Breaches. Data subject rights. Data Protection Impact Assessment. Compliance. These are some of the terms under the General Data Protection Regulation (GDPR) that have kept many of us awake at night. Data privacy has become more than ever a top priority, with the average firm spending a total of $3 million as a result of the GDPR. Your organization has analyzed the risks and rewards, completed the numerous steps on the compliance roadmap and should have by now reached compliance. “Way to go!”
Interestingly, by the end of 2018 a mere 44% of GDPR-affected companies were comfortable enough with their efforts so far to claim that they had indeed reached full GDPR compliance. If, reading this statement, you are thinking “I’m quite sure my company is one of the 44%”, you could (and should) start differentiating yourself from the competition in the way you promote your services. The effort and resources you have spent can be turned into your very own business differentiator by actually showcasing your compliance.
Showcasing your GDPR compliance will provide reasonable assurance to not only the Data Protection Authorities but also to your customers that your systems and controls are operating in compliance with the relevant GDPR requirements. This is where we see a competitive advantage for your organization: when given the choice, customers will most likely place their trust, and thus business, in the company that can provide them with relevant and independent assurance on GDPR compliance.
As KPMG privacy practitioners, our ambition is to help you seize that competitive advantage. Through our Attestation Services, we can help your company obtain independent assurance over the reliability and validity of your GDPR program through a GDPR Attestation Report. To this end, we have developed a checklist based on the KPMG Privacy Management Framework. A set of control objectives was created over 12 privacy domains (ranging from Governance to Security to Data Management to Operational Integration) that cover all principles and objectives set out in the GDPR. Combined with our expert knowledge, this allows us not only to provide you with a GDPR Attestation Report but also to give you insights into your Privacy Program, so that you can continue to function accountably in this privacy-focused era and, at the same time, provide your stakeholders with the trust they seek.
What is a GDPR Attestation Report? Similar to an ISO 27001 certification, which proves to your customers your capability of maintaining an effective Information Security Management System, it provides them with assurance regarding how you manage compliance with the GDPR. In other words, a GDPR Attestation Report certifies that the correct control environment has been implemented throughout your organization.
But is that enough? As we have seen in the market, companies are not looking for assurance in just one particular area. Companies want all their compliance efforts to be validated. To meet this expectation, we offer an integration of the GDPR Attestation Report with the other certifications we offer (ISO 27001, SOC 2 and Cybersecurity). This way of reporting allows us to perform the audit more efficiently ("multi-purpose testing"), enabling you to cut costs, reduce the number of audit days and lighten the burden the audit places on your internal resources.
Having a seal of assurance on your internal compliance program, designed around the GDPR, can go a long way toward gaining that trust which will ultimately lead to a growth in sales and an improvement in retention.
Senior Advisor - Technology Advisory
Source: IAPP-EY Annual Privacy Governance Report 2018.