General Data Protection Regulation (GDPR)

On 25th May 2018 the General Data Protection Regulation came into force, revolutionising the way that personal data are used and handled. Controllers and processors of personal data need to adhere to the new regulation in their processes, and PwC can help.

What does GDPR mean for my organisation?

If you are an organisation established in the European Union (EU) that processes personal data, or you are established outside the EU but offer goods or services to individuals in the EU or monitor their behaviour (for example online tracking), you will need to comply with the GDPR.

The GDPR is the largest shift in EU data protection legislation since the Data Protection Directive of 1995 (Directive 95/46/EC). It requires wide-scale privacy changes and changes to internal processes in organisations, and regulators have gained new powers to impose fines. Nevertheless, the GDPR also represents an opportunity to:

  • transform your approach to privacy and increase efficiency of personal data processing,
  • harness the value of your data, and
  • ensure your organisation is fit for the digital economy.

It is essential that organisations are able to demonstrate to regulators that they have appropriate mechanisms in place to comply.

General Data Protection Regulation - our view on the key components in the GDPR


Video: Stewart Room, Joint Global Head of Data Protection and Global Legal Services leader, PwC UK, discusses the General Data Protection Regulation (GDPR) and its impacts for both entities and citizens (duration 1:48).

GDPR at a glance

It puts individuals back in control of their personal data

Consumers, customers, workers and users of public and charitable services have more power to control how their data are used. Controllers and processors of personal data may be required to report on, move or dispose of personal data when requested, and they must have the capability to do so wherever the law applies. The options for using personal data are restricted.

How you use data will be more transparent

The idea of transparency is considerably strengthened under the GDPR. Article 5 of the GDPR sets out the principles with which data controllers must comply when processing personal data; among them, data must be processed "lawfully, fairly and in a transparent manner in relation to the data subject". Organisations are required to articulate all of the ways personal data are used, and to make clear to individuals what their data are being used for and with whom they have been shared.

Organisations will be subject to higher standards of accountability

Organisations are required to implement measures that demonstrate their compliance. Such measures include keeping records of processing activities, informing individuals of their rights, and employing techniques such as pseudonymisation or encryption to ensure the security of personal data. Organisations also have to ensure that data they pass to third parties are handled in a manner compliant with the GDPR. In addition, some will have to appoint a Data Protection Officer (DPO) and carry out data protection impact assessments (DPIAs).

Fines are getting bigger, and the timelines are getting shorter

The GDPR introduces a tougher enforcement regime and exposes entities to increased financial liability. Fines for non-compliance can be as severe as 4% of total worldwide annual turnover or EUR 20 million, whichever is higher.

Data subjects’ rights have been strengthened and expanded upon

The data subjects' rights aim to give individuals control over their personal data, and people are also entitled to claim compensation if they suffer material or non-material damage as a result of non-compliance. The regulation retains the existing rights of data subjects and creates new rights for individuals, such as the "right to be forgotten" (right to erasure) and the "right to data portability". As data subjects' rights strengthen, it is important that organisations understand what each right means for them and their business.

01. Inventory of personal data processing

A detailed inventory of personal data processing is the basis for planning and effectively managing personal data processing in the company. As a structured database it provides a summary of all purposes of personal data processing in the company and gives management an easily accessible overview of which types of personal data are processed in which systems, the relevant access rules, etc.

Output

  • Inventory of personal data in database form, either in the readily accessible format of MS Excel or MS Access, or with a customised user-interface extension,
  • the company fulfils the requirement of GDPR Article 30 to maintain Records of Processing Activities.

02. Internal processes and organizational measures

A well-designed inventory of personal data is the basis on which effective processes and organisational measures should be built. Compliance requires appropriate internal guidelines that define the responsibilities of company employees, the position and responsibilities of the Data Protection Officer, and the processes that safeguard the rights of data subjects.

Output

  • Our internal process experts will help in analysing, amending and/or preparing new guidelines for the internal processes required to document compliance with GDPR requirements. Up-to-date and clearly understandable internal guidelines (for example in the form of department-specific "GDPR cookbooks") serve as a fundamental reference and set of rules for employees, as well as evidence of compliance with the GDPR.

03. Preparation of documentation: consents, information on personal data processing, data processing agreements

Clear and understandable GDPR documentation is essential for a number of reasons:

  • it ensures that the documentation requirements of the GDPR are met if a regulatory authority verifies your compliance,
  • it allows your partners, employees and the general public to be transparently informed about how you process their personal data,
  • it communicates your organisation's overall responsible approach to personal data processing.

Output

We will prepare for you, or we will review and modify:

  • consents to personal data processing in line with GDPR requirements (Articles 4(11) and 7),
  • information on personal data processing in line with GDPR Articles 13 and 14,
  • tailored templates of data processing agreements in line with GDPR Article 28,
  • tailored templates of any other documents as needed.

04. Retention periods for types of personal data and rules of erasure

Fulfilling GDPR requirements (data minimisation, storage limitation, and ensuring that rights such as the right to erasure can be exercised) means that companies need detailed rules for the duration of processing and the subsequent archiving and erasure or anonymisation of specific types of personal data.

This is a significant challenge for every personal data controller, and requires detailed mapping of the types of personal data in all systems and setting rules for their automatic and manual erasure.

Output

  • Analysis of the types of personal data, and determination of retention periods in line with legal requirements and the organisation's needs,
  • identification and prioritisation of information systems,
  • defining rules for when the legal basis of personal data processing ends and for the subsequent archiving and erasure,
  • defining procedural and organisational measures (including process workarounds) to perform manual erasure of data where automatic erasure is not possible.

05. Data protection impact assessment under GDPR Article 35

Where processing is likely to result in a high risk to the rights and freedoms of individuals, for example large-scale processing of special categories of personal data or systematic monitoring, the GDPR requires the company to assess the risks in a specific way: by performing a Data Protection Impact Assessment ("DPIA") in line with the requirements of GDPR Article 35.

Using our proprietary automated tool for performing DPIAs, we can perform this assessment for you, or we can prepare and deliver a tailored methodology in a standardised format (MS Excel, MS Access, or other) that enables you to perform DPIAs repeatedly on your own.

Output

  • Performance of the Data Protection Impact Assessment using our own methodology, which is based on the requirements of GDPR Article 35 and the WP29 guidelines on DPIAs,
  • preparation and delivery of your own internal methodology for performing DPIAs, including a pre-assessment to determine for which processing purposes a full DPIA is necessary.

06. Trainings for employees, and support for the Data Protection Officer

Protection of personal data cannot be achieved by an organisation merely on paper. To comply with GDPR requirements, it is necessary to implement appropriate processes and to take suitable organisational measures. These processes must be carried out by well-informed employees with a high level of security awareness.

Training in various formats is the basic tool for providing this information to employees. Training designed and conducted by our experts can take the form of classroom-style presentations, e-learning, or tailored employee guidelines. The aim is to make your employees aware of the practical principles of personal data protection, and to make sure that they comply with these principles when communicating with your customers and stakeholders.

Output

Our experts, with extensive practical experience in implementing the GDPR, provide training courses in the following areas:

  • in-person training on the basic principles of the GDPR,
  • in-person training focused on specific categories of employees and adapted to your processes (e.g. customer-facing employees),
  • e-learning (self-study) courses for employees, including assessments,
  • training for Data Protection Officers and support for the role of the DPO.

07. Post-implementation review of compliance and tools for internal audit

The management of an organisation needs information on the status of compliance with the GDPR and on the existence of any major risk areas. The compliance assessment methodology may also be used as a working programme for an internal audit.

There is currently no internationally recognised methodology or standard for evaluating GDPR compliance. Our assessment framework is based on PwC's own methodology and on experience from implementation projects, information security projects and audits.

Output

The objective is:

  • to provide the company's management with information on the results of the GDPR implementation, and to recommend corrective action where necessary,
  • to provide the internal audit department with a scalable tool for evaluating GDPR compliance.

Contact us

Štefan Čupil

Director, PwC Slovakia

Tel: +421 2 593 50 599

Marek Frecer

Manager, PwC Slovakia

Tel: +421 915 998 429
