
How will your business be affected and what you can do to stay ahead of the new and wide-ranging GDPR (General Data Protection Regulation)?

Topics covered include:

  • Key highlights of the new GDPR (General Data Protection Regulation)
  • Who is affected
  • ‘Privacy Shield’ proposals versus US-EU Safe Harbour framework
  • Timeline for implementation and enforcement of GDPR
  • What should you be doing to prepare for the new legislation

Speaker line up

Martin Hoskins, Associate Director at Grant Thornton UK LLP

Matthew McGrory, Managing Director at Carrenza Ltd

A business that is not GDPR compliant by May 2018 may face a fine of 4% of its annual turnover

Reasons to attend

This session, delivered in partnership with Grant Thornton, will give you the knowledge to ensure compliance with GDPR and avoid penalties. It will highlight what companies can do now in light of the new legislation; what cascade effects there will be on operations and businesses; the impact of the Privacy Shield; and what Brexit means for the GDPR.


  1. © 2017 Grant Thornton UK LLP. All rights reserved | Public. How will the GDPR affect your business? Hosted by Carrenza, in partnership with Grant Thornton. Speakers: Matt McGrory, Managing Director, Carrenza; Martin Hoskins, Associate Director, Grant Thornton.
  2. Data Protection
  3. Introduction
  4. Mobile Phone Technology in 1995: Mobile Phones
  5. Cyberspace in 1995
  6. And Now …
  7. The News in 1995
     • DVD media format introduced
     • OJ Simpson innocent of double murder of Nicole Simpson & Ron Goodman
     • Rosemary West guilty of murdering 10 women and girls
     • CEJ Bosman ruling, affecting international football transfers
     • Disability Discrimination Act
  8. The General Data Protection Regulation: What You Need To Know
     • The General Data Protection Regulation (GDPR) will come into force on 25 May 2018
     • For the most serious violations, privacy regulators will be able to impose penalties of up to €20 million or 4% of global revenue (whichever is higher)
     • This is a critical change compared to current UK fines, which are capped at £500,000
     • Organisations will be under greater obligations to provide assurance to their boards, customers and regulators that their data protection processes and procedures are fit for purpose
     Key Features Of The Regulation: Accountability; Data Mapping; Data Protection Officers; Fair Processing Notices; New Rights for Individuals; Wider Scope; Data Processors; Breach Reporting; Privacy Impact Assessments.
     We can help by providing this assurance and also explaining what good data protection practices look like.
  9. Key Changes Introduced By The GDPR
     • Restrictions On Profiling / Big Data
     • Enhanced Role For DPOs
     • Notify Breaches In 72 Hours
     • 1 EU Law
     • Transfers Outside The EU
     • Enhanced Rights Of Data Subjects
     • Fines 4% Annual Turnover
     • Processor Liability
     • Detailed Privacy Notices
  10. Audit Requirements Within The GDPR
     Each controller or processor shall maintain a record of processing activities under its responsibility. The record shall:
     • contain a general description of the technical and organisational security measures
     • include a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing
     • be in writing, including in electronic form
     The controller or the processor shall make the record available to the supervisory authority on request. GDPR Articles 30(1)(g), 30(2)(d) & 32(1)(g).
  11. ICO Audits
     Elizabeth Denham, the Information Commissioner, stressed the importance of carrying out data protection audits when appearing before the Parliament's Culture, Media & Sport Committee on 27 April 2016: "My attitude towards oversight and enforcement is you start from a place where you educate, you give guidance, you do audits and it is when things go very wrong and when a company doesn’t have the right attitude towards redress, that enforcement action and fines should come in."
  12. What The Information Commissioner Expects
     Elizabeth Denham, the Information Commissioner, stressed the importance of cultural change when speaking at the annual conference of the Direct Marketing Association on 24 February 2017: "The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation."
  13. What Does Good Data Protection Look Like? Audit Areas
     When conducting an audit, the ICO will assess the arrangements an organisation has in place for complying with the General Data Protection Regulation and the extent to which they are being adhered to.
     • Audits can cover a number of key scope areas
     • They give an assurance level of the overall performance in each scope area
     • Each scope area contains within it a number of specific controls
     • Each control is individually scored to provide an overall assurance rating for the scope area being assessed
     • Where information risks are identified within a scope area, it will make recommendations to increase assurance ratings against specific controls
     Audit areas:
     • Training and Awareness: relating to their roles and responsibilities
     • Records Management: managing electronic and manual records
     • Security: technical and organisational measures
     • Requests For Personal Data: procedures in place
     • Data Sharing: design and operation of appropriate controls
     • Accountability: DP governance, arrangements and controls in place to ensure compliance
  14. ICO Guidance
  15. ICO Guidance
  16. ICO Guidance
  17. Brexit
  18. Brexit: GDPR Implications. The ICO’s Position
     “If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018.” ICO Statement, 24 June 2016
  19. Brexit: GDPR Implications. The Government’s Position
     “As we leave the EU, the Government is committed to making the UK the best place in the world to do business. This will mean fostering a high quality, stable and predictable regulatory environment, whilst also actively taking opportunities to reduce the cost of unnecessary regulation and to support innovative business models. The stability of data transfer is important for many sectors – from financial services, to tech, to energy companies. EU rules support data flows amongst Member States. For example, the EU data protection framework outlines the rights of EU citizens, as well as the obligations to which companies must adhere when processing and transferring this data. There is also an ongoing consultation regarding the free flow of data, including considering whether legislation is necessary to limit Member States’ requirements for data to be stored nationally. The European Commission is able to recognise data protection standards in third countries as being essentially equivalent to those in the EU, meaning that EU companies are able to transfer data to those countries freely.” The United Kingdom’s exit from and new partnership with the European Union, February 2017, CM 9417
  20. What might a ‘GDPR-light’ approach look like?
     • Allow data controllers to charge token fees for subject access requests [A15]
     • Drop the requirement for data controllers to pass an individual’s personal data directly to another data controller, if so requested [A20]
     • Drop the requirement to appoint Data Protection Officers with specified responsibilities [A37]
     • Reduce the maximum level of fines for non-compliance [A83]
     • Revise the rules on transborder data flows and data processing contracts, introducing a more pragmatic approach
     • Simplify individuals’ rights, which are overly complicated as they depend, to some extent, on the legal grounds that data controllers rely on for processing personal data [Ch3]
     • Reduce the (expanded) scope of fair processing notices, and drop the requirement for data controllers to explain what their “legitimate interests” are when they use this legal condition to process data [A13-14]
     • Require data controllers to document fewer of their processes in order to demonstrate accountability [A30]
     … but Data Protection audits / reviews are likely to remain
  21. Our Clients
  22. What Should Be Done By May 2018?
     • Clients should be able to provide evidence of completion of work:
       • to internal stakeholders
       • to internal audit
       • to regulator(s)
     • Clarity on whether any new risks have been accepted
     • Policies and procedures fully signed off and operational
     • Processes and controls embedded
     • Governance documentation being produced and stored
     • Champagne on ice
  23. Our Capabilities
  24. Helping Our Clients. We understand the Regulation! We Are Helping Our Clients By:
     • carrying out a gap analysis to identify the processes and policies that need to be introduced or upgraded
     • recommending an appropriate risk and control framework
     • drafting appropriate policies and procedures that are compliant with the new requirements
     Should unfortunate incidents occur, our cyber risk resilience team is always on hand to provide breach management advice and assistance.
  25. Contact Us
  26. Contact Details
     Grant Thornton provides business, information technology and organisational resilience solutions to help improve your organisation's resilience capabilities. Our team consists of industry experts with skills covering all aspects of risk and resilience management. We work with clients from all parts of the business services sector and with the relevant regulators that oversee it. We would be happy to discuss your organisation's needs and demonstrate how we can help you prepare to implement the new standard.
     Manu Sharma, Head of Cyber Security and Privacy Services, Grant Thornton UK LLP. E. manu.sharma@uk.gt.com T. +44 (0)20 7865 2406 M. +44 (0)7966 623 524
  27. ‘Grant Thornton’ refers to the brand under which the Grant Thornton member firms provide assurance, tax and advisory services to their clients and/or refers to one or more member firms, as the context requires. Grant Thornton UK LLP is a member firm of Grant Thornton International Ltd (GTIL). GTIL and the member firms are not a worldwide partnership. GTIL and each member firm is a separate legal entity. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. grantthornton.co.uk