Webinar report: EACCNY – Data Protection – 24 March 2020
TABS Webinar Report
EACCNY – Data Protection
24 March 2020
California’s CCPA and the EU’s GDPR: What U.S. and European Companies Need to Know, Especially as Companies and Their Staff Go “Virtual” for an Indefinite Amount of Time
- Kate Black | Shareholder | Greenberg Traurig (Miami)
- Brian Kint | Partner | Cozen O’Connor (Philadelphia)
- Cécile Martin | Managing Partner | Ogletree Deakins International (Paris)
Covid-19 and Collecting Data from Employees
In Europe, the recommendation is that companies must always refrain from collecting sensitive data such as body temperature or whether employees have possibly been exposed to coronavirus, although it is possible to find exceptions during this pandemic. In the US, it is important to protect both employees' privacy and their health and safety, so if someone in the company has tested positive or is showing symptoms, the person's name must not be disclosed, but other employees must be notified.
Remote Work and Data Protection
Companies need to ask their employees to be extra vigilant, especially if they are working with personal devices. Make sure a policy is in place and that employees are following it. It is important to be careful not to use a personal email account or hardware that might be infected with malware. Have all necessary security processes in place.
Companies operating in more than one location will need to navigate different laws to make sure they comply with the local laws, especially if they need to move data between countries.
It is also important to have contingency plans, such as disaster plans. Make sure you document the thought process: it will be important to show everything that was taken into account in case there are any claims against the company.
Organization will be the most challenging aspect until people get used to working in a non-face-to-face environment; a good way to mitigate this is to have daily or weekly team calls if possible. Provide as many resources as possible to ensure employees are able to follow all internal processes when not working from the office.
Regulatory Enforcement During the Pandemic
Companies must be aware that some regulators may still conduct audits virtually. Even though audit activity has naturally slowed down during this period, regulators do not need to be physically on a company's premises, so it is important to keep in mind that an audit might still happen. Right now the priorities have obviously changed, but once the situation has gone back to normal, regulators may also look back to see how companies performed. It is likely regulators will be more sympathetic now, but companies must not see this as a free pass.
The Attorney General posted an updated draft that is now open for comments; these will be considered and a new draft will be posted after that. With everything that is happening at the moment, we believe there will be a push for everything to be done before June 1st. As of now, the data deletion section is broad and does not clarify what the exceptions are.
GDPR and Brexit
GDPR still applies to the UK until the end of the current year; after January 1st it will only apply to companies that target European residents, the same way it applies to companies in the US.
Companies that are already GDPR compliant will find it easier to accommodate and adapt to CCPA, but they will still need to train the employees who will be monitoring requests related to personal data.
Key Topics to Prepare for CCPA
Have a policy in place for data requests and ensure that you are able to follow it.
When reviewing or writing your new policy, it is best for your company's protection to mention the CCPA specifically rather than only writing a general or broad policy.