SEPTEMBER 2019
GENERAL DATA PROTECTION REGULATION
Copyright © 2019 Accenture. All rights reserved.
REGULATORY CONTEXT AND INDUSTRY CHALLENGES (1/2)
Main impacts

Impact areas: CUSTOMER PROTECTION; ECONOMIC AND REPUTATIONAL IMPACT; DATA MANAGEMENT; TECHNOLOGY LANDSCAPE

• ~1 trillion of EU citizens' personal data to be processed every year
• Full impact across the IT value chain (~1,000 / 500 apps impacted for Large / Mid Companies)
• Up to 4% of annual global turnover (~800 / 100 Mln € for Large / Mid Companies)
• Brand & clients' trust damage (average estimated cost per data breach is 4 mln $)
• > 500 MLN EU citizens impacted & all industries involved

GDPR REQUIRES EXTENSIVE CHANGES ACROSS THE ORGANIZATIONS
MEMBERS OF FORTUNE 500 WILL INVEST ALMOST 8 BN $ ON GDPR TO ENSURE THEIR COMPLIANCE*
*Source: Financial Times
REGULATORY CONTEXT AND INDUSTRY CHALLENGES (2/2)
Not a single one-off remediation effort but a 2-year journey

2018: COMPLIANCE POSITION
1. Implement new GDPR Governance Model
2. Implement new consents & information notice
3. Define rules for data deletion and implement them for high-risk applications

2019: ADDITIONAL MEASURES TO MITIGATE “RESIDUAL RISKS”
1. Implement data deletion & security measures for medium/low-risk areas
2. Improve data governance & data discovery
3. Set up third-party risk management framework

2020: STRATEGIC DIFFERENTIATION
1. Reduce cost of data operations
2. Leverage data as a strategic differentiator
3. Reduce third-party supplier risk
GDPR REGULATORY REQUIREMENTS AT A GLANCE (1/2)
10 widespread changes compared to the existing regulations

01 Data Protection Officer
Obligation to appoint a DPO to monitor the appropriate application of the legislation, carry out inspections and consultations, and act as contact point.

02 Consents & Information Notice
Right to receive the information in a transparent manner and to have consent requested in a distinguishable and non-conditioned manner, together with the obligation of the controller to demonstrate that consent was given.

03 New Data Subject's Rights
Right to be forgotten, data portability, right to access one's own data, right to restrict processing, right to data accuracy, right to withdraw consent, right to object, and the obligation to define the ways in which these rights are exercised.

04 Accountability
Obligation to be responsible for compliance with the principles applicable to personal data processing and to adopt appropriate technical and organizational measures.

05 Security Measures
Obligation to implement personal data protection measures (e.g. encryption) that guarantee a security level adequate to the risks, among which destruction, loss, alteration and disclosure.

06 Privacy by Design/Default
Obligation to implement adequate measures in the planning phase (by design) or as default settings (by default), based on the criticality of the processed data.

07 Data Breach Notification
Obligation to notify the supervisory authority and the data subject of any possible personal data breach without undue delay and within 72 hours.

08 Record of Processing Activities
Obligation to maintain records of personal data processing activities containing purposes, categories of data subjects and processes, and a description of security measures.

09 Data Protection Impact Assessment
Obligation to carry out a preliminary assessment of the impact on personal data processing, including an assessment of the risks and of the security measures.

10 Data Transfer / Third Party Management
Obligation to transfer personal data to a third country or international organization only under the terms established by the Regulation.
GDPR REGULATORY REQUIREMENTS AT A GLANCE (2/2)
Hot topics and market maturity level

TOPICS AND CONSIDERATIONS
01 DPO Organization: DPO organizational model defined
02 Consents & Information Notice: implementations concluded
03 New Data Subject's Rights: implementations ongoing on Right to Be Forgotten
04 Accountability: implementations ongoing on Right to Be Forgotten
05 Security Measures: focus on a risk-based approach for logging and anonymization on non-production environments
06 Privacy by Design/Default: focus on a risk-based approach for logging and anonymization on non-production environments
07 Data Breach Notification: focus on incident register and criteria for data notification
08 Record of Processing Activities: focus on Data Quality aspects
10 Data Transfer/Third Party: to be addressed

MARKET MATURITY LEVEL (H / M / L): rated per topic on the original slide; the per-topic ratings are not preserved in this text.
