EU General Data Protection Regulation (GDPR) A Point of View. For private circulation only. Risk Advisory


Preface

Does the EU GDPR impact organisations in India? Yes! This new law will have a profound impact on the operational and control environment of organisations, not only within the EU but also organisations based outside the EU that have:
- operations within the EU
- third parties operating in the EU
- EU customers that they serve

This is a borderless and sector-neutral legislation. It goes beyond the EU to organisations offering goods or services to customers in the EU, and to organisations that monitor the (online) behaviour of EU customers; in the course of these services such organisations access, process, host or store the personal data of EU customers. With the enforcement date approaching fast (25 May 2018), organisations are recommended to quickly assess the GDPR's applicability and initiate their readiness journey at the earliest.

Contents
- Understanding this new regulation
- Are you prepared?
- How can we help?
- Key contacts

Understanding this new regulation

How does it apply to Indian organisations?

The General Data Protection Regulation (GDPR) is a regulation adopted by the European Commission on 27 April 2016. It is scheduled to become enforceable on 25 May 2018 and is expected to impact organisations across the globe that do business in Europe. A core feature of the GDPR is that, as a regulation rather than a directive, it does not require enabling legislation in each member state, something that historically led to inconsistencies.

Is it a must to comply? Yes, if your organisation is subject to this regulation.

Any impact of non-compliance? Key impact: a penalty of up to 4% of annual worldwide turnover or EUR 20 million, whichever is greater!

As per Article 2 (Material scope), this regulation applies to the processing of personal data wholly or partly by automated means.

Applicability of the GDPR (as per Article 3, Territorial effect) is linked to the processing of personal data:
- in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not;
- of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU, or to the monitoring of their behaviour as far as their behaviour takes place within the EU;
- by a controller not established in the EU, but in a place where member state law applies by virtue of public international law.

How it evolved? What has changed?

What has changed from the former 1995 EU Data Protection Directive?

Timeline
- 1995: The European Union released Directive 95/46/EC on personal data protection.
- 2012: The European Commission proposed to reform the fragmented legal framework to deal with the new challenges for the protection of personal data and to make the EU member states fit for the digital age.
- 2016: On 4 May 2016, the EU Regulation on Data Protection (GDPR) was published in the Official Journal of the European Union. The GDPR entered into force on 24 May 2016 and will replace the former 1995 EU Data Protection Directive, creating a harmonised data protection law across Europe.
- 2018: The GDPR will be enforced as of 25 May 2018 directly across all 28 EU Member States, after a two-year implementation period.

Key changes in the General Data Protection Regulation
- Broader territorial scope: applies to players not established in the EU but whose activities consist of targeting data subjects in the EU.
- Enforcement: Data Protection Authorities (DPAs) will be entitled to impose fines ranging between 2% and 4% of annual turnover or EUR 10 to 20 million, whichever is higher.
- Accountability: explicit obligation on the controller as well as the processor to be able to demonstrate their compliance with the GDPR.
- Expanded definitions: personal data now explicitly includes location data, IP addresses, and online and technology identifiers.
- Data subject's rights: reinforced rights of access, rectification, restriction, erasure, objection to processing, and not to be subject to automated processing and profiling.
- Consent: spelled out more clearly, with a focus on the ability of individuals to give a distinguishable consent.
- Data breach notification: report a personal data breach to the DPA within 72 hours.
- One-stop shop: the Data Protection Authority (DPA) of the main establishment can act as lead DPA, supervising processing activities throughout the EU.
- International data transfers: Binding Corporate Rules ("BCR") as tools for data transfers outside the EU and EEA are now embedded in the law.

Now: Data Protection Directive 95/46/EC + national laws
- First harmonisation, but fragmentation per country
- Transposed into national laws
- Enforcement by national Data Protection Authorities (DPAs)
- Low penalties

Future: General Data Protection Regulation (GDPR)
- Full harmonisation
- Directly applicable
- Enforcement by national DPAs + consistency mechanism + European Data Protection Board (EDPB)
- High penalties

Understanding GDPR in numbers
- 4%: potential fines as a percentage of global turnover, as it applies to cross-border organisations which have access to EU data.
- 7: core individual rights afforded under the GDPR.
- 72: hours given to report a data breach.
- 250m: cost of a 4% fine for a typical FTSE 100 company.
- 28,000: estimated number of new mandatory Data Protection Officers required in Europe (IAPP study, 2016).
- 190+: countries potentially in scope of the regulation.
- 80+: new requirements in the GDPR.
- 88 pages, 11 chapters, 99 articles.

Are you prepared?

Respond
- Do you have a process to enable data subjects' rights, such as requests for access, portability or erasure?
- Are adequate processes in place to respond to and notify data breaches?

Assess
- What types of data do you collect, and where does the data originate?
- Are adequate controls in place for use, processing, storage, transfer and destruction?
- Are Privacy Impact Assessments conducted as required?

Governance
- Are roles and responsibilities defined?
- Are internal and independent reviews conducted on a periodic basis?
- Has an assessment of the organisation's risk exposure from the EU GDPR been conducted?
- Do you have oversight of the data lifecycle from the point of origin to destruction?
- Is there a process for identifying and responding to local regulatory requirements in addition to the GDPR?

Monitor
- Are compliance metrics identified and measured?
- Are processes, systems and networks monitored to identify data access, use, change and breaches?
- Do you have a process to perform a risk analysis of new or changing business processes?

Protect
- Are Privacy by Design and Privacy by Default incorporated within the processes?
- Will you be able to erase data when requested?
- Are technological safeguards in place to protect sensitive data?

How can we help? Our service offerings*

Deloitte has a dedicated team of specialists with deep expertise in privacy and data protection programmes across large-scale and complex organisations, embedding change and offering a full spectrum of GDPR-related services:
- GDPR readiness assessment
- Change programme design and delivery
- Third party management
- GDPR compliance roadmap
- Incident management framework
- GDPR programme monitoring and rollout strategy
- Global privacy compliance assessment
- Data discovery, mapping and inventories
- Governance and compliance review
- GDPR technology impact assessment
- Privacy by design advice and application
- Privacy risk and compliance training
- Privacy programme development
- Data leakage protection
- Privacy strategy and roadmap development
- Privacy impact assessment and health check

*Deloitte Touche Tohmatsu India LLP offers advisory services on aspects related to Governance, People, Technology and Processes to help address the requirements under the GDPR. Kindly note that Deloitte Touche Tohmatsu India LLP does not provide any legal advice, including any legal advice relating to privacy or data protection laws.

Key contacts

National
- Amry Junaideen, President - Risk Advisory, amjunaideen@deloitte.com
- Shree Parthasarathy, Leader - Cyber Risk, sparthasarathy@deloitte.com

Regional

Mumbai
- A.K. Viswanathan, akviswanathan@deloitte.com
- Vishal Jain, jainvishal@deloitte.com
- Abhijit Katkar, akatkar@deloitte.com
- Priti Ray, pritiray@deloitte.com
- Munjal Kamdar, mkamdar@deloitte.com

Bengaluru
- Maninder Bharadwaj, manbharadwaj@deloitte.com
- Gaurav Shukla, shuklagaurav@deloitte.com
- Praveen Sasidharan, psasidharan@deloitte.com

Delhi / Hyderabad / Pune
- Gautam Kapoor, gkapoor@deloitte.com
- Ramu Narsapuram, ramun@deloitte.com
- Ashish Sharma, sashish@deloitte.com

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

This material is prepared by Deloitte Touche Tohmatsu India LLP (DTTILLP). This material (including any information contained in it) is intended to provide general information on a particular subject(s) and is not an exhaustive treatment of such subject(s) or a substitute for obtaining professional services or advice. This material may contain information sourced from publicly available information or other third party sources. DTTILLP does not independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such sources.

None of DTTILLP, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte Network") is, by means of this material, rendering any kind of investment, legal or other professional advice or services. You should seek specific advice of the relevant professional(s) for these kinds of services. This material or information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person or entity by reason of access to, use of or reliance on, this material. By using this material or any information contained in it, the user accepts this entire notice and terms of use.

© 2017 Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche Tohmatsu Limited