Mark Thompson, global privacy lead at KPMG, comments on the implementation of General Data Protection Regulation (GDPR) and what businesses need to do to get ready
Mark Thompson said:
“With implementation day upon us, many organisations are still scratching their heads as to what they need to do. The reality is that early on we can expect a few high profile examples will be made of non-compliant businesses, but perhaps not the tsunami some foresee. Though, all is not lost; businesses need to realise that even if they miss the 25th May deadline, they still have a chance to get their house in order for the long term.”
Mark offers the following practical tips to help businesses with their privacy needs and GDPR compliance.
1. Raise awareness at board level – the board needs to understand the implications of the GDPR and needs to be bought in to making enhancements. This should result in funding being made available to undertake a privacy improvement programme.
2. Understand current state and set desired outcome – conduct a gap analysis against the GDPR to understand where your organisation is exposed to risk and determine what the risk appetite is.
3. Plan and implement – create a detailed plan to enable the desired risk appetite to be reached and undertake a privacy improvement programme to deliver against this plan.
4. Don’t rush into major technology investments – it’s tempting to believe that GDPR software solutions can ensure full compliance, but the reality is that, without a clear privacy strategy and a documented roadmap, they may simply add more complexity, at considerable cost. Before considering which solutions to invest in, you must first get the basics right, starting with strong governance. Once a simpler, streamlined set of processes and roles is in place, then seek appropriate applications that meet those needs and help automate repeatable processes.
5. Be prepared for questions – privacy is a hot topic and only likely to get hotter. Reputational damage, whether as a result of breaches or of unethical activity, can be immense, and there is a small but growing community of journalists and other stakeholders who are eager to ask difficult questions. The answer is to be media ready at all times, with a well-briefed communications team and a senior, credible, privacy-aware spokesperson or spokespeople. When dealing with customers, it’s vital that all staff are fully trained and able to anticipate questions. It only takes one poor or uninformed response, especially where a customer has a good understanding of his or her rights, to create a negative experience, as well as an investigation.
For media enquiries, please contact:
Nahidur Rahman, KPMG corporate communications
T: +44 (0) 20 7694 8812
M: +44 (0)73 9376 0775
Follow us on Twitter: @kpmguk
KPMG Press Office: +44 (0)207 694 8773
Notes to Editors:
KPMG LLP, a UK limited liability partnership, operates from 22 offices across the UK with approximately 14,500 partners and staff. The UK firm recorded a revenue of £2.2 billion in the year ended 30 September 2017. KPMG is a global network of professional firms providing Audit, Tax, and Advisory services. It operates in 154 countries and territories and has 200,000 people working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. Each KPMG firm is a legally distinct and separate entity and describes itself as such.
© 2020 KPMG LLP, a UK limited liability partnership, and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.
KPMG International Cooperative (“KPMG International”) is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.