Download PDF - 8 MB
Meet our PwC UK multi-disciplinary Data Protection team
Meet our multi-disciplinary team of experts who can support you with GDPR programmes on a global scale, including legal services
If you are an organisation processing personal data in Europe; or you are targeting Europe goods and services; or you are monitoring the activities of European citizens online, you will need to comply with GDPR.
The GDPR was the largest development to data protection legislation since the European Data Protection Directive in 1995. It requires wide-scale privacy changes in all regulated organisations, and regulators have gained unprecedented powers to impose fines. Nevertheless, the GDPR also represents an opportunity to:
It is essential that organisations are able to demonstrate to regulators that they have robust plans in place to comply.
Consumers, customers, workers and users of public and charitable services have more power to control how their data is used. Controllers and processors of personal data could be required to report on, move or dispose of personal data if requested and they must have the capabilities to do this whenever the laws apply. The options for using personal data is restricted.
The idea of transparency is now considerably strengthened under the GDPR. Article 5 of the GDPR sets out a number of principles with which data controllers must comply when processing data. They must process the data “lawfully, fairly and in a transparent manner in relation to the data subject”. Organisations will be required to articulate all of the ways personal data is used, and make it clear to individuals what their data is being used for and with whom they have shared it.
Organisations will be required to implement measures to prove their compliance. Such measures include keeping records of processing activities, providing individuals with notice of their rights and employing techniques like pseudonymisation or encryption to ensure the security of personal data. Additionally, organisations will also have to ensure that data they pass to third parties is handled in a manner compliant with the GDPR. As well as this, some may have to appoint a Data Protection Officer (DPO) and undertake privacy impact assessments.
The GDPR introduces a tougher enforcement regime and it exposes entities to increased financial liability. Fines for non-compliance can be as severe as 4% of annual turnover or 20m EUR – whichever is higher.
The data subjects’ rights aim to allow individuals to have control over their personal data and people will also be entitled to sue for compensation if they suffer damage or distress by reason of non-compliance. The regulation retains the existing rights of data subjects and creates new rights for individuals such as the “right to be forgotten” and the “right to data portability”. These rights are complex and it is unclear how these rights will operate in practice. As data subjects’ rights strengthen, it is important that organisations are aware of what each right means for them and their business.
The regulatory imperative of GDPR creates some very specific issues. These changes include
Under the right to erasure/to be forgotten individuals will have the right to ask organisations to delete their personal data in certain circumstances.
In certain circumstances, individuals can request to transfer their personal data from your organisation to a third party. The transferred data must be sent in a structured, machine-readable format to the third party, so organisations should begin thinking about technical implications of data portability.
If you have a data breach you will have 72 hours to report it. Fines for non-compliance of the GDPR could be up to 2% global annual turnover.
Download PDF - 8 MB
Meet our multi-disciplinary team of experts who can support you with GDPR programmes on a global scale, including legal services
Download PDF - 3 MB
The GDPR has introduced new compliance requirements for organisations that process personal data, including new, more expansive rules on the content of written contracts between controllers and processors. See how our GDPR bulk data processor contract analysis and remediation service can support you in addressing this...
Download PDF - 975 KB
These client breakfast seminars take place every month and aim to equip you with the information you need to prepare for the GDPR in May 2018. The bootcamps are free of charge and relevant for anyone with responsibility for the GDPR within their organisation.
Download PDF - 2 MB
Our Readiness Assessment Tool can help you assess your current state of data privacy and your readiness for the GDPR.
Download PDF - 2 MB
Find out how we can help you understand if your GDPR programme is on the right track to deliver real risk reduction, meaningful and measurable operational change along with the necessary compliance obligations in time for May 2018.
Download PDF - 3 MB
This paper introduces a new perspective on the impending General Data Protection Regulation (GDPR), arguing that we should not simply view the legislation through a privacy and security lens, but also as a catalyst for improved business operations and innovation.
