.jpg.pwcimage.150.100.jpg)
Getting ready for the General Data Protection Regulation
The General Data Protection Regulation (GDPR) will impact every entity that holds or uses European personal data both inside and outside of Europe. GDPR is an opportunity to be embraced and a challenge to overcome to ensure compliance.
In order to be ready for the GDPR, entities will need to set their vision, agree their strategy and constitute their structures for achieving data protection and privacy operational change and compliance. These are not simply legal questions: getting ready for the GDPR requires multi-disciplinary skill sets.
Our team has the skills to provide solutions to the challenges ahead.
Processing must be fair and transparent. This means the data subject must be informed of: who is collecting their data, what is being done with it, who it will be shared with. This information should be easily accessible and presented in language the individual can understand.
GDPR emphasises accountability and governance, and you must be able to demonstrate compliance. This will mean: written policies and procedures, privacy impact assessments, enhanced documentation requirements and a requirement for many organisations to appoint a Data Protection Officer.
Security over data processing remains a key theme under the GDPR. Security measures must be appropriate to the level of risk, and must be regularly tested and evaluated. GDPR will introduce specific requirements regarding breach reporting to the Regulator and affected individuals.
In the time available, organisations with significant personal data and complex processes will struggle to be fully compliant by May 2018. It’s therefore essential that your organisation has a clear vision and a risk-based approach to your GDPR implementation programme.
What will the GDPR mean for you?
- Emphasis on individual rights
- Other new or enhanced requirements
Emphasis on individual rights
Under the GDPR, individuals will have the following new and enhanced rights to:
- Access personal data
- Correct data inaccuracies
- Have data deleted / erased
- Prevent direct marketing
- Restrict automated decision-making and profiling
- Data portability, or the right to receive personal data
Other new or enhanced requirements
- New categories of personal information brought into scope, including images, IP addresses and biometric data
- Enhanced documentation requirements, including personal data flows and processing activity
- Designation of a Data Protection Officer for many businesses
- Mandatory 72 hour breach notification
- Performance of regular risk assessments and privacy impact assessments
- Privacy by design embedded throughout the organisation’s systems, technologies and processes
- Scope of GDPR is extended to companies that process data on behalf of other organisations
A failure to comply with the GDPR could result in fines of up to the higher of €20 million, or 4% of the organisation’s annual global turnover. However, the legal cost of dealing with data subject claims where organisations have got it wrong could exceed any fine imposed by the regulator.
Our services
We can help you to:
- Develop a GDPR strategy
- Map your data or create a data asset register
- Develop data privacy policies & procedures
- Assess the risks associated with third party vendors or partners
- Understand the implications of international data transfers
- Create a data breach response plan
- Train your staff
- Project manage your GDPR remediation programme
- Health-check the work you’ve done to date towards GDPR compliance
We recognise that one size does not fit all, and that every business has unique characteristics requiring a tailored approach to data protection. We can help you define a strategy for your privacy programme, and a tailored approach based on what matters most to your organisation and your appetite for risk.
We can help you prepare for the GDPR, from assessing your current state of compliance, through assisting you with your remediation programme, to establishing what “business as usual” will look like from May 2018.
