Deloitte Finance Forum, May 2018: GDPR Update

Content

Where is the rush? 3

What’s the risk? 4

Main Changes 5

Observations at our clients 6

Holistic approach 9

Turning privacy into an opportunity 10

State of the union 11


Where is the rush?

Timeline of GDPR definition and enforcement

• 1995: the European Union released the European directive 95/46/CE relative to personal data protection.

• 2012: the European Commission proposed to reform the fragmented legal framework then in place, to deal with the new challenges for the protection of personal data and to make the EU member states fit for the digital age.

• 2016: on 4 May 2016, the EU Regulation on Data Protection (GDPR) was published in the Official Journal of the European Union. The GDPR entered into force on 24 May 2016; it replaces the former 1995 EU Data Protection Directive and creates a harmonised data protection law across Europe.

• 2018: the GDPR will be enforced as from 25 May 2018 directly across all 28 EU Member States, after a two-year implementation period. Do note that several member states have already adapted, or are planning to adapt, their laws sooner.


What’s the risk?

Key changes for business and risk implications

• Significantly higher fines: €20 million or 4% of annual global turnover.

• Broader scope and global impact: the regulation applies to any organisation in the world that receives data from EU citizens, even if the company is based outside of the EU.

• Unified and expanded definition of personal data: a unified interpretation of what constitutes personal data. New definitions of data such as location and online identifiers may result in additional compliance obligations (e.g. cookies now constitute an online identifier).

• More rights for data subjects: the strengthened rights for data subjects make it more difficult for businesses to process personal data lawfully, which implies additional compliance challenges.

• Data breach notification: significant changes to the reporting mechanism to meet the requirement.


Main changes

Scope of the General Data Protection Regulation (GDPR): what will change against the former 1995 EU Data Protection Directive?

• Broader territorial scope: applies to players not established in the EU but whose activities consist of targeting data subjects in the EU.

• Enforcement: Data Protection Authorities will be entitled to impose fines ranging between 2 and 4% of annual turnover, and will have increased powers.

• Accountability: explicit obligation on controller AND processor to demonstrate their GDPR compliance (e.g. data protection officer, privacy impact assessments (PIA)).

• Expanded definitions: personal data now explicitly includes location data, IP addresses, online and technology identifiers.

• Data subjects’ rights: reinforced rights of access, rectification, restriction, erasure and objection to processing; no automated processing and profiling; data portability.

• Consent: spelled out more clearly, with a focus on the ability of individuals to distinguish a consent. Need for affirmative action.

• Data breach notification: report a personal data breach to the Data Protection Authority within 72h…

• One-stop shop: the Data Protection Authority (DPA) of the main establishment can act as lead DPA, supervising processing activities throughout the EU.

• International data transfers: Binding Corporate Rules as tools for data transfers outside the EU and EEA are now embedded in law.


Observations

Facts & figures


Observations

Protect yourself from common pitfalls

Control areas: Legal & Policies; Information Classification; Access Controls; Database security; Secure SDLC; Information Tagging

Data Protection Principles

• No process documentation

• Unlimited data retention

• Secondary use of data

• Forced consent

• No access control

Data Subject Rights

• Inadequate, incomplete or defensive standard responses

• Legalese privacy notices

Governance

• DPO lacking resources

• Training but no awareness

• Missing privacy clauses in contracts

• “Invisible” international transfers

Technology

• Discrepancies in security

• Heterogeneous approach

• Lack of coordination and oversight

Strategy & processes

• Limited or no formal accountability

• Considered “pure” compliance issue

• Privacy by Design merely tick-the-box


Holistic approach

GDPR related challenges in your landscape

• Legacy data in storage

• Authentication bypass

• Publication without purpose

• Outdated data inventory

• Unclear privacy statement

• Logical application errors

• Right to be forgotten

• Data exfiltration

• Unclassified information

GDPR is not only about legal aspects of data protection. GDPR is not only about technical aspects of data protection. GDPR calls for a combined approach.

GDPR Journey: Processes & Organisation, Data & Technology, Legal & Compliance


Turning privacy into an opportunity

Review business processes which handle personal data:

• HR processes including recruiting

• 1st line helpdesk processes

• Registration & reception of visitors

• Direct marketing

• Invoicing

• Customer loyalty management

• …

Ensure adequate technology & IT/cyber governance measures:

• Access controls to personal data

• Install breach detection and cyber incident management processes

• Install and enforce secure software development processes

• Specific training & awareness for IT staff on GDPR matters

Make GDPR related controls part of unified risk management:

• Appoint DPO when necessary

• Embed controls on data privacy as part of enterprise risk management to ensure alignment across regulations and compliance needs

• Organise internal audit for GDPR related audits

Implement specific controls for personal data:

• Encryption of data at rest

• Monitor data leaving the organization

• Handling of test data

• Make staff aware of the rules of the road

GDPR Journey: combining forces across Processes & Organisation, Legal & Compliance, Cyber security & IT, and Data Management


Compliance waves

Gradually increasing maturity

Wave 1: Getting compliant

• Engagements driven by legal and compliance or CFO

• Focus on “checking the box”

Wave 2: Sustainable compliance

• True impact of GDPR and cost of compliance become clear

• “GDPR cases” get media attention

• Driven by Chief Risk/Data/Compliance Officer

Wave 3: Non-negotiable privacy

• Customers expect transparency and privacy on services they buy

• Privacy truly embedded in day-to-day business

Timeline: 25 May 2018, 2019, 2020


Impact on organisations

What role can you play within GDPR?

Key considerations at this moment:

Evaluate organization’s awareness of GDPR, including first and second line

Assess organization’s current privacy governance model

Evaluate organization’s compliance program against GDPR requirements

Assess organization’s ability to report data breaches in a timely manner and to respond to data subjects’ requests

Incorporate privacy compliance in the audit framework

Potential GDPR compliance gaps within the organization

Lack of knowledge and awareness of GDPR requirements

Lack of a record-keeping mechanism on how data is being collected, processed, transferred and retained

Lack of data privacy governance body, DPO and accountability framework

Lack of a Privacy Impact Assessment that identifies and mitigates privacy risks

Existing processes, policies and procedures and contracts do not incorporate GDPR requirements

Lack of responsive breach reporting mechanism


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

Deloitte provides audit, tax and legal, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 225,000 professionals, all committed to becoming the standard of excellence.

This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.

© 2018 Deloitte Belgium