GDPR: what you need to know - EY

    GDPR: what you need to know
    Getting to grips with the EU General Data Protection Regulation (GDPR)

    Introduction
    In May 2018, the European Union’s (EU) GDPR ushers in unprecedented data protection for EU residents, backed by fines of up to €20 million or 4% of global revenue, whichever is higher.

    The GDPR is a global game changer, the importance of which no organization can afford to underestimate.

    However, while working toward compliance, companies can also use it to gain a competitive advantage. The first step is to understand its impacts on citizens and companies.


    The aims of GDPR are to reinforce data protection rights of individuals, facilitate the free flow of personal data in the digital single market and reduce the administrative burden. The GDPR replaces the 1995 General Data Protection Directive and applies directly to each of the 28 EU Member States.

    Appointing a DPO
    For many organizations, one of the GDPR’s biggest impacts is the need to appoint a DPO to take responsibility for GDPR compliance, organizational awareness, advice and decision-making with respect to data processing. Since this is a new role, organizations often struggle to incorporate the DPO into their existing organizational structures. EY can help your business navigate this change by supporting you in designing and implementing the new governance structures, as well as training or advising your newly appointed DPO to set them up for success in their new role.

    [Figure: Timeline, 2016 to 2018. Journey to compliance and competitive advantage: business case development, GAP analysis, align business; design, implement, monitor.]

    What the GDPR means for citizens
    The main changes that the GDPR introduces for private individuals include:

    ► When an individual no longer wants their data to be processed, the data must be deleted (the “right to be forgotten”).

    ► Individuals have the right to more information on how their data is processed, available in a clear and understandable way.

    ► A right to data portability will make it easier for individuals to transmit personal data between service providers.

    ► An individual has the right to know when their data has been breached.

    The main changes that the GDPR introduces for organizations include:

    ► Companies and organizations must notify their national supervisory authority within 72 hours of data breaches that put individuals at risk and communicate all high-risk breaches as soon as possible to the data subject.

    ► Data protection safeguards must be built into products and services (data protection by design and by default) from the earliest stage of development. Privacy-friendly default settings will be the norm, for example, on social networks and mobile apps.

    ► The GDPR introduces a statutory role of data protection officer (DPO), who will have a key role in ensuring compliance with the GDPR.

    ► For companies that do not comply with EU rules, data protection authorities will be able to issue fines of up to 4% of global annual turnover or €20 million, whichever is greater.

    ► As part of the reform, companies based outside Europe will have to apply the same rules when they offer goods or services within the EU market.

    ► One pan-European law for data protection replaces the current inconsistent patchwork of national laws, meaning that companies will now deal with one law, not 28.

    ► Companies will also have to deal with only one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.

    ► The regulation, being technologically neutral, enables innovation to continue to thrive.

    What the GDPR means for companies and other organizations
    The GDPR distinguishes between data controllers and data processors, imposing a different set of obligations and liabilities on both. Companies need to clearly establish their identity as controller or processor to determine their responsibilities under the GDPR.

    If an organization decides on the purposes and means of data processing activities, alone or jointly with others, it is considered a data controller under the GDPR and needs to comply with wider legal requirements.


    EY’s GDPR-related services
    These include our personal data life cycle management service and privacy transformation program, both outlined below. EY can also provide a wide range of other services to help with the GDPR programs, such as:

    ► Privacy impact assessments (PIA)

    ► Personal information and inventory data flow

    ► Privacy assurance and certification

    ► Outsourced DPO

    Personal data life cycle management
    This service helps organizations gain a better understanding of the privacy, risk and compliance implications of the way personal data flows throughout their business.

    [Figure: Personal data life cycle management, five stages]
    1. Appropriate collection of data
    2. Relevant use of data
    3. Managed disclosure
    4. Appropriate retention and disposal
    5. Review of privacy expectations

    Why EY
    EY has a team of certified information privacy professionals (CIPPs) and privacy lawyers, who help organizations better understand their risks related to data privacy and compliance with GDPR. We draw on this global privacy team to deliver insights into legislation and regulations across the world.

    For over a decade, EY has assisted international organizations in understanding privacy and data protection risks, compliance and regulations, helping them manage the use of personal information effectively within their operations. We can help you provide and run privacy improvement programs by leveraging our senior stakeholder management knowledge, privacy framework, mature tools, methodologies and flexible resourcing models.


    EY privacy transformation program
    An EY data protection and privacy transformation program supports you to understand and manage the impact of the GDPR throughout your organization, using our proven privacy transformation program methodology.

    [Figure: the five steps of the privacy transformation program]
    1. Understand
    2. Assess
    3. Define
    4. Recommend
    5. Run

    EY contacts
    To find out more about any of our privacy-related services and how EY can help you use GDPR as a catalyst for change, beyond compliance, please contact:

    Philippe Zimmermann
    EMEIA Financial Services Legal Leader
    Telephone: +41 58 286 3219
    Mobile: +41 79 341 4571
    Email: [email protected]

    Tony De Bos
    EMEIA Financial Services Data Protection & Privacy Leader
    Telephone: +31 88 407 2079
    Mobile: +31 62908 4182
    Email: [email protected]

    Erol Mustafa
    EMEIA Financial Services IT Risk & Assurance Leader
    Telephone: +44 20 7951 0700
    Mobile: +44 7979 923 611
    Email: [email protected]

    Konrad Meier
    EMEIA Financial Services Data Privacy Professional
    Telephone: +41 58 286 4327
    Mobile: +41 79 227 2367
    Email: [email protected]

    EY | Assurance | Tax | Transactions | Advisory

    About EY
    EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

    © 2017 EYGM Limited. All Rights Reserved.

    EYG no. 06244-174GBL

    EY-000044638 .indd (UK) 11/17. Artwork by Creative Services Group London.

    ED None

    In line with EY’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.

    This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

    ey.com