The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It comes into force in May 2018. Jersey and Guernsey in the Channel Islands will also be introducing their own data protection legislation, which is aligned with the EU GDPR. Ipes has appointed KPMG to conduct a gap analysis of all data and processes within the organisation with a view to being compliant by May 2018.
Teijo Peltoniemi, a Cyber and IT Consultant at KPMG, discusses the key features of the new regulation and its implications for businesses.
Preparing for GDPR
By Teijo Peltoniemi
Until recently, Data Protection regulation in the EU received only limited attention. Fines for breach of regulations were limited and enforcement actions infrequent. With the GDPR, this will change.
Three factors contribute to this:
Real reputational risk
Enforcement activities by Data Protection regulators will increase. Data Protection breaches will hence be brought to light sooner. The risk of reputational consequences will therefore become all the more real.
Large geographic reach
With the GDPR, the geographic reach of the legislation is extended to ‘all organisations offering goods or services to EU citizens’ and ‘organisations that monitor the (online) behaviour of EU citizens’. This means that your organisation might now be in scope of the EU Data Protection regulation where it was not before.
Failure to implement one or more Data Protection requirements adequately will lead to very significant fines. The GDPR introduces fines that can amount to 20 million EUR or 4% of global annual turnover, whichever is higher.
This is a big and serious change compared to the limited sanctioning possibilities under the old regime. Hence, adequate implementation of Data Protection requirements within your organisation is now more important than ever.
We at KPMG Channel Islands have an expanding team of data privacy consultants ready to help you with GDPR. Data privacy has been an established KPMG service line for many years and our toolkits and methodologies are tested and proven.
Based on our work in this field, both in the Channel Islands and indeed globally, we encounter organisations at different stages of compliance. Most organisations lack a comprehensive picture of the personal data they process. We commonly discover instances of shadow data and shadow IT, such as emails and/or documents in shared folders. Understanding the data means understanding your most critical information assets, and a risk-based approach is the key. With the short timeframe available, remediation efforts need to be structured and allocated wisely.
Another common challenge relates to multi-jurisdictional organisations, where the governance structures are not straightforward to implement. Our global network of practices can assist in ensuring compliance across a wide range of jurisdictions. Our recommendations often include organisational factors, such as the importance of the Board’s role in the GDPR programme, as it is best practice to embed privacy risk into the corporate risk management practice. Unfortunately, as organisations tend to downplay the likelihood of a data breach, they often do not have adequately documented or rehearsed response plans, which can leave them significantly exposed should they suffer a breach.
As data privacy affects so many areas, including people, systems, policies, processes and procedures, it is crucial to start with an assessment of the current state and its gaps. This detailed review allows for a rational and proportionate approach to remediation. Some of our clients also see data privacy as a long-term initiative, and they are looking beyond May 2018 as they seek competitive advantage and other benefits.