EU General Data Protection Regulation: Are you ready?

Post on 14-Feb-2017


Contents

2 What do you need to know about the new EU General Data Protection Regulation?

4 Are organisations ready for the EU General Data Protection Regulations?

6 How can you prepare for the EU General Data Protection Regulation?

8 How we can help you get ready

10 Example outputs

12 Contacts


What do you need to know about the new EU General Data Protection Regulation?

On December 17, 2015, after more than three years of tough negotiations and several draft versions of the GDPR, an informal agreement was reached between the European Parliament and the Council of the European Union. The GDPR is a game changer for organisations. The final draft has been backed by the Committee on Civil Liberties, Justice and Home Affairs. It introduces more stringent and prescriptive data protection compliance challenges, backed by fines of up to 4% of global annual revenue. The Regulation will replace the Directive 95/46/EC, which has been the basis of European data protection law since it was introduced in 1995. When the GDPR is officially adopted later this year it will apply in EU Member States without further consultation after a period of two years.

The Regulation will have a significant impact on businesses in all industry sectors, bringing with it both positive and negative changes for business in terms of cost and effort. Organisations are likely to welcome the harmonisation of laws across the 28 member states, which will make the complex data protection landscape easier to navigate for multinational organisations. The introduction of new rights for individuals, such as the Right to be Forgotten and the Right to Portability, as well as the introduction of mandatory breach notification, are likely to increase the regulatory burden for organisations. Businesses need to review their current data protection compliance programmes to determine next steps and decide on the level of investment they need to make over the next two years to address the changes.

Organisations need to act now to ensure that they are ready to comply with the new Regulation when it comes into force in the spring of 2018.

Data protection has entered a period of unprecedented change. This has been driven by:

1. An increasing number of high profile data breaches reported in the media that has led consumers and regulators to be concerned about how personal data is managed

2. The demise of Safe Harbor

3. The new EU General Data Protection Regulation (GDPR) – a landmark moment in data protection


Key changes proposed by the EU GDPR

Fines of up to 4% of annual worldwide turnover

Fines for a breach of the GDPR are substantial. Regulators can impose fines of up to:

• 4% of total annual worldwide turnover or €20,000,000

Expanded scope

Applies to all data controllers and processors established in the EU and organisations that target EU citizens

Data Protection Officers (DPOs)

DPOs must be appointed if an organisation conducts large scale systematic monitoring or processes large amounts of sensitive personal data

Accountability

Organisations must prove they are accountable by:

• Establishing a culture of monitoring, reviewing and assessing data processing procedures

• Minimising data processing and retention of data

• Building in safeguards to data processing activities

• Documenting data processing policies, procedures and operations that must be made available to the data protection supervisory authority on request

Privacy Impact Assessments

Organisations must undertake Privacy Impact Assessments when conducting risky or large scale processing of personal data

Consent

• Consumer consent to process data must be freely given and for specific purposes

• Customers must be informed of their right to withdraw their consent

• Consent must be ‘explicit’ in the case of sensitive personal data or transborder dataflow

Mandatory breach notification

• Organisations must notify the supervisory authority of data breaches ‘without undue delay’ or within 72 hours, unless the breach is unlikely to be a risk to individuals

• If there is a high risk to individuals, those individuals must be informed as well

New rights

• The right to be forgotten — the right to ask data controllers to erase all personal data without undue delay in certain circumstances

• The right to data portability — where individuals have provided personal data to a service provider, they can require the provider to ‘port’ the data to another provider, provided this is technically feasible

• The right to object to profiling — the right not to be subject to a decision based solely on automated processing

Privacy by Design

• Organisations should design data protection into the development of business processes and new systems

• Privacy settings are set at a high level by default

Obligations on processors

New obligations on data processors — processors become an officially regulated entity


Are organisations ready for the EU General Data Protection Regulations?

Organisations will have two years to prepare for the GDPR in the transition period between the old directive and the new regulation.

Now is the time to take action.

Ask yourself these key questions:

Expanded scope: Are you a data processor or a data controller processing personal data inside the EU or processing the personal data of EU citizens?

Mandatory Breach Notification: Would you be able to notify a data protection supervisory authority of a data breach within 72 hours?

Data Protection Officers: Do you conduct large scale systematic monitoring (including employee data) or process large amounts of sensitive personal data?

Privacy by Design: Do you design data protection and privacy requirements into the development of your business processes and new systems?

Accountability: Do you have a data protection programme and are you able to provide evidence of how you comply with the requirements of the EU GDPR?

New rights: Do you know how you will comply with the new rights: the ‘right to be forgotten’, the ‘right to data portability’ and the ‘right to object to profiling’?


Findings from the joint IAPP-EY Annual Privacy Governance Report 2015 and the EY Global Information Security Survey 2015 both indicated that organisations still need to increase their investment in data protection.

Organisations will need to increase their focus on data protection compliance given the stringent requirements of the GDPR and the potential fines, which can be up to 4% of an organisation's global annual turnover.

[Figure: survey charts from the IAPP-EY Annual Privacy Governance Report 2015 and the EY Global Information Security Survey 2015. Panels: ‘Where is privacy maturity process in your company?’ (early stage, middle stage, mature stage, no way to tell); ‘In the coming year, number of employees dedicated to privacy is expected to:’ (increase, decrease, stay the same, no way to tell); ‘In the next 12 months, expect privacy budget will:’ (increase, decrease, stay the same, no way to tell); ‘Privacy program priorities (% ranking each in top two)’: regulatory and legal compliance, safeguarding data against attacks and threats, increasing consumer trust, marketplace reputation and brand, ethical decision-making concerning use of data, ensuring business partner compliance, maintaining or enhancing the value of information, increase employee trust. Callouts: share of respondents who highlighted that their privacy maturity was only at early or middle stages of maturity; share of organisations interviewed who said that regulatory and legal compliance was one of their top reasons for investing in privacy; share who identified that data protection is not yet a high priority; share of organisations planning to increase the number of employees dedicated to their privacy programmes and increase privacy budgets in the coming year; mean number of years for the duration of a privacy programme = 7.]

Source: The IAPP-EY Annual Privacy Governance Report 2015


How can you prepare for the EU General Data Protection Regulation?

To prepare for the new EU GDPR, organisations will need to have a clear understanding of their current compliance position.

An important first step will be for organisations to have clarity of their personal data processing, including:

► What personal data they process

► Where it is across their organisation

► Where it is transferred from and to (including to third parties and cross-border)

► How it is secured throughout its lifecycle.

With an understanding of their compliance gaps, organisations will be in a position to assess their personal data risks and develop prioritised remediation plans.

EY is helping clients address these challenges with the following solutions:

► GDPR Readiness Assessment: Workshops and 1:1 meeting to establish key GDPR gaps

► Privacy Impact Assessments (PIA): Assessments of privacy risk across new systems or projects

► GDPR ‘360 Degree’ Assessment: Detailed assessment of maturity and compliance with the GDPR

► ‘Know your personal data’: Identify where personal data is across your network and create a personal data inventory using tooling, e.g., the Raven Exonar tool

► Data protection improvement programme: Holistic programme to achieve compliance with the GDPR

► Legal advice and support


GDPR Readiness Assessment

How do we do it? Workshops and 1:1 meeting using our Readiness Assessment tool to walk through your current compliance with the new GDPR and identify significant gaps and remediation required.

What do you get? A targeted and quick assessment of your compliance with the GDPR, providing a dashboard showing your readiness to comply with each of the key GDPR requirements.

GDPR ‘360 Degree’ assessment

How do we do it? Detailed questionnaires, interviews and workshops to understand your GDPR compliance position.

What do you get? A detailed assessment showing your maturity against the GDPR requirements, your key gaps and risks, and a remediation roadmap.

Privacy Impact Assessments (PIA)

How do we do it? Design of a tailored PIA template. Interviews with system/project owners and review of designs and documentation to assess the risks of harm to individuals through the misuse of their personal information.

What do you get? A detailed assessment of your systems or projects identifying key privacy risks and remediation required to produce compliant methods for handling personal information.

‘Know your personal data’ – data inventory

How do we do it? Use the Exonar Raven platform to scan an agreed sample of your network and interrogate the contents of documents to understand what personal data you have in your organisation and where it is.

What do you get? A personal data inventory, dashboard and a data map of the data analysed, enabling you to have a clear picture of the personal data you use across your organisation.

Data protection improvement programme

How do we do it? A programme of interlinked activities to develop your privacy framework and improve your maturity and compliance with the GDPR.

What do you get? Development and implementation of a robust data protection framework, remediating your GDPR compliance gaps.

Legal advice and support

How do we do it? Global network of lawyers with cross border expertise, on hand to provide tailored legal advice and solutions.

What do you get? Legal advice tailored to the needs of your organisation.


How we can help you get ready

Solution | Overview | Service provider | Timescales

GDPR Targeted Assessment
Overview: High level assessment of data protection maturity
► Targeted assessment gauging readiness for the new requirements of the GDPR
Timescales: 1 day

‘Know your personal data’ – data inventory
Overview: Personal information inventory
► Use of the Exonar Raven tool to identify and document a sample of the personal data you have in your organisation, where it is, where it is transferred from/to, who has access to it
► Process or system specific personal information flow diagrams and documentation
Timescales: 2-12 weeks depending on the size and complexity of the organisation

Privacy Impact Assessment
Overview: Customised Privacy Impact Assessment
► Assessment of your systems or projects identifying key data protection risks
Timescales: 1-2 weeks depending on the size and complexity of the project or systems that need to be analysed

GDPR ‘360 Degree’ Assessment
Overview: Detailed assessment of data protection maturity; compliance requirements; risk assessments; personal information flow documentation
► Risk assessment and maturity evaluation based on industry framework and EU General Data Protection Regulation
► Recommendations and roadmap for remediation
► Product and process-specific risks
Timescales: 2-4 weeks depending on the size and complexity of the organisation


Solution | Overview | Service provider | Timescales

Data protection improvement programme
Overview: Programme design; programme implementation; compliance and monitoring solutions; ongoing programme support
Design and delivery of data protection improvement programmes, including the development and implementation of:
► Data protection frameworks
► Privacy governance and organisation design
► Policy and procedures
► Training and awareness
► Incident management
► Third Party management
► Risk management
► Procedures and controls
► Information security controls
► Binding Corporate Rules program compliance
► Ongoing compliance and monitoring
Timescales: 3-24 months depending on maturity and size of the organisation

Legal Support
Overview: Legal analysis; drafting of legal documents
► Legal analysis of compliance with data protection legislation
► Drafting and advising on compliance programmes and policies
► Assessment of any non-compliance and suggestions of remedial action
► Drafting for data controller and data processor agreements
► Drafting of Binding Corporate Rules
Timescales: Assessed on a case by case basis – depending upon scope


Example outputs

We can work with organisations to enhance their understanding of their compliance position and maturity level. Below are some examples of the types of work products we have previously produced on data protection engagements:

[Figure: example maturity assessment output. A chart rated from 1 to 5 across Training and Awareness, Policies, Inventory, Compliance, Governance, Third Party Management, Procedures and Controls, Risk Management, Incident Management and Information Security, plotting Current Maturity, Desired Maturity and Average Current Control Maturity. Second panel: ‘GeoLocation of SPI/PII Data Outside the UK’ (1).]


[Figure: EY’s risks map, plotting maturity (Level 1 to Level 4) against risk (low to high). Key: Circles: 1. Third party management; 2. Training and awareness; 3. Risk Management; 4. Policy; 5. Data leakage; 6. Treating customer fairly; 7. Incident management. Sectors: A. Higher risk, lower maturity; B. Higher risk, higher maturity; C. Lower risk, lower maturity; D. Lower risk, higher maturity.]

Organisations face many challenges preparing for the EU GDPR over the next couple of years. It is important that they understand their current state and the steps necessary to move towards compliance with the EU GDPR.

[Figure: example data inventory outputs (1). ‘HR Data Located in Wrong Place’: HR data found on public server, web server and internal locations (D://inetpub, D://EXP, D://www). ‘SPI/PII by Application System’: bar chart of total documents (0 to 100,000) for Complaints Management, CRM, Customer Service, Data Warehouse, Email, Marketing and Website; bar values as extracted: 20,123; 35,236; 12,423; 34,561; 76,432; 64,521; 34,562.]

1 Images from Raven Exonar


Contacts

If you would like to discuss any of the issues raised in this brochure then please get in touch.

Chris Gould, Partner, Cyber Security and Resilience
Tel: +44 20 7951 0086 Mobile: +44 7831 136 995 Email: [email protected]

Nicola Hermansson, Director, UK&I Data Protection Leader
Tel: +44 20 7951 8332 Mobile: +44 7795 828 811 Email: [email protected]

Louisa Elder, Director, Head of IP and Data for Law
Tel: +44 20 7197 7929 Mobile: +44 7714 204 208 Email: [email protected]


EU General Data Protection Regulation: Get ready, the clock is ticking


About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP

The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with registered number OC300001 and is a member firm of Ernst & Young Global Limited.

Ernst & Young LLP, 1 More London Place, London, SE1 2AF.

© 2016 Ernst & Young LLP. Published in the UK. All Rights Reserved.

ED None

1411555.indd (UK) 03/16. Artwork by Creative Services Group Design.

In line with EY’s commitment to minimise its impact on the environment, this document has been printed on paper with a high recycled content.

Information in this publication is intended to provide only a general outline of the subjects covered. It should neither be regarded as comprehensive nor sufficient for making decisions, nor should it be used in place of professional advice. Ernst & Young LLP accepts no responsibility for any loss arising from any action taken or not taken by anyone using this material.

ey.com/uk

EY | Assurance | Tax | Transactions | Advisory