GDPR: what you need to know

Transcription

1 GDPR: what you need to know Getting to grips with the EU General Data Protection Regulation (GDPR) Introduction In May 2018, the European Union s (EU) GDPR ushers in unprecedented data protection for EU residents, backed by fines of up to 20 million or 4% of global revenue, whichever is higher. The GDPR is a global game changer, the importance of which no organization can afford to underestimate. However, while working toward compliance, companies can also use it to gain a competitive advantage. The first step is to understand its impacts on citizens and companies.

2 Journey to compliance and competitive advantage 2016 Timeline 2018 Business case development GAP analysis Align business Design Implement Monitor What the GDPR means for citizens The main changes that the GDPR introduces for private individuals include: When an individual no longer wants their data to be processed, the data must be deleted (the right to be forgotten ). Individuals have the right to more information on how their data is processed, available in a clear and understandable way. A right to data portability will make it easier for individuals to transmit personal data between service providers. An individual has the right to know when their data has been breached. The aims of GDPR are to reinforce data protection rights of individuals, facilitate the free flow of personal data in the digital single market and reduce the administrative burden. The GDPR replaces the 1995 General Data Protection Directive and applies directly to each of the 28 EU Member States. What the GDPR means for companies and other organizations The GDPR distinguishes between data controllers and data processors, imposing a different set of obligations and liabilities on both. Companies need to clearly establish their identity as controller or processor to determine their responsibilities under the GDPR. If an organization decides on the purposes and means of data processing activities, alone or jointly with others, they are considered a data controller under the GDPR and need to comply with wider legal requirements. The main changes that the GDPR introduces for organizations include: Companies and organizations must notify their national supervisory authority within 72 hours of data breaches that put individuals at risk and communicate all high-risk breaches as soon as possible to the data subject. Data protection safeguards must be built into products and services (data protection by design and by default) from the earliest stage of development. Privacy-friendly default settings will be the norm, for example, on social networks and mobile apps. The GDPR introduces a statutory role of data protection officer (DPO), who will have a key role in ensuring compliance with the GDPR. For companies, which do not comply with EU rules, data protection authorities will be able to issue fines of up to 4% of global annual turnover or 20 million, whichever is greater. As part of the reform, companies based outside Europe will have to apply the same rules when they offer goods or services within the EU market. One pan European law for data protection replaces the current inconsistent patchwork of national laws, meaning that companies will now deal with one law, not 28. Companies will also have to deal with only one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU. The regulation, being technologically neutral, enables innovation to continue to thrive. Appointing a DPO For many organizations, one of the GDPR s biggest impacts is the need to appoint a DPO to take responsibility for GDPR compliance, organizational awareness, advice and decisionmaking with respect to data processing. Since this is a new role, organizations often struggle to incorporate the DPO into their existing organizational structures. EY can help your business navigate this change by supporting you in designing and implementing the new governance structures, as well as training or advising your newly appointed DPO to set them up for success in their new role. 2 GDPR: what you need to know

3 EY s GDPR-related services These include our personal data life cycle management service and privacy transformation program, both outlined below. EY can also provide a wide range of other services to help with the GDPR programs, such as: Privacy impact assessments (PIA) Personal information and inventory data flow Privacy assurance and certification Outsourced DPO Personal data life cycle management This service helps organizations gain a better understanding of the privacy, risk and compliance implications of the way personal data flows throughout their business. 5 Review of privacy expectations 1 Appropriate collection of data 4 Appropriate retention and disposal Personal data life cycle management 2 Relevant use of data 3 Managed disclosure GDPR: what you need to know 3

4 EY privacy transformation program An EY data protection and privacy transformation program supports you to understand and manage the impact of the GDPR throughout your organization, using our proven privacy transformation program methodology. 1. Understand 2. Assess 3. Define 4. Recommend 5. Run Why EY EY has a team of certified information privacy professionals (CIPPs) and privacy lawyers, who help organizations better understand their risks related to data privacy and compliance with GDPR. We draw on this global privacy team to deliver insights into legislations and regulations across the world. For over a decade, EY has assisted international organizations in understanding privacy and data protection risks, compliance and regulations, helping them manage the use of personal information effectively within their operations. We can help you provide and run privacy improvement programs by leveraging our senior stakeholder management knowledge, privacy framework, mature tools, methodologies and flexible resourcing models. 4 GDPR: what you need to know

5 EY contacts To find out more about any of our privacy-related services and how EY can help you use GDPR as a catalyst for change, beyond compliance, please contact: Erol Mustafa EMEIA Financial Services IT Risk & Assurance Leader Telephone: Mobile: emustafa@uk.ey.com Philippe Zimmermann EMEIA Financial Services Legal Leader Telephone: Mobile: philippe.zimmermann@ch.ey.com Tony De Bos EMEIA Financial Services Data Protection & Privacy Leader Telephone: Mobile: tony.de.bos@nl.ey.com Konrad Meier EMEIA Financial Services Data Privacy Professional Telephone: Mobile: konrad.meier@ch.ey.com GDPR: what you need to know 5

6 6

7 GDPR: what you need to know 7

8 EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com EYGM Limited. All Rights Reserved. EYG no GBL EY indd (UK) 11/17. Artwork by Creative Services Group London. ED None In line with EY s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content. This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice. ey.com