EY's data privacy service offering

How to transform your data privacy capabilities for an EU General Data Protection Regulation (GDPR) world
In May 2018, the European Union's new General Data Protection Regulation (GDPR) ushers in unprecedented levels of data protection for EU residents. Backed by fines of up to €20 million or 4% of global revenue, whichever is higher, the GDPR gives individuals new, expanded rights over their personal data and heightens the responsibilities and liabilities of controllers and processors, regardless of their geographic location.

EU GDPR is a global game changer. No organization storing or processing the personal data of EU residents can afford to be complacent, wherever the organization is based and irrespective of its current privacy maturity level. As well as the urgency of working towards compliance, there is also the opportunity to take a strategic approach to GDPR. EY's risk-based, multi-disciplinary approach targets GDPR investment where it matters most for regulatory compliance and competitive advantage. Drawing on our extensive privacy knowledge and proven tools and methodologies, we help to identify clients' highest risks, and design and execute a tailored road map for compliance and beyond.

GDPR timeline

January 2012: European Commission (EC) proposed GDPR
March 2014: EU Parliament adopted compromise text
December 2015: GDPR agreed
14 April 2016: GDPR formally adopted by EU member states
Transition period of two years
25 May 2018: GDPR takes full effect
Monitoring and compliance, ensuring compliance through monitoring and continuous improvement
GDPR: what you need to know

When GDPR comes into force, it will introduce a raft of new rights for individuals and principles to facilitate and protect the flow of personal data in the market. Among the key changes, organizations must prove that they have a robust accountability framework in place for data protection, an ongoing data protection impact assessment and a privacy-by-design approach. The latter ensures that data protection safeguards are built into products and services from the earliest stage of development. Key rights for individuals include the right to erasure (right to be forgotten), and the requirement for consent to be explicitly given for specific uses and transfer of sensitive data.

Key changes

The overview diagram groups the key changes under scope and definitions, formalities, data subjects' rights, legal grounds for data processing, new principles, security and data breach notification, and enforcement and sanctions. The changes listed are:

Broad definition of personal data
Extended territorial effect
An (almost) harmonized EU data protection regime
One-stop-shop
Notification regime limited to sensitive data processing / prior checking approach
Data protection officer
International data transfers
Legitimate interest
High bar for consent
Children
Right to be forgotten
Data portability
Profiling
Clear and plain language
Transparency
Data minimisation
Accountability
Appropriate safeguards
Privacy by design and by default
Impact assessments
Security and breach notification
Penalties for companies
Liability of data processor
EY approach towards GDPR compliance

Five-stage transformational approach: 1. Understand, 2. Assess, 3. Define, 4. Recommend, 5. Run.

Our broad transformation approach mirrors the cross-functional nature of the GDPR. We bring our own multidisciplinary team of professionals, combining knowledge and experience across legal, cybersecurity and data analytics, to engage with stakeholders from all parts of the organization and bring GDPR to life. Our five-phased approach is a framework from which we can build a tailored approach for each organization, to operationalize GDPR and provide compliance and beyond.

1 Understand: getting to grips with the impacts and implications of data privacy

The fact that data privacy regulations in general, and GDPR in particular, have broad impacts across the organization can make it hard to pinpoint their specific effects. It can also be difficult to look beyond the regulatory and technological issues to grasp the competitive opportunities that privacy presents. You should understand your current context and how much GDPR impacts you, in particular looking into:

The business and governance models. Gather information related to the organization and its adopted strategies to understand the current data protection governance model. Assess the industry and market, the organization's management structure and its digital and data strategy, as well as the data protection measures and awareness in place.

Data protection and privacy framework. Leverage acknowledged frameworks, gather information and create an understanding of the existing data protection and privacy posture of the organization, including policies, standards and guidelines.

Legal and regulatory framework. Understand the organization's status and compliance toward the applicable laws and regulations, specifically GDPR and sector-specific laws and regulations.

Data transfers with vendors and partners. Understand the organization's vendors and partners, including providers of cloud services and outsourcing. Create an overview of data transfers abroad, and understand the legal and regulatory impact.

Raising awareness. Ensure data protection and privacy awareness through appropriate information, and specific data protection awareness trainings and workshops. An EY GDPR awareness workshop helps clients understand why privacy is much more than just a compliance or security issue. After the workshop, your business will understand how you are impacted by GDPR and be well equipped to navigate today's complex privacy landscape.

2 Assess

Strategic alignment and risk appetite. Determine the strategic alignment and risk appetite in a workshop. Define the tone at the top towards strategy, risk culture, direction and conduct.

GDPR maturity and gap assessment. To plan out your responses to GDPR, you must first identify the gaps between where you are today in terms of data privacy and where you need to get to in the future. You also need to conduct a Data Protection Impact Assessment (DPIA) and map out the flows of data across your operations. All of these elements are part of EY's GDPR assessment and roadmap offering. Often combined with the GDPR awareness workshop, this approach starts with our privacy team executing our proven GDPR assessment to pinpoint the gaps between the current and desired state. This provides input for our team to develop your practical and tailored roadmap to GDPR compliance, including clearly stated goals and purpose. This approach not only drives GDPR compliance, but also increases the data maturity of the business as a whole, helping clients to extend their data usage capabilities and boost the effectiveness of their data analytics and dashboarding.

Data flow mapping and records of processing activities (ROPA). Mapping data flows is vital for identifying your organization's data privacy requirements and implementing data protection processes that comply with relevant regulations, including GDPR. However, all too often, businesses undertake data flow mapping with an IT mindset, meaning it produces outputs that quickly become outdated and are too detailed for use in the business. This is because an IT-orientated data flow mapping tends to focus on specific technical fields rather than the types of data used by business processes. In contrast, an EY data flow mapping delivers business-driven results at high pace, by focusing on the business-relevant aspects of data and applying leading-edge data discovery tools and strong data governance. Map data flows to enhance the implementation support of data privacy. The identified data streams can be used to determine the requirements for privacy (on the basis of applicable laws and regulations) and to set up data protection. On this basis, formalize the records of processing activities, which will serve as the foundation for a privacy risk assessment and the DPIA if applicable.

Data Protection Impact Assessment (DPIA) and privacy by design. A high-quality DPIA process throughout the organization is imperative for ensuring compliance with GDPR. An EY DPIA, encompassing the full privacy life cycle shown below, will help you embed data privacy and data protection into the design of all your processes and applications that process personal data. EY can support you in the design and execution of DPIAs using our established GDPR toolset, and supplement this with training to raise data privacy awareness and compliance across the organization. Assess personal data collection and processing activities with a data protection impact assessment to identify the risks inherent to the personal data processing activities. Reduce such risks by redefining the processes in accordance with the principles of privacy by design and privacy by default.

Privacy life cycle: 1 Appropriate collection of data; 2 Relevant use of data; 3 Managed disclosure; 4 Appropriate retention and disposal; 5 Review of privacy expectations.

Privacy risk assessment. GDPR is a regulation which should trigger responses commensurate with the privacy risk exposure of the organization. A privacy risk assessment shall be conducted to develop solid recommendations for the implementation and remediation steps in light of the company's risk appetite and level of compliance gap.

3 Define: establish the mechanism to address the requirements of the GDPR

Data subject rights. Define processes to ensure data subject rights are enforceable. Facilitate compliance through privacy by design, e.g., embed user access rights in online applications. Evaluate and redesign processes for retrieval, correction and erasure of personal data throughout the organization.

Vendor and partner management. Identify and prioritize the vendor relationships which include personal data processing activities. Evaluate the contracts, security measures and oversight governance against compliance with GDPR, and define a strategy to renegotiate personal data processing agreements. Ensure appropriate security measures and vendor management are in place by defining a lean oversight governance.

Monitoring and incident handling. Define a process for personal data breach monitoring and reporting. Develop a process for personal data breach reporting towards the data protection authority and towards the data subjects. Design templates and communication approval processes to ensure that the notification deadline of 72 hours can be met.

Governance, policy, standards and guidelines. Redefine the data protection governance model, including a detailed description of the roles and responsibilities with regard to management of external relationships and communication with regulators.

These actions, as well as the ones defined in phase 5, will help to comply with the accountability principle, moving towards compliance.

Roadmap. The roadmap contains the necessary actions identified during the assessments and workshops. It focuses on compliance towards the applicable laws and regulations, and the defined privacy and data protection strategy.

4 Recommend

Based on the company assessments, the situational insights gained and the privacy risk assessment, EY recommends the processes and measures defined in the previous phase 3, leveraging existing processes within the organization. Ensure that data protection governance and documentation are in place by introducing internal guidelines and process documentation.

5 Run

Privacy control framework. Facilitate compliant personal data management through a holistic privacy control framework, integrating data protection throughout the organization, including project management, process and product development, as well as risk and vendor management.

EY can help with: privacy strategy and governance; privacy design and implementation; data flow mapping; managed services; on-site and web-based data privacy and GDPR awareness; data protection impact assessments; privacy program and data management; compliance monitoring; privacy and data analytics, including anonymization and pseudonymization; maturity assessment; gap assessment; data breach notification and incident management; data breach stress tests; third-party and vendor management; continuous improvement.
Why EY?

Extensive privacy knowledge and experience. EY employs over 200 Certified Information Privacy Professionals (CIPPs) across the EU, and privacy lawyers, to help organizations better understand data privacy risk and GDPR compliance. Close cooperation with EY legal specialists means EY CIPPs can translate legal requirements into a risk-based, customized approach.

Highly experienced. For over a decade, EY has assisted multinational organizations in understanding privacy and data protection and regulations such as GDPR. Using their deep industry and client knowledge, EY has helped clients across financial services achieve both compliance and competitive advantage through effective GDPR programs, from gap analysis through to ongoing managed services.

Global teams. EY teams work within common global structures so they can easily draw on EY's global industry and functional experts to bring insights on legislation, regulations and business practice across the globe. EY has proven success in rollout across multiple countries.

Professional approach. EY uses a risk-based, multi-disciplinary approach supported by robust tools and methodologies to help you to understand the impact of GDPR on your organization, achieve timely and consistent GDPR compliance and leverage GDPR for wider strategic benefit.
How EY can help: EY's unique approach

1 Approach: comprehensive transformation approach to guide our clients
2 Risks: identification of high risks and focus on compliance with current legislation while keeping sight of GDPR readiness
3 Cooperation: close cooperation with EY regulatory and compliance teams to transpose regulatory requirements into a customized approach
4 Solutions: multi-disciplinary solutions integrating the IT, risk and business perspectives of privacy
5 Assessments: unique combination of maturity and Privacy Impact Assessments
6 Tools: Maturity and Privacy Impact Assessment, data discovery tools and enablers to support our engagements
Is your organization ready for the EU General Data Protection Regulation?

Now it is time to take appropriate actions towards becoming compliant with GDPR. Areas of consideration based on the EY approach are as follows:

Expanded scope: Are you a data processor or a data controller processing personal data inside the EU or processing the personal data of EU citizens?

DPOs: Do you conduct large-scale systematic monitoring (including employee data) or process large amounts of sensitive personal data?

New rights: Do you know how you will comply with the new rights: the right to be forgotten, the right to data portability and the right to object to profiling?

Accountability: Do you conduct large-scale systematic monitoring (including employee data) or process large amounts of sensitive personal data?

Privacy by design: Do you design data protection and privacy requirements into the development of your business processes and new systems?

Mandatory breach notification: Would you be able to notify a data protection supervisory authority of a data breach within 72 hours?
EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2018 Ernst & Young Business Advisory Services S. à R. L. All Rights Reserved.
ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com/luxembourg

Contacts

To find out more about any of our privacy-related services and how EY can help you use GDPR as a catalyst for change, beyond compliance, please contact:

Olivier Maréchal, GDPR Advisory Services Leader, Partner, Advisory Leader for Financial Services, +352 42 124 8948, Olivier.Marechal@lu.ey.com
Philippe Belche, Senior Manager, Legal Advisory Services, +352 42 124 8646, Philippe.Belche@lu.ey.com
Patrice Fritsch, Directeur Associé, Managed services, +352 42 124 8950, Patrice.Fritsch@lu.ey.com
Karim Bouaissi, Senior Manager, IT Risk Assurance, Financial Sector, +352 42 124 8779, Karim.Bouaissi@lu.ey.com
Alexandre Minarelli, Director, IT Risk & Assurance Leader, Commercial and Public Sector, +352 42 124 8669, Alexandre.Minarelli@lu.ey.com
Alejandro del Rio, Manager, +352 42 124 8301, alejandro.del-rio@lu.ey.com