General Data Privacy Regulation (GDPR): demanding new privacy rights and obligations

Perspectives for global financial services firms

In May 2018, the European Union’s new General Data Protection Regulation (GDPR) ushers in unprecedented levels of data protection for EU residents. Backed by fines of up to €20 million or 4% of global revenue, whichever is higher, the GDPR gives individuals new, expanded rights over their personal data and heightens the responsibilities and liabilities of controllers and processors, regardless of their geographic location. 

For non-EU based financial institutions: GDPR: demanding new privacy rights and obligations (PDF)

For EU-based financial institutions: Developing your GDPR response for competitive advantage (PDF)

Key facts about the GDPR

  • Applicability: applies to organizations established within the EU — and to organizations outside the EU if they are processing personal data of EU residents in connection with providing goods or services to EU residents or are monitoring the behavior of individuals in the EU
  • Fines: up to €20 million or 4% of the organization’s total global revenue, whichever is greater; the GDPR also gives individuals new rights to bring class actions against data controllers or processors, if represented by not-for-profit organizations, which heightens litigation risk

GDPR highlights

  • Organizations will have only 72 hours to report data breaches.
  • Privacy-by-design principles must be incorporated into the development of new processes and technologies.
  • Explicit and affirmative consent will be required before processing personal data.
  • Most organizations will need to designate a Data Protection Officer.
  • Organizations will have to maintain records of processing activities.
  • Organizations will need to scale security measures based on privacy risks.
  • International transfers are subject to specific requirements and mechanisms.
  • Organizations will report to one supervisory authority.
  • Organizations will have to facilitate customers’ and employees’ right to erasure (of data), right to portability, and an increased right of access.

Important terms:

The GDPR assigns specific responsibilities and liabilities to controllers and processors of personal data. It is important to understand these terms as they are defined within the GDPR.

  • Controller: a body (alone or jointly with others) that determines the purposes and means of the processing of personal data
  • Processor: a body that processes personal data on behalf of the controller; processing activity can include collecting, organizing, storing, disclosing, using, etc.
  • Personal data: any information (single or multiple data points) relating to an identified or identifiable natural person such as name, employee identification number or location data

Is GDPR applicable to you?

Although GDPR brings a welcome harmonization of fragmented data protection laws across EU Member States, its wide-reaching impact and stringent rules require a fundamental organizational shift, even for businesses compliant with existing legislation.

Many non-EU financial services firms assume that the GDPR doesn’t apply to them, often with only a limited understanding of how the regulation actually works. The three distinct questions below can be used to assess GDPR applicability*:

  • Are you or your service providers a processor or controller located in the EU (e.g., do I have an affiliate organization in the EU)?*
  • Are you or your service providers a processor or controller that offers goods or services in the EU (e.g., do I offer payment services in England)?*
  • Are you or your service providers a processor or controller that monitors behavior in the EU (e.g., am I a third party that monitors credit card balances in France)?*

If you answer no to all of the questions above, the GDPR may still apply to you later on; further questions to consider include (but are not limited to):

  • Do I have any plans or aspirations to do business in the EU in the future?
  • Do I process data of EU citizens who reside in the US?

*Note – the responses to these questions should be evaluated based on the facts and circumstances in your organization and discussed with legal counsel.

The third question, “Are you or your service providers a processor or controller that monitors behavior in the EU?”, captures a broader range of activities than many firms think. Consider centralized functions that conduct surveillance, such as for fraud, anti-money laundering, sanctions or cyber threats. To the extent those functions use data relating to EU residents, your firm may be subject to the GDPR requirements.

Impact of GDPR across your organization

GDPR impacts

  • Failing to comply with the basic processing principles of the GDPR may subject the organization to fines of up to €20 million or 4% of the organization’s total global revenue, whichever is greater.
  • Imposes new obligations for both controllers and processors of personal data.
  • Organizations have only until 25 May 2018 to implement changes and comply with GDPR obligations.
  • Places a greater emphasis on accountability, requiring greater documentation and records.

GDPR is not a one-off compliance demonstration and requires a fundamental organizational transformation with regard to data and privacy.


Requirements:

  • Data protection impact assessment – This assessment, required for high risk personal data processing activities, can help organizations identify risks and define mitigating actions.
  • Data privacy accountabilities – The GDPR states that the controller is responsible for confirming that a firm adheres to the law’s privacy principles.
  • Condition for processing – The processing of personal data must rely on a lawful basis as outlined in the GDPR.
  • Data protection officer – Firms that conduct large-scale systematic monitoring of EU residents’ data or process large amounts of sensitive personal data must appoint a qualified DPO.
  • Privacy by design (PbD) – Organizations are required to establish privacy controls from the outset of product or process development.
  • Right to erasure – An individual can request the deletion or removal of personal data when there is no lawful reason for its continued processing.
  • Consent – Consent must be freely given and explicit, indicating the individual’s specific agreement to the processing of personal data.
  • Data breach notification – Organizations must notify the supervisory authority of a data breach within 72 hours of becoming aware of it.
  • Data portability – This allows individuals to move, copy or transfer personal data easily from one organization to another in a secure way for their own purposes.

Which parts of your organization will be most affected?

First line of defense

This encompasses business lines, day-to-day operations, technology groups, customer relationship management, marketing and human resources and involves issues such as client segmentation, protection of employee data and how data is gathered, processed, stored and transferred.

The impact of GDPR is enormous and spans a multitude of organizational areas.

[Figure: The Impact of the GDPR]

Second line of defense

This encompasses third-party risk management, monitoring, compliance and risk management and involves issues such as web traffic, alignment with legal requirements and privacy risk reporting.

Third line of defense

Internal audit is responsible for reviews of access processes and procedures, compliance monitoring and validation of the privacy framework.

Source: EY’s Cybersecurity: three lines of defense webcast, 12 January 2017.

How we can help

Implementing the GDPR should be viewed as an integrated exercise set within each firm’s overall privacy risk management framework. GDPR touches on all aspects of an organization, reaching across people, processes and technology; establishing a cross-functional team that supports the transformation of the company is therefore a critical step for a successful implementation.

[Figure: EY’s privacy risk management framework]

Next steps

  • Educate key stakeholders, including the board of directors
  • Risk-assess whether the GDPR applies to your organization
  • Establish a cross-functional and cross-business governance structure
  • Design and execute a prioritized implementation plan

Contact us

Americas

Cindy Doe
+1 617 375 4558
cynthia.doe@ey.com

John Doherty
+1 212 773 2734
john.doherty@ey.com

Ed Keck
+1 216 583 1296
ed.keck@ey.com

Angela Saverice-Rohan
+1 213 977 3153
angela.savericerohan@ey.com

Mark Watson
+1 617 305 2217
mark.watson@ey.com

EMEIA

Tony de Bos
+31 88 40 72079
tony.de.bos@nl.ey.com

Steve Holt
+44 20 7951 7874
sholt2@uk.ey.com

Konrad Meier
+41 58 286 4327
konrad.meier@ch.ey.com

Erol Mustafa
+44 20 7951 0700
emustafa@uk.ey.com

Philippe Zimmermann
+41 58 286 3219
philippe.zimmermann@ch.ey.com

Asia-Pacific

Jeremy Pizzala
+852 9666 3428
jeremy.pizzala@hk.ey.com