The better the question. The better the answer. The better the world works. У вас есть вопрос? У нас есть ответ. Решая сложные задачи бизнеса, мы улучшаем мир. У вас є запитання? У нас є відповідь. Вирішуючи складні завдання бізнесу, ми змінюємо світ на краще. Meilleure la question, meilleure la réponse. Pour un monde meilleur. 問題越好。答案越好。商業世界越美好。 问题越好。答案越好。商业世界越美好。

Is your company ready to transform?

Building effective Data Privacy & Protection programs is key to transforming your business and efficiently complying with the latest regulations

Why should your organization care about Data Privacy & Protection (DPP)

Changing legislative requirements, most recently demonstrated by the European Union’s General Data Protection Regulation (GDPR), Personal Information Protection and Electronics Document Act (PIPEDA) and California Law, coupled with increasing customer expectations, pose a rising number of challenges for companies.

Privacy can not only give you a competitive advantage, but in the age of increasing consumer awareness and digital interconnectivity, transparency is key to achieving and maintaining the trust of your clients. And building a leading-class, sustainable data privacy strategy that incorporates customer rights and the ethical use of data that adheres to legal and compliance obligations can achieve just that.

Download report
Is your company ready to transform?
as a printable document

What are the risks and implications for your organization when DPP are not properly managed?

Shortcomings when data privacy and protection are not properly managed

  • Oversharing/processing of personal information
  • Unable to effectively respond to data subject requests or data breach
  • Unable to demonstrate accountability and compliance
  • Good intention but misuse of data
  • Third-party service provider weakness
  • Electronic media loss
  • Website leakage
  • Unwarranted marketing communications
  • Fraudulent transactions
  • Social engineering, including phishing

If not handled properly, mismanaged data could result in…

  • Identity theft, either by a customer or employee
  • A hit to your company’s brand and reputation
  • Direct financial loss
  • A loss of consumer and business partner confidence
  • A loss of market value
  • Litigation or regulatory action
  • Becoming the industry example of what could go wrong

Fortunately these issues can be resolved before they reach catastrophic levels by building a sustaining DPP program to help implement the proper protection measures and comply with the latest regulations.

EY: Privacy program transformation

DPP is not a compliance issue — it’s strategic! By using a four-stage approach — understand, assess, define and implement — we can help you build a sustaining DPP program by integrating privacy-related components into your company’s daily processes that are catered to your organization’s DPP goals.

A sustaining DPP program is built around three main pillars: Governance, Use of Data and Validation. 


DPP workshop

In the workshop our DPP advisors share leading practices, lessons learned, and approach DPP from multiple angles to help you truly understand its impact on your organization and better navigate this complex landscape.

Assessment and roadmap

Our readily available DPP assessments will help you determine gaps between your organization’s current and desired state.

By checking important themes, such as current data processing roles, responsibilities, data leakage procedures, data flows and data usage, we compare the results to common market practices as well as legal obligations.

Privacy by design implementation

By developing a privacy by design methodology, you can effectively incorporate privacy and data protection from the design phase and embed privacy considerations throughout the lifecycle of a project.

We can also help you assess current processes and systems to determine which are at risk from a privacy perspective and determine what considerations should be implemented.

Data flow mapping

Current data mapping activities are often executed with an IT mindset, with focus often placed on specific technical fields, rather than the types of data used by business processes. The identified data streams can be used to respond to the compliance requirements and to set up data protection.

By enforcing the appropriate focus which, combined with the application of data discovery tooling and a strong data governance structure, can significantly raise the effectiveness of the exercise.

Privacy impact assessments (PIA)

PIAs are required in Canada and are of critical importance for the GDPR as Data Protection Impact Assessments. A PIA is a useful tool to embed DPP into the design of all processes and applications that process personal data. Our tool set supports the design and execution of PIAs.

Data Breach Notification & Incident Management

Recent changes to regulations are putting stricter requirements on organizations to ensure they have effective data breach notification and incident management procedures.

We can assist you with the creation of a data breach notification and incident management program that includes processes around how incidents and breaches are reported and assessed, required actions, roles and responsibilities, escalation paths, etc.

Click here for more information.

Privacy Management and Accountability Program

A successful DPP program needs to respond to corporate needs and to be adopted by the entire organization through accountability. An organization’s executives need to be aware of their responsibilities in supporting the privacy program and be held accountable on the compliance supporting actions.

Use of data

Anonymization and pseudonymization to enable data analytics

By analyzing each step in the data analytics process, it can be determined if it’s necessary to make data anonymous, or if you should apply pseudonyms to data tags. Given the flexibility of current data tools, existing data is easily combined with new sources, which could result in unforeseen identification possibilities.Our service can help you prevent any misplaced data enrichment without downsizing the power of data analytics.

Identity & Access Management (IAM)

Implementing DPP starts with giving access to an organization’s private data only to authorized people.

Our experience on DPP and cybersecurity allows us to be able to have a holistic view on defining an IAM program and focus on business enablement thus helping organizations to continuously and efficiently manage system access and mitigate risks to confidentiality, integrity and availability of critical data.

Cross-Board Data Management

Transferring personal data across jurisdictions requires understanding of the different regulations.

We can help you establish mechanisms, such as binding corporate rules, Intra Group Agreements, and monitoring the internal and external transfers of data. In addition, we can align these mechanisms with the supervising authority, formalize a procedure, appoint an accountable person for managing the transfer of data and establish a process/procedure or tools to help move data appropriately across borders.

Data Retention & Records Management

Data should be retained for at least a minimum duration that’s governed by applicable laws, regulations, subject area, and local policies and guidelines.

We develop an overall structure — processes, routines, time frames and system support — for deletion, anonymization or pseudonymization of personal data based on statutory retention periods and internal policies.

Data Leakage Prevention(DLP) and Incident Response

Understanding data flows will help an organization comprehend where data is allocated, when in rest, and when in motion. In any stage of the flow, data can face risk situations.

We can help you identify those risks and define efficient controls to respond to them. These controls can be supported by processes or tools that will prevent, detect or correct events where data leakages happen.


DPP managed services

Our portfolio of DPP managed services has been specifically designed to meet the unique requirements of any organization in a flexible and customized way. Whatever your concerns and priorities are around GDPR compliance, we can help you meet them.

Third Party & Vendor Management

Our vendor management services include due diligence processes to cover third-party activities related to information security, procurement, contracts, DPP and independence.

We use industry-standard security assessments to evaluate inherent and residual risk across DPP and cyber security, compliance and other third-party risk categories such as data classification, data location, and access and data transmission.

Security & Privacy SOC2 Reports

SOC 2 examinations are designed to deal with an organization’s controls relevant to the systems it uses to process users’ data. The resulting report helps users of the data understand the effectiveness of the organization’s controls and how they integrate with controls at the user entity.

Our team examines and reports on system controls set forth in the AICPA’s trust services criteria.

Table Top Exercises

With DPP incidents on the rise and the impact they can have on financial systems, business continuity and crisis management planning with specific cyber incident simulations have never been more important.

EY’s table top exercises include planning, designing and developing a DPP incident simulation for your crisis response team which mimics the impact of a significant attack.

Contact us

EY - Yogen Appalraju

Yogen Appalraju

Partner and Canadian Cybersecurity Leader
+1 416 943 5902
EY - Carlos Perez Chalico

Carlos Perez Chalico

Senior Manager, Data Privacy & Protection
+1 416 943 5338
EY - Nicola Vizioli

Nicola Vizioli

Associate Partner, Data Privacy & Protection
+1 514 879 8046
EY - David Witkowski

David Witkowski

Manager, Employment and Data Privacy & Protection Law
+1 416 932 5841

Thought Leadership

All eyes on PIPEDA, but there’s more on the horizon

The global privacy landscape is undergoing major change. Already, regulations like the European Union’s General Data Protection Regulation (GDPR) are disrupting how companies conduct business, with some regulators even comparing their scope and impact to Sarbanes-Oxley.

Can compliance help you compete?

Taking privacy beyond compliance can be a data strategy enabler.

Easing the burden of data privacy compliance

EU General Data Protection Regulation managed services program strategy

GDPR compliance: how data analytics can help

Can advanced analytics help organizations make the transition to a new era of data privacy and protection?

General Data Protection Regulation (GDPR)

GDPR gives EU residents new, expanded rights over their personal data and there is an opportunity for organizations to take a strategic approach to GDPR.

IAPP-EY Annual Privacy Governance Report 2018

Is it truly possible to create a globally flexible privacy program, ready to take on challenges and create trust around the world? It’s time to find out.