ey general data protection regulation: are you ready?
TRANSCRIPT
What do you need to know about the new EUGeneral Data Protection Regulation?
Data protection has entered a period of unprecedented change.
This has been driven by:
► An increasing number of high profile data breaches reported in the media that has led consumers and
regulators to be concerned about how personal data is managed
► The demise of Safe Harbor
► The new EU General Data Protection Regulation (GDPR) – a landmark moment in data protection
On December 17, 2015, after more than three years of tough negotiations and several draft versions of the GDPR,
an informal agreement has been reached between the European Parliament and Council of the European Union.
The GDPR is a game changer for organisations. The final draft has been backed by the Committee on Civil Liberties,
Justice and Home Affairs. It introduces more stringent and prescriptive data protection compliance challenges,
backed by fines of up to 4% of global annual revenue. The Regulation will replace the Directive 95/46/EC, which
has been the basis of European data protection law since it was introduced in1995. When the GDPR is officially
adopted later this year it will apply in EU Member States without further consultation after a period of two years.
The Regulation will have a significant impact on businesses in all industry sectors, bringing with it both positive and
negative changes for business in terms of cost and effort. Organisations are likely to welcome the harmonisation
of laws across the 28 member states which will make the complex data protection landscape easier to navigate for
multinational organisations. The introduction of new rights for individuals, such as the Right to be Forgotten and
the Right to Portability, as well as the introduction of mandatory breach notification, are likely to increase the
regulatory burden for organisations. Businesses need to review their current data protection compliance
programmes to determine next steps and decide on the level of investment they need to make over the next two
years to address the changes.
Organisations need to act now to ensure that they are ready to comply with the new Regulation when it comes into
force in the spring of 2018.
EU General Data Protection Regulation: Are you ready? 1
Key changes proposed by the EU GDPR
Fines of up to4% of annual worldwideturnover
Fines for a breach of the GDPR are substantial. Regulators can impose fines of up to:► 4% of total annual worldwide turnover or €20,000,000
Expanded scope Applies to all data controllers and processors established in the EU and organisationsthat target EU citizens
Data Protection Officers(DPOs)
DPOs must be appointed if an organisation conducts large scale systematic monitoringor processes large amounts of sensitive personal data
Accountability Organisation must prove they are accountable by:► Establishing a culture of monitoring, reviewing and assessing data processing
procedures► Minimising data processing and retention of data► Building in safeguards to data processing activities► Documenting data processing policies, procedures and operations that must be made
available to the data protection supervisory authority on request
Privacy ImpactAssessments
Organisations must undertake Privacy Impact Assessments when conducting risky orlarge scale processing of personal data
Consent ► Consumer consent to process data must be freely given and for specific purposes► Customers must be informed of their right to withdraw their consent► Consent must be ‘explicit’ in the case of sensitive personal data or transborder
dataflow
Mandatorybreach notification
► Organisations must notify supervisory authority of data breaches ‘without unduedelay’ or within 72 hours, unless the breach is unlikely to be a risk to individuals
► If there is a high risk to individuals, those individuals must be informed as well
New rights ► The right to be forgotten — the right to ask data controllers to erase all personal datawithout undue delay in certain circumstances
► The right to data portability — where individuals have provided personal data to aservice provider, they can require the provider to ‘port’ the data to another provider,provided this is technically feasible
► The right to object to profiling — the right not to be subject to a decision based solelyon automated processing
Privacy by Design ► Organisations should design data protection into the development of businessprocesses and new systems
► Privacy settings are set at a high level by default
Obligations on processors New obligations on data processors — processors become an officially regulated entity
EU General Data Protection Regulation: Are you ready? 1
Organisations will have two years to prepare for the GDPR in the transition period between the old directive and the
new regulation.
Now is the time to take action.
Ask yourself these key questions:
EU General Data Protection Regulation: Are you ready? 2
Are organisations ready for the EU General DataProtection Regulations?
Expanded scope Are you a data processor or a data controller processing personal datainside the EU or processing the personal data of EU citizens?
Data ProtectionOfficers
Do you conduct large scale systematic monitoring (including employeedata) or process large amounts of sensitive personal data?
Accountability Do you have a data protection programme and are you able to provideevidence of how you comply with the requirements of the EU GDPR?
Privacy byDesign
Do you design data protection and privacy requirements into thedevelopment of your business processes and new systems?
MandatoryBreachNotification
Would you be able to notify a data protection supervisory authority of adata breach within 72 hours?
New rightsDo you know how you will comply with the new rights: the ‘right to beforgotten’, the ‘right to data portability’ and the ‘right to object toprofiling’?
Findings from the joint IAPP-EY Annual Privacy Governance Report 2015 and the EY Global Information Security
Survey 2015 both indicated that organisations still need to increase their investment in data protection.
► Both reports identified that data protection is not yet a high priority
► 63% of respondents from the IAPP-EY Annual Privacy Governance report highlighted that their privacy maturity
was only at early or middle stages of maturity
Organisations will need to increase their focus on data protection compliance given the stringent requirements of
the GDPR and the potential fines which can be up to 4% of an organisations global annual turnover.
The new EU GDPR is driving organisations to invest in privacy programmes:
► 67% of organisations interviewed for the IAPP-EY Annual Privacy Governance Report 2015 said that regulatory
and legal compliance was one of their top reasons for investing in privacy
► 31% of organisations are planning to increase the number of employees dedicated to their privacy programmes
and increase privacy budgets in the coming year
EU General Data Protection Regulation: Are you ready? 3
Where is privacy maturityprocess in your company?
Privacy program priorities(% ranking each in top two)
In the coming year, number ofemployees dedicated toprivacy is expected to:
9%
10%
17%
18%
28%
32%
44%
67%
0% 20% 40% 60% 80%
Increaseemployee trust
Maintaining orenhancing the
valueof information…
Ensuring businesspartner
compliance
Ethical decision-making
concerning use ofdata
Marketplacereputation and
brand
Increasingconsumer trust
Safeguarding dataagainst
attacks andthreats
Regulatory andlegal compliance
In the next 12 months, expectprivacy budget will:
31%
3%
60%
6%
Increase Decrease
Stay the same No way to tell
31%
6%
49%
13%
Increase Decrease
Stay the same No way to tell
19%
44%
37%
Early stage Middle stage
Mature stage
Mean number of years for theduration of a privacy programme= 7
Source: The IAPP-EY Annual PrivacyGovernance Report 2015
To prepare for the new EU GDPR, organisations will need to have a clear understanding of their current compliance
position.
An important first step will be for organisations to have clarity of their personal data processing, including:
► What personal data they process
► Where it is across their organisation
► Where it is transferred from and to (including to third parties and cross-border)
► How it is secured throughout its lifecycle.
With an understanding of their compliance gaps, organisations will be in a position to assess their personal data risks
and develop prioritised remediation plans.
EY is helping clients address these challenges with the following solutions:
EU General Data Protection Regulation: Are you ready? 4
How can you prepare for the EU General DataProtection Regulation?
Lega
ladv
ice
and
supp
ort
GDPR SpeedAssessment1:1 meeting to establishkey GDPR gaps
GDPR ‘360 Degree’AssessmentDetailed assessment ofmaturity and compliancewith the GDPR
Privacy ImpactAssessments (PIA)Assessments of privacyrisk across new systemsor projects
Data protection improvement programmeHolistic programme to achieve compliance with the GDPR
‘Know your personal data’Identify where personal data is across your network and create a personal datainventory using tooling, e.g., the Raven Exonar tool
EU General Data Protection Regulation: Are you ready? 5
How do we do it?Detailed questionnaires,interviews and workshops tounderstand your GDPRcompliance position.
What do you get?A detailed assessmentshowing your maturityagainst the GDPRrequirements, your key gapsand risks, and a remediationroadmap.
How do we do it?Design of a tailored PIAtemplate. Interviews withsystem/project owners andreview of designs anddocumentation to assessthe risks of harm toindividuals through themisuse of their personalinformation.
What do you get?A detailed assessment ofyour systems or projectsidentifying key privacy risksand remediation required toproduce compliant methodsfor handling personalinformation.
How do we do it?Use the Exonar Ravenplatform to scan an agreedsample of your networkand interrogate thecontents of documents tounderstand what personaldata you have in yourorganisation and where itis.
What do you get?A personal data inventory,dashboard and a data mapof the data analysedenabling you to have aclear picture of thepersonal data you useacross your organisation.
‘Know your personal data’– data inventory
How do we do it?A programme of interlinkedactivities to develop yourprivacy framework andimprove your maturity andcompliance with the GDPR.
What do you get?Development andimplementation of a robustdata protection framework,remediating your GDPRcompliance gaps.
Data protectionimprovement programme
How do we do it?Global network of lawyerswith cross border expertise,on hand to provide tailoredlegal advice and solutions.
What do you get?Legal advice tailored to theneeds of your organisation.
Legal advice and support
How do we do it?1:1 meeting using our speedassessment tool to walkthrough your currentcompliance with the newGDPR and identify significantgaps and remediationrequired.
What do you get?A targeted and quickassessment of yourcompliance with the GDPR,providing a dashboardshowing your readiness tocomply with each of the keyGDPR requirements.
Privacy ImpactAssessments (PIA)
GDPR Speed Assessment GDPR ‘360 Degree’assessment
EU General Data Protection Regulation: Are you ready? 5
Our Legal Privacy Client Solution
How do we do it?EY law assist you in themapping of data flows inorder to identify andimplement the appropriatedata transfer tools(Standard contractualclauses (SCC), BCRs, codeof conducts and otherrelevant certificationschemes).What do you get?A detailed mapping of yourtransfer of personal data,legal requirements and theappropriate tools andprocedures to frame yourinternational transfers ofpersonal (such as SCCagreements, code ofconducts…)
How do we do it?EY Privacy lawyerssupport internal auditteams to conduct privacyrisks audits. By means of aspecific privacy auditprogram, we map the dataprocessing operations andassess the risks accordingto the sensitivity of thedata processed and youractivities.
What do you get?A detailed sector-orientedprivacy impactassessment of you dataprocessing operations inthe light of the GDPRrequirements. We identifyrisks, gaps and we build aremediation roadmap.
Internal Audit SupportServices
Relationships with DPAsand EU institutions forspecial projects
International data transfersstrategy (BCRs, EU modelclauses…)
GDPR Compliance toolkit
How do we do it?We make privacycompliance easier formultinational companies bydrafting a set of bindingcorporate rules to frametheir intra-group exchangeof information. With thehelp of our Global networkof lawyers with crossborder data protectionexpertise, we prepare andassist you in theimplementation of theBCRs set of policies.
What do you get?A set of BCR and relatedprocedures which fits theparticulars of your groupand assistance in theimplementation within EUMember States.
BCR preparation, draftingand implementation
How do we do it?EY may help you appointingand training a dataprotection officer (DPO) or anetwork of DPOs.EY may also act as a DPO foryou (identification of filingsrequirements,documentation of dataprocessing operations andmanagement of theregister…)
What do you get?The appointment andtraining of a DPO and legalassistance and support foryour DPO to prepare for theGDPR.EY acting as a external DPO.
DPO legal support
How do we do it?EY law may assist you inyour endeavors with EUinstitutions and DPAs:request of adequacy of acountry located outside theEU, drafting of codes ofconducts and certificationschemes, assistance duringinvestigations andimplementation of complexprivacy impact assessments(PIA).
What do you get?Strong support to liaise withDPAs and EU institutions inhearings and through thedrafting of legal memos,PIAs, adequacy applicationrequest and related reports,ad hoc policies andcompliance program.
How do we do it?EY law designs and providesassistance in implementingcompliance tools (such asdata processing inventory,global data privacy chartsand check lists, retentionpolicies, informationnotices, awareness raisingtools for employees, privacyimpact assessmenttemplates, codes ofconducts etc.).EY law also performstailored legal monitoring.What do you get?Development,implementation andmanagement of robustprocedures to comply withthe GDPR requirements.
How we can help you get ready
Privacy ImpactAssessment
Customised PrivacyImpact Assessment
► Assessment of your systemsor projects identifying keydata protection risks
1-2 weeks dependingon the size andcomplexity of theproject or systemsthat need to beanalysed
GDPR SpeedAssessment
High levelassessment of dataprotection maturity
1 day► Targeted assessment gaugingreadiness for the newrequirements of the GDPR
GDPR ‘360 Degree’Assessment
Detailed assessmentof data protectionmaturity
Risk assessments
Compliancerequirements
► Risk assessment and maturityevaluation based on industryframework and EU GeneralData Protection Regulation
► Recommendations androadmap for remediation
► Product and process-specificrisks
2-4 weeks dependingon the size andcomplexity of theorganisation
‘Know your personaldata’ – datainventory
► Use of the Exonar Raven toolto identify and document asample of the personal datayou have in yourorganisation, where it is,where is transferred from/to,who has access to it
► Process or system specificpersonal information flowdiagrams and documentation
2-12 weeksdepending on thesize and complexityof the organisation
Personal informationinventory
Personal Informationflow documentation
TimescalesOverview Service providedSolution
TimescalesOverview Service providedSolution
Data protectionimprovementprogramme
► Design and delivery of dataprotection improvementprogrammes, including thedevelopment andimplementation of:► Data protection
frameworks► Privacy governance and
organisation design► Policy and procedures► Training and awareness► Incident management► Third Party management► Risk management► Procedures and controls► Information security
controls► Binding Corporate Rules
program compliance► Ongoing compliance and
monitoring
3-24 monthsdepending onmaturity and size ofthe organisation
Programme design
Programmeimplementation
Compliance andmonitoring solutions
Ongoing Programmesupport
LegalSupport
► Legal analysis of compliancewith data protectionlegislation
► Drafting and advising oncompliance programmes andpolicies
► Assessment of any non-compliance and suggestionsof remedial action
► Drafting for data controllerand data processoragreements
► Drafting of Binding CorporateRules
Assessed on a caseby case basis –depending uponscope
Legal analysis
Drafting of legaldocuments
EU General Data Protection Regulation: Are you ready? 9
TimescalesOverview Service providedSolution
Data protectionimprovementprogramme
► Design and delivery of dataprotection improvementprogrammes, including thedevelopment andimplementation of:► Data protection
frameworks► Privacy governance and
organisation design► Policy and procedures► Training and awareness► Incident management► Third Party management► Risk management► Procedures and controls► Information security
controls► Binding Corporate Rules
program compliance► Ongoing compliance and
monitoring
3-24 monthsdepending onmaturity and size ofthe organisation
Programme design
Programmeimplementation
Compliance andmonitoring solutions
Ongoing Programmesupport
LegalSupport
► Legal analysis of compliancewith data protectionlegislation
► Drafting and advising oncompliance programmes andpolicies
► Assessment of any non-compliance and suggestionsof remedial action
► Drafting for data controllerand data processoragreements
► Drafting of Binding CorporateRules
Assessed on a caseby case basis –depending uponscope
Legal analysis
Drafting of legaldocuments
EU General Data Protection Regulation: Are you ready? 10
TimescalesOverview Service providedSolution
International datatransfers strategy
► Identification of data flows► Design and delivery of the
appropriate data transfertools, including thedevelopment andimplementation of:► Standard contractual
clauses (for datacontrollers or dataprocessors)
► BCRs► Policy and procedures
(such as audit program,internal compliancemanagement…)
► Privacy governance andorganization design
► Codes of conducts andother certificationschemes
1-24 monthsdepending on thesize of the entity andthe tools to beimplemented
Standard ContractualClauses
Binding ContractualClauses
Other tools such asCodes of conductsand othercertification schemes
Preparation of thegroup to theimplementation ofBCRs
BCR preparation,drafting andimplementation
► Understanding of the group’sstructure and data flows
► Assistance to present theBCRs project to the DPA andliaising with the DPAs
► Drafting of the BCRs► Drafting of the related
procedures and policies:complaint handlingmanagement, annual auditprogram, BCRs check list,data protection trainingprograms, model contractualclause to include inagreements
► Implementation of the BCRsin all contemplatedjurisdictions
12 months – 18months
Drafting of BCRs andassistance in theadoption
Implementation ofBCRs
EU General Data Protection Regulation: Are you ready? 11
TimescalesOverview Service providedSolution
GDPR Compliancetool kit
► Mapping of legalrequirements in the light ofthe GDPR
► Legal monitoring of legalevolutions worldwide
► Documentation of dataprocessing operations
► Design and delivery of dataprotection procedures andcompliance tools, includingthe development andimplementation of:► Global data privacy chart► Retention policies► Information notices► Awareness raising tools
for employees► Privacy impact
assessment templates► Data privacy checklists► BCRs
► Assistance in implementingdata protection procedureand compliance tools
Assessed on a caseby case basis –depending uponscope
Mapping ofapplicable legalrequirements
Compliance and legalmonitoring solutions
Documentation ofdata processingoperations
Drafting andimplementation ofprocedures andpolicies
DPO LegalSupport
► Strategic organisation of dataprivacy governance scheme
► Assistance of appointment ofthe DPO with DPA
► Training of DPO► Legal support► EY Law as DPO
Assessed on a caseby case basis –depending uponscope
Appointment,training of DPO andlegal support
EY acting as externalDPO
EU General Data Protection Regulation: Are you ready? 12
TimescalesOverview Service providedSolution
Internal AuditSupport Services
► Conducting privacy auditsand PIAs as a part of theinternal audit program(identifying data processingoperations, gaps and risks)
► Building a remediationroadmap and maturity in dataprotection matters
► Assistance in theimplementation of theremediation measures tocomply with GDPR
1-3 monthsdepending onmaturity and size ofthe organisation
Privacy risks audit
Privacy impactassessment (PIAs)
Remediation actions
AdequacyRelationships withDPAs and EUinstitutions forspecial projects
► Preparing the applicationrequest of a country locatedoutside the EU to berecognized as offering anadequate level of protection
► Preparing complex PIAs forcomplex technologicalprojects, notably in thehealth sector
► Liaising with EU institutionsand DPAs
► Drafting ad procedures andcompliance programs
Assessed on a caseby case basis –depending uponscope
Privacy ImpactAssessments andother certificationprocedures
Liaising with DPAsand EU institutions
EU General Data Protection Regulation: Are you ready? 13
We can work with organisations to enhance their understanding of their compliance position and maturity level.
Below are some examples of the types of work products we have previously produced on data protection
engagements:
EU General Data Protection Regulation: Are you ready? 8
Example outputs
Organisations face many challenges preparing for the EU GDPR over the next couple of years. It is important that
they understand their current state and the steps necessary to move towards compliance with the EU GDPR.
If you would like to discuss any of the issues raised in this brochure then please get in touch with the contacts
overleaf.
20,12335,236
12,423
34,561
76,43264,521
34,562
0
25,000
50,000
75,000
100,000
Com
plai
nts
Man
agem
ent
CRM
Cust
omer
Serv
ice
Dat
aW
areh
ouse
Emai
l
Mar
ketin
g
Web
site
Tota
lDoc
umen
ts
SPI/PII by Application System1
1 Images from Raven Exonar
GeoLocation of SPI/PII Data Outside the UK1
1
Chris GouldPartner, Cyber Security and ResilienceDirect Tel: + 44 20 7951 0086Mobile: + 44 7831 136 995Email: [email protected]
Nicola HermanssonDirector, UKI Data protection leaderDirect Tel: + 44 20 7951 8332Mobile: + 44 7795 828 811Email: [email protected]
Louisa ElderDirector, Head of IP and Data for LawDirect Tel: + 44 20 7197 7929Mobile: + 44 7714 204 208Email: [email protected]
Contacts
EU General DataProtectionRegulation:Get ready, theclock is ticking
EY | Assurance | Tax | Transactions | Advisory
About EYEY is a global leader in assurance, tax, transaction and advisoryservices. The insights and quality services we deliver help build trustand confidence in the capital markets and in economies the worldover. We develop outstanding leaders who team to deliver on ourpromises to all of our stakeholders. In so doing, we play a critical rolein building a better working world for our people, for our clients andfor our communities.
EY refers to the global organization, and may refer to one or more, ofthe member firms of Ernst & Young Global Limited, each of which is aseparate legal entity. Ernst & Young Global Limited, a UK companylimited by guarantee, does not provide services to clients. For moreinformation about our organization, please visit ey.com.
Ernst & Young LLPThe UK firm Ernst & Young LLP is a limited liability partnership registered in England andWales with registered number OC300001 and is a member firm of Ernst & Young GlobalLimited.
Ernst & Young LLP, 1 More London Place, London, SE1 2AF.
© 2016 Ernst & Young LLP. Published in the UK.All Rights Reserved.
ED None
71565 (UK) 01/16. Creative Services Group.
In line with EY’s commitment to minimise its impact on the environment, thisdocument has been printed on paper with a high recycled content.
Information in this publication is intended to provide only a general outline of the subjectscovered. It should neither be regarded as comprehensive nor sufficient for making decisions,nor should it be used in place of professional advice. Ernst & Young LLP accepts noresponsibility for any loss arising from any action taken or not taken by anyone using thismaterial.
ey.com/uk