Is your organisation prepared for the General Data Protection Regulation (GDPR)? Read Tom and Chris' thoughts on GDPR.
New rules governing data protection come into effect on May 25, 2018 with the implementation ofthe General Data Protection Regulation (GDPR) by European Privacy regulators. This represents the biggest change in regulations relating to data protection in more than 20 years. Bermuda is following suit with the introduction of the Personal Information Protection Act, PIPA, which received Royal Assenton July 27, 2016 and is due to come into force in late 2018. Regulators have made it very clear that they intend to enforce the new rules with fines and penalties for non-compliance. For the GDPR, it could mean potential fines to corporations of up to 4 percent of annual global revenues.
In an age when personal information is a key advantage and a business driver, getting your privacy strategy right can give you a competitive edge.
Perhaps the most important mind-shift relates to perceptions of ownership of personal data that companies collect. In this new world, according to the European Union, personal data still effectively belongs to the person it identifies. A core value of the GDPR for example is that: “Natural persons should have control over their own personal data” and that person has the right to control how it is processed.
How can you turn GDPR & PIPA into an advantage?
It starts with recognising that personal information is one of your organisation’s most valuable assets.
Managing this data requires a careful strategy to ensure that it’s reliable, that customers understand what you are doing with their personal information and, where required, that you have obtained their consent. This will ensure the insights it delivers are actionable, and reduces the risk that organisations won’t be perceived as intrusive as customers see more targeted offers for products, pricing or services.
Since the impacts of the new privacy regulations are universal for organisations regardless of industry sector or geography, the following five-step approach is recommended. These steps could be used specifically for the purposes of the GDPR or as a broader privacy strategy approach to cater to PIPA.
The KPMG privacy team has deep experience in helping clients to address the challenges posed by privacy risk, with a structured and flexible approach to meet the needs of diverse organisations. We support clients around the globe in resolving complex privacy issues, from niche challenges specific to certain organisations to end-to-end privacy compliance programmes in complex and highly-regulated industries.
About Tom Kelly: Tom is a Managing Director with KPMG in Bermuda. For more than 20 years, he has provided audit and advisory services primarily to insurance and reinsurance companies. This has included risk management, regulatory advice, IT architecture and cyber security maturity assessments.
About Chris Eaton: Chris is a Senior Manager with KPMG in Bermuda. He holds the CIPP/E qualification from the International Association of Privacy Professionals and is the Cyber Security Lead for the KPMG Islands Group. Chris joined KPMG in 2014 and is a Senior Manager and the Service Line Lead for IT Advisory in Bermuda. He has been principally involved in providing Information Protection, Attestation andIT Risk Consulting to a wide variety of clients including SEC registrants and large public and non-public entities.
© 2019 KPMG, a group of Bermuda limited liability companies which are member firms of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
KPMG International Cooperative (“KPMG International”) is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.