Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

GDPR: Data Privacy in the New

In this Accenture document we explore the implications, challenges and impacts of the General Data Protection Regulation (GDPR) as well as touching on the opportunities this regulation creates for financial services firms. Learn more:

No se admiten más comentarios

  • Sé el primero en comentar

  • Sé el primero en recomendar esto

GDPR: Data Privacy in the New

  1. 1. Copyright © 2018 Accenture. All rights reserved. 1 GDPRDATA PRIVACY IN THE NEW
  2. 2. Copyright © 2018 Accenture. All rights reserved. 2 GDPR harmonizes a series of complex European data protection requirements and codifies new privacy rights and protections for EU citizens. GDPR’S INTENT: CODIFY RIGHTS AND GIVE PEOPLE POWER OVER THEIR INFORMATION Key GDPR Requirements Data Subject Rights Can you completely erase personal data when needed? Privacy by Design Are your products and services privacy friendly? Accountability Are you confident the third parties you use will be compliant? Consent Have you collected and documented consent for every data use? Breach Notification Can you quickly recognize and report a data breach?
  3. 3. GENERAL DATA PROTECTION REGULATION SCOPE WIDENED STRONGER ENFORCEMENT & ACCOUNTABILITY INDIVIDUAL’S RIGHTS INCREASEDHARMONIZATION ACROSS EU Protect personally identifiable data of EU citizens, wherever it is possible New: Significant amendments and new obligations. Individuals have new rights to object to profiling, to be forgotten and for data portability. GDPR has come into effect The final text of the GDPR was published The EU Parliament approved the final text in its plenary session TIMELINE  Right to be forgotten, to erasure, to data portability, to rectification, to restriction of processing, of access by the data subject, to object  Notification obligation for data breaches  Unambiguous consent required for data usage 2015 2019 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 15.12.2015 25.05.201814.04.2016 IMPACT/CHANGES  Fines for violations can be 4% of global turnover (revenue), or €20 million (whichever is higher)  Data protection officer to be appointed  Privacy by Design  Data Protection Authority assessment & approval  Culture of internal monitoring & reviewing  Harmonized rules - unified legal landscape  Overseen by a European Data Privacy Board plus local regulators  Territorial scope in EU & EU data subjects, regardless of where data controller / processor located  Special rules for sensitive data such as health, biometric, ethnic data, etc., and for data concerning criminal convictions and offenses  Data controller vs. processor: accountability for 3rd party processors DRIVERS  Data breaches: increasing amount led to concerns for customers and regulators  Regulatory changes: new rights for individuals - right to be forgotten, portability, breach notification  Lack of harmonization of privacy regulation in EU: GDPR to harmonize privacy legislation among EU member states THEEUGENERALDATAPROTECTIONREGULATION 2016 2018 Ongoing compliance activities and continuous improvement Copyright © 2018 Accenture. All rights reserved. Accenture analysis based upon publicly available documents.
  4. 4. WHAT CONCERNS DO ORGANIZATIONS HAVE? 46% of companies surveyed are concerned about FINES 33% of companies surveyed are concerned about the NEED TO INFORM CUSTOMERS OF DATA BREACHES within 72hrs. 31% of companies surveyed are concerned about the VOLUME OF DATA STORE they need to protect Source: “EU General Data Protection Regulation Survey,” Access at: 36% of companies surveyed believe changing processes around DATA PROTECTION and MANAGEMENT is the biggest challenge 4 Copyright © 2018 Accenture. All rights reserved. Accenture’s research into consumer behavior suggests data privacy and protection is not just about compliance and should be at the core of wider business strategy. 8out of 10 surveyed consumers say trust is a key driver of brand loyalty† Consumers surveyed would consider asking their financial services provider to delete personal data, About 2 out of 3 †† 4 out of 10 consumers surveyed, trust in a company increases when breaches are handled swiftly and correctly† of UK consumers surveyed are willing to share their personal information with their bank in return for certain added benefits and more personalized, relevant services 54%†† † A New Slice of PI, with a Side of Digital Trust, Accenture 2017. † † UK Financial Services Customer Survey 2018, Accenture 2018.
  5. 5. Copyright © 2018 Accenture. All rights reserved. 5 REGULATORY CONTEXT AND INDUSTRY CHALLENGES GDPR COMPLIANCE IS FAR FROM BEING A SINGLE ONE-OFF REMEDIATION EFFORT AND MOST ORGANIZATIONS MAY NOT BE FULLY COMPLIANT BY 25TH MAY, 2018 2018 ACHIEVE “DEFENSIBLE” COMPLIANCE POSITION BASED ON RISK APPETITE IMPLEMENT GDPR MEASURES TO MITIGATE “RESIDUAL RISKS” STATEGIC GDPR DIFFERENTIATION  Implement data deletion and security measures for medium - low risk areas  Improve data governance and data discovery  Improve third party due- diligence / risk management  Increase customer trust by improving privacy controls and culture  Help reduce cost of data operations  Leverage data as a strategic differentiator  Reduce third-party supplier risk  Implement new GDPR Governance Model  Implement new subject rights and consent framework  Implement data deletion and security measures for high risk areas 2019 MARKET INSIGHTS MAY High Impact: GDPR is a complex game with high impact on Systems Risk-Based Approach: Clients’ GDPR is too big to be totally completed by 2018 – primary focus should be on the highest risk areas with an intent to cover in a second step the remaining ones Different actions according to Maturity Level: The action plan is linked to the maturity level / state of art of the Privacy Framework / existing solutions / projects
  6. 6. Users have the right to be forgotten; data should be erased on request Organizations have to notify authorities of data breaches Personal data is portable, and can be transferred on request Organizations handling personal data have to assign a data protection officer A user should be able to easily withdraw, and give informed data collection consent Security / Privacy by design; for solutions and processes related to handling / collecting of personal data, privacy and security should be prioritized Organizationscanbeauditedtoprovetheir compliancewithGDPR Organizations have to follow the data minimization principle; only collect data which is directly relevant and necessary to accomplish a specified purpose OPERATIONAL THEMES TO BECOME GDPR READY All data should be adequately protected and consent secured 6Copyright © 2018 Accenture. All rights reserved.
  7. 7. Copyright © 2018 Accenture. All rights reserved. 7 OPPORTUNITIES AND CONSIDERATIONS FOR THE FUTURE GDPR impacts across businesses, thus requires a cross-functional team It is not just a Risk, IT, Security or legal project – business involvement is key 1 Ensure you understand accountability of data controllers This is more than just a name in the frame, it is about where it may be funded from and who has influence to make the change happen across the organization 6 Customer journey led discovery Identify the top 5-10 customer journeys, they may often drive out the biggest risks like data movement across Utility entities and across systems and prioritize remediation accordingly 2 Embed the Data Protection Officer (DPO) in the organization Ensure that the DPO has the right capabilities (skills, team, authority) and is empowered to highlight risks and make changes happen 7 Prioritize on risks and demonstrate change In many ways GDPR might be too big to be totally completed by 2018 – focus on the highest risks first with an intent to cover all areas 3 Alliance and partners are your responsibility You are now accountable for your alliance / partners being Data Processors and these are often obscure e.g. cloud providers 4 Assess existing projects to scale Data privacy should be a part of all data-related projects, not just a one-time dedicated program 5 Different parts of the organization can be different in maturity It’s natural for some areas to be further ahead, use the wins of leading parts of the organization and make sure all areas are coordinated 8 Tools and organizational experience are critical There is no silver bullet to GDPR compliance. There should be no substitute for engaging stakeholders around the enterprise to understand the hidden nuances in getting to a compliant position 9 From burden to opportunity GDPR investment can be leveraged to drive business value and opportunities e.g. establishing simpler data operations and potentially reduce the cost and data noise 10
  8. 8. FROM BURDEN TO OPPORTUNITY A defined customer data strategy may help companies to turn regulatory burden and challenges into a competitive advantage. Stricter consent Detailed records on data use New categories of personal data Stricter governance Data privacy by design Accountability for 3rd party sharing Minimization of customer data Right to be forgotten Improve marketing opt-in More efficient data operations More comprehensive profiles Value-based data investments Improved ROI of new initiatives More value from data sharing Potential reduction of cost and data noise Improved marketing spend Enhance consent model /Value exchange Enterprise-wide customer data mapping Treat digital shadow as customer data Put customer data into business ownership Business cases with value / risk of customer data Define 3rd party data sharing strategy Cleanse data lakes from no-value records Stop targeting customers that are not interested From Burden... Opportunity 8Copyright © 2018 Accenture. All rights reserved.
  9. 9. Copyright © 2018 Accenture. All rights reserved. 9 PRIVACY ACT – WHAT’S THE BILL GOING TO DO? Personal Info Collected Personal Information Sold Right to Say No The California Consumer Privacy Act of 2018 is going to put safeguards in place to further project consumers privacy. If enacted the bill will govern the way a consumer’s personal information is being received, held and shared with businesses. The bill has severe implications to businesses that handle or share consumer(s) information. The 8 sections outlined below are components of the bill and will cover how Personal Information (PI) should be handled. 2 3 Equal Service and Price Disclosure Requirements Notice Requirements 5 6 4 Clarifying Definitions Exemptions 7 1 8 Biometric data Personal identifiers like real name, alias, account name, etc. Audio, electronic, visual, thermal Inferences to any PI info Any PI related to children of consumer Internet or network activity info Psychometric Info Geolocation data Records of property, products or services provided Professional or employment- related info Examples of Personal Information Accenture analysis based upon publicly available documents.
  10. 10. Copyright © 2018 Accenture. All rights reserved. 10 ACCENTURE CONTACT INFORMATION Lisa Bloomberg Principal Director Financial Services Regulatory & Compliance New York Tel: +1 917-452-6247 Chris Beck Senior Manager Financial Services Regulatory & Compliance Chicago Tel: +1 312-693-6246 Samantha Regan Managing Director Financial Services Regulatory & Compliance Management Lead for North America Tel: +1 404-790-7378 Ben Shorten Senior Manager Financial Services Regulatory & Compliance New York Tel: +1 (512) 739 4080 Daniel J. Maloney Senior Manager Regulatory & Compliance Charlotte Tel: +1 908-489-4602
  11. 11. Copyright © 2018 Accenture. All rights reserved. 11 GDPR DATA PRIVACY IN THE NEW About Accenture Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 442,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Disclaimer This presentation is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.