Professional Documents
Culture Documents
Deloitte NL Risk GDPR Nwe Vision Approach
Deloitte NL Risk GDPR Nwe Vision Approach
FINES UP TO 4% OF GLOBAL INCREASED TERRITORIAL SCOPE EXPLICIT AND RETRACTABLE DATA SUBJECT RIGHTS
TURNOVER CONSENT
GDPR will apply to all companies Data subjects can request confirmation
Previously fines were limited in size and processing the personal data of data Must be provided in an intelligible and whether or not their personal data is being
impact. GDPR fines will apply to both subjects residing in the EU, regardless of easily accessible form, using clear and processed, where and for what purpose.
controllers and processors. the company’s location. plain language. It must be as easy to Additionally, data subjects can request to
withdraw consent as it is to give it. be forgotten, which entails the removal of
all the data related to the data subject.
72 hr
??? ?
BREACH NOTIFICATION WITHIN PRIVACY BY DESIGN DATA INVENTORY MANDATORY DATA PROTECTION
72 HOURS OFFICERS
Now a legal requirement for the inclusion Organizations must maintain a record of
Previously fines were limited in size and of data protection from the onset of the processing activities under its Appointed in certain cases to facilitate the
impact. GDPR fines will apply to both designing of systems, rather than a responsibility – or, in short, they must need to demonstrate compliance to the
controllers and processors. retrospective addition. keep an inventory of all personal data GDPR and to compensate for no longer
processed. The inventory must include the requiring bureaucratic submission of data
multiple types of information, such as the processing activities or transfers based on
purpose of the processing. Model Contract Clauses.
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 2
Deloitte Vision on GDPR
The GPDR introduces new New GDPR requirements will Individuals and teams tasked
requirements and challenges for mean changes to the ways in with information management
legal and compliance functions. which technologies are designed will be challenged to provide
Many organisations will require a and managed. Documented clearer oversight on data
Data Protection Officer (DPO) who privacy risk assessments will be storage, journeys, and lineage.
will have a key role in ensuring required to deploy major new Having a better grasp of what
compliance. It is estimated that systems and technologies. data is collected and where it is
28,000 new DPOs will be required Security breaches will have to be stored will make it easier to
in Europe alone. If the GDPR is notified to regulators within 72 comply with (new) data subject
not complied with, organisations hours, meaning implementation rights – rights to have data
will face the heaviest fines yet – of new or enhanced incident deleted and to have it ported to
up to 4% of global turnover. A response procedures. The other organisations.
renewed emphasis on concept of 'Privacy By Design’ has
organisational accountability will now become enshrined in law,
demands proactive, robust with the Privacy Impact
privacy governance, requiring Assessment expected to become Chief Data Officer Chief Operating
Officer
organisations to review how they commonplace across
write privacy policies, to make organisations over the next few
these easier to understand. years. And organisations will be
expected to look more into data
masking, pseudonymisation and
Chief Risk Officer Privacy Officer encryption.
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 4
Vision – Legal and Compliance
General Counsels, Chief Compliance Officers, Chief Privacy Officers and Data Protection
Officers: Your privacy strategies, resourcing, and organisational controls will need to be revised.
Boardrooms will need to be engaged more than ever before.
1 2
A Revolution in Enforcement Accountability
Serious non-compliance of the EU, where analysis on The current requirement to is on organisations having a
could result in fines of up to EU citizens is performed. But provide annual notifications more proactive,
4% of annual global how will this play out in of processing activities to comprehensive view of their
turnover, or €20 million – practice? Will US local regulators will be data and being able to
whichever is higher. organisations, for example, replaced by significant new demonstrate they are
Enforcement action will take heed of EU data requirements around compliant with the GDPR
extend to countries outside protection authorities? maintenance of audit trails requirements.
and data journeys. The focus
3 4
Data Protection Officers Privacy Notices and Consent
Organisations processing with sought-after skills and Organisations should now the notion of consent as one
personal data on a large experience are currently in consider carefully how they of the conditions for lawful
scale will now be required to short supply. construct their public-facing processing, with
appoint an independent, privacy policies to provide organisations required to
adequately qualified Data more detailed information. obtain ‘freely given, specific,
Protection Officer. This will However, it will no longer be informed and unambiguous’
present a challenge for many good enough to hide behind consent, while being able to
medium to large pages of legalese. In demonstrate these criteria
organisations, as individuals addition, the GDPR will retain have been met.
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 5
Vision – Technology
Chief Information Officers, Chief Technology Officers and Chief Information Security
Officers: Your approach towards the use of technology to enable information security and other
compliance initiatives will need to be reconsidered, with costs potentially rising.
1 2
Breach Reporting Online Profiling
Significant data breaches will incident management Individuals will have new understand their customers.
now have to be reported to procedures and consider rights to opt out of and This applies not just to
regulators and in some processes for regularly object to online profiling and websites, but also to other
circumstances also to the testing, assessing and tracking, significantly digital assets, such as mobile
individuals impacted. This evaluating their end to end impacting direct-to-consumer apps, wearable devices, and
means organisations will incident management businesses who rely on such emerging technologies.
have to urgently revise their processes. techniques to better
3 4
Encryption Privacy-by-Design
The GDPR formally be complacent, and the The concept of Privacy By technologies. One
recognises the privacy exemption may not apply Design (PbD) is nothing new, demonstration of of PbD is
benefits of encryption, when weak encryption has but now it is enshrined in the Data Protection Impact
including an exemption from been used. Given the GDPR. Organisations need to Assessments (DPIA), which is
notifying individuals of data potential fines, organisations build a mind set that has now required to be
breaches when data is will have to further increase privacy at the forefront of undertaken for new uses of
encrypted. However, this their focus on a robust the design, build and personal data where the risk
does not mean that information and cyber deployment of new to individuals is high.
organisations can afford to security regime.
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 6
Vision – Data
Chief Data Officers, Data Stewards, Chief Marketing Officers, and Digital Leads: Your
information management activities have always supported privacy initiatives, but under the GDPR
new activities are required which specifically link to compliance demands.
1 2
Data Inventories Right to Data Portability
Identifying and tracking data A new right to request standardised copies of data
Organisations will have to activities. Data leads will A new right to ‘data but taken broadly the
take steps to demonstrate have to work closely with portability’ means that challenges could be
they know what data they privacy colleagues to ensure individuals are entitled to numerous – amongst them
hold, where it is stored, and all necessary bases are request copies of their data achieving clarity on which
who it is shared with, by covered. A thorough system in a readable and data needs to be provided,
creating and maintaining an for maintaining inventories standardised format. The extracting data efficiently,
inventory of data processing needs to be implemented. interpretation of this and providing data in an
requirement is debatable, industry-standardised form.
3 4
Right to be Forgotten Definitions of Data
A new ‘right to be forgotten’ perform wholesale reviews of The GDPR expressly data will be classed as
is further evidence of the processes, system recognises the concept of personal data and subject to
consumer being in the architecture, and third party pseudonymisation of data requirements.
driving set when it comes to data access controls. In and places emphasis on data
use of their data. Depending addition, archive media may classification and
on regulatory interpretation, also need to be reviewed and governance. But it remains
organisations may need to data deleted. unclear if and when certain
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 7
Deloitte Approach to GDPR
GDPR Privacy
Transformation by
Program Design
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 9
Approach - GDPR Readiness Assessment
The road to GDPR compliance with the GDPR Maturity Assessment & Roadmap
What is the GDPR Readiness Assessment? First steps in becoming GDPR compliant
To give a clear picture on where • Based on our Privacy, Security Our maturity approach to privacy challenges is based on
your organisation currently stands and Governance framework, industry best practices, Deloitte advisory methodology and our
with respect to the GDPR, the GDPR covering all elements of the experience with privacy and cyber engagements at a large
Readiness Assessment is the tool of described privacy program; number of other clients. Deloitte has conducted a number of
choice. The GDPR Readiness relevant benchmarks over the years, such as the Privacy
• Instrumental in finding the areas
Assessment is: Benchmark and the Governance Benchmark, which can be
with the biggest risk;
referenced to determine your organisation's current standing.
• A powerful methodology, based
• Used to focus on those areas
on an existing Deloitte practice
which most urgently need action ▶ Capture Business Insight
to create a baseline for privacy;
to become GDPR compliant;
• Part of the cyber tooling suite, Privacy compliance & GDPR Readiness framework tailored 1
• A method to measure how based on industry and organisational characteristics.
potential to incorporate into
mature the organisation
your broader cyber strategy and
currently is, using the Deloitte
roadmap;
privacy and data protection ▶ Insight in Current Privacy Situation
• Used by Deloitte globally for maturity model.
privacy and cyber assessments A thorough assessment by workshops and interviews with (a
2
and strategy definition; part of) the organisation, giving insight of the current level of
maturity against the framework.
• A good starting point for
becoming compliant with the
GDPR and getting a tailored ▶ Develop Strategy & Roadmap
privacy program; A practical and concrete roadmap with prioritised steps required
3
to improve, risk-based, the state of privacy compliance with the
GDPR.
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 10
Approach - Actions to take to prepare for the GDPR
Based on a comprehensive GDPR readiness roadmap a tailored transformation program helps organisations prepare in the
optimal way for the GDPR
Strategy
A strong starting point determining high level direction and risk appetite, upon which the organisation builds its
Strategy privacy organisation.
Privacy Operations
Privacy Impact Embedding privacy into the organisations project methodology. This is done by
Assessment efficient and practical guidance during conception of a new or changed product or
Audit Privacy by service (Privacy by Design) as well as assessing new and existing systems following
and Certification Design the established PIA method. Also covers audit guidance and research into privacy
seal certification (new option in the GDPR).
Processing Inventory
Processing Inventory A processing inventory is a fundamental element of any privacy program, and
will be a mandatory requirement following the GDPR.
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 11
Approach - Data Processing Inventory
Creating a data inventory provides an overview of all data and insight in the risks attached to processing activities
A Data Processing Inventory is your basis to get in control of Article 30 of the GDPR requires an up-to-date overview of
your data processing processing activities
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 12
Approach – Data Protection Impact Assessments
Embedding privacy into your project methodology by assessing privacy risks in an early stage
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 13
Approach - Third Party Procedures
External parties bring specific challenges for data controllers
When a data breach occurs there are many internal and external Are your DPAs GDPR proof? With the new data breach rules in place
challenges. Handling and communication procedures with processors, there is a requirement for contractual arrangements between Controller
authorities and data subjects are essential for effective data breach and Processors.
handling.
Every time your organisation uses a third party for any kind of service The most important external stakeholder are your data subjects. The
that might involve data processing there should be a concrete process GDPR brings increased rights to data subjects (customers, patients,
with clear requirements to assess these parties and their specific citizens) and this brings procedural challenges to a controller.
service.
Whether a data subject requests access, or correction, or restriction, or
To make sure this is done effectively there needs to be collaboration objection, or erasure or portability of their data, a good process on how
between legal, risk, IT and procurement with strong steering from the to communicate and serve these data subjects is essential.
DPO.
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 14
Why Deloitte?
Ratio
LACRO
(Latin America
Africa
46 offices in
Deloitte accreditations
and Caribbean)
69 offices in 21 countries
28 countries ISC2 Over 1,100 CISSPs
ISACA Over 2,000 certified as CISA, CISM, CGEIT
BSI Over 150 trained lead system auditors
IAPP Privacy certified practitioners
Specialty Wide range of domain specific certifications
PMI PMI certified practitioners
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 16
Why Deloitte? - NWE
Deloitte North West Europe combines the breadth and depth of capabilities of eight market leading member firms.
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 17
Why Deloitte?
Why our team is unique
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 18
Why Deloitte? - Our Key Privacy and Data Protection Areas
We have a dedicated team of privacy professionals, with thorough expertise in leading privacy programmes across large
scale and complex organisations
Compliance and Privacy Programmes Technology and Risk Management Training and Cultural Cyber Security
Readiness Digital Change
• GDPR readiness • Privacy programme • Data discovery, • Privacy Impact • Privacy risk and • Personal data breach
assessment development mapping, and Assessment and compliance training investigation and
• GDPR compliance • Privacy strategy and inventories health check • Training and management
roadmap roadmap • Privacy-by-design • Policy analysis and awareness design • Regulatory liaison
• Global privacy development advice and design and implementation advice
compliance • Target operating application • Governance and • Classroom and • Incident response
assessment model design and • Online and e-Privacy compliance review computer-based and forensic
• GDPR technology implementation • Digital asset risk • Third party training investigation support
impact assessment • Change programme assessment and management • Cultural change • Supplier and third
• Global compliance design and delivery management (e.g. • Mergers and programme party management
assessments websites and mobile acquisitions data development
apps) transfer and
ownership
Our deliverables help organisations to gain a better insight in We supported the cyber response for a consumer business client
their processes regarding privacy, such as: formal reports, which had suffered hacking and a data breach, providing advice
governance models, policies and processes, and roadmaps. on their customer notification and regulatory obligations.
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 19
Contact Us
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 21
Contact
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 22
Contact
© 2018 Deloitte North West Europe Deloitte Risk Advisory – NWE GDPR Brochure 23
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms
are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.nl/about for a more detailed description of DTTL and its member
firms.
Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500®
companies through a globally connected network of member firms in more than 150 countries bringing world-class capabilities, insights, and high-quality service to address clients’ most complex business challenges.
To learn more about how Deloitte’s approximately 225,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this
communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity
in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.