
General Data Protection Regulation (GDPR) Implications for Canadian Firms

The General Data Protection Regulation (GDPR) presents significant compliance challenges for financial institutions, with new data-processing and record-keeping requirements. This Accenture Finance & Risk presentation explores the impact of GDPR on Canadian firms, including lessons learned from our work with clients and knowledge gained that can be used for an effective GDPR journey.


2. GDPR – EXECUTIVE SUMMARY
Copyright © 2018 Accenture. All rights reserved.

The goal of the General Data Protection Regulation is to protect the personal data of individuals in the European Union (EU), wherever it is processed or controlled. The changes fall under four themes: individuals' rights increased, scope widened, harmonization across the EU, and stronger enforcement and accountability.

• Strengthened right to erasure (the "right to be forgotten")
• New right to data portability
• Unambiguous consent required for data usage
• Accountability for 3rd-party data processors: the GDPR imposes direct obligations and liability on processors (previously only on controllers)
• Covers EU data subjects regardless of where the data controller / processor is located
• Wider definitions with tighter principles
• New rules for genetic, biometric and pseudonymous data
• Data Protection Officer to be appointed for high-risk / large-scale processing
• Data Protection Authority assessment and approval
• Contract reviews and changes
• Harmonized rules, a simpler legal landscape, overseen by the European Data Protection Board plus local regulators
• Fines up to 4% of annual worldwide turnover
• Civil suits from government agencies, business entities and individuals

Who does the GDPR affect?
GDPR applies to all organizations located within the EU, and to organizations outside the EU if they:
• offer goods or services to, or monitor the behavior of, EU data subjects (individuals); or
• process and hold the personal data of subjects residing in the EU, regardless of where the company is located.

What are the penalties for non-compliance?
Fines up to 4% of annual global turnover or €20 million, whichever is higher.
• This is the maximum fine that can be imposed for the most serious infringements.
• Fines are tiered: a lower tier (up to 2% of annual global turnover or €10 million) applies to infringements such as not keeping records in order, not notifying the supervisory authority and the data subject about a breach, or not conducting an impact assessment.
Note: these rules apply to both controllers and processors, meaning "clouds" will not be exempt from GDPR enforcement.
Source: EU General Data Protection Regulation portal. Access at: http://www.eugdpr.org/eugdpr.org.html
3. GDPR IMPACT ON CANADIAN FINANCIAL FIRMS

GDPR has a wider reach than the EU Data Protection Directive and therefore has the potential to impact companies that do not have any operations in the EU.

WHAT IS THE IMPACT OF GDPR ON CANADIAN FIRMS
When GDPR takes effect, it will apply to companies that either have a presence in the EU or engage in personal data processing activities that relate to offering goods and / or services to EU residents.

PIPEDA VS GDPR
GDPR requirements are consistent with many of the requirements under the Personal Information Protection and Electronic Documents Act ("PIPEDA"); Canadian organizations that already comply with PIPEDA (or similar provincial legislation) may already satisfy some of the GDPR requirements.

GDPR-SPECIFIC REQUIREMENTS
Given the severity of the potential sanctions and fines under GDPR, it would be prudent for impacted organizations to initiate steps to address GDPR-specific requirements (where they differ from PIPEDA). Some examples:
• Review PIPEDA consent forms for EU residents against GDPR requirements;
• Review contracts with existing Data Processors and enhance future Data Processor selection criteria;
• Appoint a Data Protection Officer ("DPO") in an appropriate jurisdiction (the DPO role may be performed by the Chief Privacy Officer or another qualified executive);
• Review and remediate privacy and data protection policies / practices that apply to the management of EU residents' personal data;
• Communicate and provide training on personal data protection policies and practices (P&Ps) under GDPR.
Source: Accenture analysis based upon publicly available PIPEDA and GDPR documents
4. GDPR CHALLENGES AND BENEFITS

GDPR means extensive change for financial firms handling personal data.

BENEFITS OF GDPR COMPLIANCE
• Competitive advantage as a trusted brand
• Improved data quality & data operations
• More data-driven business decisions
• Streamlined data policies
• Data to provide advisory support to management
• Culture of data responsibility
• Aligned security strategy

DATA CONTROLLER AND PROCESSOR OBLIGATIONS
• Controller responsibility
• Lawfulness & reporting
• Privacy by design / default
• Data protection & breaches
• Notify of all usages, changes
• Impact assessments
• Limit data transfers
• Encryption, pseudonyms, masking

DATA SUBJECT RIGHTS
• Be forgotten
• Be erased / deleted
• Not to be profiled
• Use only with consent
• Accuracy / remediation
• Data portability
• Explanation of usage
• Suspend data use
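Of the obligations above, "Encryption, pseudonyms, masking" is the one that gets implemented in code rather than in policy, and it is the one most often done wrong. The following is an added example, not code from the original presentation or from Accenture. It shows masking of a card number, keyed pseudonymisation of an e-mail address with HMAC-SHA256 under a key held separately from the data (the "additional information kept separately" that the GDPR's definition of pseudonymisation relies on), and why an unkeyed hash is not a pseudonym for a low-entropy identifier: a dictionary of plausible e-mail addresses recovers it. The sample record, the guess list and the key are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample record for the example (not real customer data).
SAMPLE_RECORD = {
    "email": "jane.doe@example.com",
    "card": "4111111111111111",
    "city": "Toronto",
}


def mask_card(pan: str) -> str:
    """Masking: irreversible, keeps only the last four digits for display."""
    if len(pan) <= 4:
        return "*" * len(pan)
    return "*" * (len(pan) - 4) + pan[-4:]


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256. Frequently mistaken for pseudonymisation; see dictionary_attack."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a key kept apart from the data.

    The same input under the same key always yields the same token, so the
    pseudonymised dataset can still be joined on it; without the key a token
    cannot be checked against guesses, which is what makes re-identification
    depend on separately held information.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Recover the input of an unkeyed hash by hashing likely values.

    E-mail addresses, phone numbers and card numbers have little entropy, so
    an attacker who can enumerate plausible values wins against a bare hash.
    Against an HMAC token the same loop finds nothing, because it lacks the key.
    """
    for candidate in candidates:
        if naive_hash(candidate) == token:
            return candidate
    return None


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Field-level treatment a processing record might specify: pseudonymise
    the e-mail (still usable as a join key), mask the card number, leave the
    non-identifying city field untouched."""
    out = dict(record)
    out["email"] = pseudonymise(record["email"], key)
    out["card"] = mask_card(record["card"])
    return out


if __name__ == "__main__":
    # In production the key lives in a KMS/HSM, never in the same store as the data.
    key = secrets.token_bytes(32)
    guesses = ["bob@example.com", "jane.doe@example.com", "anna@example.org"]

    weak = naive_hash(SAMPLE_RECORD["email"])
    print("unkeyed hash recovered as:", dictionary_attack(weak, guesses))

    strong = pseudonymise(SAMPLE_RECORD["email"], key)
    print("keyed pseudonym recovered as:", dictionary_attack(strong, guesses))

    print(pseudonymise_record(SAMPLE_RECORD, key))
```

Two design points follow from the key being the only link back to the person. First, the key must be access-controlled and audited like any other secret, because whoever holds it can re-identify every pseudonymised record. Second, destroying the key makes every token derived from it permanently unlinkable, including copies sitting in backups, which is one practical way to give effect to erasure in systems where deleting individual rows everywhere is not feasible.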
5. HOW ACCENTURE CAN HELP

Accenture's Finance & Risk (F&R) practice has significant experience and know-how in Risk Management, Data Privacy & Security and Regulatory Compliance to support you on your GDPR compliance journey. Our data-centric approach can help you transform GDPR from a compliance concern into a competitive advantage.

OUR HOLISTIC APPROACH
TECHNOLOGY
• Heightened level of controls around data, encryption and breaches
• Improvement of technology architecture with respect to privacy and data protection
• Incorporating advanced technologies that permit constant surveillance and compliance with rights and obligations
PROCESSES
• Redesigned processes around primacy of the data subject
• Requirement for robust governance of data and data protection
• Design privacy into all activities, new and legacy
• Redefine relationships with processors and other external organizations
PEOPLE
• New roles and associated skills
• New operating models
• Transformed organizational structure
DATA
• Full and ongoing discovery and connectedness of personal data
• Permanent, rigorous data governance regime

ACCENTURE'S GDPR INTELLIGENCE PLATFORM
• Automated data scan
• Automated identification and classification of personal data
• Map personal data to processes and applications
• Validation of personal data
• Assembly of Personal Data Knowledge Graphs
• Article 30 reporting
• Data subject rights provisioning
• Breach response

[Platform diagram: Discover, Analyze, Tag, Govern. Sources: ERPs, analytics, collaboration, mainframes, content management, workstations & devices. Data types: structured, semi-structured, unstructured, biometrics. Outputs: Personal Data Knowledge Graph, personal data repository, data subject rights provisioning, GDPR operations.]
6. WHAT WE HAVE LEARNED

Lessons learned from our work with clients and knowledge gained that can be used for an effective GDPR journey.

1. A cross-functional team is key. GDPR compliance requires collaborative involvement from Risk, IT and the business. Business involvement is key to reducing disruption to business-as-usual processes.
2. From burden to opportunity. GDPR investment can be leveraged to help drive business value and opportunities, e.g. establishing simpler data operations and reducing cost and data noise.
3. Business-process-led discovery. Identify the top 5-10 customer-related business processes; they will often generate the biggest risks, such as data movement across entities and across a system landscape.
4. Prioritize risks and demonstrate change. In many ways GDPR is too big to be totally completed by 2018; focus on the most important risk(s) first with an intent to cover all areas.
5. GDPR accountability. This is more than just a name in the frame; it introduces legal accountability obligations and will require effective influence to enable change within the organization.
6. Vendors and alliances are your responsibility. You are now accountable for your ecosystem alliances that act as Data Processors, and these are often obscure, e.g. cloud providers.
7. Assess existing projects to scale. Drive demand into existing projects; data privacy should be a part of them all and not something for a dedicated program to do for them.
8. Embed the DPO in the organization. The DPO should have the right capabilities (skills, team, authority) and be empowered to escalate risks to senior leadership, including the ability to drive and execute changes to resolve issues.
9. Different parts of the organization can be at different maturity stages. It is natural for some areas to be further ahead. Use the wins of the leading parts of the organization and make sure all areas are coordinated.
10. Tools and a solid foundation are critical. This requires deep investigation within the organization. While tools can help, tools are no silver bullet and will not find the obscure cases that talking to people will help uncover.
7. ACCENTURE FINANCIAL SERVICES

Breadth and depth of experience to meet your business needs: we help the world's banks, insurance, capital markets and FinTech firms meet unparalleled strategic, operational, technology and sourcing demands. Our goal is to be recognized as the premier innovation and execution "partner" in the Financial Services industry, collaborating with our clients and ecosystem alliances to create sustainable value for our clients and our communities. We offer innovative solutions developed jointly with key alliances such as Microsoft Corporation, SAP SE, Oracle Corporation, Cisco Systems, Inc. and Salesforce.com, inc.

Accenture: US$32.9 billion in annual revenues; 384,000 employees; 40+ industries served; 5,000+ clients; 200+ locations across 55 countries serving clients in 120+ countries; 150+ powerful alliance network of market leaders and innovators; 50,000 Financial Services professionals globally.

Finance & Risk: F&R resources in 40+ countries; 5,000+ Finance & Risk professionals across the globe. Areas of focus: Cyber Risk & Resilience, Finance & Accounting, Sourcing & Procurement, Regulatory & Compliance, Financial Risk Management, Finance & Risk Analytics.

Fortune Global 500 companies we work with include 10 of the top 15 banks, 8 of the top 8 capital markets companies and 8 of the top 10 insurers. Our clients: 92% of the Financial Services institutions in the Global Fortune 100 and 82% of those in the Global Fortune 500; 80% of our top Financial Services clients have been clients for at least 15 years.

We help clients streamline operating models, integrate risk and finance functions, align and integrate disparate sources of data, innovate to manage risk and deliver technology solutions.
8. FOR MORE INFORMATION

Contact us:
Samantha Regan, Managing Director, Accenture Finance & Risk (E): samantha.regan@accenture.com (P): +1 917-452-5500
Avinash Pimento, Managing Director, Accenture Finance & Risk (E): avinash.p.pimento@accenture.com (P): +1 416-641-3103
Usman Raj, Senior Manager, Accenture Finance & Risk (E): usman.raj@accenture.com (P): +1 416-641-3588

To find out more:
Accenture Finance & Risk: https://www.accenture.com/us-en/financial-services-finance-risk
Accenture Finance & Risk Blogs: http://financeandriskblog.accenture.com/homepage/
https://www.linkedin.com/showcase/16183502
https://twitter.com/AccentureFSRisk
9. ABOUT ACCENTURE

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions, underpinned by the world's largest delivery network, Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 435,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com

DISCLAIMER
This presentation is intended for general informational purposes only and does not take into account the reader's specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.