Whether you are at the beginning of your journey, or are already mid-way through, this document presents the key GDPR themes, priority areas, and business opportunities, which we feel are important considerations for any GDPR programme.

1. ARE YOU READY FOR THE FAST
APPROACHING GENERAL DATA
PROTECTION REGULATION
COMPLIANCE DEADLINE?
GDPR
COMPLIANCE

2. Act now
With the fast approaching General
Data Protection Regulation
(GDPR) enforcement deadline,
organisations are encouraged to
act now to prepare for the new
data privacy requirements and be
able to demonstrate compliance
inline with the new accountability
principle under this new regulation.
THE GDPR DEADLINE IS FAST APPROACHING.
BUT MANY COMPANIES HAVE NOT BEGUN
IMPLEMENTATION.
Key GDPR themes
Whether you are at the beginning
of your journey, or are already mid-
way through, this document
presents the key GDPR themes,
priority areas, and business
opportunities, which we feel are
important considerations for any
GDPR programme.
Non-compliance
The consequence of non-
compliance will be severe as GDPR
significantly strengthens data
protection enforcement and
accountability and authorises
penalties for non-compliance of up
to €20 million or 4% of global
annual turnover, whichever is
higher.
However, there is also a business
opportunity to establish a
competitive edge by focusing on re-
building digital trust with customers.
Copyright © 2018 Accenture. All rights reserved. 2
1
Source for regulatory statements: General Data Protection Regulation
1Article 83 GDPR

3. 1. RECORDS AND CONDITIONS OF PROCESSING
FIRMS ARE REQUIRED TO…
• Locate where personal data is held across the
organisation, maintain a data inventory and data
processing record (particularly retention, archiving,
disposal and audit trail of consent) and establish the
lawful basis of processing, which will feed into the Article
30 report.2
• Consent requirements have been enhanced3,which
require you to amend consent capture and management
processes to enable transparent use of personal data
e.g. consent opt-in, explicit consent for special categories
of personal data, storing copies of privacy notices and
associated audit trail etc.
3Source for regulatory statements: General Data Protection Regulation
2Article 30 GDPR; 3Article 7 GDPR
RECOMMENDATIONS FOR ADOPTING
A RISK-BASED APPROACH
• Drive GDPR into your organisation through prioritised
customer journeys and business processes, rather than just
a technology or compliance approach.
• Conduct risk-based assessments to determine the GDPR
risk exposure, focusing initially on high risk processes.
• Create conceptual consent subscription and withdrawal
model and test it with focused user groups before a wider
customer roll-out.
Build trust amongst customers, employees
and partners through fairness and
transparency of data use. Use the consent
change opportunity to increase customer buy-
in by focusing on value exchange.
Data Source for statistics: * The GDPR Demands 75k DPOs, International Association of Privacy
Professional. † A New Slice of PPP, with a Side of Digital Trust, Accenture 2017.
Copyright © 2018 Accenture. All rights reserved.

4. 2. DATA SUBJECT RIGHTS
FIRMS ARE REQUIRED TO
PROVIDE THE FOLLOWING
SEVEN FUNDAMENTAL RIGHTS
TO BOTH EMPLOYEES AND
CUSTOMERS4:
1. Data access
2. Data rectification
3. Right to be forgotten (new)
4. Right to restrict processing
5. Right to object
6. Data portability (new)
7. Right to object to automated decision-
making (new)
4
RECOMMENDATIONS TO HELP DRIVE
COMPLIANCE
• Review the existing processes and implement enhancements
to provision the data subject rights.
• Deliver frontline staff training and communication to
operationalise the new and/or enhanced processes.
• Consider automating data subject rights beyond the
immediate compliance deadline.
Looking beyond compliance:
Customer and staff rights have been
strengthened, but this doesn’t have to be a
burden—use this as an opportunity to
establish your brand as a truly digital
customer-centric business.
Source for regulatory statements: General Data Protection Regulation
4Articles 12-23
Data Source for statistics: * The GDPR Demands 75k DPOs, International Association of Privacy
Professional. † A New Slice of PPP, with a Side of Digital Trust, Accenture 2017.
Copyright © 2018 Accenture. All rights reserved.

5. 3. PRIVACY, SECURITY & BREACH MANAGEMENT
FIRMS ARE REQUIRED TO…
• Notify supervisory authority within 72 hours of
discovering a data breach5
• Perform privacy impact assessment on
business areas using personal data6
• Embed privacy by design and default into
business processes and systems7
• Have in place appropriate organisational and
technical security measures for the protection
of personal data8
5
Embedding privacy and security
requires both a cultural change
and proactive process, which can
reduce and mitigate risks. consumer’s (surveyed globally) trust in a company
increases when breaches are handled
swiftly and correctly†
4 out of 10
Source for regulatory statements: General Data Protection Regulation
5Article 33 GDPR; 6Article 35 GDPR; 7Article 25 GDPR; 8Article 32 GDPR
Data Source for statistics: * The GDPR Demands 75k DPOs, International Association of Privacy
Professional. † A New Slice of PPP, with a Side of Digital Trust, Accenture 2017.
Copyright © 2018 Accenture. All rights reserved.
RECOMMENDATIONS ON TACKLING THE
COMPLIANCE CHALLENGE
• Take a risk-based approach by conducting Data Privacy Impact
Assessments (DPIAs) on high risk business processes,
applications and systems
• Identify and document the organisational and security controls
in place to mitigate the risks associated with personal data
processing
• Establish a long-term roadmap to deliver
required enhancements to existing security controls

6. 4. DATA PROTECTION OFFICE & DATA GOVERNANCE
FINANCIAL SERVICES
FIRMS ARE REQUIRED TO…
• Appoint a Data Protection Officer
(DPO) to act as a first point of contact
for supervisory authorities9. The DPO
is to monitor compliance, advise on
data protection impact assessments,
and inform the board members and
employees about their obligations to
comply with the GDPR.
• The DPO will require a dedicated team
to execute its roles and responsibilities
and in many organisations will be a new
second line of defence function.
6Source for regulatory statements: General Data Protection Regulation
9Articles 37-39 GDPR
Data Source for statistics: * The GDPR Demands 75k DPOs, International Association of Privacy
Professional. † A New Slice of PPP, with a Side of Digital Trust, Accenture 2017.
Copyright © 2018 Accenture. All rights reserved.
DPOs are required worldwide
75,000
+3000
DPOs are needed in United
Kingdom/Ireland*
RECOMMENDATIONS ON MOVING
TOWARDS SUSTAINABLE COMPLIANCE
• Define privacy risk appetite and strategy.
• Appoint a DPO and establish the roles of the Data
Protection Office upfront.
A DPO will be
integral in
overseeing all
aspects of data
privacy and
protection beyond
25th May, 2018.

7. 5. THIRD PARTY MANAGEMENT & INTERNATIONAL DATA
TRANSFER
• Under GDPR, data processors’ and
controllers’ are subject to direct
statutory obligations and penalties,
rather than only being subject to
obligations imposed on them by
contractual agreements with the
controller10.
• Firms are required to have in place the
appropriate safe guards for all data
transfers11 and the data subject can be
provided information as to whom their
data has been shared with12.
7
GDPR impacts how you and
any third parties manage
personal data across the
entire data value chain.
Consumers surveyed globally are willing to share
personal information in exchange for a better level of
service or the ability to choose which data is shared with
3rd parties†
1/4
Source for regulatory statements: General Data Protection Regulation
10Articles 24-43 GDPR; 11Article 46 GDPR; 12Article 15 GDPR
Data Source for statistics: * The GDPR Demands 75k DPOs, International Association of Privacy
Professional. † A New Slice of PPP, with a Side of Digital Trust, Accenture 2017.
Copyright © 2018 Accenture. All rights reserved.
RECOMMENDATIONS ON COMPLYING WITH THE
REGULATION AND DRIVING WIDER BUSINESS
VALUE
• Review and update all supplier contracts where staff or customer
personal data is shared.
• Update supplier governance policies and procedures inline with
GDPR.
• Review and enhance third-party risk management framework and
use this as an opportunity to converge towards trusted third-party
suppliers.

8. PREPARING FOR THE COMPLIANCE DEADLINE
Copyright © 2018 Accenture. All rights reserved. 8
GDPR is an opportunity to rethink the way your organisation handles customer and employee
data. Here are a few recommendations to prepare for an effective GDPR implementation.
Focus on the customer
journey
Drive GDPR into your
organisation through prioritised
customer journeys and business
processes, rather than just a
technology or compliance
approach.
Empower cross-
functional teams
Make balanced decisions more
quickly by bringing together
compliance, business and
technology teams.
Create a simple
programme structure
Develop a structure for
managing GDPR where teams
can clearly communicate and
keep end goals in mind.
Prioritise on risks and
demonstrate change
Use a risk-based approach to identify
intrinsic and actual risk to inform the
implementation roadmap
prioritisation.
Data Source for statistics: * The GDPR Demands 75k DPOs, International Association of Privacy
Professional. † A New Slice of PPP, with a Side of Digital Trust, Accenture 2017.

9. GDPR compliance is far from being a single one-off remediation effort—look beyond 25th May,
2018 and you could drive strategic and operational benefits to unlock your data’s strategic value.
Strategic
Data Sharing
Partnerships
Good
Regulatory
Relations
Trusted
Brand
Capture
High Value
Market
Share
Opportunity
for
Monetisation
Stricter consent and
transparency
More trust to strengthen opt-in
rates
STRATEGIC MARKET DIFFERENTIATION
REDUCED COSTS:
A company with a large database of customer records could save
millions (on average storing costs are $1.50 per record per year†) if they
cleanse their database of inactive customers and comply with data
retention schedules.
A BETTER CUSTOMER EXPERIENCE:
Increase marketing opt-in by focusing on value exchange and building
trust with customers. For companies, better data means better product
placement, upselling, cross-selling, and improved return on marketing—
all of which contribute to a more personalised customer experience.
FROM BURDEN… TO OPPORTUNITY
Detailed records on
data processing
More efficient data operations
Privacy by design
and data minimisation
Reduction in cost and data
noise
Stricter governance
and accountability
Smarter investments into data
Accountability for third-
party sharing
More value from data sharing
Copyright © 2018 Accenture. All rights reserved. 9
UNLOCK ADDITIONAL VALUE FROM
CUSTOMER DATA
Increased
Marketing
Opt-in
More Value
from Data
Sharing
Reduced
Cost and
Data Noise
Strengthened
Marketing
Spend
More
Efficient
Data
Operations
Value-based
Data
Investments
Data Source for statistics: * The GDPR Demands 75k DPOs, International
Association of Privacy Professional. † A New Slice of PPP, with a Side of Digital
Trust, Accenture 2017.

10. CONTACT US
Copyright © 2018 Accenture. All rights reserved. 10
Get in touch to find out more about GDPR, its impact on your organisation and how
Accenture can help you navigate and comply with the new data privacy and protection
requirements.
Umer Hamid
Management Consulting Manager
Accenture Finance & Risk
London, United Kingdom
Umer.Hamid@accenture.com
Heather D. Adams
Managing Director
Accenture Finance & Risk
London, United Kingdom
Heather.D.Adams@accenture.com
Get the latest insights from Accenture Finance & Risk:
On our blog: http://financeandriskblog.accenture.com/
On LinkedIn: https://www.linkedin.com/showcase/16183502/
On Twitter @AccentureFSRisk: https://twitter.com/AccentureFSRisk

11. .
Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
ABOUT ACCENTURE
Accenture is a leading global professional
services company, providing a broad range of
services and solutions in strategy, consulting,
digital, technology and operations. Combining
unmatched experience and specialized skills
across more than 40 industries and all business
functions—underpinned by the world’s largest
delivery network —Accenture works at the
intersection of business and technology to help
clients improve their performance and create
sustainable value for their stakeholders. With
more than 425,000 people serving clients in
more than 120 countries, Accenture drives
innovation to improve the way the world works
and lives. Visit us at www.accenture.com
DISCLAIMER
This presentation is intended for general
informational purposes only and does not take
into account the reader’s specific circumstances,
and may not reflect the most current
developments. Accenture disclaims, to the fullest
extent permitted by applicable law, any and all
liability for the accuracy and completeness of the
information in this presentation and for any acts
or omissions made based on such information.
Accenture does not provide legal, regulatory,
audit, or tax advice. Readers are responsible for
obtaining such advice from their own legal
counsel or other licensed professionals.
Copyright © 2018 Accenture All rights reserved. 11