Personal data protection

Wondering whether your organization should appoint a Data Protection Officer (DPO)? Planning to open a new company in the European Union or to start offering a new type of services for your customers? Want to confirm what are the current requirements under GDPR and if you are GDPR compliant?

EY can help you assess whether you need a Data Protection Officer and will help choose the right person, appoint him/her and notify him/her to the supervisory authority. If you do not wish to hire the DPO on your own, EY Law can act as an external DPO and help you with your data protection challenges every day.

For years, our team has been supporting international companies and Data Protection Officers in different EU locations in meeting regulatory obligations to protect user, employee and contractor data at the highest level of quality and to most efficiently comply with GDPR and local authorities’ requirements.

Our support includes:

• Conducting DPO assessments to determine if the company is obliged to appoint a DPO.
• Dedicating an expert lawyer for the ongoing support inside your organization ­– at your request this option may include sending our expert to your company’s headquarters to allow us to thoroughly comprehend your organization’s procedures and stakeholders’ expectations to be able to adjust the data protection procedures and match them with an existing company structure and data flow (secondment service).
• Flexible packages of hours of support from our lawyers whenever needed, including support in implementation of new technologies and data-based solutions in your company, as well as crisis management support.
• Hotline with our legal team experts designed for businesses which need quick and efficient data protection legal support and incidents response.
• Professional support with appointing procedures in the country of destination, communication with local authorities and verification of specific local requirements for a DPO.

Wondering how to become a more trusted business partner and prove reliability in the privacy field?

Our team of experts in cooperation with EY Cybersecurity Compliance Team offers services related to International Standard on Assurance Engagements (ISAE) certifications, specifically focusing on data protection and information security. ISAE 3000 Assurance Engagement is designed to provide independent assurance to clients and stakeholders that their data protection practices and information security controls meet established standards.

We conduct independent assessments of a company's data protection and information security controls, policies, and practices to assess compliance with relevant standards and regulations. We provide a comprehensive report on the effectiveness of these controls over a specified period and issue a certificate that may be used to prove the company’s reliability in front of its clients.

A report responds to the needs of the supplier - it can relate to the evaluation of the effectiveness of mechanisms to ensure the quality of data in the system. The scope of such a report can be defined according to the client's wishes and address exactly their specific needs. The ISAE 3000 report often covers issues related to ensuring the proper operation of the internal control environment in relation to the requirements of the GDPR.

The benefits of certification for your business include:

• ISAE 3000 Report is an independent third party certification, recognized worldwide as a proof of efficient privacy policies in your company.
• The certificate may serve as proof in case of privacy-related claims,
• Some enterprise clients may require this type of certification in security classification procedures.
• It is an additional sign for your existing and new clients how much your organization cares about compliant processing of their confidential information and sensitive data.

Do your company’s services involve the processing, storage, or transmission of sensitive customer data? Do your clients often request information about your internal controls, security practices, and compliance? Are you looking to gain a competitive advantage by demonstrating a strong commitment to data security and compliance? Have you identified potential risks or vulnerabilities in your systems that could impact the security of client data?

We offer attestation services to increase the credibility of your business and gain the trust of your customers.

SOC 2 (Service Organization Control 2) is a widely recognized auditing standard developed by the American Institute of CPAs (AICPA) to assess and report on the controls and processes related to security, availability, processing integrity, confidentiality, and privacy of data within service organizations. It focuses on the controls that a service organization has in place to ensure the security and privacy of customer data and other sensitive information.

SOC 2 reports are often requested by clients, partners, and stakeholders as a way to assess the security and data protection practices of a service organization before engaging in business with them. These reports provide assurance that the service organization's systems, processes, and procedures meet industry best practices and comply with relevant regulatory requirements.

What are the benefits of SOC for your organization?

The SOC report:

• confirms the implementation and operational effectiveness of your organization's controls,
• reduces the number and scope of audits to be conducted by client auditors,
• enables you to use the knowledge of professionals to evaluate the processes in place and identify areas for improvement,
• helps meet customer expectations regarding the quality of services provided, confirmed by a report issued by an independent auditor.

What are the advantages of SOC certification for your clients?

The certification:

• enables a reduction in the cost of service provider audits,
• provides an independent opinion on the effectiveness of the service provider organization's internal control system,
• enables monitoring of risks and provides assurance of the appropriate level of control over services provided and technology delivered,
• helps meet the requirements set by regulators.

Does your company transfer personal data to countries outside the European Economic Area (EEA)? Do you use tools of global Tech Giants? Wondering about technical and organizational measures to have in place to ensure the security and confidentiality of transferred data? Have you considered using GDPR-approved safeguards for these transfers, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs)?

According to the Schrems II ruling, for the effectiveness of all safeguards for data transfers outside the EEA to countries that do not have an adequacy decision issued by the European Commission - it is necessary to conduct a study of the transfer's effects on data protection.

A Transfer Impact Assessment (TIA) is a process that evaluates the potential impact of transferring personal data from one jurisdiction to another. This assessment helps organizations ensure compliance with data protection laws and safeguard the rights and privacy of individuals whose data is being transferred.

Our team has proven experience in assisting organizations with transfer impact assessment. Here are some of the key services we provide:

• Legal Review and Analysis: We review the data transfer arrangement and assess its legal implications under relevant data protection regulations, such as the GDPR (General Data Protection Regulation) or other applicable laws and assess the legal landscape in the recipient country to establish the level of risk.
• Cross-Jurisdictional Compliance: We ensure that the data transfer complies with both the source and destination jurisdictions' data protection laws, including evaluating the legal bases for transfer and the adequacy of protection and application of proper security measures to ensure the transfer is secure for EU originating data.
• Assessment of Data Transfer Mechanisms: We advise on the most suitable data transfer mechanisms, such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and other – we help you choose and draft the needed documents as well as ensuring their effectivness.

As a knowledgeable and experienced advisor in Privacy by Design for Artificial Intelligence, our team of experts helps businesses navigate the complex intersection of AI and data protection regulations while fostering trust and compliance. Our solutions are in line with the newly adopted AI Act in European Union, as well as AI-related data protection recommendations in the EU.

Privacy by Design is a concept that emphasizes integrating data protection considerations into the design and development of technologies, including AI systems. It is indispensable in any case where the AI will be used in connection with personal data. EY is well equipped and willing to help you reach the necessary compliance.

Here are the legal services we offer in this area:

• Privacy Impact Assessments (PIAs) for AI Systems. We conduct privacy assessments of AI systems to identify potential privacy risks and recommend measures to embed privacy protections into the design and operation of these systems.
• Drafting Privacy Policies and Notices. We create privacy policies and notices specifically tailored to AI applications, ensuring transparency in data processing practices and explaining how AI technologies handle personal data. We also help in strategizing the provision of notices in due course and proper way to the data subjects.
• GDPR Compliance for AI. We advise on how AI systems can comply with the General Data Protection Regulation (GDPR) requirements, including lawful processing, data subject rights, and cross-border data transfers.
• Data Minimization and Purpose Limitation Strategies. We assist in designing AI systems that collect and process only the necessary data, limiting the scope of data collection to minimize privacy risks.
• Consent Mechanisms for AI. We develop consent mechanisms for AI applications, ensuring that users provide informed and explicit consent for data processing activities, where it is needed.
• Anonymization and Pseudonymization Techniques. We advise on techniques to anonymize or pseudonymize data used in AI systems to protect individual privacy while maintaining data utility.
• Data Protection Agreements and Contracts. We draft data protection agreements and contracts for AI-related data sharing, collaborations, or partnerships to ensure compliance with privacy requirements.
• Cross-Border Data Transfer Solutions. We provide guidance on transferring AI-generated or processed data across borders while adhering to data protection regulations and international data transfer mechanisms.
• AI Ethics and Fairness. We address ethical considerations and fairness concerns in AI design, ensuring that AI systems do not result in biased or discriminatory outcomes.
• Regulatory Compliance Monitoring. We monitor developments in AI and data protection regulations to ensure ongoing compliance and recommend necessary adjustments to AI systems.
• Incident Response Planning for AI. We assist in developing incident response plans specifically tailored to AI-related privacy breaches or security incidents.

Has your company been following the developments around the Data Governance Act? Are you considering its potential impact on your data governance and sharing practices? Wondering how your organization could benefit from this EU framework for trusted data sharing across borders?

The Data Governance Act (DGA) is a crucial pillar of the European Union’s strategy for data as it seeks to accelerate data sharing, strengthen processes for data availability and enable private and public entities to reuse data without technical obstacles. The regulation has entered into force on 23 June 2022, and it aims to support the set-up and development of common EU data spaces in strategic areas.

Our team of experts helps to identify potential domains in which your organization could benefit from the Data Governance Act and provides comprehensive support in implementation of data-driven projects, in compliance with GDPR and Data Governance Act. We are able to help with data management and data sharing, among others, in the following areas:

• Cross-Border Data Sharing. The primary focus of the DGA is to create a framework for secure and standardized cross-border data sharing. If your business relies on sharing data with partners, customers, or service providers across EU member states we can help you benefit from more streamlined and harmonized processes.
• Research and Innovation. Organizations engaged in research, development, and innovation often require access to diverse datasets for analysis and insights. The DGA could provide a more accessible and standardized way to collaborate and share data across borders, promoting innovation, and our team can advise how to do it!
• Data-Driven Decision-Making. Companies that heavily rely on data for decision-making could benefit from improved access to quality data from various sources. The DGA could encourage better data sharing practices, leading to more accurate and informed decisions. We can help you in finding ways to obtain and use data in line with EU and local law.
• Digital Services and Platforms. Businesses that provide digital services or operate platforms that involve data sharing among users could find the DGA beneficial. The regulation could help establish clear rules for data sharing and data access mechanisms. We can help you identify and squeeze this legal opportunity.
• Supply Chain Management. Companies with complex supply chains that span across different EU countries may find it easier to share supply chain-related data, such as inventory levels, logistics, and production data, in compliance with the DGA. We can help you strategize, design and implement the data sharing flows for your supply chains.
• Smart Cities and IoT. Businesses involved in creating smart city solutions, IoT devices, and connected infrastructure could benefit from standardized data sharing practices that enhance interoperability and data security. We can help you establish data sharing mechanisms that are compliant with EU and local law.
• Data Monetization and Commercialization. Businesses that seek to commercialize or monetize their data assets may find the DGA beneficial in terms of standardized agreements, liability frameworks, and data usage permissions. We can help you draft those documents.
• Startups and SMEs. The DGA's provisions could particularly benefit startups and small to medium-sized enterprises (SMEs) by reducing barriers to data sharing and enabling them to access data resources from larger partners. We may help you find and squeeze the new opportunities.
• Environmental data. The available public data may help your business to develop or implement solutions regarding carbon footprint, eco-friendly lifestyle, fighting climate change, monitoring natural disasters. EY can help you legally obtain and use the data and implement specific green solutions.
• Mobility data. Your innovative products and services may be related to public transport and real-time navigation. We help in proper obtaining and use of data.
• Health data. Your organization may provide data-driven innovations aimed at improving healthcare, providing better tailored private treatments. EY can help prepare a legal framework to conduct such activities in line with EU and local laws.

Data protection in the context of health equipment involves ensuring that the collection, processing, storage, and sharing of personal and sensitive health-related data comply with applicable data protection laws and regulations. Here are some key legal aspects to consider in the realm of data protection for health equipment ­– which our data privacy lawyers can help you navigate:

• Data Protection Regulations. It is crucial to understand and comply with relevant data protection laws and regulations, such as the General Data Protection Regulation (GDPR) in the European Union or the Health Insurance Portability and Accountability Act (HIPAA) in the United States, depending on the jurisdiction.
• Sensitive Health Data. Health equipment may involve the collection and processing of sensitive health-related data, which requires heightened protection. Ensure compliance with legal requirements for processing sensitive data, such as obtaining explicit consent or fulfilling legitimate processing criteria.
• Lawful Basis for Processing. It may be important to identify and establish a lawful basis for processing health data, such as the necessity of processing for medical diagnosis, treatment, or the management of health care services.
• Informed Consent. Companies may in some cases need to obtain clear and informed consent from individuals before collecting and processing their health data, providing them with transparent information about how their data will be used.
• Purpose Limitation. Organizations can process health data only for specific and legitimate purposes related to the provision of health care services or the functioning of health equipment.
• Data Minimization. Entities may collect and process only the minimum amount of health data necessary to achieve the intended purpose, reducing the risk of excessive data collection. At the same time, effective and holistic diagnosis is a must.
• Security Measures. It’s important to implement robust security measures to protect health data from unauthorized access, breaches, and cyberattacks, ensuring the confidentiality and integrity of the data.

Given the sensitive nature of health data and the evolving legal landscape, it's essential for your organization to work closely with legal experts who specialize in data protection and health care regulations to ensure comprehensive compliance and data protection in the use of health equipment, and our team can assist you in those operations.

Our experts provide a range of valuable services when it comes to cross-jurisdictional analysis of data protection regulations. This involves helping businesses navigate the complex landscape of data protection laws and regulations in different countries or regions, ensuring compliance, minimizing legal risks, and facilitating the smooth flow of data across borders. Our help includes:

• Regulatory Mapping and Gap Analysis. We can help you identify and map the data protection laws and regulations applicable to specific business operations across multiple jurisdictions. We conduct gap analysis to assess the business's current practices against the legal requirements in each jurisdiction.
• Compliance Assessments. We evaluate the business's data processing activities, policies, and practices to ensure compliance with the data protection laws in different jurisdictions. As a result, we provide recommendations for necessary adjustments to achieve compliance.
• Data Transfer Mechanisms. We advise on the legal mechanisms and safeguards required for cross-border data transfers, such as standard contractual clauses, Binding Corporate Rules (BCR) and adequacy decisions.
• Data Storage Multi-Jurisdictional Strategies. Having access to knowledge and expertise of legal experts across the Globe, we are able to collect information on retention requirements in the jurisdiction our Clients are active in and help choose a compliant yet uniform approach to data retention for the entire organization.
• Cross-Border Data Flow Strategies. We develop strategies for managing and transferring personal data across jurisdictions while minimizing legal and compliance risks. We prepare transfer impact assessment templates, conduct those assessments, prepare and notify Binding Corporate Rules and prepare necessary agreements, including those on Standard Contractual Clauses.
• Localization of Policies and Notices. We draft or review privacy policies, terms of use, and data processing notices tailored to meet the requirements of different jurisdictions. We also provide practical strategies for one-solution-meet-all documents for all-EU or global legal compliance.
• Consent Mechanisms. We develop and implement consent mechanisms that comply with various jurisdictions' requirements, ensuring proper and valid consent is obtained from data subjects.
• Regulatory Liaison. We interface with relevant data protection authorities in different jurisdictions, respond to inquiries, and manage regulatory interactions.
• Cross-Border Mergers and Acquisitions. We provide legal guidance on data protection considerations during cross-border mergers, acquisitions, or business transactions as well as while merging and transferring databases.
• Monitoring and Updates. We keep clients informed about changes in data protection laws and regulations in various jurisdictions that could impact their operations.

The Data Protection Officer is a key figure responsible for ensuring compliance with data protection laws, mainly the General Data Protection Regulation (GDPR) in the European Union. Our experts can help with the audit of the DPO role in your organization.

Our team of lawyers specializing in data protection have a deep understanding of the legal requirements surrounding the DPO role, including local authorities guidelines. We can provide guidance on the specific duties and responsibilities of the DPO as outlined in relevant regulations.

We may also assist you in planning the audit process for the DPO role. This includes identifying the scope of the audit, determining the relevant legal and regulatory requirements, and developing a comprehensive audit plan. As a final stage, we can review the documentation and activities of the DPO to assess compliance with legal requirements. This includes reviewing data protection policies, procedures, records of processing activities, data breach management processes, and any other relevant documentation.

Our team offers a comprehensive assessment of independence of the DPO. GDPR  requires the DPO to operates independently and without any conflicts of interest. Our team can assess whether the DPO maintains an independent position within the organization and does not face undue influence, and whether they possess the desired level of professional knowledge and skills.