The biggest change in data protection of the last 20 years takes effect in May 2018, with fines of up to EUR 20 million or 4% of a company’s worldwide annual turnover (whichever is higher) for companies that have not complied with its requirements. The EU supervisory authorities have made clear their intention to exercise their new powers.
The General Data Protection Regulation (GDPR) aims to protect the personal data of EU citizens in an environment that is increasingly based on collecting and processing data, and one very different from that of 1995, when the first Data Protection Directive came into effect. The GDPR introduces new requirements for controllers and processors of personal data (companies of any type that hold personal data) which must be fulfilled and applied throughout the entire life cycle of the information: collection, processing, transfer, storage and deletion.
Have you complied with the GDPR requirements?
– Have management and the company’s employees been informed about the GDPR requirements?
– Have you appointed a Data Protection Officer (DPO)? Is it necessary? To whom does the DPO report?
– Are subsidiaries outside Greece obliged to comply? What about subsidiaries outside the EU?
– Are you able to notify a personal data breach within the 72-hour window? Who is responsible for the notification, and to whom is it made?
– Are data subjects aware of the purpose behind the collection or processing of their data? How do you inform them? Do you have their consent? Can they object to the processing?
– What measures have you adopted to protect the personal data you are processing? For instance, do you keep personal data on laptops, and how do you protect them against theft?
– How do you make sure that the parties you share personal data with protect them adequately?
These questions are an indication of the GDPR compliance issues, and the right answers depend on the company’s type, business activities, strategy and procedures, as well as the governance framework in place. To answer them, it is essential to adopt a structured and tested approach: it starts by identifying the gaps between the company’s current procedures and the GDPR requirements, continues with the implementation of organisational, procedural, operational and technological measures to close those gaps, and is completed by the adoption of a corporate culture of personal data protection that ensures compliance on an ongoing basis. Approached this way, implementing the Regulation is neither a threat nor a mere obligation, but a change that can give any company a competitive advantage.
Our services are delivered by consultants specialised in information security together with legal advisors, and include:
– Education and training
– Governance and risk management assessment
– Personal data mapping and personal data flows
– Personal data impact assessment
– Review of contracts and management procedures of third parties and associates
– Gap analysis against the GDPR requirements
– Suggestions for improvement
– Support for the implementation of safeguards
– DPO (Data Protection Officer) consulting services
– Legal support
– Conducting social engineering tests
– Security incident response services
– Compliance verification services
KPMG, as a Platinum corporate member of the IAPP (International Association of Privacy Professionals), leads the way in the field of data privacy protection.