Photo of Ann Killilea

 

Ann Killilea focuses her practice on privacy and data protection, and corporate commercial matters, including dispute resolution. Ann has advised multinational clients on enterprise-level privacy assessments, policy development, cloud computing from the provider's and the customer's perspective, data-related vendor management, international data transfer compliance and online privacy policy concerns. Read Ann Killilea's full bio.

Enforceable in all EU member states on 25 May 2018, the General Data Privacy Regulation will require action by organisations both inside and outside the European Union to ensure compliance with this far-reaching privacy legal framework. Compliance is even more urgent given that the GDPR provides for large penalties in cases of infringement. As some entities are not yet aware of the extent to which GDPR may be applicable to them, the GDPR expressly applies to organisations established outside the European Union that offer paid or free goods or services to EU data subjects or monitor EU data subjects’ behaviour.

Within this article, we review steps for a risk based, prioritization approach to GDPR compliance and how companies can adjust their policies and practices on a pragmatic basis to help ensure compliance.

Continue reading.

The validity of Model Clauses for EU personal data transfer to the United States is now in real doubt as a result of a new Irish High Court judgment stating that there are “well founded grounds” to find the Model Clauses invalid. The issue of Model Clauses as a legitimate data transfer mechanism will now be adjudicated by the European Court of Justice (ECJ), the same court that previously overturned the Safe Harbor arrangement. EU and US companies will need to consider various strategies in anticipation of this decision.

Continue Reading

On July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.

Read the full article here.

On May 1, 2014, the White House released two reports addressing the public policy implications of the proliferation of big data. Rather than trying to slow the accumulation of data or place barriers on its use in analytic endeavors, the reports assert that big data is the “new normal” and encourages the development of policy initiatives and legal frameworks that foster innovation, promote the exchange of information and support public policy goals, while at the same time limiting harm to individuals and society. This Special Report provides an overview of the two reports, puts into context their conclusions and recommendations, and extracts key takeaways for businesses grappling with understanding what these reports—and this “new normal”—mean for them.

Read the full article.