
The Rise of General Data Protection Regulation - A Report by EY India

In this PDF by EY India, read about the rise of the General Data Protection Regulation (GDPR) and how it will help companies worldwide to be secure by encouraging data privacy in the early stages of any project. Download the PDF to know more or visit https://www.ey.com/in/en/home/ey-general-data-protection-regulation


The Rise of General Data Protection Regulation - A Report by EY India

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The rise of General Data Protection Regulation (GDPR): Is your business prepared? May 2018

  2. Contents
     1 Introduction to privacy 08
     2 Introduction to privacy by design 16
     3 Drivers of privacy by design adoption 18
     4 Implementing privacy by design 22
     5 Adoption of privacy by design 26
     6 The way forward 28


  7. Foreword

As digital disruption continues to challenge privacy norms across the world, cloud, social media and mobile technology advancement is fundamentally altering the personal and professional lives of people across the globe. The constantly changing threat landscape driven by the connected world is forcing law enforcement agencies to enhance the privacy legislation regime regularly. Today, this is one of the biggest challenges encountered by many organizations as they grapple with the introduction of newer legislation and frameworks around data privacy.

The concerns around data privacy impact consumers and enterprises alike. While consumers are concerned about the misuse of personal and sensitive information, organizations are worried about the dampening impact on their reputation, brand value, consumer trust and revenues.

With the GDPR coming into force on 25 May 2018, organizations will need to evaluate where they stand in their data privacy journey as the onus of accountability shifts from regulators to organizations. Privacy by design is a key concept of the GDPR. Privacy by design means thinking about data privacy and its implications when you're developing products, features and even marketing campaigns based on personal data. […] implement appropriate technical and organizational measures to ensure that, by default, only personal data which are […] appropriate technical and organizational measures to ensure that privacy and the protection of data is no longer an afterthought and is embedded in the early stages of any project and then throughout its lifecycle.

In our view, many organizations are welcoming this opportunity as a serious initiative to drive data privacy beyond mere compliance. In light of recent events on data privacy, this is an enterprise-wide initiative that will help companies across the globe to be secure and stay secure.

With best wishes,
Sibjyoti Basu, Partner & National Business Development Leader, EY India
Jaspreet Singh, Partner, Cybersecurity, EY

  8. 01 Introduction to privacy

In a world where more than half the population is online, everything is becoming digitized. Customers today are sharing and receiving information on various portals for entertainment, banking, healthcare and utility purposes, continuously adding to a large pool of data.

  9. Digital around the world 2018 (1)

• Total population: 7.593 billion (55% urbanization)
• Internet users: 4.021 billion (53% penetration)
• Active social media users: 3.196 billion (42% penetration)
• Unique mobile users: 5.135 billion (68% penetration)
• e-Commerce market for consumer goods: US$1.474 trillion (+16% YoY)

Data created in the world is growing rapidly: 4.4 ZB in 2013, 44 ZB in 2020 and 180 ZB in 2025. […] data to create value and insights.

Emergence of GDPR

• 2012: […] of the new General Data Protection Regulation was published, with a view on the data priorities of organizations and to safeguard the rights of customers and imbibe a sense of accountability in the way personal data is shared and used by organizations.
• 2014: On 12 March 2014, the European Parliament voted overwhelmingly in favour of new data protection laws.
• 2015: On 15 December 2015, following three years of drafting and negotiations, the European Parliament and Council of the European Union reached an informal agreement on the EU General Data Protection Regulation (GDPR). The aims of the GDPR are to reinforce the data protection rights of individuals, […] reduce the administrative burden. The GDPR replaces the 1995 General Data Protection Directive and applies directly to each of the 28 EU Member States. On 15 December 2015, the EU Commission, Parliament and Council of Ministers reached an agreement on the GDPR.
• 2016: On 14 April 2016, the Regulation and the Directive were adopted by the European Parliament. The new rules become applicable after two years. […] maintaining privacy. […] the Official Journal of the European Union; two-year implementation phase.
• 2018: Regulation starts to apply.

1 We Are Social 2018 Stats, https://wearesocial.com/blog/2018/01/global-digital-report-2018; World Economic Forum, https://www.weforum.org/agenda/2018/01/data-is-not-the-new-oil/

  10. What is the GDPR?

Scope of GDPR: The EU data protection reform was adopted by the European Parliament and the European Council on April 27, 2016. The European Data Protection Regulation will be applicable as of May 25, 2018 and replace the Data Protection Directive (95/46/EC). The GDPR is an omnibus regulation by which the EU intends to strengthen and unify data protection within the European Union. GDPR focuses on the processing of data by automated means but […] system.

GDPR applies in three circumstances:
• Establishment and processing of personal information in the Union
• The monitoring of the behaviour of data subjects as far as their behaviour takes place within the Union
• Organizations offering goods or services, irrespective of […] subjects in the Union

Why is the GDPR receiving increasing attention? The GDPR applies to any organization, regardless of geographic location, that controls or processes the data of an EU resident. It […] fail to protect the data for which they are responsible. The EU GDPR introduces a number of new rights for data subjects and several obligations which will directly impact data controllers and data processors; non-compliance will lead to tough penalties as high as €20,000,000 or 4% of annual global revenues. GDPR applies globally, and companies outside the EU will have to comply with the Regulation if they process EU persons' personal data.

Does GDPR apply? (decision flow)
• Does the company have a presence in the EU? Yes: GDPR applies. No: next question.
• Is the company's customer an EU citizen? No: GDPR does not apply. Yes: next question.
• Does the processing relate to monitoring the behaviour of persons in the Union? Yes: GDPR applies. No: next question.
• Does the processing relate to offering goods or services in the EU? Yes: GDPR applies. No: GDPR does not apply.
Notes: […] activities will be directed to EU data subjects […] relevant

  11. Key changes proposed by the GDPR

• Hefty penalties: Breach of the GDPR will result in substantial fines […] turnover, whichever is greater
• Expanded scope: Applies to all data controllers and processors established in the EU and organizations that target EU citizens
• Mandatory appointment of Data Protection Officers (DPOs): DPOs must be appointed if an organization conducts large scale systematic monitoring or processing of large amounts of sensitive personal data
• Obligatory breach notification: Notify the supervisory authority […] unless the breach is unlikely to be a risk to individuals. If there is a high risk to individuals, they must also be informed
• Stringent consent requirements: […] In addition to basic data protection principles, consent is subject to further conditions under the new Regulation. Where relying on consent as the basis for lawful processing, it must be additionally ensured that:
  • […]
  • […] agreements or declarations
  • Provision of services is not made contingent on consent where it is not necessary for the service to be supplied
  • Data subjects are informed of the right to withdraw consent at any time (through simple methods)
  • Separate consent is obtained for distinct processing operations
  • […] information

Data breach notification process
What is a data breach? Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. Reference: https://gdpr-info.eu/
• Breach; awareness of breach; investigate breach; notify the Supervisory Authority (if likelihood of risk to individuals) without undue delay (no later than 72 hours); notify the data subject (if likely to result in risk to individuals) without undue delay
• Data processors must report personal data breaches to data controllers
• Data controllers must report personal data breaches to their supervisory authority and in some cases affected individuals, in each case following […]
• Data controllers must maintain an internal risk register
• Non-compliance can lead to an administrative fine
• 72 hours is the timeline within which breach […] authority

  12. Key changes proposed by the GDPR (continued)

• Risk based Privacy Impact Assessments: Organizations must undertake Privacy Impact Assessments when conducting risky or large scale processing of personal data
• Broadened data subject rights: Organizations should have processes to manage the new rights given below:
  • The right to be forgotten: The right to ask data controllers to erase all personal data without undue delay in certain circumstances
  • […]
  • […]
  Data subject rights (figure): right to notice; object to processing; restriction of processing; right to erasure; right to portability; right to rectification; right to access; right to information
• Adequate protection for cross-border transfers: […] guarantee on data protection is provided, such as standard contractual clauses or binding corporate rules (BCRs)
• Obligations on processors: […] regulated entity
• Privacy by design and default: Data protection safeguards must be built into products and services from the earliest stage of development. Privacy settings must be set at a high level by default. The data protection by default notion includes data minimization principles
• Accountability and data governance: Organizations must prove they are accountable by:
  • Establishing a culture of monitoring, reviewing and assessing data processing procedures
  • Building in safeguards to data processing activities
  • Documenting data processing policies, procedures and operations that must be made available to the data protection supervisory […]
  • […]

  13. Principle of "Accountability"

Adopt policies and implement appropriate measures to ensure personal data is secured throughout the entire data lifecycle.
• […]
• Controllers are responsible for the compliance of their processing operations with data protection rules
• Controllers should have documentation ready and be able, at any time, to demonstrate compliance with data protection provisions to data subjects, to the general public and to supervisory authorities

Personal Data Lifecycle Management (figure): appropriate collection of data; relevant use of data; managed disclosure; appropriate retention and disposal; review privacy […]

• Ensuring the accuracy of personal data: […] that the personal data held by them is accurate and can be corrected if errors occur
• Limiting the storage of personal data: Organizations will need to ensure that they retain personal data only for as long as necessary to achieve the purposes for which the data was collected
• Ensuring security, integrity and confidentiality of personal data: The organization must take steps to keep personal data secure through technical and organizational security measures

Incentives beyond GDPR compliance
The organizations which have started their compliance journey have been successful in differentiating themselves from their competition by proactively developing trust with their customers on handling their sensitive data. These stronger customer relationships present opportunities for organizations to retain or increase their revenues from customers dealing with personal data from the EU. Further, compliance with GDPR presents compliance as well as business incentives.
• On the compliance front, a GDPR transformation program is helping organizations avoid distraction and business disruption arising […] recovery from breaches and potential lawsuits. Also, compliance with GDPR will lead to effective management of increasing pressure from the regulators
• Similarly, on the business front, privacy has become one of the key drivers to enhance brand reputation and to ensure privacy and trust while the added value of new digital propositions is realized. These initiatives help organizations to meet stakeholders' […] privacy as an ethical responsibility towards clients
• Create a new business line in the form of GDPR-as-a-service or DPO-as-a-service

  14. Key safeguards to be adopted by organizations

The GDPR has underlined multiple changes; however, there are certain key safeguards that organizations can take to ensure that they start their compliance journey for GDPR.
• Gap assessment to identify current state
• Implement privacy by design and default
• Data Protection Impact Assessments (DPIA)
• […] of processing activities
• […] availability and resilience of processing services


  16. 02 Introduction to privacy by design

The personal data collected requires a governance plan as there are risks of exposure, unauthorized access and hacks. Hence, to address these ever-growing data and privacy risks, the idea of privacy by design was developed in the 90s. It is now being embraced by regulatory authorities to safeguard user privacy.

  17. Privacy by design has seven principles which should be applied in order to maintain privacy (Figure 1).

Definition: Privacy by design (PbD) is a concept which enables organizations to have privacy embedded in the design and architecture of information systems, business processes and networked infrastructure.

Figure 1: Foundation Principles (2)
• Proactive not reactive, preventative not remedial: Anticipate and prevent privacy invasive events before they happen. The aim is to prevent them from occurring […] IT system or business processes
• Privacy by default
• Embed privacy into design: Privacy measures embedded in the IT systems and business processes and not as an add-on
• Full functionality, positive sum not zero sum: […]
• End-to-end security, full lifecycle protection: All data should be securely retained as needed and destroyed when no longer needed
• Visibility and transparency, keep it open: Assure all stakeholders that the business processes or technology involved are operating according to the […]
• Respect for user privacy, keep it user centric: Keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice and empowering user-friendly options

2 […]

  18. 03 Drivers of privacy by design adoption

Implementation of privacy by design is primarily driven by two factors: the stringent privacy regulations coming into force, and rising data breaches and associated costs.

  19. Regulatory requirements

Privacy by design in the past was not mandated by any law; rather, it was seen as an approach to ensure compliance. However, in 2016, the European Union General Data Protection Regulation adopted the approach and gave a deadline for implementation by 25 May 2018. Article 25 of the regulation covers data protection by design and by default. It prescribes the following:
• Privacy by design: Companies must put technical and organizational measures such as pseudonymisation in place to minimize personal data processing.
• Privacy by default: Companies must implement appropriate technical and organizational measures for ensuring that, by default, only personal data which is necessary for each specific […] greater.
The regulation will impact organizations across the globe that do business within the […]

What is personal data as per GDPR? (3)
'Personal data' means any information relating to an identified or identifiable natural person […] as the following:
• Name
• Identification number
• Location data
• Online identifier
• Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity

Rising data breaches and associated costs

Companies which were till now only mandated to protect personal data now need to embed privacy across the life cycle of data. There will be legal implications for wrongful data collection, […] is one of the biggest drivers for companies to implement privacy by design.

There has been a disturbing trend of rising personal data breaches (breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data). The key reason is that organizations do not have […] instead on proactive policies.

With the growing number of breaches, customers are concerned about protecting their privacy and identities more than ever before. 68% (4) of customers do not trust brands to handle their personal information appropriately, such as name, email, location or marital status.

In 2017, a total of 1,765 (5) breach incidents occurred, of which […] two major types of breaches. According to Ponemon Institute's […] million. There are also post data breach costs which include help desk activities, inbound communications, special investigative […] identity protection services and regulatory interventions. […] reputational damage that may lead to abnormal turnover or churn rates as well as a diminished rate of new customer […]. 69% would boycott a company known to […]; 55% of respondents would avoid giving data to a company they know had been selling or misusing it before. (6)

Messaging service provider changed minimum age of users to comply with GDPR
In April 2018, a global messaging service provider raised the minimum age for users from 13 to 16 across the EU. The GDPR has a […] processing data of children below 16 years of age to get consent from the holder of parental responsibility. In line with this policy, the messaging service provider has also suspended its policy change wherein it could share phone numbers and other information with social media sites for effective targeted advertisements.

Technology company refunded for wrongful in-app purchases
[…] refund a large amount for kids' in-app purchases to its customers in a settlement with the Federal Trade Commission (FTC). In the complaints made by users, the technology company was charged with violating the FTC Act by not telling users that entering a password to approve an initial in-app purchase would allow 15 minutes of additional purchases without further authorization. As a part of the agreement, the company was also asked […] purchase.

3 […]
4 […]
5 […]
6 […]
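The Article 25 measures described on this slide (pseudonymisation as a technical measure, and by default processing only the personal data necessary for each purpose) can be expressed directly in code. The following is an added illustration, not EY's code or any GDPR tooling; the processing purposes, field allowlists, key and sample record are constructed for the example.

```python
"""Privacy by default (GDPR Art. 25) as code: purpose-bound data minimisation
plus keyed pseudonymisation. Added illustration, not EY's code; the purposes,
field names, key and sample record below are constructed for the example."""
import hashlib
import hmac
from typing import Any, Callable, Dict

# Each processing purpose declares the only fields it may receive. Anything
# not listed (e-mail, street address, special-category data) never leaves
# the collection point for that purpose. Constructed allowlists.
PURPOSE_ALLOWLIST = {
    "order_fulfilment": {"pseudonym", "name", "postal_code"},
    "usage_analytics": {"pseudonym", "country", "age_band"},
}


class PurposeNotRegistered(ValueError):
    """Processing for an undeclared purpose is refused rather than guessed at."""


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed one-way pseudonym (HMAC-SHA256). The same identifier always maps
    to the same token, so records stay linkable, but re-identification needs
    the key, which is held separately from the minimised data."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def _age_band(birth_year: int, current_year: int) -> str:
    """Coarsen an exact birth year to a ten-year band such as '30-39'."""
    low = ((current_year - birth_year) // 10) * 10
    return f"{low}-{low + 9}"


# Derived fields are computed here so a consumer never sees the raw source
# field (exact birth year, full address) it was derived from.
DERIVED: Dict[str, Callable[[Dict[str, Any], int], Any]] = {
    "age_band": lambda r, year: _age_band(r["birth_year"], year),
    "country": lambda r, year: r["address"]["country"],
    "postal_code": lambda r, year: r["address"]["postal_code"],
}


def minimise(record: Dict[str, Any], purpose: str, key: bytes,
             current_year: int = 2018) -> Dict[str, Any]:
    """Return only the fields `purpose` is registered for, with the direct
    identifier replaced by a pseudonym and derived fields coarsened."""
    if purpose not in PURPOSE_ALLOWLIST:
        raise PurposeNotRegistered(purpose)
    out: Dict[str, Any] = {}
    for field in sorted(PURPOSE_ALLOWLIST[purpose]):
        if field == "pseudonym":
            out[field] = pseudonymise(record["subject_id"], key)
        elif field in DERIVED:
            out[field] = DERIVED[field](record, current_year)
        else:
            out[field] = record[field]
    return out


# Constructed sample record covering the personal-data categories listed on
# the slide. In practice the key comes from a separate secret store.
SAMPLE_RECORD = {
    "subject_id": "CUST-000123",          # identification number
    "name": "A. Example",                 # name
    "email": "a.example@example.com",     # online identifier
    "birth_year": 1984,
    "address": {"street": "1 Example Street", "postal_code": "SW1A 1AA",
                "country": "GB"},         # location data
    "health_notes": "constructed special-category data, never shared",
}

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"
    print(minimise(SAMPLE_RECORD, "usage_analytics", demo_key))
    print(minimise(SAMPLE_RECORD, "order_fulfilment", demo_key))
```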

  20. Consumer credit reporting agency lost 147.7 million users' personal data
In 2017, a global consumer credit reporting agency witnessed […] bureau's website software. The hack granted attackers access […] names, dates of birth, Social Security numbers and other personal information of 147.7 million US consumers. With the stolen identity details, attackers can apply for lines of credit in the victims' names. The company faced widespread criticism and the share price dipped 34% within eight days after the breach disclosure.

Health app compromised 150 million users' data resulting in decline in share value
In 2018, data from about 150 million users of a health app was compromised, sending the value of shares of the company down 3% in after-hours trade. The stolen data included account user names, email addresses and scrambled passwords for the app. However, Social Security numbers, driver license numbers and payment card data were not compromised.

Social media giant lost credibility and share value due to data sharing scandal
In 2018, a global social media giant came under the scanner for a data breach wherein the personal data of 87 million users around […] them. Post the incident, the company's reputation fell dramatically […] share value within 10 days of news of the scandal.

Multinational technology company paid US$17 million due to a privacy breach
[…] their consent or knowledge. The case involved the technology company bypassing the privacy settings in a well-known web browser to use cookies for targeted advertisement.


  22. 04 Implementing privacy by design

A major change caused by implementing privacy by design is that companies would need to consider privacy at the very start of product development. Privacy has to be an integral part of the company strategy and needs to run through processes via policies and procedures.

  23. Regulatory requirements

EY has developed a privacy program model (Figure 3) which focuses on the program, operations and the monitoring of privacy in an organization. To start with, both privacy by design and privacy by default […] of new products and services to have enough basic knowledge on privacy. The guidance should be in simple language for everyone to understand, and training sessions should be held.

Program: Devise a strategy wherein roles and responsibilities of […] accountability is established with governance processes and data owners are made to understand their responsibility for classifying and protecting sensitive information. […] functions to insert and monitor privacy. Clear policies, guidelines and work instructions related to data protection should be developed, and a privacy specialist should be available to assist in […]

Operations: Data privacy programs rely heavily upon the implementation of strong policies and processes to enforce […] and respond to incidents in a timely manner. While implementing privacy by design, the following should be considered:
• Conduct a Data Privacy Impact Assessment (DPIA) to enable organizations to analyze how a particular project or system will affect the privacy of the personal data involved. It is similar to a risk assessment for privacy.
• […] strategy. It focuses on minimizing the amount of personal data that is collected, processed, stored and disseminated; hiding […] how their personal data is used.

Monitoring: Teams and tools supporting data privacy and protection programs should be integrated to allow for correlation […] organization. Effectively linking to security programs and implementing privacy by design will allow for early detection of privacy breaches and non-compliance issues.

Figure 3: EY's Privacy Program. Pillars: Program; Supporting governance roles; Privacy life cycle; Privacy by design; Monitoring. Elements shown: privacy strategy/charter; privacy policy; training and awareness; managed lines of defence; regulatory reporting; executive reporting; communications and crisis management; managing public perception; governance; IT and information security; legal and compliance; CPO/Privacy Office; risk and compliance; audit; data owners; data processors; data collectors; appropriate collection of data; relevant use of data; managed disclosure; appropriate retention and disposal; review of privacy expectations; risk management; incident management; vendor due diligence; consumer requests/complaints; data classification; personal data inventory management; cross border data management; data flow management; sustenance; privacy audit; regulatory expectations; internal expectations. Source: EY Privacy by Design – GDPR, May 2017

  24. EY's data privacy transformation approach integrates all data privacy-related services into a single offering. It focuses on five major pillars, as given below:
• Program: It focuses on aligning the current framework with […] policies and procedures, privacy policy, reporting, and training and awareness of employees and key stakeholders.
• Supporting governance roles: The framework focuses on establishing a governance framework with roles and […] governance and overall compliance.
• Privacy lifecycle: The framework will concentrate on the end […] disclosure, transmission, retention and disposal) and will […]
• Privacy by design: As privacy by design is one of the key elements of GDPR which focuses on embedding GDPR into the DNA of an organization, the EY framework will ensure that all processes/functions having personal data incorporate privacy by design and default.
• Monitoring: To run a successful privacy program, it is pivotal […] metrics for periodic monitoring and continual improvement.
The model is self-evolving and agile to accommodate unforeseen changes and adapt accordingly to the organization's needs.

  26. 05 Adoption of privacy by design
A combined push from regulators and customers for stringent checks on how personally identifiable data is stored and used has led companies to adopt privacy-by-design-certified platforms and apps. These initiatives are also being supported by governments to promote the implementation of PbD by companies.

  27. Industry initiatives
Healthcare
• Secured mobile health apps: The European Data Protection Supervisor (EDPS) announced the launch of a contest to design mobile health (m-health) applications implementing Privacy by Design and by Default principles.
• Patient data anonymization: A hospital in Barcelona collaborated in the CLARUS project on a privacy-by-design approach to protecting healthcare-sensitive information using encryption and anonymization.
Technology
• Development of software privacy ecosystem: An Indian tech company partnered with a GDPR solutions provider ???????????????????fi??????????????????????????????????????????????????????????????????????????????????????????
• PbD compliant mobile advertising service: ??????????????????????????????????????????fi???????????????????? and advertising service utilizing the customer base of global network operators to create a secure, anonymised, Privacy by Design database of carrier-derived data.
Government
• E-Government initiative utilizing PbD: The Australian Government is implementing Privacy by Design in Govpass, digital ??????fi???????????????????????????????????????????????????????????????????????????????????????????????fi?????????????? and other information.
• Blockchain based identity management: An Indian state government’s information technology arm is developing a proof of concept on using blockchain technology for identity management utilizing Privacy by Design.
Media
• PbD compliant social media analytics portal: ????????????????????????????????????????????????????????????? ????????????????????????????????????????????????????????????????????????????????????????????????????????

  28. 06 The way forward
Until now, privacy has been more of an afterthought than an effort to embed it into the project or application lifecycle, but in future this will change. Going forward, privacy is going to be a key area of action for governments and companies, as the unlawful use of personal data could harm not only users but also governments and companies across the globe. ??????????????????????????????????????????? of large organizations will have a privacy management program fully integrated into the business, up from 10% in 2017. By 2019, half of the world’s larger companies that process personal data will perform privacy impact assessments; ???????????????????????fi??????????????????? process.¹
Privacy by design will bring about a change in mindset and lead to the responsible use of an individual’s data. This will result in increased user trust in organizations and in their applications and systems, delivering positive-sum outcomes. In the future, implementing privacy by design can both demonstrate compliance and create a competitive advantage for companies.

  29. Contact us
EY GDPR/Privacy Team:
Jaspreet Singh, Partner - Cyber Security, EY India. Email: Jaspreet.Singh@in.ey.com
Sibjyoti Basu, Partner & National Business Development Leader, EY India. Email: Sibjyoti.Basu@in.ey.com
Lalit Kalra, Senior Manager – Cyber Security, EY India. Email: Lalit.Kalra@in.ey.com
EY Knowledge (EYK) Team:
Gaurav Sharma, Assistant Director, EYK. Email: Gaurav.Sharma1@in.ey.com
Ankita Singh, Assistant Manager, EYK. Email: Ankita.Singh1@in.ey.com
Shweta Verma, Assistant Manager, EYK. Email: Shweta.Verma@in.ey.com

  30. In a future where data is everywhere, who will keep it out of the wrong hands? To find out, participate in the EY GDPR readiness survey today by visiting ey.com/in and be a part of the GDPR preparedness journey.

  31. EY offices Ahmedabad 2nd floor, Shivalik Ishaan Near. C.N Vidhyalaya Ambawadi Ahmedabad-380015 Tel: +91 79 6608 3800 Fax: +91 79 6608 3900 Delhi NCR Golf View Corporate Tower – B Sector 42, Sector Road Gurgaon–122 002 Tel: +91 124 464 4000 Fax: +91 124 464 4050 Kolkata 22, Camac Street 3rd Floor, Block C” Kolkata-700 016 Tel: +91 33 6615 3400 Fax: +91 33 6615 3750 Bengaluru 12th & 13th floor “U B City” Canberra Block No.24, Vittal Mallya Road Bengaluru-560 001 Tel: +91 80 4027 5000 +91 80 6727 5000 Fax: +91 80 2210 6000 (12th floor) Fax: +91 80 2224 0695 (13th floor) 3rd & 6th Floor, Worldmark-1 IGI Airport Hospitality District Aerocity New Delhi-110037, India Tel: +91 11 6671 8000 Fax +91 11 6671 9999 Mumbai 14th Floor, The Ruby 29 Senapati Bapat Marg Dadar (west) Mumbai-400 028, India Tel: +91 22 6192 0000 Fax: +91 22 6192 1000 4th & 5th Floor, Plot No 2B Tower 2, Sector 126 NOIDA-201 304 Gautam Budh Nagar, U.P. India Tel: +91 120 671 7000 Fax: +91 120 671 7171 5th Floor Block B-2 Nirlon Knowledge Park Off. Western Express Highway Goregaon (E) Mumbai-400 063, India Tel: +91 22 6192 0000 Fax: +91 22 6192 3000 1st Floor, Prestige Emerald No.4, Madras Bank Road Lavelle Road Junction Bengaluru-560 001 India Tel: +91 80 6727 5000 Fax: +91 80 2222 4112 Hyderabad Oval Office 18, iLabs Centre Hitech City, Madhapur Hyderabad - 500081 Tel: +91 40 6736 2000 Fax: +91 40 6736 2200 Pune C—401, 4th floor Panchshil Tech Park Yerwada (Near Don Bosco School) Pune-411 006 Tel: +91 20 6603 6000 Fax: +91 20 6601 5900 Chandigarh 1st Floor SCO: 166-167 Sector 9-C, Madhya Marg Chandigarh-160 009 Tel: +91 172 671 7800 Fax: +91 172 671 7888 Jamshedpur 1st Floor, Shantiniketan Building, Holding No. 
1, SB Shop Area, Bistupur, Jamshedpur – 831001 Tel: 657 663 1000 Chennai Tidel Park 6th & 7th Floor A Block (Module 601,701-702) No.4, Rajiv Gandhi Salai Taramani Chennai-600113 Tel: +91 44 6654 8100 Fax: +91 44 2254 0120 Kochi 9th Floor “ABAD Nucleus” NH-49, Maradu PO Kochi - 682 304 Tel: +91 484 304 4000 Fax: +91 484 270 5393

  32. Ernst & Young LLP
EY | Assurance | Tax | Transactions | Advisory

About ASSOCHAM
The Associated Chambers of Commerce and Industry of India (ASSOCHAM), India’s premier apex chamber, covers a membership of over 4 lakh companies and professionals across the country. ASSOCHAM is one of the oldest Chambers of Commerce, started in 1920. ASSOCHAM is known as the “knowledge chamber” for its ability to gather and disseminate knowledge. Its vision is to empower industry with knowledge so that they become strong and powerful global competitors with world class management, technology and quality standards.
ASSOCHAM is also a “pillar of democracy” as it reflects diverse views and sometimes opposing ideas in industry groups. This important facet puts us ahead of countries like China and will strengthen our foundations of democratic debate and better solutions for the future. ASSOCHAM is also the “voice of industry” – it reflects the “pain” of industry as well as its “success” to the government. The chamber is a “change agent” that helps to create the environment for positive and constructive policy changes and solutions by the government for the progress of India.
As an apex industry body, ASSOCHAM represents the interests of industry and trade, interfaces with Government on policy issues and interacts with counterpart international organizations to promote bilateral economic issues. ASSOCHAM is represented on all national and local bodies and is, thus, able to pro-actively convey industry viewpoints, as also communicate and debate issues relating to public-private partnerships for economic development.
The road is long. It has many hills and valleys – yet the vision before us of a new resurgent India is strong and powerful. The light of knowledge and banishment of ignorance and poverty beckons us, calling each member of the chamber to serve the nation and make a difference.

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
Ernst & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit www.ey.com/in. Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata - 700016.
© 2018 Ernst & Young LLP. Published in India. All Rights Reserved. EYIN1805-003 ED None
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.
ey.com/in | @EY_India | EY India on LinkedIn
