General Data Protection Regulation (GDPR) – Point of View
Data privacy and protection are key to gaining clients' trust
The European General Data Protection Regulation (GDPR), which becomes enforceable on 25 May 2018, presents a significant challenge: organisations must interpret and comply with complex and diverse international laws and regulations governing how they handle personal data.
Privacy and data protection rules are changing
Within the EU, the European Data Protection Directive 95/46/EC (DP Directive) currently regulates how personal data can be processed. The DP Directive is based around eight core principles covering the security, accuracy, storage, retention and destruction of personal data, as well as notifying individuals of the use of their data, restrictions on direct marketing and requirements concerning international transfers. These rules have now changed with the introduction of the GDPR, which features enhanced restrictions on the processing of personal data and increased fines for non-compliance. There has never been a more important time for organisations to get privacy right.
Privacy: Refers to the right of individuals to have a certain degree of control over the collection of their personal data, the ways in which this data is used, who it is shared with and how long it is retained
Personal Data: Is defined as any information relating to an identified or identifiable living individual (the 'data subject')
Processing: Is defined very broadly as any operation performed on personal data, whether or not by automated means, from collection and storage through alteration and disclosure to erasure or destruction
What is GDPR?
GDPR requirements concentrate on improving consumer protection and harmonising existing EU privacy laws, but also introduce extra burdens and restrictions for all organisations that collect, store or use personal data relating to individuals in the EU, whether or not those individuals are EU citizens.
Due Date: On 14 April 2016, the EU Parliament approved the final text of the GDPR; enforcement will begin on 25 May 2018
Enhanced Enforcement: Gross non-compliance could result in fines of up to 4% of annual global turnover or EUR 20 million, whichever is higher. The regulatory reach extends to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, even if they have no legal presence in the EU
Accountability & Burden of Proof: In place of the requirement to notify supervisory authorities of processing activities, the GDPR introduces significant new requirements to maintain records of processing, audit trails and data journeys; the business bears the burden of proving compliance if challenged
Data Protection Officers: Organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data, will now be required to appoint an independent, adequately qualified Data Protection Officer
Privacy Notices and Consent: Organisations will now have to take account of GDPR in the way they construct their public-facing privacy policies
Additional impacts of the GDPR could be onerous
Organisations' use of technology to support information security and other compliance initiatives will need to be reconsidered, in line with the new requirements introduced by the GDPR.
Privacy-by-Design and by default: Organisations will need to change the way they design, build, and deploy technology, to ensure that privacy controls are built into them
Online: Strict new requirements on online profiling and tracking are being introduced, significantly impacting direct-to-consumer businesses; individuals gain a right to object to profiling, and in many cases this activity can only be carried out where consumers have provided their consent
Incident Management: The GDPR will require the effectiveness of security measures to be regularly tested. Personal data breaches will have to be reported to the regulator within 72 hours of the organisation becoming aware of them and, where the breach is likely to result in a high risk to individuals, also to the affected consumers without undue delay
Encryption: The GDPR formally recognises the privacy benefits of tools such as encryption and pseudonymisation; where breached data was encrypted so that it is unintelligible to whoever obtained it, the organisation is not obliged to notify the affected individuals
Data Inventories: Organisations will have to take proactive steps to demonstrate they know what data they hold, where it is stored and who it is shared with, by creating and maintaining an inventory of data processing activities; pseudonymised data remains personal data and must be included
Right to Data Portability: A new right to 'data portability' means that individuals are entitled to receive copies of their data in a structured, commonly used and machine-readable format, and to have it transmitted to another provider where technically feasible
Right to be Forgotten: An even stronger 'right to be forgotten' (right to erasure) is further evidence of the consumer being in the driving seat when it comes to use of their data
How we can help
Our Digital and Change Consulting team consists of highly specialised financial services IT professionals with extensive experience in key areas. We can conduct our GDPR Readiness Assessment across key areas of your business to gauge how current practices match up to the requirements of the GDPR. Our GDPR readiness assessment includes the following, with recommendations for remediation where applicable:
- Identification of the location of your main establishment, to confirm which Data Protection Authority will act as lead supervisor
- Completion of a single training session to raise awareness of the forthcoming changes under the GDPR amongst key stakeholders and decision makers
- A review of current privacy governance structures and operating models, verifying that accountability for privacy is appropriately assigned and that Data Protection Officers (DPOs) are designated where required
- A review of current procedures to create and maintain internal inventories of IT systems (inclusive of third party systems providers), websites, mobile applications and other repositories of personal information
- A review of current privacy risk management policies and procedures to ensure data protection impact assessments (DPIAs) form part of ongoing governance
- A review of incident management procedures to address breach notification requirements in compliance with GDPR
- A review of existing privacy notices to assess if they reflect enhanced transparency requirements
- A review of the limitations of relevant IT systems and technology, with respect to processing data portability and erasure requests
- Point-in-time advisory on the EU-US 'Privacy Shield' framework and its predecessor, the EU-US Safe Harbour framework (invalidated by the Court of Justice of the EU in October 2015), for transfers of personal data to the US