EY s data privacy service offering

Transcription

1 EY s data privacy service offering How to transform your data privacy capabilities for an EU General Data Protection Regulation (GDPR) world Introduction Data privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information. Changing regulatory requirements including GDPR are combining with rising customer expectations to create growing challenges around data privacy. But companies that take a compliance-centric approach to data privacy are missing out on an opportunity to gain competitive edge. EY s data privacy service offering helps clients blend data privacy with transparency equipping them to win customers trust and loyalty in a GDPR world.

2 GDPR timeline January 2012 European Commission (EC) proposed GDPR December 2015 GDPR agreed 25 May 2018 GDPR takes full effect March 2014 EU Parliament adopted compromise text 14 April 2016 GDPR formally adopted by EU member states Transition period of two years Transforming and integrating your approach to data privacy Many companies today are fully aware of and focused on the need to comply with data privacy regulations, including GDPR, but many find it difficult to integrate all their data privacy-related activities into their everyday organizational processes. EY has the answer: our data privacy transformation approach, in which we integrate all our data privacy-related services into a single offering. Using our proprietary five-stage approach, we help clients embed all activities related to data privacy into their operational business as usual. Five stage transformational approach EY s data privacy capabilities include: Privacy strategy and governance Privacy design and implementation Privacy impact assessment Data flow mapping Managed services Privacy program and data management Privacy and data analytics, including anonymization and pseudonymization Maturity assessment Gap assessment Data breach notification and incident management Third-party and vendor management Training and awareness 1. Understand 2. Assess 3. Define 4. Recommend 5. Run This approach not only drives GDPR compliance, but also increases the data maturity of the business as a whole helping clients to extend their data usage capabilities, and boost the effectiveness of their data analytics and dashboarding. 2 EY s data privacy service offering

3 Getting to grips with the impacts and implications of data privacy The fact that data privacy regulations in general and GDPR in particular have broad impacts across the organization, can make it hard to pinpoint their specific effects. It can also be difficult to look beyond the regulatory and technological issues to grasp the competitive opportunities that privacy presents. An EY GDPR awareness workshop helps clients understand why privacy is much more than just a compliance or security issue. Some of the key elements are summarized below. After the workshop, your business will really understand how you re impacted by GDPR and be well equipped to navigate today s complex privacy landscape. EY s GDPR awareness workshop includes: An overview of the changing regulatory landscape An interactive three-hour session examining privacy from multiple perspectives An exploration of the links between privacy and business initiatives Sharing and discussion of leading practices and lessons learned with EY s privacy professionals Assessing GDPR s impacts and gaining the insights needed to address them To plan out your responses to GDPR, you must first identify the gaps between where you are today in terms of data privacy and where you need to get to in the future. You also need to conduct a Privacy Impact Assessment (PIA) and map out the flows of data across your operations. All of these elements are part of EY s GDPR assessment and roadmap offering. Often combined with the GDPR awareness workshop, this approach starts with our privacy team executing our proven GDPR assessment to pinpoint the gaps between the current and desired state. This provides input for our team to develop your practical and tailored roadmap to GDPR compliance, including clearly stated goals and purpose. Our GDPR assessment includes: A detailed review of key data privacy-related themes, such as current data processing roles, responsibilities, data leakage procedures, data flows and data usage Comparison of the results with both common market practices and legal obligations Examination of the impact on current operations of new topics, such as the right to be forgotten and explicit consent EY s data privacy service offering 3

4 PIA A high quality PIA process throughout the organization is imperative for ensuring compliance with GDPR. An EY PIA encompassing the full privacy life cycle shown below will help you embed data privacy and data protection into the design of all your processes and applications that process personal data. We can support you in the design and execution of PIAs using our established GDPR toolset, and supplement this with training to raise data privacy awareness and compliance across the organization. Review of privacy expectations 4 Appropriate retention and disposal 5 Privacy life cycle 3 Managed disclosure 1 Appropriate collection of data 2 Relevant use of data Data flow mapping Mapping data flows is vital for identifying your organization s data privacy requirements and implementing data protection processes that comply with relevant regulations, including GDPR. However, all too often, businesses undertake data flow mapping with an IT mindset, meaning it produces outputs that quickly become outdated and are too detailed for use in the business. This is because an IT-orientated data flow mapping tends to focus on specific technical fields rather than the types of data used by business processes. In contrast, an EY data flow mapping delivers business-driven results at high pace, by focusing on the business-relevant aspects of data and applying leading-edge data discovery tools and strong data governance. Business opportunities arising from GDPR: Identify and Access Management (IAM) and analytics GDPR compliance programs often enable an optimization of existing IT environments, in order to ensure privacy across the whole IT domain. Two high potential areas are implementing robust IAM, and anonymizing and pseudonymizing data to enable analytics. In terms of IAM, effective data privacy involves ensuring that any data available within the organization can be accessed only by those people authorized to do so. This requires tight linkage between specific roles and access levels, and the business processes that these roles participate in. EY offers an integrated suite of IAM services that support clients to manage system access continuously and efficiently, while also reducing risks to the confidentiality, integrity and availability of business-critical data. Also, while GDPR restricts how organizations use personal data, it also allows for that data to be anonymized and pseudonymized for analysis. EY can help you apply these concepts to maximize the intelligence from data analytics, while supporting GDPR compliance. By analyzing each step in the data process, we can identify whether anonymization or pseudonymization should be used. And, using the latest flexible data analysis tools, we can combine existing and new data to create new identification opportunities generating the greatest possible value from analytics without compromising on compliance. 4 EY s data privacy service offering

5 Contact us To find out more about any of our privacy-related services and how EY can help you use GDPR as a catalyst for change, beyond compliance, please contact: Erol Mustafa EMEIA Financial Services IT Risk & Assurance Leader Telephone: Mobile: emustafa@uk.ey.com Philippe Zimmermann EMEIA Financial Services Legal Leader Telephone: Mobile: philippe.zimmermann@ch.ey.com Tony De Bos EMEIA Financial Services Data Protection & Privacy Leader Telephone: Mobile: tony.de.bos@nl.ey.com Konrad Meier EMEIA Financial Services Data Privacy Professional Telephone: Mobile: konrad.meier@ch.ey.com EY s data privacy service offering 5

6 6

7 EY s data privacy service offering 7

8 EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com EYGM Limited. All Rights Reserved. EYG No Gbl EY indd (UK) 10/17. Artwork by Creative Services Group London. ED None In line with EY s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content. This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice. ey.com