EU General Data Protection Regulation: Are you ready?

Contents
What do you need to know about the new EU General Data Protection Regulation?
Are organisations ready for the EU General Data Protection Regulation?
How can you prepare for the EU General Data Protection Regulation?
How we can help you get ready
Example outputs
Contacts
What do you need to know about the new EU General Data Protection Regulation?

Data protection has entered a period of unprecedented change. This has been driven by:

1. An increasing number of high profile data breaches reported in the media that has led consumers and regulators to be concerned about how personal data is managed
2. The demise of Safe Harbor
3. The new EU General Data Protection Regulation (GDPR) – a landmark moment in data protection

On December 17, 2015, after more than three years of tough negotiations and several draft versions of the GDPR, an informal agreement has been reached between the European Parliament and Council of the European Union. The GDPR is a game changer for organisations. The final draft has been backed by the Committee on Civil Liberties, Justice and Home Affairs. It introduces more stringent and prescriptive data protection compliance challenges, backed by fines of up to 4% of global annual revenue. The Regulation will replace Directive 95/46/EC, which has been the basis of European data protection law since it was introduced in 1995. When the GDPR is officially adopted later this year it will apply in EU Member States without further consultation after a period of two years.

The Regulation will have a significant impact on businesses in all industry sectors, bringing with it both positive and negative changes for business in terms of cost and effort. Organisations are likely to welcome the harmonisation of laws across the 28 member states, which will make the complex data protection landscape easier to navigate for multinational organisations. The introduction of new rights for individuals, such as the Right to be Forgotten and the Right to Portability, as well as the introduction of mandatory breach notification, are likely to increase the regulatory burden for organisations. Businesses need to review their current data protection compliance programmes to determine next steps and decide on the level of investment they need to make over the next two years to address the changes.

Organisations need to act now to ensure that they are ready to comply with the new Regulation when it comes into force in the spring of 2018.

Key changes proposed by the EU GDPR

Fines of up to 4% of annual worldwide turnover
Fines for a breach of the GDPR are substantial. Regulators can impose fines of up to:
• 4% of total annual worldwide turnover or €20,000,000, whichever is higher

Expanded scope
Applies to all data controllers and processors established in the EU, and to organisations outside the EU that target individuals in the EU (regardless of their nationality)

Data Protection Officers (DPOs)
DPOs must be appointed if an organisation conducts large scale systematic monitoring or processes large amounts of sensitive personal data

Accountability
Organisations must prove they are accountable by:
• Establishing a culture of monitoring, reviewing and assessing data processing procedures
• Minimising data processing and retention of data
• Building in safeguards to data processing activities
• Documenting data processing policies, procedures and operations, which must be made available to the data protection supervisory authority on request

Privacy Impact Assessments
Organisations must undertake Privacy Impact Assessments when conducting risky or large scale processing of personal data

Consent
• Consumer consent to process data must be freely given and for specific purposes
• Customers must be informed of their right to withdraw their consent
• Consent must be 'explicit' in the case of sensitive personal data or transborder data flow

Mandatory breach notification
• Organisations must notify the supervisory authority of data breaches 'without undue delay' and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals
• If there is a high risk to individuals, those individuals must be informed as well

New rights
• The right to be forgotten – the right to ask data controllers to erase all personal data without undue delay in certain circumstances
• The right to data portability – where individuals have provided personal data to a service provider, they can require the provider to 'port' the data to another provider, provided this is technically feasible
• The right to object to profiling – the right not to be subject to a decision based solely on automated processing

Privacy by Design
• Organisations should design data protection into the development of business processes and new systems
• Privacy settings are set at a high level by default

Obligations on processors
New obligations on data processors – processors become an officially regulated entity

Are organisations ready for the EU General Data Protection Regulation?

Organisations will have two years to prepare for the GDPR in the transition period between the old Directive and the new Regulation. Now is the time to take action.

Ask yourself these key questions:

Expanded scope: Are you a data processor or a data controller processing personal data inside the EU, or processing the personal data of individuals in the EU?
Data Protection Officers: Do you conduct large scale systematic monitoring (including of employee data) or process large amounts of sensitive personal data?
Accountability: Do you have a data protection programme, and are you able to provide evidence of how you comply with the requirements of the EU GDPR?
Mandatory Breach Notification: Would you be able to notify a data protection supervisory authority of a data breach within 72 hours?
Privacy by Design: Do you design data protection and privacy requirements into the development of your business processes and new systems?
New rights: Do you know how you will comply with the new rights: the 'right to be forgotten', the 'right to data portability' and the 'right to object to profiling'?

Findings from the joint IAPP-EY Annual Privacy Governance Report 2015 and the EY Global Information Security Survey 2015 both indicated that organisations still need to increase their investment in data protection. Organisations will need to increase their focus on data protection compliance given the stringent requirements of the GDPR and the potential fines, which can be up to 4% of an organisation's global annual turnover.

Both reports identified that data protection is not yet a high priority:

• 67% of organisations interviewed for the IAPP-EY Annual Privacy Governance Report 2015 said that regulatory and legal compliance was one of their top reasons for investing in privacy
• 63% of respondents from the IAPP-EY Annual Privacy Governance Report highlighted that their privacy maturity was only at early or middle stages of maturity
• 31% of organisations are planning to increase the number of employees dedicated to their privacy programmes and increase privacy budgets in the coming year

[Chart: Where is the privacy maturity process in your company? Values as recovered from the chart: Early stage 19%, Middle stage 44%, Mature stage 37%]
[Chart: In the coming year, the number of employees dedicated to privacy is expected to: Increase 31%, Stay the same 60%, Decrease 3%, No way to tell 6%]
[Chart: In the next 12 months, the privacy budget will: Increase 31%, Stay the same 49%, Decrease 13%, No way to tell 6%]
Mean number of years for the duration of a privacy programme = 7

Privacy programme priorities (% ranking each in top two):
• Regulatory and legal compliance: 67%
• Safeguarding data against attacks and threats: 44%
• Increasing consumer trust: 32%
• Marketplace reputation and brand: 28%
• Ethical decision-making concerning use of data: 18%
• Ensuring business partner compliance: 17%
• Maintaining or enhancing the value of information: 10%
• Increasing employee trust: 9%
Source: The IAPP-EY Annual Privacy Governance Report 2015



How can you prepare for the EU General Data Protection Regulation?

To prepare for the new EU GDPR, organisations will need to have a clear understanding of their current compliance position.

An important first step will be for organisations to have clarity of their personal data processing, including:
► What personal data they process
► Where it is across their organisation
► Where it is transferred from and to (including to third parties and cross-border)
► How it is secured throughout its lifecycle.

With an understanding of their compliance gaps, organisations will be in a position to assess their personal data risks and develop prioritised remediation plans.

EY is helping clients address these challenges with the following solutions:

GDPR Readiness Assessment: workshops and 1:1 meeting to establish key GDPR gaps
GDPR '360 Degree' Assessment: detailed assessment of maturity and compliance with the GDPR
Privacy Impact Assessments (PIA): assessments of privacy risk across new systems or projects
Legal advice and support
'Know your personal data': identify where personal data is across your network and create a personal data inventory using tooling, e.g., the Exonar Raven tool
Data protection improvement programme: holistic programme to achieve compliance with the GDPR

GDPR Readiness Assessment
How do we do it? Workshops and 1:1 meeting using our Readiness Assessment tool to walk through your current compliance with the new GDPR and identify significant gaps and remediation required.
What do you get? A targeted and quick assessment of your compliance with the GDPR, providing a dashboard showing your readiness to comply with each of the key GDPR requirements.

GDPR '360 Degree' Assessment
How do we do it? Detailed questionnaires, interviews and workshops to understand your GDPR compliance position.
What do you get? A detailed assessment showing your maturity against the GDPR requirements, your key gaps and risks, and a remediation roadmap.

Privacy Impact Assessments (PIA)
How do we do it? Design of a tailored PIA template. Interviews with system/project owners and review of designs and documentation to assess the risks of harm to individuals through the misuse of their personal information.
What do you get? A detailed assessment of your systems or projects identifying key privacy risks and the remediation required to produce compliant methods for handling personal information.

'Know your personal data' – data inventory
How do we do it? Use the Exonar Raven platform to scan an agreed sample of your network and interrogate the contents of documents to understand what personal data you have in your organisation and where it is.
What do you get? A personal data inventory, dashboard and a data map of the data analysed, enabling you to have a clear picture of the personal data you use across your organisation.

Data protection improvement programme
How do we do it? A programme of interlinked activities to develop your privacy framework and improve your maturity and compliance with the GDPR.
What do you get? Development and implementation of a robust data protection framework, remediating your GDPR compliance gaps.

Legal advice and support
How do we do it? Global network of lawyers with cross border expertise, on hand to provide tailored legal advice and solutions.
What do you get? Legal advice tailored to the needs of your organisation.
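The 'Know your personal data' service described above, both in the solution summary and in the data-inventory box, rests on one technique: interrogate the contents of documents for personal data, then aggregate the hits into an inventory of which systems hold which categories of data and where data sits that should not be there. The following Python is an added illustration of that idea written for this edit; it is not the brochure's own material and not the logic of the Exonar Raven tool. The detector patterns, the category names, the choice of which categories count as HR data, the list of 'public' locations and the sample documents are all constructed assumptions for the example.

```python
"""Toy personal-data discovery scan: builds an inventory and data map of
where personal data sits and flags HR data found in locations where it
should not be. Added example; not the Exonar Raven tool or EY's method."""
import re
from collections import Counter, defaultdict

# Illustrative detectors (assumption): one regex per category of personal
# data. A production scanner needs many more patterns plus validation
# (check digits, context words) to keep false positives manageable.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_phone": re.compile(
        r"(?:\+44\s?\d{2,4}|\b0\d{2,4})[\s-]?\d{3,4}[\s-]?\d{3,4}\b"),
    "uk_ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "salary": re.compile(r"\bsalary\b[^.\n]*?£\s?\d[\d,]*", re.IGNORECASE),
}

# Categories treated as sensitive HR data, and the systems where HR data
# must never appear (both are assumptions for the example).
HR_CATEGORIES = {"uk_ni_number", "salary"}
PUBLIC_LOCATIONS = {"webserver"}

# Constructed sample corpus: (system, path, document text). Every name,
# number and path here is made up for the example.
SAMPLE_DOCUMENTS = [
    ("crm", "D:/crm/accounts/acme.txt",
     "Account contact: jane.doe@example.com, tel +44 20 7946 0123."),
    ("crm", "D:/crm/accounts/globex.txt",
     "Renewal notes only. No contact details recorded."),
    ("hr", "D:/hr/staff/0042.txt",
     "Employee AB123456C, salary £45,000, home phone 020 7946 0999."),
    ("webserver", "D:/inetpub/wwwroot/uploads/export.txt",
     "Payroll extract: AB123456C salary £45,000; CE654321A salary £52,500."),
    ("marketing", "D:/marketing/list.txt",
     "newsletter@example.org; bob.smith@example.com"),
]


def scan_document(text):
    """Return {category: number of matches} for the categories found in text."""
    found = {}
    for category, pattern in DETECTORS.items():
        count = len(pattern.findall(text))
        if count:
            found[category] = count
    return found


def build_inventory(documents):
    """Scan every document and aggregate the results into:
    by_system    - documents containing personal data, per system
    by_category  - total matches per category of personal data
    data_map     - which systems hold each category (the 'data map')
    misplaced    - (system, path, categories) where HR data sits in a
                   public location
    """
    by_system = Counter()
    by_category = Counter()
    data_map = defaultdict(set)
    misplaced = []
    for system, path, text in documents:
        found = scan_document(text)
        if not found:
            continue
        by_system[system] += 1
        for category, count in found.items():
            by_category[category] += count
            data_map[category].add(system)
        hr_hits = HR_CATEGORIES.intersection(found)
        if hr_hits and system in PUBLIC_LOCATIONS:
            misplaced.append((system, path, sorted(hr_hits)))
    return {
        "by_system": dict(by_system),
        "by_category": dict(by_category),
        "data_map": {cat: sorted(systems) for cat, systems in data_map.items()},
        "misplaced": misplaced,
    }


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_DOCUMENTS)
    print("Documents with personal data, by system:", inventory["by_system"])
    print("Matches by category:", inventory["by_category"])
    print("Data map (category -> systems):", inventory["data_map"])
    for system, path, cats in inventory["misplaced"]:
        print(f"HR data in wrong place: {path} on {system} ({', '.join(cats)})")
```

The scan is deliberately run over an explicit list of documents rather than a whole filesystem, mirroring the 'agreed sample' the brochure describes: scope the sample with the data owners first, because the scan itself reads the personal data it is looking for. Regex hits are leads, not findings; a reviewer still has to confirm each flagged location before it goes into the inventory or the 'wrong place' report.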

How we can help you get ready

Solution: GDPR Targeted Assessment
Overview: High level assessment of data protection maturity
Service provided:
► Targeted assessment gauging readiness for the new requirements of the GDPR
Timescales: 1 day

Solution: GDPR '360 Degree' Assessment
Overview: Detailed assessment of data protection maturity; compliance requirements; risk assessments
Service provided:
► Risk assessment and maturity evaluation based on industry framework and the EU General Data Protection Regulation
► Recommendations and roadmap for remediation
► Product and process-specific risks
Timescales: 2-4 weeks depending on the size and complexity of the organisation

Solution: Privacy Impact Assessment
Overview: Customised Privacy Impact Assessment
Service provided:
► Assessment of your systems or projects identifying key data protection risks
Timescales: 1-2 weeks depending on the size and complexity of the project or systems that need to be analysed

Solution: 'Know your personal data' – data inventory
Overview: Personal information inventory; personal information flow documentation
Service provided:
► Use of the Exonar Raven tool to identify and document a sample of the personal data you have in your organisation, where it is, where it is transferred from/to and who has access to it
► Process or system specific personal information flow diagrams and documentation
Timescales: 2-12 weeks depending on the size and complexity of the organisation

Solution: Data protection improvement programme
Overview: Programme design; programme implementation; compliance and monitoring solutions; ongoing programme support
Service provided:
► Design and delivery of data protection improvement programmes, including the development and implementation of:
  ► Data protection frameworks
  ► Privacy governance and organisation design
  ► Policy and procedures
  ► Training and awareness
  ► Incident management
  ► Third party management
  ► Risk management
  ► Procedures and controls
  ► Information security controls
  ► Binding Corporate Rules programme compliance
► Ongoing compliance and monitoring
Timescales: 3-24 months depending on the maturity and size of the organisation

Solution: Legal Support
Overview: Legal analysis; drafting of legal documents
Service provided:
► Legal analysis of compliance with data protection legislation
► Drafting and advising on compliance programmes and policies
► Assessment of any non-compliance and suggestions of remedial action
► Drafting of data controller and data processor agreements
► Drafting of Binding Corporate Rules
Timescales: Assessed on a case by case basis, depending upon scope

Example outputs
We can work with organisations to enhance their understanding of their compliance position and maturity level. Below are some examples of the types of work products we have previously produced on data protection engagements:

[Figure: maturity radar chart plotting Current Maturity, Desired Maturity and Average Current Maturity on a 1-5 scale across ten areas: Governance, Policies, Compliance Control, Procedures and Controls, Incident Management, Information Security, Risk Management, Third Party Management, Inventory, Training and Awareness]

[Figure: GeoLocation of SPI/PII Data Outside the UK (1)]

EY's risk map

[Figure: risk map plotting risk (low to high) against maturity (Level 4 to Level 1). Circles: 1. Third party management; 2. Training and awareness; 3. Risk management; 4. Policy; 5. Data leakage; 6. Treating customers fairly; 7. Incident management. Sectors: A. Higher risk, lower maturity; B. Higher risk, higher maturity; C. Lower risk, lower maturity; D. Lower risk, higher maturity]

Organisations face many challenges preparing for the EU GDPR over the next couple of years. It is important that they understand their current state and the steps necessary to move towards compliance with the EU GDPR.

[Figure: SPI/PII by Application System (1). Total documents per system (Complaints Management, CRM, Customer Service, Data Warehouse, Marketing, Website, Email), with bar values of 76,432; 64,521; 35,236; 34,561; 34,562; 20,123 and 12,423]

[Figure: HR Data Located in Wrong Place (1). Locations shown: Web Server, Public Server (D://inetpub), Internal, D://EXP and D://www]

1 Images from Exonar Raven

Contacts
If you would like to discuss any of the issues raised in this brochure then please get in touch.

Chris Gould
Partner, Cyber Security and Resilience
Tel: +44 20 7951 0086
Mobile: +44 7831 136 995
Email: [email protected]

Nicola Hermansson
Director, UK&I Data Protection Leader
Tel: +44 20 7951 8332
Mobile: +44 7795 828 811
Email: [email protected]

Louisa Elder
Director, Head of IP and Data for Law
Tel: +44 20 7197 7929
Mobile: +44 7714 204 208
Email: [email protected]

EU General Data Protection Regulation: Get ready, the clock is ticking
EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP

The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with registered number OC300001 and is a member firm of Ernst & Young Global Limited.

Ernst & Young LLP, 1 More London Place, London, SE1 2AF.

© 2016 Ernst & Young LLP. Published in the UK.
All Rights Reserved.

ED None

1411555.indd (UK) 03/16. Artwork by Creative Services Group Design.

In line with EY's commitment to minimise its impact on the environment, this document has been printed on paper with a high recycled content.

Information in this publication is intended to provide only a general outline of the subjects covered. It should neither be regarded as comprehensive nor sufficient for making decisions, nor should it be used in place of professional advice. Ernst & Young LLP accepts no responsibility for any loss arising from any action taken or not taken by anyone using this material.

ey.com/uk
