Privacy: Get ready for the GDPR

With the new EU rules on the way, organisations need to reconsider their attitude towards privacy, and quickly, to minimise the risks to balance sheet and reputation, as Chris Eaton of KPMG in Bermuda explains.

Organisations can no longer afford to treat privacy as an afterthought. Cybersecurity and the battle against hackers have long dominated the chief information officer’s agenda, but cybersecurity is not the same as privacy: security controls protect data from unauthorised access, whereas privacy governs what an organisation may lawfully collect and do with personal data in the first place. An organisation can be well secured and still non-compliant. The EU’s new rulebook, the General Data Protection Regulation (GDPR), marks a fundamental shift towards the view that privacy must be at the forefront of organisations’ minds when dealing with consumer data.

Applying from 25 May 2018, the GDPR allows organisations to be fined up to €20 million or 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious breaches of its requirements.

Although the GDPR is perhaps the most comprehensive attempt to define a coherent regulatory framework for privacy, governments around the globe are sharpening their focus on the issue and introducing legislation to offer greater protection to consumers—and harsher penalties for violations.

Bermuda, PIPA and adequacy

Bermuda has introduced the Personal Information Protection Act (PIPA), which received Royal Assent on July 27, 2016 and is due to come into force in the summer of 2018. PIPA was drafted with the intent to enable Bermuda to join the international ‘network of trust’ currently existing between countries with similar levels of informational privacy protection—a concept the EU refers to as ‘adequacy’.

The EU permits third countries to apply for an adequacy finding, which allows the free flow of personal data from the EU without the EU data exporter having to implement any additional safeguards or being subject to further conditions. Once adequacy is secured, transfers to the country in question are treated like intra-EU transmissions of data, providing privileged access to the EU single market while opening up commercial channels for EU operators.

At present, Andorra, Argentina, Canada (for commercial organisations subject to PIPEDA), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay have been found to meet the standard and may receive personal data from EU member states without further safeguards.

How must businesses adapt to survive?

One of the first issues to tackle should be mindset. What may have been accepted, or at least tolerated, in the past should be reviewed in light of the stricter approach that privacy legislation is taking around the globe.

Gaining customer consent by mystifying people with long-winded legal statements and 20-page policy disclaimers is not a sustainable strategy. Transparency should be the guiding principle. Organisations need to understand fully what they want to do with customer data, and where and how they are storing it, and then explain this to customers in clear and simple terms.

Are you privacy ready?

As authorities around the globe sharpen their focus on privacy, many organisations are not ready for what is about to hit them. Fines that were once measured in the tens of thousands for organisations caught mishandling, mis-collecting or misusing customer data could rise to hundreds of millions or even billions. With many industry insiders expecting regulators to flex their newfound muscles early in order to make a point, organisations need to move quickly to understand their obligations.

Seven steps to privacy readiness:

  • Step 1: Educate senior stakeholders so they understand what privacy means for your organisation.
  • Step 2: Understand the level of privacy risk to which your organisation is exposed.
  • Step 3: Understand the expectations of the individuals whose data you process and set a privacy strategy that aligns to this.
  • Step 4: Understand the organisation’s level of privacy maturity and set a clear strategy aligned to your desired target privacy maturity state and your consumers’ ‘creepy line’.
  • Step 5: Develop a robust plan to mitigate your privacy risks and deliver your target state.
  • Step 6: Execute your plan. Introduce sustainable structures to help manage your privacy risks, ensuring compliance but also providing a strong foundation to flexibly leverage personal data to create value for the organisation, your customers and your employees.
  • Step 7: Monitor, maintain and repeat.

How KPMG can help

KPMG member firms’ privacy professionals support clients around the globe in resolving complex privacy issues, from niche challenges specific to certain organisations to end-to-end privacy compliance programmes in complex and highly regulated industries.

The KPMG privacy team has deep experience in helping clients to address the challenges posed by privacy risk, with a structured and flexible approach to meet the needs of diverse organisations. The global reach of KPMG member firms enables them to work effectively across multiple territories at a local level.

Areas where KPMG member firms are frequently engaged

  • Assessment: providing an independent assessment of privacy risk and how to reduce it;
  • Design: designing privacy compliance programmes;
  • Implementation: implementing robust privacy processes, policies and controls;
  • Strategy: developing pragmatic privacy strategies and gaining buy-in from senior management;
  • Operations: providing ongoing support to help clients operate their privacy framework; and
  • Monitoring: helping clients maintain and monitor the performance of their privacy regimes.

Bermuda Re+ILS interviewed Chris Eaton for their spring publication. Chris Eaton is senior manager, advisory at KPMG in Bermuda. He can be contacted at:

© 2019 KPMG, a group of Bermuda limited liability companies which are member firms of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.