
General Data Protection Regulation (GDPR) Compliance


Whether you are at the beginning of your journey, or are already mid-way through, this document presents the key GDPR themes, priority areas, and business opportunities, which we feel are important considerations for any GDPR programme.


  1. GDPR COMPLIANCE
     Are you ready for the fast approaching General Data Protection Regulation compliance deadline?

  2. THE GDPR DEADLINE IS FAST APPROACHING, BUT MANY COMPANIES HAVE NOT BEGUN IMPLEMENTATION.
     Act now: With the fast approaching General Data Protection Regulation (GDPR) enforcement deadline, organisations are encouraged to act now to prepare for the new data privacy requirements and be able to demonstrate compliance in line with the new accountability principle under this new regulation.
     Key GDPR themes: Whether you are at the beginning of your journey, or are already mid-way through, this document presents the key GDPR themes, priority areas, and business opportunities, which we feel are important considerations for any GDPR programme.
     Non-compliance: The consequence of non-compliance will be severe, as GDPR significantly strengthens data protection enforcement and accountability and authorises penalties for non-compliance of up to €20 million or 4% of global annual turnover, whichever is higher.[1] However, there is also a business opportunity to establish a competitive edge by focusing on re-building digital trust with customers.
     Source for regulatory statements: General Data Protection Regulation. [1] Article 83 GDPR.
     Copyright © 2018 Accenture. All rights reserved.

  3. 1. RECORDS AND CONDITIONS OF PROCESSING
     FIRMS ARE REQUIRED TO…
     • Locate where personal data is held across the organisation, maintain a data inventory and data processing record (particularly retention, archiving, disposal and audit trail of consent) and establish the lawful basis of processing, which will feed into the Article 30 report.[2]
     • Consent requirements have been enhanced,[3] which require you to amend consent capture and management processes to enable transparent use of personal data, e.g. consent opt-in, explicit consent for special categories of personal data, storing copies of privacy notices and associated audit trail etc.
     RECOMMENDATIONS FOR ADOPTING A RISK-BASED APPROACH
     • Drive GDPR into your organisation through prioritised customer journeys and business processes, rather than just a technology or compliance approach.
     • Conduct risk-based assessments to determine the GDPR risk exposure, focusing initially on high risk processes.
     • Create a conceptual consent subscription and withdrawal model and test it with focused user groups before a wider customer roll-out.
     Build trust amongst customers, employees and partners through fairness and transparency of data use. Use the consent change opportunity to increase customer buy-in by focusing on value exchange.
     Source for regulatory statements: General Data Protection Regulation. [2] Article 30 GDPR; [3] Article 7 GDPR.
     Data source for statistics: * The GDPR Demands 75k DPOs, International Association of Privacy Professionals. † A New Slice of PPP, with a Side of Digital Trust, Accenture 2017.

  4. 2. DATA SUBJECT RIGHTS
     FIRMS ARE REQUIRED TO PROVIDE THE FOLLOWING SEVEN FUNDAMENTAL RIGHTS TO BOTH EMPLOYEES AND CUSTOMERS:[4]
       1. Data access
       2. Data rectification
       3. Right to be forgotten (new)
       4. Right to restrict processing
       5. Right to object
       6. Data portability (new)
       7. Right to object to automated decision-making (new)
     RECOMMENDATIONS TO HELP DRIVE COMPLIANCE
     • Review the existing processes and implement enhancements to provision the data subject rights.
     • Deliver frontline staff training and communication to operationalise the new and/or enhanced processes.
     • Consider automating data subject rights beyond the immediate compliance deadline.
     Looking beyond compliance: Customer and staff rights have been strengthened, but this doesn’t have to be a burden—use this as an opportunity to establish your brand as a truly digital customer-centric business.
     [4] Articles 12-23 GDPR.

  5. 3. PRIVACY, SECURITY & BREACH MANAGEMENT
     FIRMS ARE REQUIRED TO…
     • Notify the supervisory authority within 72 hours of discovering a data breach.[5]
     • Perform a privacy impact assessment on business areas using personal data.[6]
     • Embed privacy by design and default into business processes and systems.[7]
     • Have in place appropriate organisational and technical security measures for the protection of personal data.[8]
     Embedding privacy and security requires both a cultural change and a proactive process, which can reduce and mitigate risks.
     4 out of 10 consumers (surveyed globally): trust in a company increases when breaches are handled swiftly and correctly.†
     RECOMMENDATIONS ON TACKLING THE COMPLIANCE CHALLENGE
     • Take a risk-based approach by conducting Data Privacy Impact Assessments (DPIAs) on high risk business processes, applications and systems.
     • Identify and document the organisational and security controls in place to mitigate the risks associated with personal data processing.
     • Establish a long-term roadmap to deliver required enhancements to existing security controls.
     [5] Article 33 GDPR; [6] Article 35 GDPR; [7] Article 25 GDPR; [8] Article 32 GDPR.

  6. 4. DATA PROTECTION OFFICE & DATA GOVERNANCE
     FINANCIAL SERVICES FIRMS ARE REQUIRED TO…
     • Appoint a Data Protection Officer (DPO) to act as a first point of contact for supervisory authorities.[9] The DPO is to monitor compliance, advise on data protection impact assessments, and inform the board members and employees about their obligations to comply with the GDPR.
     • The DPO will require a dedicated team to execute its roles and responsibilities and in many organisations will be a new second line of defence function.
     75,000 DPOs are required worldwide; +3,000 DPOs are needed in the United Kingdom/Ireland.*
     RECOMMENDATIONS ON MOVING TOWARDS SUSTAINABLE COMPLIANCE
     • Define privacy risk appetite and strategy.
     • Appoint a DPO and establish the roles of the Data Protection Office upfront. A DPO will be integral in overseeing all aspects of data privacy and protection beyond 25th May, 2018.
     [9] Articles 37-39 GDPR.

  7. 5. THIRD PARTY MANAGEMENT & INTERNATIONAL DATA TRANSFER
     • Under GDPR, data processors and controllers are subject to direct statutory obligations and penalties, rather than only being subject to obligations imposed on them by contractual agreements with the controller.[10]
     • Firms are required to have in place the appropriate safeguards for all data transfers,[11] and the data subject can be provided information as to whom their data has been shared with.[12]
     GDPR impacts how you and any third parties manage personal data across the entire data value chain.
     1/4 of consumers surveyed globally are willing to share personal information in exchange for a better level of service or the ability to choose which data is shared with 3rd parties.†
     RECOMMENDATIONS ON COMPLYING WITH THE REGULATION AND DRIVING WIDER BUSINESS VALUE
     • Review and update all supplier contracts where staff or customer personal data is shared.
     • Update supplier governance policies and procedures in line with GDPR.
     • Review and enhance the third-party risk management framework and use this as an opportunity to converge towards trusted third-party suppliers.
     [10] Articles 24-43 GDPR; [11] Article 46 GDPR; [12] Article 15 GDPR.

  8. PREPARING FOR THE COMPLIANCE DEADLINE
     GDPR is an opportunity to rethink the way your organisation handles customer and employee data. Here are a few recommendations to prepare for an effective GDPR implementation.
     • Focus on the customer journey: Drive GDPR into your organisation through prioritised customer journeys and business processes, rather than just a technology or compliance approach.
     • Empower cross-functional teams: Make balanced decisions more quickly by bringing together compliance, business and technology teams.
     • Create a simple programme structure: Develop a structure for managing GDPR where teams can clearly communicate and keep end goals in mind.
     • Prioritise on risks and demonstrate change: Use a risk-based approach to identify intrinsic and actual risk to inform the implementation roadmap prioritisation.

  9. FROM BURDEN… TO OPPORTUNITY
     GDPR compliance is far from being a single one-off remediation effort—look beyond 25th May, 2018 and you could drive strategic and operational benefits to unlock your data’s strategic value.
     STRATEGIC MARKET DIFFERENTIATION: Strategic data sharing partnerships; good regulatory relations; trusted brand; capture high value market share; opportunity for monetisation. Stricter consent and transparency → more trust to strengthen opt-in rates.
     REDUCED COSTS: A company with a large database of customer records could save millions (on average storing costs are $1.50 per record per year†) if they cleanse their database of inactive customers and comply with data retention schedules.
     A BETTER CUSTOMER EXPERIENCE: Increase marketing opt-in by focusing on value exchange and building trust with customers. For companies, better data means better product placement, upselling, cross-selling, and improved return on marketing—all of which contribute to a more personalised customer experience.
     From burden… to opportunity:
     • Detailed records on data processing → more efficient data operations
     • Privacy by design and data minimisation → reduction in cost and data noise
     • Stricter governance and accountability → smarter investments into data
     • Accountability for third-party sharing → more value from data sharing
     UNLOCK ADDITIONAL VALUE FROM CUSTOMER DATA: Increased marketing opt-in; more value from data sharing; reduced cost and data noise; strengthened marketing spend; more efficient data operations; value-based data investments.

  10. CONTACT US
     Get in touch to find out more about GDPR, its impact on your organisation and how Accenture can help you navigate and comply with the new data privacy and protection requirements.
     Umer Hamid, Management Consulting Manager, Accenture Finance & Risk, London, United Kingdom: Umer.Hamid@accenture.com
     Heather D. Adams, Managing Director, Accenture Finance & Risk, London, United Kingdom: Heather.D.Adams@accenture.com
     Get the latest insights from Accenture Finance & Risk:
     On our blog: http://financeandriskblog.accenture.com/
     On LinkedIn: https://www.linkedin.com/showcase/16183502/
     On Twitter @AccentureFSRisk: https://twitter.com/AccentureFSRisk

  11. ABOUT ACCENTURE
     Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 425,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com
     Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
     DISCLAIMER
     This presentation is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.