In 2016 the EU adopted the General Data Protection Regulation (GDPR), replacing the 1995 Data Protection Directive. The European Commission has said that 90% of Europeans say they want the same data protection across the EU, regardless of where their data is processed. The reform of EU data protection rules means that people have more control over their personal data and businesses benefit from a level playing field.
These changes, which came into effect in May 2018, reflect an increased focus by the European Commission on data protection. The GDPR means one set of rules for all companies operating in the EU, wherever they are based. The following steps outline some of the key areas you should consider to help you prepare for the road ahead.
It's not enough to say that you are GDPR compliant. You must be able to prove it. The Accountability principle makes businesses responsible for demonstrating compliance with the GDPR. Businesses must have confidence in their Data Protection Strategy in order to be able to demonstrate Accountability.
Do your data and privacy processes demonstrate accountability?
KPMG's Privacy Management Framework addresses the GDPR articles by design. It covers the twelve main categories covered by the data protection regulations and analyses your control framework.
Following this enables you to adopt a risk based and pragmatic approach to achieve your goals.
Breach notifications are now mandatory in all member states where a data breach is likely to "result in a risk for the rights and freedoms of individuals". Data controllers are required to report breaches to the relevant supervisory authority, where the breach presents a risk to the affected individuals.
Data processors are also required to notify their customers, the controllers, "without undue delay" after first becoming aware of a data breach. A loss of personal data can cause severe reputational damage, potentially leading to a loss of customer trust.
What should you consider?
Are you able to detect, investigate, report and document any breaches? KPMG experts have developed breach management solutions to manage, report and minimise the impact of data breaches.
The GDPR makes it necessary for businesses to maintain a record of all processing of personal data. Businesses must record how and what types of personal data are captured, stored and processed.
How can KPMG support you?
KPMG can support the creation and management of records of personal data processing activities. Our teams work with businesses to create consolidated Personal Data Registers. Personal Data Registers should be created and maintained for every business to effectively manage personal data and can be used to demonstrate GDPR compliance.