The better the question. The better the answer. The better the world works. У вас есть вопрос? У нас есть ответ. Решая сложные задачи бизнеса, мы улучшаем мир. У вас є запитання? У нас є відповідь. Вирішуючи складні завдання бізнесу, ми змінюємо світ на краще. Meilleure la question, meilleure la réponse. Pour un monde meilleur. 問題越好。答案越好。商業世界越美好。 问题越好。答案越好。商业世界越美好。

General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) will be applicable from May 25th, 2018 and replace the Data Protection Directive (95/46/EC).

The EU General Data Protection Regulation (GDPR) was released by the European Parliament and the European Council in early 2016. GDPR will be applicable from May 25th, 2018 and replace the existing Data Protection Directive (95/46/EC).

GDPR is an omnibus regulation by which the EU intends to strengthen and unify data protection regime thereby enabling EU citizens to have more control over their personal data.

GDPR has introduced stringent regulations and has included new rights such as right to be forgotten, right to data portability etc. for data subjects, this will directly impact data controllers and data processors; non-compliance with which will lead to tough penalties as high as 20 million Euros or 4% of an annual global revenues, whichever is greater.

GDPR applicability to your organization?

GDPR applies globally and companies outside EU will have to comply with the Regulation if they process personal data of EU data subjects in connection with:

  • “Offering of goods or services” (payment is not required); or
  • “Monitoring” their behaviour within the EU.

GDPR Applicability Decision Tree

GDPR Highlights

GDPR increases accountability of data processors and controllers to protect customer information and requires organization to have a holistic approach for implementation and compliance to regulations. Some of the key changes required by GDPR are highlighted below:

  • Expanded scope:
    It increases the accountability net to include data processors as well, earlier it was limited to data controllers
  • The definition of personal data is diversified:
    It now includes identifiers such as genetic, mental, economic, cultural or social identity of a natural person
  • Broadened data subject rights:
    Individuals will have stronger rights over their personal data. The new rights include; The right to be forgotten, The right to data portability, The right to object to profiling, Pseudonymisation and Children and Consent
  • Privacy by design and default:
    The GDPR requires organizations to design policies, procedures and systems that follow PbD principles at the outset of every product or process development.
  • Risk-based approach:
    Organizations must undertake Privacy Impact Assessments when conducting risky or large scale processing of personal data and prepare Data Flow Diagram for its critical processes.
  • Explicit Consent:
    Consumer consent to process data must be freely given and for specific purposes. They also must be informed of their right to withdraw their consent.
  • Accountability of processors:
    The new regulation entails new obligations on data processors. Processors become an officially regulated entity.
  • Obligatory breach notification:
    Organizations must notify supervisory authority of data breaches “without undue delay” or within 72 hours, unless the breach is unlikely to be a risk to individuals. If there is a high risk to individuals, they must also be informed.
  • Hefty fines for violations:
    Organizations that violate the basic processing principles of the GDPR could face a maximum fine equivalent to 4% of the organization’s global annual revenues or 20 million Euros, whichever is higher.
  • Appointment of data protection officer (DPOs):
    DPOs must be appointed if an organization conducts large scale systematic monitoring or processing of large amount of sensitive personal data.

How EY can help?

GDPR forces organizations to take ownership of their information practices, be accountable for all associated privacy risks in the course of doing business and prove the veracity of data protection programs.

To support business stakeholders understand privacy concepts and the impact of GDPR on business lines and functions, we have developed capabilities and solutions that can help organizations to prepare them for GDPR by May 2018.

EY’s unique proposition

  • Integrated advisory and legal competency | EY brings lawyers and advisory professionals, to provide integrated and customized GDPR services. We have 200 Certified Information Privacy Professionals (CIPPs) and Privacy Lawyers over 75 countries worldwide.
  • Comprehensive approach | Five phased approach focusing across three roles of an organization-governance, data controller and processor and delivering data privacy and protection for more than 10 years
  • Automation | Inventorization of personal information, development of data flows and heat maps by leveraging our tools. End to end solution deployment on client tools such as Archer
  • Global insights | Leverage inputs from global GDPR projects across different sectors in various regions of the world especially Europe. EY has worked also worked with European and national regulators in several ways.

EY’s holistic approach tailored to meet GDPR needs

EY’s holistic approach tailored to meet GDPR needs


  • GDPR gap assessments and implementation roadmap: Assess current state of privacy capabilities and develop a roadmap for privacy program


  • Align privacy framework to GDPR: Update your existing privacy policies, procedures and notices to GDPR requirements


  • PII inventory and data flow mapping: The mapping of data flows enhances the successful implementation of data privacy. The identified data streams can be used to determine the requirements for privacy

Plan and rollout

  • Privacy impact assessments: Design privacy threshold questionnaire for organizations to profile IT systems and customer projects
  • Privacy transformation program and sustenance framework: Understand and manage the impact of the GDPR through your organization by using our privacy transformation program methodology
  • GDPR training and awareness: Bring cultural change within the organization through privacy awareness initiatives
  • Vendor risk management: A framework that will help organizations manage and guide data exchange and processing by vendors

Monitor and sustain

  • Ongoing operations and update of the processes, policies, and responsibilities developed during the compliance journey
  • Define and monitor metrics

Client growth stories

Leading ITeS organization – GDPR framework alignment and data mapping

  • Reviewed data privacy framework and associated policy / procedure documents
  • Developed PII inventorization template
  • Undertook PII inventorization for select processes and automated PII process to be undertaken for all processes
  • Prepared data flow diagrams for processes where PII exists
  • Developed training and awareness content for global coverage

International financial organization – GDPR GAP assessment

  • Performed several gap assessments amongst 6 operations with different privacy laws and regulations
  • Organized a workshop with global key stakeholders to determine the desired maturity level of the organization
  • Developed a roadmap and action plan for the client ultimately that the client is prepared for the General Data Protection Regulation. This also included detailed actions cards with concrete steps for the different stakeholders

Frequently asked questions

When will the GDPR come into effect?

The Regulation will come into effect on the 25th May 2018 and will bring in significant changes to current data protection laws as we know them. Any company deemed non-compliance will face hefty fines.

How can I “demonstrate” I am complying with the Regulation?

You will need to update or create suitable policies that set out how you process personal data.

You should also consider other compliance measures, including setting up a clear compliance structure, allocating responsibility for compliance, staff training and audit. It might also involve technical measures, visibility and applying suitable security measures.

Is there a certificate that will be issued to demonstrate compliance?

GDPR is a law and not a global standard, hence a certificate will not be issued.

Who does GDPR apply to?

GDPR applies globally and companies outside EU will have to comply with the Regulation if they process personal data of EU data subjects in connection with:

  • “Offering of goods or services” (payment is not required); or
  • “Monitoring” their behaviour within the EU

What kind of information does the GDPR apply to?

GDPR protects the personal data of EU citizens. ‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’). Example: Name, an identification number, address, an IP address or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Does my business need to appoint a Data Protection Officer (DPO)?

DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37).  If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.

How does the GDPR affect policy surrounding data breaches?

Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA without undue delay or within 72 hours or and to affected individuals without undue delay. 

When can customers/ data subjects access the data which is stored by the company?

Consumers can ask for access at "reasonable intervals", and controllers must generally respond within one month. The GDPR requires that controllers and processors must be transparent about how they collect data. Consumers have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it's stored for, and who gets to see it.

How does GDPR facilitate individuals to ensure privacy?

GDPR makes it considerably easier for individuals to bring private claims against data controllers and processors. According to the Article 77, individuals enjoy the right to lodge a complaint with a supervisory authority.

What does ‘privacy by design’ mean?

Data protection must be a key consideration when designing data systems, rather than an addition. This principle also ensures that wherever consent from the individual is required for data to be processed, their consent cannot be assumed and must be given actively.

Are data flow diagrams mandatory under GDPR?

Data flow diagrams are mandatory as they are used to identify the data streams which are helpful in determining the requirements for GDPR that the organizations must comply with.

How does consent in GDPR differ from its predecessor, 'Data Protection Directive (DPD)’?

GDPR mentions "unambiguous" consent and spells out in detail what constitutes a valid consent. Demonstration of valid consent is an important obligation of the controller. Further, the GDPR also explains situations in which child's consent will be valid. Such provisions are absent in DPD.

What does it mean by “consent” in the context of GDPR?

A data subject has many more rights about how you provide personal information, how it's used and for how long it lives. Instead of just ticking a box saying, "Yes, I'm happy to be contacted for marketing material or by third parties," data subjects must now say, " I want to be contacted by email only," or by phone, etc. Much more granular consent can be given, and the ways in which that data may be used or shared are more explicit.

What happens if a consumer withdraws consent?

It is likely that the controller will have to stop processing that individual’s personal data, although in some cases controller may be able to rely on an alternative processing condition. Withdrawal of consent may also give the individual the right to be forgotten, i.e. have their data erased. However, it does not affect the lawfulness of any processing that takes place prior to that withdrawal.

Contact us

Vidur Gupta

Partner, Cyber Security

Jaspreet Singh

Partner, Cyber Security