1. GDPR: DATA PRIVACY IN THE NEW
Copyright © 2018 Accenture. All rights reserved.
2. GDPR'S INTENT: CODIFY RIGHTS AND GIVE PEOPLE POWER OVER THEIR INFORMATION

GDPR harmonizes a series of complex European data protection requirements and codifies new privacy rights and protections for EU citizens.

Key GDPR Requirements
- Data Subject Rights: Can you completely erase personal data when needed?
- Privacy by Design: Are your products and services privacy friendly?
- Accountability: Are you confident the third parties you use will be compliant?
- Consent: Have you collected and documented consent for every data use?
- Breach Notification: Can you quickly recognize and report a data breach?
3. GENERAL DATA PROTECTION REGULATION

THE EU GENERAL DATA PROTECTION REGULATION: SCOPE WIDENED | STRONGER ENFORCEMENT & ACCOUNTABILITY | INDIVIDUAL'S RIGHTS INCREASED | HARMONIZATION ACROSS EU

Protects the personal data of individuals in the EU, wherever it is processed.
New: significant amendments and new obligations. Individuals have new rights to object to profiling, to be forgotten and to data portability.

TIMELINE
- 15.12.2015: The final text of the GDPR was published.
- 14.04.2016: The EU Parliament approved the final text in its plenary session.
- 25.05.2018: GDPR applies from this date (has come into effect).
- 2019 onward: Ongoing compliance activities and continuous improvement.

IMPACT/CHANGES
- Rights to be forgotten / to erasure, to data portability, to rectification, to restriction of processing, of access by the data subject, and to object
- Notification obligation for data breaches
- Unambiguous consent required for data usage
- Fines for violations can be 4% of global turnover (revenue) or €20 million, whichever is higher
- Data protection officer to be appointed where the GDPR requires one
- Privacy by design
- Data Protection Authority assessment & approval
- Culture of internal monitoring & reviewing
- Harmonized rules: unified legal landscape
- Overseen by the European Data Protection Board plus local regulators
- Territorial scope: processing in the EU and of EU data subjects, regardless of where the data controller / processor is located
- Special rules for sensitive data such as health, biometric, ethnic data, etc., and for data concerning criminal convictions and offences
- Data controller vs. processor: accountability for third-party processors

DRIVERS
- Data breaches: the increasing number of breaches led to concerns for customers and regulators.
- Regulatory changes: new rights for individuals (right to be forgotten, portability, breach notification).
- Lack of harmonization of privacy regulation in the EU: GDPR harmonizes privacy legislation among EU member states.

Accenture analysis based upon publicly available documents.
4. WHAT CONCERNS DO ORGANIZATIONS HAVE?

- 46% of companies surveyed are concerned about FINES.
- 36% of companies surveyed believe changing processes around DATA PROTECTION and MANAGEMENT is the biggest challenge.
- 33% of companies surveyed are concerned about the NEED TO INFORM CUSTOMERS OF DATA BREACHES within 72 hrs.
- 31% of companies surveyed are concerned about the VOLUME OF DATA STORED they need to protect.

Source: "EU General Data Protection Regulation Survey," Boldonjames.com. Access at:
https://www.boldonjames.com/resources/eu-data-protection-regulation-survey-infographic/.

Accenture's research into consumer behavior suggests data privacy and protection is not just about compliance and should be at the core of wider business strategy.

- 8 out of 10 surveyed consumers say trust is a key driver of brand loyalty.†
- 4 out of 10 consumers surveyed say their trust in a company increases when breaches are handled swiftly and correctly.†
- About 2 out of 3 consumers surveyed would consider asking their financial services provider to delete personal data.††
- 54% of UK consumers surveyed are willing to share their personal information with their bank in return for certain added benefits and more personalized, relevant services.††

† A New Slice of PI, with a Side of Digital Trust, Accenture 2017.
†† UK Financial Services Customer Survey 2018, Accenture 2018.
5. REGULATORY CONTEXT AND INDUSTRY CHALLENGES

GDPR COMPLIANCE IS FAR FROM BEING A SINGLE ONE-OFF REMEDIATION EFFORT, AND MOST ORGANIZATIONS MAY NOT BE FULLY COMPLIANT BY 25TH MAY, 2018.

Phase 1 (May 2018): ACHIEVE "DEFENSIBLE" COMPLIANCE POSITION BASED ON RISK APPETITE
- Implement new GDPR governance model
- Implement new subject rights and consent framework
- Implement data deletion and security measures for high-risk areas

Phase 2 (2019): IMPLEMENT GDPR MEASURES TO MITIGATE "RESIDUAL RISKS"
- Implement data deletion and security measures for medium- to low-risk areas
- Improve data governance and data discovery
- Improve third-party due diligence / risk management

Phase 3: STRATEGIC GDPR DIFFERENTIATION
- Increase customer trust by improving privacy controls and culture
- Help reduce cost of data operations
- Leverage data as a strategic differentiator
- Reduce third-party supplier risk

MARKET INSIGHTS
- High Impact: GDPR is a complex game with high impact on systems.
- Risk-Based Approach: clients' GDPR programs are too big to be totally completed by 2018; the primary focus should be on the highest-risk areas, with an intent to cover the remaining ones in a second step.
- Different actions according to Maturity Level: the action plan is linked to the maturity level / state of the art of the privacy framework, existing solutions and projects.
6. OPERATIONAL THEMES TO BECOME GDPR READY

- Users have the right to be forgotten; data should be erased on request.
- Organizations have to notify authorities of data breaches.
- Personal data is portable, and can be transferred on request.
- Organizations whose processing meets the GDPR criteria (for example public authorities, or large-scale monitoring or processing of special categories of data) have to assign a data protection officer.
- A user should be able to easily give, and withdraw, informed data collection consent.
- Security / privacy by design: for solutions and processes related to handling / collecting personal data, privacy and security should be prioritized.
- Organizations can be audited to prove their compliance with GDPR.
- Organizations have to follow the data minimization principle: only collect data which is directly relevant and necessary to accomplish a specified purpose.
- All data should be adequately protected and consent secured.
7. OPPORTUNITIES AND CONSIDERATIONS FOR THE FUTURE

1. GDPR impacts across businesses, thus requires a cross-functional team: it is not just a Risk, IT, Security or Legal project; business involvement is key.
2. Customer journey led discovery: identify the top 5-10 customer journeys; they often drive out the biggest risks, like data movement across Utility entities and across systems, and let you prioritize remediation accordingly.
3. Prioritize on risks and demonstrate change: in many ways GDPR might be too big to be totally completed by 2018; focus on the highest risks first, with an intent to cover all areas.
4. Alliance and partners are your responsibility: you are now accountable for your alliance / partners being Data Processors, and these are often obscure, e.g. cloud providers.
5. Assess existing projects to scale: data privacy should be a part of all data-related projects, not just a one-time dedicated program.
6. Ensure you understand accountability of data controllers: this is more than just a name in the frame; it is about where it may be funded from and who has the influence to make the change happen across the organization.
7. Embed the Data Protection Officer (DPO) in the organization: ensure that the DPO has the right capabilities (skills, team, authority) and is empowered to highlight risks and make changes happen.
8. Different parts of the organization can be different in maturity: it is natural for some areas to be further ahead; use the wins of the leading parts of the organization and make sure all areas are coordinated.
9. Tools and organizational experience are critical: there is no silver bullet to GDPR compliance, and there should be no substitute for engaging stakeholders around the enterprise to understand the hidden nuances in getting to a compliant position.
10. From burden to opportunity: GDPR investment can be leveraged to drive business value and opportunities, e.g. establishing simpler data operations and potentially reducing cost and data noise.
8. FROM BURDEN TO OPPORTUNITY

A defined customer data strategy may help companies turn regulatory burden and challenges into a competitive advantage.

From Burden...
- Stricter consent
- Detailed records on data use
- New categories of personal data
- Stricter governance
- Data privacy by design
- Accountability for third-party sharing
- Minimization of customer data
- Right to be forgotten

...to Opportunity
- Improve marketing opt-in
- More efficient data operations
- More comprehensive profiles
- Value-based data investments
- Improved ROI of new initiatives
- More value from data sharing
- Potential reduction of cost and data noise
- Improved marketing spend

Customer data strategy levers
- Enhance consent model / value exchange
- Enterprise-wide customer data mapping
- Treat digital shadow as customer data
- Put customer data into business ownership
- Business cases with value / risk of customer data
- Define third-party data sharing strategy
- Cleanse data lakes of no-value records
- Stop targeting customers that are not interested
9. PRIVACY ACT – WHAT'S THE BILL GOING TO DO?

The California Consumer Privacy Act of 2018 is going to put safeguards in place to further protect consumers' privacy. If enacted, the bill will govern the way a consumer's personal information is received, held and shared with businesses. The bill has severe implications for businesses that handle or share consumers' information. The 8 sections outlined below are components of the bill and will cover how Personal Information (PI) should be handled.

1. Personal Info Collected
2. Personal Information Sold
3. Right to Say No
4. Equal Service and Price
5. Disclosure Requirements
6. Notice Requirements
7. Clarifying Definitions
8. Exemptions

Examples of Personal Information
- Biometric data
- Personal identifiers like real name, alias, account name, etc.
- Audio, electronic, visual, thermal information
- Inferences drawn from any PI
- Any PI related to children of the consumer
- Internet or network activity information
- Psychometric information
- Geolocation data
- Records of property, products or services provided
- Professional or employment-related information

Accenture analysis based upon publicly available documents.
10. ACCENTURE CONTACT INFORMATION
Lisa Bloomberg
Principal Director
Financial Services
Regulatory & Compliance
New York
Lisa.Bloomberg@Accenture.com
Tel: +1 917-452-6247
Chris Beck
Senior Manager
Financial Services
Regulatory & Compliance
Chicago
Christoper.t.beck@Accenture.com
Tel: +1 312-693-6246
Samantha Regan
Managing Director
Financial Services Regulatory &
Compliance Management Lead
for North America
samantha.regan@accenture.com
Tel: +1 404-790-7378
Ben Shorten
Senior Manager
Financial Services
Regulatory & Compliance
New York
benjamin.j.shorten@accenture.com
Tel: +1 (512) 739 4080
Daniel J. Maloney
Senior Manager
Regulatory & Compliance
Charlotte
Daniel.Maloney@Accenture.com
Tel: +1 908-489-4602
11. GDPR: DATA PRIVACY IN THE NEW
About Accenture
Accenture is a leading global professional services
company, providing a broad range of services and
solutions in strategy, consulting, digital, technology and
operations. Combining unmatched experience and
specialized skills across more than 40 industries and all
business functions—underpinned by the world’s largest
delivery network—Accenture works at the intersection of
business and technology to help clients improve their
performance and create sustainable value for their
stakeholders. With more than 442,000 people serving
clients in more than 120 countries, Accenture drives
innovation to improve the way the world works and lives.
Visit us at www.accenture.com
Accenture, its logo, and High Performance Delivered are
trademarks of Accenture.
Disclaimer
This presentation is intended for general informational
purposes only and does not take into account the
reader’s specific circumstances, and may not reflect the
most current developments. Accenture disclaims, to the
fullest extent permitted by applicable law, any and all
liability for the accuracy and completeness of the
information in this presentation and for any acts or
omissions made based on such information. Accenture
does not provide legal, regulatory, audit, or tax
advice. Readers are responsible for obtaining such
advice from their own legal counsel or other licensed
professionals.