The EU's data protection laws have long been regarded as the gold standard in the protection of personal data. Over the last 25 years, technology has transformed our lives in ways nobody could have imagined, so a review of the rules was needed. Following four years of discussion and debate, in 2016, the EU adopted the General Data Protection Regulation (GDPR), one of its greatest achievements in recent years. It replaces the 1995 Data Protection Directive, which was adopted at a time when the internet was in its infancy.
The most significant change to the rules governing data protection comes into effect in May 2018, carrying fines of up to 4% of global turnover or €20 million, whichever is higher, for businesses that do not comply. The GDPR, in conjunction with the EU Commission's data protection reform, is intended to boost the Digital Single Market. The data protection reform strengthens the right to data protection, which is a fundamental right in the EU, and allows people to have trust when granting access to their personal data. Most notably, these include:
From a business perspective, the GDPR is not just a threat, it is also an opportunity. In an age when personal information is a key asset and a business driver, getting your privacy strategy right as an organisation could furnish you with a competitive edge. Complying with the GDPR is about defining, implementing and then sustaining compliant processes. Post-2018 you will be required to demonstrate, on an ongoing basis, how you collect, use, retain, disclose and destroy personal information in line with the GDPR requirements. This impacts everything you do relating to personal information and therefore constitutes a significant transformational activity for your organisation going forward.
Our approach: GDPR has to become business as usual, which means embedding the GDPR's accountability principle. This requires you to demonstrate the manner in which your organisation complies with the principles, for example by documenting the decisions made about a processing activity. The GDPR requires that "the controller shall be responsible for, and be able to demonstrate, compliance with the principles".
Reaching and maintaining a state of accountability will give you greater control over the data you process, allowing you to become more productive rather than merely complying with the GDPR. It will give you confidence that you can meet data privacy regulations around the world and at the same time put you in a position of strategic and commercial strength. To do so you are likely to require some assistance from experts: let us guide you in reaching your goals.
© 2018 KPMG, a Malta civil partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
KPMG International Cooperative (“KPMG International”) is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.