General Data Protection Regulations

On 25 May 2018, the GDPR came into force, revolutionising the way personal data are used and handled. Controllers and processors of personal data in Mauritius now need to comply or face penalties. PwC can help.


The EU General Data Protection Regulation (GDPR) took effect on May 25, 2018, creating challenges, and opportunities, for every organisation doing business in the European Union before, during and after the deadline. It requires wide-scale privacy changes in all regulated organisations, and regulators will gain unprecedented powers to impose fines (up to EUR 20 million or 4% of annual turnover).

Nevertheless, the GDPR also represents an opportunity to:

  • transform your approach to privacy,
  • harness the value of your data, and
  • ensure your organisation is fit for the digital economy.

This means getting ready now. Not all organisations will be compliant by May 2018, but GDPR regulators will need to see by then that robust plans are in place.

Personal data protection also plays a pivotal role in Mauritius' digital economy. To meet evolving needs, the Data Protection Act 2017 aims to strengthen the control and personal autonomy of data subjects over their personal data. It also seeks to bring Mauritius' data protection framework into line with international standards, namely the GDPR.

25 May 2018: The Countdown Begins
When the GDPR comes into force, any organisation that processes data about individuals within the European Union (EU) will have to conform to a number of regulations, or risk facing significant penalties.
 
The GDPR is the latest development in data protection legislation in the local business landscape since the Data Protection Act 2017 came into force in early 2018 in Mauritius. It will require wide-scale changes in all regulated organisations, and regulators will gain unprecedented powers to impose fines. Nevertheless, the GDPR also represents an opportunity to:
 
  • transform your approach to privacy,
  • harness the value of your data, and
  • ensure your organisation is fit for the digital economy.

It is essential that organisations are able to demonstrate to regulators that they have robust plans in place to comply.

Video: Stewart Room, Joint Global Head of Data Protection and Global Legal Services leader, PwC UK, discusses the General Data Protection Regulation (GDPR) and its impacts for both entities and citizens.


Questions you should ask yourself

GDPR’s scope and requirements are deep and complex, so prepare for it now to help ensure compliance. The regulation requires a programmatic approach to data protection, so you’ll need a defensible program for compliance and to prove you’re acting appropriately. Ask your organisation these questions:

  1. What is our data footprint in the European Union (e.g., data about employees, consumers and clients)?
  2. Are we prepared to provide evidence of GDPR compliance to EU or US privacy regulators, who may request it on demand?
  3. Do we have visibility of and control over what personal data we collect? How do we use it? With whom do we share it?
  4. Do we have a privacy-by-design program, with Privacy Impact Assessments (PIAs), documentation and escalation paths?
  5. Do we have a tested breach-response plan that meets GDPR’s 72-hour notification requirement?
  6. Have we defined a roadmap for GDPR compliance?
  7. Have we identified a Data Protection Officer (DPO) as required by GDPR?
  8. Have we adopted a cross-border data transfer strategy?

What will change for your organisation?

It puts individuals back in control of their personal data

Consumers, customers, workers and users of public and charitable services have more power to control how their data is used. Controllers and processors of personal data could be required to report on, move or dispose of personal data if requested and they must have the capabilities to do this whenever the laws apply.

The options for using personal data are restricted.

How you use data will be more transparent

The idea of transparency is now considerably strengthened under the GDPR. Article 5 of the GDPR sets out a number of principles with which data controllers must comply when processing data. They must process the data “lawfully, fairly and in a transparent manner in relation to the data subject”.

Organisations will be required to articulate all of the ways personal data is used, and make it clear to individuals what their data is being used for and with whom they have shared it.

Organisations will be subject to higher standards of accountability

Organisations will be required to implement measures to prove their compliance. Such measures include keeping records of processing activities, providing individuals with notice of their rights and employing techniques like pseudonymisation or encryption to ensure the security of personal data.

Additionally, organisations will also have to ensure that data they pass to third parties is handled in a manner compliant with the GDPR. As well as this, some may have to appoint a Data Protection Officer (DPO) and undertake privacy impact assessments.

Fines are getting bigger, and the timelines are getting shorter

The GDPR introduces a tougher enforcement regime and it exposes entities to increased financial liability. Fines for non-compliance can be as severe as 4% of annual turnover or 20m EUR – whichever is higher.

Data subjects’ rights have been strengthened and expanded upon

The data subjects’ rights aim to allow individuals to have control over their personal data and people will also be entitled to sue for compensation if they suffer damage or distress by reason of non-compliance. The regulation retains the existing rights of data subjects and creates new rights for individuals such as the “right to be forgotten” and the “right to data portability”. These rights are complex and it is unclear how these rights will operate in practice.

As data subjects’ rights strengthen, it is important that organisations are aware of what each right means for them and their business.


Where are you on the GDPR journey and how we can help?

Your organisation may be just getting started - or may already have a GDPR programme in place. We believe that the major steps on the way to compliance are as follows: Assess - Design - Transform/Implement - Operate.

PwC has developed a 5-phase transformation approach to support you through the compliance process. Wherever you are on your journey, our Data Protection Team can help you meet the requirements of GDPR, by tailoring industry-specific solutions for your organisation.


Where do you go from here?

You should determine what existing practices need to be changed or what new processes you’ll need to achieve GDPR compliance. Depending on the scope of your business with EU residents, that may include establishing clear (and documented) accountability for compliance, reviewing the context for lawful processing and third-party contracts, and developing policies and protocols to execute on any data deletion request. It also means regularly reviewing your processes to ensure you’re staying compliant. 

 

Tools like PwC’s GDPR Readiness Assessment Tool can provide a top-down assessment to help prioritize your efforts and identify areas which require utmost attention. 
