The General Data Protection Regulation (GDPR) represents significant challenges for financial institutions to comply with the new data processing and record keeping requirements. This Accenture Finance & Risk presentation explores the impact of GDPR on Canadian firms, including lessons learned from our work with clients and knowledge gained that can be used for an effective GDPR journey.

1. GENERAL DATA
PROTECTION REGULATION
(GDPR) IMPLICATIONS FOR
CANADIAN FIRMS
FINANCE
& RISK
MARCH 2018

2. The goal of the General Data Protection Regulation is to protect personally identifiable data of European Union (EU) citizens, wherever it is
processed or controlled
• Increased Right to be Forgotten
• Introduction of Right to Erasure
• New Right to Portability
• Accountability for 3rd party data processors
• Unambiguous consent required for data usage
• Fines up to 4% of annual worldwide turnover
• Civil suits from government agencies, business entities and
individuals
• Imposes direct obligations and liability for processors
(previously only for controllers)
• Data Protection Authority assessment and approval
• Harmonized rules - simpler legal landscape
• Overseen by a European Data Privacy Board plus local
regulators
• Contract reviews and changes
• Wider definitions with tighter principles
• Covers EU data subjects, regardless of where data
controller / processor located
• Data Protection Officer to be appointed for high risk / large
scale processing
• New rules for genetic, biometric and pseudonymous data
Stronger Enforcement
& Accountability
Harmonization
across EU
Scope Widened
Individual’s Rights
Increased
GDPR – EXECUTIVE SUMMARY
Copyright © 2018 Accenture. All rights reserved. 2
The General Data Protection Regulation (GDPR) represents significant challenges for financial institutions to
comply with the new data processing and record keeping requirements.
Who does the GDPR affect?
GDPR applies to all organizations located within the EU as
well as any organizations outside the EU if they:
• Offer goods or services to, or monitor the behavior of, EU data
subjects (individuals).
or
• Process and hold the personal data of subjects residing in the
EU, regardless of where the company is located.
What are the penalties for non-compliance?
Fines up to 4% of annual global turnover or €20 million
• This is the maximum fine that can be imposed for the most
serious infringements.
• There is a tiered approach to fines e.g. for not having records
in order, not notifying the supervising authority and data
subject about a breach or not conducting impact assessment.
Note: these rules apply to both controllers and processors,
meaning “clouds” will not be exempt from GDPR enforcement.
Source: EU General Data Protection Regulation portal. Access at: http://www.eugdpr.org/eugdpr.org.html

3. GDPR IMPACT ON CANADIAN FINANCIAL FIRMS
Copyright © 2018 Accenture. All rights reserved.
GDPR has a wider reach than the EU Data Protection Directive and therefore has the potential to impact companies
that do not have any operations in the EU.
WHAT IS THE IMPACT OF GDPR ON CANADIAN FIRMS
When GDPR comes into effect, it will be applicable to companies that either have a presence in the EU or engage in personal data
processing activities that relate to offering goods and / or services to EU residents.
PIPEDA VS GDPR
GDPR requirements are consistent with many of the requirements under the Personal Information Protection and
Electronic Documents Act (“PIPEDA”);
Canadian organizations that already comply with PIPEDA (or similar provincial legislations) could potentially be
compliant under some of the GDPR requirements.
GDPR-SPECIFIC REQUIREMENTS
Given the severity of the potential sanctions and fines under GDPR, it would be prudent for impacted
organizations to initiate steps to address GDPR-specific requirements (where they differ from PIPEDA). Some
examples may include:
• Review PIPEDA consent forms for EU residents vs. GDPR requirements;
• Review contracts with existing Data Processors and enhance future Data Processor selection criteria;
• Appoint a Data Protection Officer (“DPO”) in an appropriate jurisdiction (the role of a DPO may be performed
by either the Chief Privacy Officer or another qualified executive);
• Review and remediate privacy and data protection policies / practices that apply to the management of EU
residents’ personal data;
• Appropriately communicate and provide training related to personal data protection policy and practices
(P&Ps) under GDPR. 3
Source: Accenture analysis based upon publicly available PIPEDA and GDPR documents

4. GDPR CHALLENGES AND BENEFITS
Copyright © 2017 Accenture. All rights reserved.
GDPR means extensive change for financial firms handling personal data.
4Copyright © 2018 Accenture. All rights reserved. 4
Competitive advantage as a
trusted brand
Improved data quality & data
operations
More data-driven business
decisions
Streamlined data policies
Data to provide advisory
support to management
Culture of data responsibility
Aligned security strategy
BENEFITS OF GDPR
COMPLIANCE
Controller
Responsibility
Lawfulness &
Reporting
Privacy by
Design / Default
Data Protection
& Breaches
Notify of All
Usages,
Changes
Impact
Assessments
Limit Data
Transfers
Encryption,
Pseudonyms,
Masking
Be Forgotten
Be Erased /
Deleted
Not To Be
Profiled
Use Only With
Consent
Accuracy /
Remediation
Data Portability Explanation
of Usage
Suspend
Data Use
DATA
CONTROLLER
AND
PROCESSOR
OBLIGATIONS
DATA
SUBJECT
RIGHTS

5. HOW ACCENTURE CAN HELP
Copyright © 2018 Accenture. All rights reserved. 5
Accenture’s Finance & Risk (F&R) practice has significant experience and know-how in Risk Management, Data
Privacy & Security and Regulatory Compliance to support you on your GDPR compliance journey. Our data-centric
approach can help you transform GDPR from a compliance concern into a competitive advantage.
100
100
010
OUR HOLISTIC
APPROACH
TECHNOLOGY
• Heightened level of controls around
data, encryption and breaches
• Improvement of technology
architecture with respect to privacy
and data protection
• Incorporating advanced
technologies that permit constant
surveillance and compliance with
rights and obligations
PROCESSES
• Redesigned processes around
Primacy of the Data Subject
• Requirement for robust governance
of data and data protection
• Design privacy into all activities,
new and legacy
• Redefine relationships with
processors and other external
organizations
PEOPLE
• New roles and
associated skills
• New operating models
• Transformed
organizational structure
DATA
• Full and ongoing discovery and
connectedness of personal data
• Permanent, rigorous data
governance regime
ACCENTURE’S
GDPR
INTELLIGENCE
PLATFORM
Automated data scan
Automated identification and
classification of
personal data
Map personal data to
processes and applications
Validation
of personal data
Assembly of Personal Data
Knowledge Graphs
• Article 30 Reporting
• Data Subject Rights Provisioning
• Breach Response
Personal Data Knowledge Graph Data Subject Rights
Provisioning
Automatically Discover Personal Data
Using Machine Learning Algorithms
Discover
Data Visualization
the Customer
Connect
Run GDPR
Operations
Implement
Personal Data Repository
Discover
Analyze
Tag
Govern
Sources
ERPs,
Analytics
Collaboration
Mainframes
Content
ManagementWorkstations
& Devices
Unstructured Structured
Semi-Structured
Biometrics
Types

6. WHAT WE HAVE LEARNED
Copyright © 2018 Accenture. All rights reserved. 6
Lessons learned from our work with clients and knowledge gained that can be used for an effective GDPR journey.
GDPR - a cross-
functional team is
key
GDPR compliance requires
collaborative involvement
from Risk, IT and the
business. Business
involvement is key to
reducing business as usual
process disruption.
From burden to
opportunity
GDPR investment can be
leveraged to help drive
business value and
opportunities, e.g.
establishing simpler data
operations and reducing
cost and data noise.
Business process-
led discovery
Identify the top 5-10
customer-related business
processes, they will often
generate the biggest risks
like data movement across
entities and across a
system’s landscape.
Prioritize risks and
demonstrate
change
In many ways GDPR is too
big to be totally completed by
2018 – focus on the most
important risk(s) first with an
intent to cover all areas.
GDPR
accountability
This is more than just a
name in the frame, it
introduces legal
accountability obligations
and will require effective
influence to enable change
within the organization.
Vendors and
alliances are your
responsibility
You are now accountable for
your ecosystem alliances
being Data Processors and
these are often obscure e.g.
cloud providers.
Assess existing
projects to scale
Drive demand into existing
projects – data privacy
should be a part of them all
and not something for a
dedicated program to do for
them.
Embed the DPO in
the organization
The DPO should have the
right capabilities (skills,
team, authority) and be
empowered to escalate risks
to senior leadership,
including the ability to drive
and execute changes to
resolve issues.
Different parts of
the organization
can be in different
maturity stages
It’s natural for some areas to
be further ahead. Use the
wins of leading parts of the
organization and make sure
all areas are coordinated.
Tools and a solid
foundation are
critical
This requires deep
investigation within the
organization. While tools can
help, tools are no silver bullet
and won’t find obscure cases
that talking to people will
help uncover.
1 2 3 4 5
6 7 8 9 10

7. Breadth and Depth of
Experience to Meet Your
Business Needs:
We help the world’s banks, insurance,
capital markets and FinTech firms meet
unparalleled strategic, operational,
technology and sourcing
demands.
Our goal is to be recognized as the
premier innovation and
execution “partner” in the Financial
Services industry, collaborating
with our client and ecosystem alliances to
create sustainable value for
our clients and our communities.
We offer innovative solutions developed
jointly with key alliances such as
Microsoft Corporation, SAP SE, Oracle
Corporation, Cisco Systems, Inc. and
Salesforce.com,inc.
US$32.9
billion
In Annual Revenues
384,000
Employees
40+
Industries Served
5,000+
Clients
200+
Locations across 55
countries serving clients
in 120+ countries
150+
Powerful alliance network
of market leaders and innovators
50,000
Financial
Services
professionals
globally
FINANCE & RISK
F&R Resources in
40+
countries
5,000+
Finance & Risk
professionals
across the globe
Banking
10/15
of the top Banks
Capital Markets
8/8
of the top Capital
Markets companies
Insurance
8/10
of the top
Insurers
Fortune Global 500 companies we work with include
We help clients streamline operating models, integrate
risk and finance functions, align and integrate
disparate sources of data, innovate to manage risk &
deliver technology solutions
FINANCIAL SERVICESACCENTURE
Cyber Risk &
Resilience
Finance &
Accounting
Sourcing &
Procurement
Regulatory &
Compliance
Financial Risk
Management
Finance &
Risk Analytics
Areas of Focus:
of Financial Services
Institutions in the
Global Fortune 100
Our Clients:
of Financial Services
Institutions in the
Global Fortune 500
of our top Financial
Services clients have
been clients for at least
15 years
92%
82%
80%
Copyright © 2018 Accenture. All rights reserved. 7

8. FOR MORE INFORMATION
Contact us:
Samantha Regan
Managing Director, Accenture Finance & Risk
(E): samantha.regan@accenture.com
(P): +1 917-452-5500
Avinash Pimento
Managing Director, Accenture Finance & Risk
(E): avinash.p.pimento@accenture.com
(P): +1 416-641-3103
Usman Raj:
Senior Manager, Accenture Finance & Risk
(E): usman.raj@accenture.com
(P): +1 416-641-3588
To find out more:
Accenture Finance & Risk:
https://www.accenture.com/us-en/financial-services-finance-risk
Accenture Finance & Risk Blogs:
http://financeandriskblog.accenture.com/homepage/
Copyright © 2018 Accenture. All rights reserved. 8
https://www.linkedin.com/showcase/16183502
https://twitter.com/AccentureFSRisk

9. GENERAL DATA PROTECTION REGULATION
(GDPR) IMPLICATIONS
Copyright © 2018 Accenture. All rights reserved. 9
ABOUT ACCENTURE
Accenture is a leading global professional
services company, providing a broad range of
services and solutions in strategy, consulting,
digital, technology and operations. Combining
unmatched experience and specialized skills
across more than 40 industries and all business
functions—underpinned by the world’s largest
delivery network —Accenture works at the
intersection of business and technology to help
clients improve their performance and create
sustainable value for their stakeholders. With
more than 435,000 people serving clients in more
than 120 countries, Accenture drives innovation to
improve the way the world works and lives. Visit
us at www.accenture.com
DISCLAIMER
This presentation is intended for general
informational purposes only and does not
take into account the reader’s specific
circumstances, and may not reflect the most
current developments. Accenture disclaims,
to the fullest extent permitted by applicable
law, any and all liability for the accuracy and
completeness of the information in this
presentation and for any acts or omissions
made based on such information. Accenture
does not provide legal, regulatory, audit, or tax
advice. Readers are responsible for obtaining
such advice from their own legal counsel or
other licensed professionals.
Accenture, its logo, and High Performance Delivered
are trademarks of Accenture.