Why should your business care about GDPR now?

General Data Protection Regulation (GDPR) applies directly in each of the 28 European Union (EU) Member States as well as indirectly to any organization outside of the EU which offers goods or services to customers or businesses in the EU, with effect from 25th May 2018.
Introduction:
  • GDPR was approved by the European Parliament on April 14, 2016 and came into effect on May 25, 2018
  • It is the most important change in data privacy regulation in 20 years
  • It replaces the Data Protection Directive 95/46/EC
  • Organizations that are not GDPR compliant could now face heavy fines
Importance:
  • Commercial Incentives – Implementation of GDPR helps to prevent loss of customers and market share as a result of data breaches. In addition, adherence to GDPR could help to build trusting relationships with stakeholders, to drive loyalty and attention
  • Compliance – Ultimately, firms need to comply with GDPR, particularly with the increasing pressure from regulators, not to mention rising fines and penalties. Ensuring adherence will also assist in the prevention of reputational damage, along with the significant costs associated with recovery from breaches, potential lawsuits from those affected and the inherent loss of trust
Key Areas of GDPR Impact:
  • Fines
    • Fines ranging from 10-20 million Euros, or up to 4% of annual worldwide turnover, can be levied for data protection breaches, which may trigger changes to risk appetite. Fines vary and depend on the type and severity of the breach
  • Wider Scope
    • GDPR applies to all data controllers and processors established in the EU and organizations that target EU citizens
  • Accountability
    • Organizations must prove they are accountable and demonstrate compliance
  • Mandatory Breach Notification
    • Organizations must notify the supervisory authority of data breaches ‘without undue delay’ or within 72 hours
  • Privacy Impact Assessments
    • Organizations must undertake Privacy Impact Assessments when conducting risky or large-scale processing of personal data
  • Consent
    • Consumer consent to process data must be a freely given statement of affirmative action, for specific purposes. Customers must be informed of their right to withdraw their consent
  • New Rights
    • New rights are being introduced, including a right to be forgotten, a right to portability and a right to object to profiling
Note: Areas with significant impact on insurers include the need to:
  • Lawfully process sensitive data in line with GDPR requirements
  • Justify the collection, storage and retention of data. Provide access to that data, held in a variety of means, in multiple locations, including data held or provided by third parties
  • Implement restructured process designs
Challenges involved:
  • Privacy Governance
    • Firms need the ability to establish a comprehensive model to lead privacy transformation
  • Data Flow Mapping
    • There must be an understanding of data flows in the organization, combined with ambitious data flow mapping initiatives, which are detailed and resource-intensive
  • Right to be forgotten
    • Applications require new features to support the key changes brought by GDPR around the right to be forgotten, data portability and data retention
  • Big Data Analytics
    • Firms need to balance leveraging the strategic value of the data while ensuring privacy
MB Group Internal Audit Scope:
  • Accountability and Governance
    • Review and assess the governance structure and privacy accountabilities in place
    • Review key roles and responsibilities in relation to GDPR requirements, including the role of the Data Protection Officer
    • Assess the culture of data protection within the organization
  • Translation of the ‘GDPR Programme’ into ‘business as usual’
    • Review and assess the completeness of the scope of the GDPR programme that has been implemented to ensure it effectively incorporates all relevant aspects of GDPR
    • Review and assess whether the GDPR programme has been successfully implemented and whether there are any outstanding requirements
    • Assess the transition from ‘GDPR Programme’ to ‘business as usual’
    • Review the process for addressing outstanding actions including methodology for prioritizing non-compliant areas
  • Policies & procedures
    • Review policies & procedures in place including how they are embedded within the organization
    • Review the privacy impact assessment processes and supporting templates
    • Review processes in place to ensure that individual rights, including the rights of access to, rectification and erasure of personal data, can be managed in line with GDPR requirements
    • Review documentation and application of data security measures to ensure systems and applications are secure by design
    • Review processes and contracts in place with third parties that process data on the organization’s behalf
  • Awareness & additional safeguards
    • Review training in place and business awareness of the requirements of GDPR and its impact
    • Review the safeguards in place to ensure that data being transferred outside of the European Economic Area (EEA) benefits from adequate protection
Last Updated: 14th October 2019

This article is contributed by: Srishti Agrawal, Senior Consultant – Risk Advisory Services

Tag: GDPR, General Data Protection regulation