Deloitte Finance Forum
May, 2018
GDPR Update
Content
Where is the rush? 3
What’s the risk? 4
Main Changes 5
Observations at our clients 6
Holistic approach 9
Turning privacy into an opportunity 10
State of the union 11
Where is the rush?
Timeline of GDPR definition and enforcement
1995 • The European Union adopted Directive 95/46/EC on the protection of personal data.
2012 • The European Commission proposed to reform the fragmented legal framework in order to deal with the new challenges for the protection of personal data and to make the EU Member States fit for the digital age.
2016 • On 4 May 2016, the EU General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union. It entered into force on 24 May 2016 and replaces the 1995 EU Data Protection Directive, creating a harmonised data protection law across Europe.
2018 • The GDPR applies directly in all 28 EU Member States from 25 May 2018, after a two-year implementation period.
• Note that several Member States have already adapted, or are planning to adapt, their national laws sooner.
What's the risk?
Key changes for business and risk implications
Significantly higher fines: up to €20 million or 4% of annual global turnover, whichever is higher.
Broader scope and global impact: the Regulation applies to any organisation in the world that processes personal data of data subjects in the EU (by offering them goods or services or by monitoring their behaviour), even if the company is based outside the EU.
Unified and expanded definition of personal data: a single interpretation of what constitutes personal data. The explicit inclusion of data such as location data and online identifiers may result in additional compliance obligations (e.g. cookie identifiers now constitute an online identifier).
More rights for data subjects: the strengthened rights for data subjects make it more difficult for businesses to process personal data lawfully, which implies additional compliance challenges.
Data breach notification: breaches must be reported to the supervisory authority within 72 hours of the organisation becoming aware of them, which requires significant changes to detection and reporting mechanisms.
Main changes
Scope of the General Data Protection Regulation (GDPR)
What will change compared with the former 1995 EU Data Protection Directive?
Broader territorial scope: applies to players not established in the EU but whose activities consist of targeting data subjects in the EU (offering them goods or services, or monitoring their behaviour).
Enforcement: Data Protection Authorities will be entitled to impose fines of up to 2% or 4% of annual global turnover, depending on the infringement, and receive increased investigative and corrective powers.
Accountability: explicit obligation on the controller AND the processor to be able to demonstrate their GDPR compliance (e.g. data protection officer, privacy impact assessments (PIA)).
Expanded definitions: personal data now explicitly includes location data, IP addresses, online and technology identifiers.
Data subject rights: reinforced rights of access, rectification, restriction, erasure and objection to processing; the right not to be subject to decisions based solely on automated processing, including profiling; data portability.
Consent: spelled out more clearly, with a focus on the individual's ability to distinguish a request for consent from other matters. Consent requires a clear affirmative action; silence or pre-ticked boxes do not count.
Data breach notification: report a personal data breach to the Data Protection Authority within 72 hours of becoming aware of it…
One-stop shop: the Data Protection Authority (DPA) of the main establishment can act as lead DPA, supervising processing activities throughout the EU.
International data transfers: Binding Corporate Rules as a tool for data transfers outside the EU and EEA are now embedded in law.
Observations
Facts & figures
Observations
Protect yourself from common pitfalls
Control domains: Legal & Policies; Information Classification; Access Controls; Database security; Secure SDLC; Information Tagging
Data Protection Principles: no process documentation; unlimited data retention; secondary use of data; forced consent; no access control
Data Subject Rights: inadequate, incomplete or defensive standard responses; legalese privacy notices
Governance: DPO lacking resources; training but no awareness; missing privacy clauses in contracts; "invisible" international transfers
Technology: discrepancies in security; heterogeneous approach; lack of coordination and oversight
Strategy & processes: limited or no formal accountability; privacy considered a "pure" compliance issue; Privacy by Design merely tick-the-box
Holistic approach
GDPR related challenges in your landscape:
• Legacy data in storage
• Authentication bypass
• Publication without purpose
• Outdated data inventory
• Unclear privacy statement
• Logical application errors
• Right to be forgotten
• Data exfiltration
• Unclassified information
GDPR is not only about the legal aspects of data protection, and not only about the technical aspects of data protection: GDPR calls for a combined approach.
GDPR Journey: Processes & Organisation; Data & Technology; Legal & Compliance
Turning privacy into an opportunity
Review business processes which handle personal data:
• HR processes including recruiting
• 1st line helpdesk processes
• Registration & reception of visitors
• Direct marketing
• Invoicing
• Customer loyalty management
• …
Ensure adequate technology & IT/cyber governance measures:
• Access controls to personal data
• Install breach detection and cyber incident management processes
• Install and enforce secure software development processes
• Specific training & awareness for IT staff on GDPR matters
GDPR related controls as part of unified Risk management
• Appoint DPO when necessary
• Embed controls on data privacy as part of enterprise risk management to ensure alignment across regulations and compliance needs
• Organise internal audit for GDPR related audits
Implement specific controls for personal data:
• Encryption of data at rest (and pseudonymisation, which the GDPR names explicitly as a security measure)
• Monitor data leaving the organization
• Handling of test data (no production personal data in test environments without anonymisation or pseudonymisation)
• Make staff aware of the rules of the road
GDPR Journey, combining forces: Processes & Organisation; Legal & Compliance; Cyber security & IT; Data Management
Compliance waves
Gradually increasing maturity
Wave 1: Getting compliant
• Engagements driven by legal and compliance or CFO
• Focus on “checking the box”
Wave 2: Sustainable compliance
• True impact of GDPR and cost of compliance become clear
• “GDPR cases” get media attention
• Driven by Chief Risk/Data/Compliance Officer
Wave 3: Non-negotiable privacy
• Customers expect transparency and privacy on services they buy
• Privacy truly embedded in day-to-day business
Timeline: 25 May 2018 → 2019 → 2020
Impact on organisations
What role can you play within GDPR?
Key considerations at this moment:
Evaluate organization’s awareness of GDPR, including first and second line
Assess organization’s current privacy governance model
Evaluate organization’s compliance program against GDPR requirements
Assess organization’s ability to timely report data breaches and respond to data subjects’ requests
Incorporate privacy compliance in the audit framework
Potential GDPR compliance gaps within the organization
Lack of knowledge and awareness of GDPR requirements
Lack of a record-keeping mechanism (a record of processing activities) documenting how data is being collected, processed, transferred and retained
Lack of data privacy governance body, DPO and accountability framework
Lack of a Privacy Impact Assessment that identifies and mitigates privacy risks
Existing processes, policies and procedures and contracts do not incorporate GDPR requirements
Lack of responsive breach reporting mechanism
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.
Deloitte provides audit, tax and legal, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 225,000 professionals, all committed to becoming the standard of excellence.
This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.
© 2018 Deloitte Belgium