On 25th May 2018 the General Data Protection Regulation came into force, revolutionising the way that personal data are used and handled. Controllers and processors of personal data need to adhere to the new regulation in their processes, and PwC can help.
If you are an organisation processing personal data in the European Union (EU), offering goods and services to individuals in the EU, or monitoring the online activities of EU citizens, you will need to comply with the GDPR.
The GDPR is the largest shift in EU data protection legislation since the European Data Protection Directive from 1995. It requires wide-scale privacy changes and changes to internal processes in organisations. Regulators have gained new powers to impose fines. Nevertheless, the GDPR also represents an opportunity to:
It is essential that organisations are able to demonstrate to regulators that they have appropriate mechanisms in place to comply.
Stewart Room, Joint Global Head of Data Protection and Global Legal Services leader, PwC UK, discusses the General Data Protection Regulation (GDPR) and its impacts for both entities and citizens | Duration 1:48
A detailed inventory of personal data processing is the basis for planning and effectively managing personal data processing in the company. As a structured database it provides a summary of all purposes of personal data processing in the company and gives management an easily accessible overview of what types of personal data are processed in particular systems, the relevant access rules, etc.
A well-designed inventory of personal data is the basis on which effective processes and organisational measures should be built. Compliance requires appropriate internal guidelines that define the responsibilities of company employees, the position and responsibilities of the Data Protection Officer, and the processes that safeguard the rights of Data Subjects.
Clear and understandable GDPR documentation is essential for a number of reasons:
We will prepare for you, or we will review and modify:
Fulfilment of GDPR requirements (data minimisation and ensuring that rights, including the right to erasure, can be exercised) means that companies need detailed rules for the duration of processing and for the subsequent archiving and erasure or anonymisation of specific types of personal data.
This is a significant challenge for every personal data controller, and it requires detailed mapping of the types of personal data held in all systems and setting rules for their automatic and manual erasure.
In certain cases when a company processes or plans to process sensitive personal data or data on a large scale, GDPR requires that it assess risks in a specific way: by performing Data Protection Impact Assessment (“DPIA”) in line with requirements of GDPR Article 35.
Using our proprietary automated tool for performing DPIA, we can perform this assessment for you, or we can prepare and deliver to you a tailored methodology in a standardized format (MS Excel, MS Access, or other) which will enable you to repeatedly perform DPIA on your own.
Protection of personal data cannot be achieved by an organisation merely on paper. To comply with GDPR requirements, it is necessary to implement appropriate processes and to take suitable organisational measures. These processes must be performed by well-informed employees with a high level of security awareness.
Training in various formats is the basic tool for providing this information to employees. Training designed and conducted by our experts can take the form of classroom-style presentations, e-learning, or tailored employee guidelines. The aim is to make your employees aware of the practical principles of personal data protection, and to make sure that they comply with these principles when communicating with your customers and stakeholders.
DPIA, including a pre-assessment to determine for which processing purposes a full DPIA is necessary.
Management of an organisation needs information on the status of compliance with the GDPR and on the existence of any major risk areas. The methodology of the compliance assessment may also be used as a work programme for an internal audit.
There is currently no internationally acknowledged methodology or standard for evaluating GDPR compliance. Our assessment framework is based on PwC's own methodology and on experience from implementation projects, information security projects and audits.
The objective is: