Cyber & Privacy

Breach of the General Data Protection Regulation (GDPR) can incur administrative fines of up to 20 million euros or up to four percent of total worldwide annual turnover, or suspension of your personal data processing activities

GDPR: Are you at risk of non-compliance?

On 25 May 2018, the General Data Protection Regulation (GDPR) came into force. With even more regulations, such as e-privacy rules and personal data protection for EU institutions, on the way, it’s clear that the use and handling of personal data is being transformed.

Are your organisation’s actions aligned with the GDPR?

Citizens have more control than ever over how their personal data is used. All organisations that process the personal data of individuals within the EU need to adhere to the new regulations to be compliant.

Find out how PwC can help


What does GDPR mean for my organisation?

If you’re an organisation processing personal data in Europe, targeting clients in Europe or monitoring the activities of European citizens online, you need to comply with the GDPR.

The GDPR is the largest development in data protection legislation since the European Data Protection Directive of 1995. Although the underlying principles of the Organisation for Economic Co-operation and Development (OECD) guidelines from 1980 remain applicable, the GDPR requires wide-scale changes to how those principles are implemented in all organisations.

Regulators will now have unprecedented power to enforce the regulation, including imposing fines and suspending personal data processing.

Regulatory issues aside, the GDPR also presents the following opportunities:

  • Harness the value of your data

  • Establish trust with your clients and stakeholders

  • Ensure your organisation’s strategy is fit for the digital economy


What’s the risk of non-compliance with the GDPR? In case of a breach of the GDPR, the data protection authorities can either impose a temporary suspension of your ability to process personal data, or fines amounting to 20,000,000 euros or four percent of global consolidated revenue, whichever is higher.

What has changed with the introduction of the GDPR?

Organisations are required to implement a number of technical and organisational measures to protect the rights and freedoms of data subjects. This means that a privacy compliance framework needs to be put in place that’s tailored to your data processing profile and the associated risk for data subjects.

Such technical and organisational measures can include keeping records of processing activities, providing individuals with notice of their rights and employing techniques like pseudonymisation or encryption to ensure security of personal data. Additionally, you need to ensure that data you pass to third parties is handled in a manner compliant with GDPR.

Your organisation must be able to demonstrate compliance with the GDPR and that the technical and organisational measures have been designed and are operating effectively in accordance with the potential risk for data subjects. The data subjects’ rights aim to allow individuals to have control over their personal data.

Data subjects are also entitled to sue for compensation if they suffer damage or distress by reason of non-compliance.

Privacy compliance framework

There are ten major changes with the introduction of the GDPR that must be taken into account when building a privacy compliance framework:

Appointment of an independent Data Protection Officer (DPO)

If the core activities of your organisation involve the processing of sensitive personal data, or processing that requires regular and systematic monitoring on a large scale, a DPO needs to be appointed. The DPO is responsible for monitoring your GDPR compliance and acts as the point of contact for the Data Protection Authorities and stakeholders.

Data Protection Impact Assessment (DPIA)

A DPIA needs to be executed and documented when implementing new technologies or in the event that processing could result in an increased risk to the rights and freedoms of data subjects.

Privacy by default and design

Processing of personal data needs to be limited as far as possible, and privacy risk needs to be reduced as far as possible. This means that your products, services, systems and daily working practices need to be designed with privacy in mind.

Notification of a personal data breach

If a breach of personal data is likely to result in a risk to the rights and freedoms of data subjects, it must be reported to the competent Data Protection Authority within 72 hours. Communication with the data subjects might also be required.

Profiling gets tougher

Data subjects have the right to not be subject to a decision based solely on automated processing and may request human intervention, unless explicit consent or a legal basis is present. This restriction includes profiling.

Better quality consent

The GDPR brings clarity on the lawfulness of data processing. You need to establish a clear legal basis that forms the grounds for data processing. Such legal grounds can be explicit consent, a contract, the protection of vital, public or legitimate interests, or a particular legal obligation to keep personal data.

Right to be forgotten

Data subjects have the right to request deletion of personal data if it’s no longer needed to serve its original purpose, or if a legal basis to store the data is no longer in place.

Right to data portability

Data subjects can request to transfer an overview of their personal data to another organisation in an easily accessible format.

Right to object

Data subjects can object to the processing of their personal data unless a legal basis is in place.

Right to rectification

Data subjects have the right to obtain rectification of inaccurate personal data.

Contact us

Koen Maris

Assurance Partner, Cyber, Privacy & Resilience, PwC Belgium

Tel: +352 49 48 48 2096