General Data Protection Regulation (GDPR)

Are you ready for GDPR?

The European Union’s General Data Protection Regulation (GDPR) takes effect on May 25, 2018, creating challenges for every organization doing business in the EU before, during and after the deadline.


Counting Down to GDPR: Setting priorities now 

Any entity targeting or monitoring European citizens will need to comply with GDPR. As the largest change to data protection legislation in the last 20 years, GDPR gives regulators unprecedented power to impose fines and requires widescale privacy changes across organizations, including US-based companies if they conduct business in Europe.

But GDPR also represents a broad opportunity to:

  • transform your approach to privacy
  • harness the value of your data, and
  • ensure your organization is fit for tomorrow’s digital economy

This means getting ready now. Not all organizations will be compliant by May 2018, but GDPR regulators will need to see by then that robust plans are in place.


PwC's Toby Spry discusses how companies are setting priorities as the GDPR deadline nears.

How will GDPR affect your organization?

GDPR’s scope and requirements are deep and complex, so prepare for it now to help ensure compliance. The regulation requires a programmatic approach to data protection, like “SOX for privacy”, so you’ll need a defensible compliance program and the ability to prove you’re acting appropriately. Ask your organization these questions:

  • What is our data footprint in the European Union (e.g., data about employees, consumers and clients)?
  • Are we prepared to provide evidence of GDPR compliance to EU or US privacy regulators, who may request it on demand?
  • Do we have visibility of and control over what personal data we collect? How do we use it? With whom do we share it?
  • Do we have a privacy-by-design program, with Privacy Impact Assessments (PIAs), documentation and escalation paths?
  • Do we have a tested breach-response plan that meets GDPR’s 72-hour notification requirement?
  • Have we defined a roadmap for GDPR compliance?
  • Have we identified a Data Protection Officer (DPO) as required by GDPR?
  • Have we adopted a cross-border data transfer strategy?

GDPR program implementation areas

Strategy and governance
Define an overarching privacy program governance structure, roles and responsibilities designed to coordinate, operate and maintain the program on an ongoing basis.

Policy management
Privacy policies, notices, procedures and guidelines are formally documented and consistent with applicable laws and regulations.

Cross-border data transfer
Determine cross-border data transfer strategy based on current and future planned data collection, use and sharing.

Data lifecycle management
Create ongoing mechanisms to identify new personal data processing and use activities, and implement appropriate checkpoints and controls.

Individual rights processing
Enable the effective processing of consent and data subject requests, such as data access, deletion and portability.

Privacy by design
Develop a strategy and playbook for “privacy by design” to incorporate privacy controls and impact assessments throughout the data lifecycle for new and changing data use initiatives.

Information security
Identify existing information security controls and align security practices with GDPR considerations.

Privacy incident management
Align incident response processes with GDPR specifications and reporting requirements. Establish a triage approach to evaluating potential privacy breaches and incidents.

Data processor accountability
Establish privacy requirements for third parties to mitigate risks associated with access to the organization’s information assets.

Training and awareness
Define and implement a training and awareness strategy at the enterprise and individual level.

Where are you on the GDPR journey?

Your organization may be just getting started -- or may already have a GDPR program in place. Here’s what happens on the way to compliance. 

Conduct a readiness assessment

Gather information to assess your organization’s current GDPR compliance maturity, and to help understand your critical legacy risks.

Find remediation gaps

Identify existing privacy capabilities and the work that needs to be done to bring your organization into GDPR compliance.

Establish oversight

Put your organization’s ongoing GDPR governance structure and model into place to coordinate and implement your remediation activities.

Implement your program

Get your GDPR program off the ground: remediating gaps and establishing a privacy program.

Conduct operation & monitoring

Once GDPR is in effect and your program is in place, conduct ongoing compliance monitoring to drive continued accountability.

Contact us

Sean Joyce
US Cybersecurity and Privacy Leader
Tel: +1 (703) 918 3528

Jay Cline
Privacy Leader, Principal, PwC US
Tel: +1 (612) 596 6403

Grant Waterfall
Europe, Middle East & Africa Cybersecurity and Privacy Leader
Tel: +1 (646) 471 7779

Carolyn Holcomb
Partner, Cybersecurity and Privacy
Tel: +1 (678) 419 1696

Joseph DiVito
Principal, Cybersecurity and Privacy
Tel: +1 (412) 980 9520

Jocelyn Aqua
Principal, Cybersecurity and Privacy
Tel: +1 (202) 730 4862
