMP - 2022: Post-Closing Issues -Integration & Potential Buyer Sell...
M&A BOOT CAMP - 2022: Post-Closing Issues -Integration & Potential Buyer Sell...M&A BOOT CAMP - 2022: Post-Closing Issues -Integration & Potential Buyer Sell...
M&A BOOT CAMP - 2022: Post-Closing Issues -Integration & Potential Buyer Sell...
 
M&A BOOT CAMP 2022 - Key Provisions in M&A Agreements
M&A BOOT CAMP 2022 - Key Provisions in M&A AgreementsM&A BOOT CAMP 2022 - Key Provisions in M&A Agreements
M&A BOOT CAMP 2022 - Key Provisions in M&A Agreements
 
M&A BOOT CAMP 2022 - The M&A Process
M&A BOOT CAMP 2022 - The M&A ProcessM&A BOOT CAMP 2022 - The M&A Process
M&A BOOT CAMP 2022 - The M&A Process
 
CROWDFUNDING 2022 - Crowdfunding from the Investor's Perspective
CROWDFUNDING 2022 - Crowdfunding from the Investor's PerspectiveCROWDFUNDING 2022 - Crowdfunding from the Investor's Perspective
CROWDFUNDING 2022 - Crowdfunding from the Investor's Perspective
 

Kürzlich hochgeladen

Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
ssuserdda66b
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 

Kürzlich hochgeladen (20)

Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 

Introduction to EU General Data Protection Regulation: Planning, Implementation, and Compliance (Series: Cybersecurity & Data Privacy)

1.

2. Practical and entertaining education for attorneys, accountants, business owners and executives, and investors.

3. Disclaimer
The material in this webinar is for informational purposes only. It should not be considered legal, financial or other professional advice. You should consult with an attorney or other appropriate professional to determine what may be best for your individual needs. While Financial Poise™ takes reasonable steps to ensure that information it publishes is accurate, Financial Poise™ makes no guaranty in this regard.

4.

5. Meet the Faculty
MODERATOR: Kathryn Nadro – Sugar, Felsenthal, Grais & Helsinger LLP
PANELISTS: Anna Mercado Clark – Phillips Lytle LLP; Alison Schaffer – Jump Trading Group; John Wilson – Haystack ID

6. About This Webinar – Introduction to EU General Data Protection Regulation: Planning, Implementation, and Compliance
The GDPR changed the way the world collects, stores, and sends personal data. The GDPR is a broad EU regulation that requires businesses to protect the personal data of EU citizens, whether the business itself is in the EU or elsewhere. Since its implementation in 2018, companies that collect data on EU citizens must comply with strict rules for the protection of personal data or face heavy fines for non-compliance. This webinar will provide an overview of GDPR’s applicability and requirements, as well as how your organization may meet those standards.

7. About This Series – Cyber Security & Data Privacy 2021
Cybersecurity and data privacy are critical topics of concern for every business in today’s environment. Data breaches are a threat to every business and can cause both direct losses from business interruption and loss of data to indirect losses from unwanted publicity and damage to your business’s reputation. Compliance with a patchwork of potentially applicable state and federal laws and regulations may cost your business in terms of money and time. This series discusses the various laws and regulations that affect businesses in the United States and in Europe, as well as the best practices to use in creating an information security program and preparing for and responding to data breaches.
Each Financial Poise Webinar is delivered in Plain English, understandable to investors, business owners, and executives without much background in these areas, yet is of primary value to attorneys, accountants, and other seasoned professionals. Each episode brings you into engaging, sometimes humorous, conversations designed to entertain as it teaches. Each episode in the series is designed to be viewed independently of the other episodes so that participants will enhance their knowledge of this area whether they attend one, some, or all episodes.

8. Episodes in this Series
#1: Introduction to US Privacy and Data Security: Regulations and Requirements – Premiere date: 08/04/21
#2: Introduction to EU General Data Protection Regulation: Planning, Implementation, and Compliance – Premiere date: 9/01/21
#3: How to Build and Implement your Company's Information Security Program – Premiere date: 10/06/21
#4: Data Breach Response: Before and After the Breach – Premiere date: 11/03/21

9. Episode #2: Introduction to EU General Data Protection Regulation: Planning, Implementation, and Compliance
10. Introduction
• The General Data Protection Regulation (GDPR) is a law that regulates data protection for individuals in the European Union
  ✓ Passed by the EU Parliament in April 2016
  ✓ Enacted into law on May 25, 2018
  ✓ Most impactful data privacy legislation in 20 years
  ✓ Paved the way for similar legislation across the globe

11. Introduction (cont’d)
• Aims to protect EU citizens against privacy and data breaches; and
• Simplify regulations for international business by unifying data protection regulation in the EU into one law
• Enacted in response to a growing wave of global cyberattacks, data leaks, and identity thefts
• Introduced to replace outdated data protection laws enacted during the infancy of the internet

12. New Data Protection Laws Around the World Following GDPR
• Brazil
• Australia
• Canada
• California Consumer Protection Act
• China
• Being compliant with GDPR does not mean you are compliant with all data protection laws
13. EU Data Privacy Regulation History – The “Directive”
• 1995 – EU adopts the European Data Protection Directive (95/46/EC)
  ✓ regulated both automated and manual processing of personal data
  ✓ adopted in response to European Convention of Human Rights (ECHR) Article 8, which stresses that all humans have a right to privacy in their home and correspondence
15. EU Data Privacy Regulation History – The “Directive” (cont’d)
• The Directive required data processing companies to comply with 3 principles when processing personal data:
  ✓ transparency
  ✓ legitimate purpose
  ✓ proportionality

16. GDPR Explained
• Gives consumers more control over how their data is collected and used
• Forces companies to justify what they do with the personal information they collect, defined as any information that is identifiable, e.g.:
  ✓ name
  ✓ phone number
  ✓ username
  ✓ health data
  ✓ political opinions
  ✓ IP address
  ✓ location data
• Generally imposes responsibility and accountability on data collection and processing companies
17. GDPR Key Players
• Data subject: individual whose data is being processed
  ✓ All natural persons who can be distinguished as persons with rights in regards to the processing of personal data
• Controller: person/entity in charge of data processing
  ✓ Natural person
  ✓ Public authority or agency
  ✓ Corporate entity

18. GDPR Key Players (cont’d)
• Data Processors: process data on behalf of the controller
  ✓ Natural person
  ✓ Public authority or agency
  ✓ Corporate entity
    ❑ e.g., an IT company
• Data Protection Officer (DPO): compliance officer

19. GDPR Requirements
• Increased Territorial Scope
• Consent
• Right to Access
• Right to be Forgotten
• Privacy-by-design
• Data Protection Officers (DPOs)
• Breach notification
• Data Portability
• Penalties

20. Increased Territorial Scope
• GDPR abandons previous ambiguous language and replaces it with “clear guidelines”
  ✓ Applies to the processing of personal data by controllers and processors in the EU, regardless of where the processing takes place; and
  ✓ Data processing where the activities relate to offering goods or services to data subjects and the monitoring of behavior that takes place within the EU
    ❑ Non-EU businesses engaged in processing the data of EU citizens must appoint a representative in the EU

21. Consent
• Requires companies to request and obtain consent from data subjects in clear and plain language (“opt-in consent”)
  ✓ All requests must be given and written in an intelligible and easily accessible form and be distinguishable from all other matters
• It must be just as easy to withdraw consent as it is to give it

22. Right to Access
• Data subjects have the right to obtain confirmation from the controller as to whether or not their personal data is being processed, where, and for what purpose
  ✓ If a request is made, the controller must give the data subject a free electronic copy of her information

23. Right to be Forgotten
• Data subjects may request that the controller:
  ✓ erase personal data
  ✓ cease further circulation of the data; and
  ✓ potentially have third parties stop processing of the data
• Conditions for data erasure are either (a) the data is no longer relevant to the original purpose of processing, or (b) the data subject is withdrawing consent
• Erasure requests are weighed against the public interest in the availability of the data

24. Privacy-by-Design
• Data protection is at the forefront of any controller or processor system design, not an additional option
• Requires that controllers hold and process only data absolutely necessary for completion of their duties and limit access to personal data
25. Data Protection Officers (DPOs)
• DPO appointment is mandatory only for companies (controllers) whose core activities consist of processing sensitive personal data on a large scale or a form of data processing which is particularly far reaching for the rights of the data subjects
  ✓ Companies may name an employee as an internal DPO, or appoint an external DPO
• Public bodies must always appoint a DPO

26. Data Protection Officers (DPOs) (cont’d)
• DPO duties include:
  ✓ complying with all relevant data protection laws
  ✓ monitoring specific processes, such as data protection impact assessments
  ✓ increasing employee awareness of data protection and training them accordingly, and
  ✓ collaborating with the supervisory authorities

27. Breach Notification
• Breach notifications are mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”
  ✓ too ambiguous and confusing
• Businesses must notify authorities about any data security breach within 72 hours of discovering it
• Businesses must also notify data subjects without undue delay after first becoming aware of a data breach
  ✓ “undue delay” is too ambiguous, as well

28. Data Portability
• Data subjects have the right to receive their personal data and may transmit such data to another controller as they please
• The data subject must be able to use the data when given by the data controller – it must be given “in a structured, commonly used and machine-readable format”
Link: http://www.simontbraun.eu/en/news/news-general/2082-the-right-to-data-portability-and-bank-account-information
29. Penalties
• Organizations that fail to comply with GDPR may be fined up to 4% of annual global revenue or €20 million (approx. $23 million), whichever is greater
• Tiered approach to fines:
  ✓ Most serious infractions: for example, not having sufficient customer consent or violating core Privacy-by-Design concepts
    ▪ up to 4% of annual global revenue or €20 million, whichever is greater
  ✓ Lesser infractions: for example, not having records in order, not notifying the authority and data subjects about a breach, or not conducting a privacy impact assessment (PIA)
    ▪ up to 2% of annual global revenue or €10 million, whichever is greater
• A breach alone is not enough to merit a fine

30. Compliance
• All personal data processors and controllers of data subjects, regardless of their location, must comply with GDPR
  ✓ Broad interpretation: companies may not have any direct relationship with Europe and still be subject to GDPR (indirect contact is sufficient)
• EU Parliament gave a two-year “grace period” prior to compliance enforcement to allow member states to prepare for GDPR (2016 – 2018)

31. Compliance Practices
• All organizations holding and processing data subject personal data must comply with requirements by engaging in practices such as:
  ✓ Document all data processing activities that involve the collection, treatment, and safeguarding of personal data
  ✓ Audit the data they hold and develop a risk assessment
  ✓ Ensure they have a DPO
• Build and improve processes and features to ensure all requests are quickly and effectively addressed when data subjects seek to exercise their rights
• If a controller, re-evaluate all sub-processors to ensure they have adequate security measures in place for the safeguarding of personal data
• Create a data breach reporting plan

32. Compliance Challenges
• GDPR imposes responsibilities and duties not previously imposed under the Directive
  ✓ Companies must vastly amend internal business organization processes for compliance
• Intensive record keeping: controllers and processors are required to keep internal records of their data protection activities
• Major fines & sanctions for failure to comply
• Ambiguous language: courts or regulators must define “consent,” “undue delay” and “likelihood of high risk to rights and freedom”
• Heavy cost: legal and compliance fees

33. Potential Solutions to Compliance Challenges
• “Dump the data”: organizations are deleting customer data rather than paying the cost of compliance
  ✓ 70% of U.S. businesses are disposing of data
• In-house counsel
  ✓ Some companies are establishing in-house counsel departments because they lack data privacy law knowledge

34. Schrems II
• July 2020 decision from the Court of Justice of the European Union
• Invalidated the US-EU Privacy Shield
  ✓ Closed off key mechanisms for transferring personal data from the EU to the US
  ✓ Schrems I invalidated European Commission adequacy decisions with respect to the EU-U.S. Safe Harbor
• The CJEU was concerned with US government access to personal data for national security purposes and the rights of EU citizens in the US to judicial review and redress
  ✓ The CJEU found the U.S. was not according EU personal data the protection and rights of redress available in the EU
• International data flows can continue to be based on EU Standard Contractual Clauses if properly monitored

35. Standard Contractual Clauses
• Contract clauses promulgated by the European Commission to permit cross-border data transfers
• Essentially, countries outside the GDPR’s reach voluntarily contract to comply with GDPR requirements in order to receive transfers including personal information from the EU
• The European Commission released new SCCs following the Schrems II decision
• Organizations must stop using the old SCCs in new contracts by September 27, 2021, and all existing contracts must be transitioned to the new SCCs by December 27, 2022
36. GDPR: Three Years In
• GDPR awareness
  ✓ Influx of data breaches and complaints
  ✓ Increase in customers and service users exercising their information rights
  ✓ Organizations increasingly appointing DPOs
  ✓ Data protection legislation on the rise globally
• Enforcement
  ✓ Low enforcement to complaints/data breach ratio
  ✓ Not just about the fines: increase in warnings and reprimands
  ✓ Huge fines for huge companies: a proposed $425 million against Amazon, €50 million against Google, €35 million against H&M

37. Broad Definition of “Joint Controller”
• Two Facebook cases from the CJEU have led to a broad interpretation of when there are “joint controllers”
• A “joint controller” situation arises when two or more controllers both have responsibility for meeting the terms of the GDPR
• Both controllers have full responsibility to ensure the entire process is compliant
• An individual can seek compensation from any joint controller (who may seek additional compensation from the other joint controller)

38. Brexit and GDPR
• Since Brexit, Britain has been operating under GDPR standards, but now appears to want to use different data protection laws to help the economy
• Following an adequacy decision with the EU, Britain wants to diverge from general GDPR principles
• Post-Brexit, Britain will develop “data adequacy partnerships” to drive international trade with other countries

39. COVID-19 and GDPR: Potential Reforms
• GDPR initially limits the use of personal information for tracking and tracing infections
  ✓ In March 2020 the Italian Data Protection Authority issued a statement prohibiting employers from collecting worker “information on the presence of any signs of influenza in the worker and his or her closest contacts”
  ✓ The French Data Protection Authority similarly noted the GDPR banned employers from using thermal cameras to automatically check worker temperatures

40. COVID-19 and GDPR: Potential Reforms (cont’d)
• Invalidation of the Privacy Shield in Schrems II limits the use of personal information in vaccine clinical trials with sites in both the US and EU
• In February 2021 Brussels public health officials noted problems with the sharing of vaccination information between local health officials and the federal health platform, which led to healthcare workers missing their vaccine appointments
• Italy and Germany have updated their laws to provide specific frameworks for the processing of personal data during a pandemic

41. Data Breaches Increase
• 7.9 billion data records exposed in 2019 – a 33% increase from the same time in 2018 (source: https://www.identityforce.com/blog/2020-data-breaches)
• In 2020, 26 billion data records were exposed – the worst year on record (source: https://www.securitymagazine.com/articles/94076-the-top-10-data-breaches-of-2020)
• Notable data breaches so far in 2021 include the Kaseya attack and the Accellion breach (affecting 9 healthcare organizations, including Stanford Medicine and Kroger Pharmacy)

42. GDPR: What Should Businesses Do in Light of the GDPR-Like Regulatory Trend?
• Continue to conduct general risk assessments
• Prioritize building programs with core fair information practices
  ✓ E.g. notice, consent, accountability, and transparency
• Keep up to date on regulatory developments specific to each country
• Consider participating in “sandboxes”
• Continue to foster a culture of privacy and information data security in your business
44. About The Faculty
Kathryn Nadro – knadro@sfgh.com
Kathryn (“Katie”) Nadro leads Sugar Felsenthal Grais & Helsinger’s Data Security and Privacy practice. Katie advises clients on a diverse array of business matters, including data security and privacy compliance, commercial and business disputes, and employment issues. Katie works with individuals and businesses of all sizes to craft successful resolutions tailored to each individual matter. Katie is a Certified Information Privacy Professional (CIPP/US) and counsels clients on a variety of data security and privacy issues, including policy drafting, program management, data collection, vendor management, and compliance with ever-changing state, federal, and international privacy law. Katie also has broad litigation experience representing companies and individuals in contract, non-compete, discrimination, harassment, fiduciary duty, and trade secret litigation in state and federal court. With a background as both in-house and outside counsel, Katie understands that business objectives, time, and resources play an important role in reaching a favorable outcome for each client.

45. About The Faculty
Anna Mercado Clark – AClark@phillipslytle.com
As leader of Phillips Lytle’s Data Security & Privacy and E-Discovery & Digital Forensics Practice Teams, Ms. Clark focuses on complex e-discovery and digital forensics, cybersecurity and data privacy, and complex commercial litigation. As a former Assistant District Attorney, she also handles white collar criminal matters and investigations. Additionally, Ms. Clark has been awarded the following ANSI-accredited credentials by the International Association of Privacy Professionals (IAPP): Certified Information Privacy Professional/Europe (CIPP/E) and Certified Information Privacy Professional for the U.S. Private Sector (CIPP/US), preeminent certifications for advanced concentration in European data protection laws and U.S. private-sector laws, standards and practices, respectively. Ms. Clark routinely counsels sophisticated clients on data governance issues to address business needs while minimizing risks and complying with a rapidly evolving regulatory landscape and other legal obligations. She has extensive experience advising businesses in the technology, consumer, health care and financial industries regarding information management and disposition policies, litigation readiness, data transfers, third-party/vendor negotiation and management relative to data administration, and disaster recovery and avoidance.

46. About The Faculty
Alison Schaffer – aschaffer@jumptrading.com
Alison Schaffer Bloom is Legal and Regulatory Counsel at the Jump Trading Group in Chicago. Alison works extensively in the areas of trading, technology, human resources, venture capital, and data protection and privacy. Specifically, Alison leads data protection and privacy application for all of the Jump Trading Group’s business lines globally. Alison graduated from Northwestern University with Honors in Legal Studies and Communication Studies and a Certificate in Service Learning and attained a Masters in Education while a Teach For America corps member in New York. Alison obtained her Juris Doctor from Chicago-Kent College of Law, where she was an avid member of the Trial Team. She is a member of the International Association of Privacy Professionals and holds the Certified Information Privacy Professional/Europe (CIPP/E), a preeminent certification for advanced concentration in European data protection laws, standards and practices.

47. About The Faculty
John Wilson – jwilson@haystackid.com
Mr. Wilson is the founder of Discovery Squared. He is a certified forensic examiner, licensed private investigator and an information technology veteran with over two decades of experience working with the US Government, public and private companies. He serves clients in a variety of industries and is an advisor to outside counsel, general counsel and in-house executives on best practices. Mr. Wilson provides business and litigation consulting services to help companies address various matters related to computer & device forensics, data retention, records management and electronic discovery, including leading numerous investigations, ensuring proper preservation of evidence items and chain of custody. In addition, he has extensive experience with international collections, large scale collections distributed across diverse locations, Mac forensics, mobile forensics, social media forensics and cloud forensics.

48. Questions or Comments?
If you have any questions about this webinar that you did not get to ask during the live premiere, or if you are watching this webinar On Demand, please do not hesitate to email us at info@financialpoise.com with any questions or comments you may have. Please include the name of the webinar in your email and we will do our best to provide a timely response.
IMPORTANT NOTE: The material in this presentation is for general educational purposes only. It has been prepared primarily for attorneys and accountants for use in the pursuit of their continuing legal education and continuing professional education.

49. About Financial Poise
DailyDAC LLC, d/b/a Financial Poise™ provides continuing education to attorneys, accountants, business owners and executives, and investors. Its websites, webinars, and books provide Plain English, entertaining explanations about legal, financial, and other subjects of interest to these audiences. Visit us at www.financialpoise.com
Our free weekly newsletter, Financial Poise Weekly, updates you on new articles published on our website and Upcoming Webinars you may be interested in. To join our email list, please visit: https://www.financialpoise.com/subscribe/