The General Data Protection Regulation (GDPR)

Similar documents
General Data Protection Regulation (GDPR) Meeting the new requirements

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges

EU General Data Protection Regulation (GDPR)

EU-GDPR and the cloud. Heike Fiedler-Phelps January 13, 2018

A guide to GDPR the effect on all UK organisations

EU General Data Protection Regulation ( GDPR ) FAQs External Version - 16 March 2018

Privacy governance survey. The state of privacy management in Belgian organisations

The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner,

The GDPR Are you ready?

INTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT

1 Privacy by Design: The Impact of the new European Regulation on Data protection. Introduction

Getting ready for GDPR. A guide to General Data Protection Regulations

PERSPECTIVE. GDPR - An industry and geography agnostic regulation. Abstract

The General Data Protection Regulation: What does it mean for you?

Dealing with the EU Data Protection Regulation in Practice. William Long, Partner Sidley Austin LLP February 11, 2016

Consulting Champions

The Sage quick start guide for businesses

Protecting Your Personal Data Globally

New EU-GDPR: Challenges for Universities and Research Organisations

TWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)

GDPR AND OUTSOURCING - BUSTING THE MYTHS

General Data Protection Regulation (GDPR) Key considerations and implications for brokers

New General Data Protection Regulation - an introduction

Guidance on the General Data Protection Regulation: (1) Getting started

Data protection in light of the GDPR

Customer Data Protection. Temenos module for the General Data Protection Regulation (GDPR)

GDPR Webinar : Overview & practical compliance steps. 23 October 2017

GDPR Service Information Sheet

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION

EU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations. For private circulation only.

General Data Protection Regulation Philippe Roggeband. Business Development, Manager, GSSO EMEAR

Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations

The General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2017

GDPR readiness for start-ups, technology businesses and professional practices Martin Cassey

GDPR Factsheet - Key Provisions and steps for Compliance

PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER

Data Flow Mapping and the EU GDPR

Getting Ready for the GDPR

12 STEPS TO PREPARE FOR THE GDPR

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry

EU General Data Protection Regulation, a new era in data protection

2018 GLOBANET GDPR REPORT

GDPR factsheet Key provisions and steps for compliance

Breaking the myth How your marketing activities can benefit from the GDPR December 2017

EU General Data Protection Regulation (GDPR) A Point of View. For private circulation only. Risk Advisory

Preparing for the General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) Frequently Asked Questions

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry

General Data Protection Regulation (GDPR) A brief guide

General Data Privacy Regulation: It s Coming Are You Ready?

The GDPR: What does it mean for executive search?

Achieving GDPR Compliance with Avature

EU GENERAL DATA PROTECTION REGULATION

GDPR. The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council 27 April

GDPR. Guidance on Employee Personal Data

General Data Protection Regulation (GDPR) Readiness

GDPR Compliance Checklist

A questionnaire for senior management

Preparing Your Vendor Agreements for the General Data Protection Regulation

What is GDPR and Should You Care?

Rexel Shredding. Why a paper security policy is integral to GDPR compliance.

IMPACT OF THE NEW GDPR DIRECTIVE ON OUTSOURCING ARRANGEMENTS

EU General Data Protection Regulation (GDPR) Point of View for ERP and HRMS Operations. For private circulation only.

EU data protection reform

Foundation trust membership and GDPR

Organisational Readiness for the European Union General Data Protection Regulation (GDPR)

Vendor Agreements and the New EU GDPR Steps to Take Now

Introduction. Key points of the recent ODPC guidance, and the Article 29 working group guidance

GDPR A Catalyst to Drive Real Action around Privacy and Security

General Personal Data Protection Policy

How employers should comply with GDPR

THE EU GENERAL DATA PROTECTION REGULATION AND INTERNATIONAL AIRLINES SPECIAL UPDATE

General Data Protection Regulation and Episerver Learn how to leverage your organization s data to support GDPR compliance.

Anti Money Laundering (AML) Advisory Services Effective solutions for complex issues Deloitte Malta, 2017

EU General Data Protection Regulation

Working toward GDPR compliance. Insights from a SAS survey and an end-to-end approach

The New EU General Data Protection Regulation 1

THE DIGIDAY GUIDE TO GDPR

The (Scheme) Actuary as a Data Controller

WORLD MEDIA GROUP THE IMPLICATIONS OF GDPR FOR THE ADVERTISING INDUSTRY

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

Find out about the General Data Protection Regulation (GDPR) and what your club will need to do to comply with the Law.

TECHNICAL RELEASE TECH 05/14BL. Data Protection Handling information provided by clients

Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1

Mind the Gap: GDPR Ahead. Rakesh Sancheti. Author. July Vice President and Business Head - Analytics, Europe and Nordic

ECDPO 1: Preparing for the EU General Data Protection Regulation

UK Research and Innovation (UKRI) Data Protection Policy

WSGR Getting Ready for the GDPR Series

What you need to know. about GDPR. as a Financial Broker. Sponsored by

ARTICLE 29 DATA PROTECTION WORKING PARTY

A GDPR Primer For U.S.-Based Cos. Handling EU Data: Part 1

The General Data Protection Regulation and associated legislation. Part 1: Guidance for Community Pharmacy. Version 1: 25th March 2018

with Xavier Darmstaedter Managing Partner GEDAPRE DACOTA Consulting

General Data Protection Regulation Guide

Effective Data Governance & GDPR Compliance for the Nonprofit CFP

The implications of the EU General Data Protection Regulation 2016 for ICT Disposal

ARTICLE 29 Data Protection Working Party

Tourettes Action Data Protection Policy

Transcription:

Risk Regulation The General Data Protection Regulation (GDPR) Cyber security Preparing your business for the GDPR September 2017

Contents What is the GDPR and what does it change? Section Page What is the GDPR and what does it change? 01 Understanding the core changes 02 How to prepare your business 04 The General Data Protection Regulation (GDPR) is the European Union s (EU) new data protection law that comes into effect on 25 May 2018. Implemented throughout the EU including Malta, it will govern all businesses operating within the union and embed a more consistent approach to data protection. Companies that trade with EU-based businesses will also be impacted and will need to know what s changing and how to comply. Penalties for noncompliance can now be up to 20 million or 4% of annual global turnover whichever is greater. So why is data protection legislation transforming? Since 1995, the Data Protection Directive (Directive 95/46/EC) has determined how individuals personal data is protected within the EU. However, since its inception there have been vast developments in the sophistication and scale of data creation and gathering for example through the emergence of social media, cloud computing and geolocation services. As the directive predates these developments, it s no longer suitable to govern the current data landscape; it needs to be refreshed to address modern privacy concerns and facilitate consistency across the EU. This is what the GDPR will do. The new regulation introduces a huge range of changes. Underlying this shift is the EU s ongoing agenda to safeguard its citizens and their private information. The GDPR will establish new rights for individuals and strengthen current protections by applying stricter requirements to the way businesses use personal data. If they fail to comply, the sanctions will be significantly larger. What this means for your business The GDPR is a valuable opportunity to understand your business s data and use it more effectively. However, it requires strict adherence to the new regulation and a clear understanding of the changes in order to avoid large penalties. First, it s critical to be aware that the GDPR supersedes all existing data protection acts, and that it increases businesses obligations around data protection and their accountability for failure. It also applies across the full spectrum of data engagement from the collection of personal data through to its use and disposal. Your organisation will need to embed policies and procedures to ensure that it monitors its GDPR controls and documents its compliance. The new rules apply to organisations of any size that process personal data. Whatever the nature of your organisation, the GDPR will have a substantial impact. As its implementation date is getting closer, early preparation is key. All global organisations, both those in the EU and those that trade with EU companies, will be required to comply with the GDPR from May 2018. The General Data Protection Regulation (GDPR) 1

Understanding the core changes The GDPR will introduce wide-ranging changes that require thorough understanding, internal stakeholder acceptance, appropriate preparation and implementation across the whole business. To provide an overview, we ve addressed some of the key changes here. Better rights for data subjects The largest shift is that individuals will benefit from greatly enhanced rights, for example, the right to object to certain types of profiling and automated decision-making. Consent requirements will also be more stringent. Consent must be explicit and affirmative, it must be given for a specific purpose and it must be easy to retract. Individuals can also request that personal data is deleted or removed if there isn t a persuasive reason for its continued processing. Increased accountability Organisations will have far more responsibility and obligation. They will need to publish more detailed fair processing notices informing individuals of their data protection rights, explaining how their information is being used and specifying for how long. The new regulation also embeds the concept of privacy by design, meaning organisations must design data protection into new business processes and systems. Reporting data breaches As part of the drive for greater accountability, data breach reporting is becoming stricter. If a significant data breach occurs, it must be reported to the Data Protection Commissioner within 72 hours and, in some cases, to the individual affected without undue delay. Significant sanctions Penalties for non-compliance with the GDPR will rise considerably, up to 10 million or 2% of annual global turnover (whichever is greater) for minor or technical breaches, and 20 million or 4% of turnover for more serious operational failures. Data processing requirements The regulation also imposes new requirements on data processors, and includes elements that should be addressed contractually between data processors and data controllers. Key features of the GDPR: Enhanced rights for data subjects the right to object to certain types of profiling and automated decision-making, and to request that unnecessary personal data is deleted. Enhanced obligations for organisations such as publishing detailed fair processing notices to inform individuals of their data protection rights, the way their information is used and for how long. Stringent consent requirements consent must be explicit, freely given for a specific purpose and easy to retract. Privacy by design organisations must design data protection into new and existing business processes and systems. Increased record keeping organisations must maintain registers of the processing activities they carry out, with mandatory DPIAs for high-risk data processing. Significant penalties the potential size of fines for non-compliance will be considerable, reaching 20million or up to 4% of turnover, whichever is greater. Formal risk management processes Organisations must formally identify emerging privacy risks, particularly those associated with new projects, or where there are significant data processing activities. They must also maintain registers of their processing activities and create internal inventories. For high-risk data processing activities, Data Protection Impact Assessments (DPIAs) will be mandatory. It will also be compulsory to appoint a Data Protection Officer (DPO). Stricter breach reporting significant data breaches must be reported to regulators within 72 hours and sometimes the individual, too. Increased privacy impact assessments organisations must formally identify emerging privacy risks, particularly for new projects. Appointing DPOs appointing a data protection officer will be mandatory for many organisations. Wider regulatory scope the new regulation will apply to both the data controller and the processor. 2 The General Data Protection Regulation (GDPR) The General Data Protection Regulation (GDPR) 3

How to prepare your business The legal landscape of data protection is evolving rapidly, and presenting challenges for businesses, government and public authorities. If your organisation is consumer-facing, online, in the financial services sector or in possession of sensitive personal data it may be particularly affected. With the deadline growing closer, you ll need to scrutinise the regulatory changes and understand how they will affect your business operations. Bear in mind that the impact of GDPR isn t confined to a specific area of your business it will require business-wide adoption of a more processorientated approach. It s likely you ll need to amend your business practices to become compliant with this new regulation, and implement new controls. So where should you start? We ve created a simple visual, below, to help structure your approach to achieve compliance. GDPR Data protection quick check Audit results and analysis Implementation roadmap Implementation Measure data protection effectiveness Continuous improvement Understand the key changes this legislation will bring Assess your organisation s current data architecture, processes, and risk and compliance controls Identify the current data risks in your business Review how ready your business is for the GDPR Develop an implementation roadmap that embeds suitable regulatory and compliance architecture Ensure the plan is realistic and achievable for your organisation Appoint a trusted advisor to: identify and document data processing activities carry out data impact assessments develop a data breach response action plan implement ongoing data protection processes. Write a detailed data protection policy and define a standard that ensures your business will meet the GDPR Where necessary, appoint a data protection officer and/or a data protection management system for ongoing control Undertake a GDPR FIT/ GAP analysis or ISO 27001 FIT/GAP analysis this is an assessment of the effectiveness of your GDPR efforts Hold regular GDPR audits and Data Privacy Impact Assessments Ensure data risk management is integrated into your overall risk management structure Regularly review your organisation s data protection training needs 4 The General Data Protection Regulation (GDPR) The General Data Protection Regulation (GDPR) 5

Contact us To discuss how we can help your business understand its GDPR requirements and become compliant with the new regulation, get in touch with one of our regional specialists. Wayne Pisani Partner, Tax & Regulatory wayne.pisani@mt.gt.com Joe Pullicino Partner, IT, Business Risk & Outsourcing joe.pullicino@mt.gt.com grantthornton.com.mt 2017 Grant Thornton Ltd (Malta). All rights reserved. Grant Thornton refers to the brand under which the Grant Thornton member firms provide assurance, tax and advisory services to their clients and/or refers to one or more member firms, as the context requires. Grant Thornton International Ltd (GTIL) and the member firms are not a worldwide partnership. GTIL and each member firm is a separate legal entity. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another s acts or omissions. EPI.172

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback