SlideShare a Scribd company logo

Aon GDPR white paper

Graeme Cross
Graeme Cross

“The European Union data privacy landscape is about to undergo dramatic change, with lasting enterprise wide implications for the way that organisations handle, protect and use the personal data of EU individuals. Organisations of all sizes, across all industries, and geographies that process personal data of EU residents need to take steps now to comply with the new EU General Data Protection Regulation by 2018, to satisfy management fiduciary duties and avoid potentially costly penalties.”

Technology
1 of 8
Download to read offline
EU General Data Protection Regulation A new era in data protection May 2017 Risk. Reinsurance. Human Resources.
Introduction The European Union General Data Protection Regulation (EU GDPR) is set to come into effect on the 25th of May 2018 and will strengthen the rights of individuals online, while creating significant obligations for businesses operating in an increasingly connected world. The regulation applies to information which directly or indirectly identifies an individual, including customer lists, contact details, genetic/biometric data, and online identifiers like IP addresses. While the EU GDPR builds on the prior EU Data Protection Directive, it brings significant changes in several areas. All organisations globally that process personal data either relating to the offering of goods or services, or the monitoring of activities of EU residents, will need to comply. The new regulation will require organisations to strengthen existing controls, implement new processes and procedures, and document, embed and evidence them appropriately. Organisations will also have to consider the best ways of enabling individuals to exercise their rights surrounding their personal data and its use. The EU GDPR is therefore a game-changer when it comes to the collection, processing and storage of personal data, and one with global implications. As such, organisations need to evaluate their existing position, prepare for the impending changes, and ensure their data protection systems are robust going forward. “The European Union data privacy landscape is about to undergo dramatic change, with lasting enterprise wide implications for the way that organisations handle, protect and use the personal data of EU individuals. Organisations of all sizes, across all industries, and geographies that process personal data of EU residents need to take steps now to comply with the new EU General Data Protection Regulation by 2018, to satisfy management fiduciary duties and avoid potentially costly penalties.” Kevin P. Kalinich, Esq., Global Cyber Practice Leader, Aon Risk Solutions 1
Requirements The business changes needed to comply with the EU GDPR will vary from organisation to organisation, however they are likely to be significant. For instance, organisations should only collect personal data needed to fulfil specific, documented purposes, and where there is a permitted basis under GDPR for the collection. Public authorities, organisations processing large amounts of special categories of data, or whose core activities involve the regular and systematic monitoring of individuals, must appoint a data protection officer with expert knowledge. The regulation introduces the concept of accountability, requiring organisations to embed privacy controls into their operations and mandatory privacy-risk impact assessments for any new project likely to result in a high risk to individuals’ privacy. The EU GDPR introduces a 72-hour notification requirement for all personal data breaches, except those which are unlikely to pose a risk to individuals. In the case of serious incidents, there will also be a duty to notify the affected individuals of the breach. Currently, the EU only requires organisations in certain sectors or countries to notify breaches or cyber attacks to regulators. Fines for non-compliance with the EU GDPR will increase to as much as €20 million or, if higher, to 4% of an organisation’s annual global turnover. This is a significant escalation from the current penalties under existing data protection laws. Fines for serious violations have the potential to reach the billions for large, global companies. Scenario of a European retail company with headquarters in Brussels A retail company based in Belgium, with operations in Belgium, France and the Netherlands, takes a proactive approach to the EU GDPR. Handling customer data from its Brussels headquarters, the company implements tough new security measures to limit any loss of personal data, while appointing a data security officer and a top-down assessment of data privacy measures. Some time after the EU GDPR has come into effect, the firm suffers a cyber attack that results in the loss of a large cache of personal data. The cyber attack exposes weaknesses in the firm’s controls, particularly in relation to deletion of personal data no longer required for business operations or record keeping. However, the firm’s incident response team effectively responded to the attack, notifying the Belgium regulator and individuals as required. While the firm is now liable to censure by the Belgium regulator – and potentially within the other territories in which it operates - thanks to its proactive approach to data privacy protection, the penalties it faces are reduced in light of its efforts to comply with the EU GDPR. The EU GDPR will create significant challenges for business, particularly following a loss or exposure of personal data per the effective date of the 25th of May 2018. Here we explore a couple of potential fictional scenarios. 2
Scenario of a US-headquartered global pharmaceutical firm A US headquartered pharmaceutical, with offices and factories throughout the world, is a conglomerate formed from the mergers of several smaller institutions over the course of the past 15 years. Because of this conglomerate and some incompatible IT, accounting, and financial systems, the company’s approach to GDPR has been fragmented, with several parallel efforts having been conducted with limited oversight from headquarters. Shortly after the EU GDPR has come into effect, data protection authorities in three EU countries receive complaints from employees of a recently acquired entity that their personal data has been unlawfully transferred to the US. The acquisition in question was previously headquartered in an EU country, but post-merger, the HR and operational administration of its employees and personal information was transferred to the appropriate departments in the US, for reasons of efficiency. After a detailed investigation, one of the regulators finds that after a two year process, there were insufficient controls, care and protection placed around the personal information of the affected employees, and that there are several similar issues affecting other groups of employees. Given the wide-spread nature of the violations, the the Data Protection Authority (DPA) seeks to impose a fine based on a percentage of the group’s worldwide turnover, rather than the local entity’s turnover. These scenarios might be fictional right now, but they could become reality in the near future. With limited time to prepare organisations are advised to make sure they are ready for the new regulatory requirements. Given the significance of the changes and the increased enforcement powers of regulators, business leaders need to ensure they are taking steps to comply with the impending rules. 3
Action checklist We have outlined ten steps to help businesses prepare: The board should be accountable for data protection and ensure data protection risks receive ongoing attention and review from the C-suite. Perform a risk analysis on new projects to identify privacy risks and necessary mitigation measures and assess the appropriate technical and organisational measures required. Create a data-processing register detailing what data is held by the company, how it is stored and transferred, what it is used for and by whom. Classify personal information in terms of risk, to comply with data retention periods, and establish a procedure to erase data when the retention period has passed. Evaluate and actively manage existing contracts with third party service providers with whom you share personal data on an ongoing basis, to ensure they include all of the mandatory obligations prescribed by the EU GDPR. Establish, embed and test a procedure to handle personal data incidents. Increase the privacy-awareness of your employees. Ensure employees can recognise and respond appropriately to requests from data subjects seeking to exercise their rights under the EU GDPR (for example: right to object, right to be forgotten). Any processes for responding to such rights should be clearly documented and embedded into business practices. Determine and document whether your organisation should have a Data Protection Officer. Review and amend privacy statements and notices to meet the enhanced transparency requirements. 1 2 3 4 5 6 7 8 9 10 4
Common pitfalls As with any change within an organisation, there are various challenges to navigate. When implementing the EU GDPR, be aware and avoid the following common pitfalls: Not having a clear understanding where and how personal data is stored, how it moves around your enterprise, how it is protected and how it is deleted once no longer required. Underestimating the challenges of implementing a robust, effective programme for data subject rights, such as subject access requests and requests to delete personal data. Not having an enterprise-wide incident response plan in place. The plan should incorporate escalation plans and nominated advisors covering all required stakeholders, including business operations, legal, PR, and key third parties such as IT service providers on whom you rely. Failing to consider supplier / third party data protection management on an ongoing basis. Failing to implement and maintain internal training programmes and procedures. 1 2 3 4 5 5
Conclusion Addressing the EU GDPR will require careful consideration and coordination by internal stakeholders in order to accommodate the multi-faceted nature of the issue. The actions that have been detailed above will be best served by parallel work streams, along with task dependencies and crossover. This can be a challenging task to manage given the limited time left to comply. The organisations that will progress most smoothly will be those that commit significant resource and have senior buy-in early in the process, and that do not underestimate the tasks ahead. Now is the time to consider the implications of the EU GDPR and to prepare and respond in a manner that is proportionate to the nature of your business. Data and individual privacy rights are increasingly significant issues facing firms globally, and the EU GDPR sets the tone for future data privacy standards that will have increasingly global implications. 6
Contacts Adam Peckman Global Cyber Risk Consulting Practice Leader +44 (0)7803 695 386 adam.peckman@aon.co.uk Alexander Carte +44 (0)20 7061 2302 Managing Director Stroz Friedberg acarte@strozfriedberg.co.uk Spencer Lynch +44 (0)20 7061 2304 Managing Director Stroz Friedberg slynch@strozfriedberg.co.uk Vanessa Leemans +44 (0)20 7086 4465 Global Cyber Chief Operating Officer vanessa.leemans@aon.co.uk Kevin Kalinich +1 312 381 4203 Global Cyber Practice Leader kevin.kalinich@aon.com About Aon Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance. For further information on our capabilities and to learn how we empower results for clients, please visit: http://aon.mediaroom.com/ © Aon plc 2017. All rights reserved. The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Recommended

Aon GDPR prepare and protect solution placemat
Aon GDPR prepare and protect solution placematAon GDPR prepare and protect solution placemat
Aon GDPR prepare and protect solution placematGraeme Cross
 
Board Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationBoard Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationJoseph V. Moreno
 
Why GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC FrameworkWhy GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC FrameworkPECB
 
#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...
#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...
#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...Emma Mirrington
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderThe Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderSymantec
 
Data Protection and Data Privacy
Data Protection and Data PrivacyData Protection and Data Privacy
Data Protection and Data PrivacyIT Governance Ltd
 
EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)RAKESH S
 
Cognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdprCognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdpraudrey miguel
 

Recommended

Aon GDPR prepare and protect solution placemat
Aon GDPR prepare and protect solution placematAon GDPR prepare and protect solution placemat
Aon GDPR prepare and protect solution placematGraeme Cross
 
Board Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationBoard Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationJoseph V. Moreno
 
Why GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC FrameworkWhy GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC FrameworkPECB
 
#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...
#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...
#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...Emma Mirrington
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderThe Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderSymantec
 
Data Protection and Data Privacy
Data Protection and Data PrivacyData Protection and Data Privacy
Data Protection and Data PrivacyIT Governance Ltd
 
EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)RAKESH S
 
Cognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdprCognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdpraudrey miguel
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRIT Governance Ltd
 
How to get started with being GDPR compliant
How to get started with being GDPR compliantHow to get started with being GDPR compliant
How to get started with being GDPR compliantSiddharth Ram Dinesh
 
Introduction to gdpr
Introduction to gdprIntroduction to gdpr
Introduction to gdpr3GDR
 
Privacy Year In Preview
Privacy Year In PreviewPrivacy Year In Preview
Privacy Year In PreviewRockwell Bower, Esq., CIPP(US), CIPM
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.Matthias Dobbelaere-Welvaert
 
General Data Protection Regulation: what do you need to do to get prepared? -...
General Data Protection Regulation: what do you need to do to get prepared? -...General Data Protection Regulation: what do you need to do to get prepared? -...
General Data Protection Regulation: what do you need to do to get prepared? -...IISPEastMids
 
Getting to grips with General Data Protection Regulation (GDPR)
Getting to grips with General Data Protection Regulation (GDPR)Getting to grips with General Data Protection Regulation (GDPR)
Getting to grips with General Data Protection Regulation (GDPR)Zoodikers
 
3GRC approach to GDPR V 0.1 www.3grc.co.uk
3GRC approach to GDPR V 0.1 www.3grc.co.uk3GRC approach to GDPR V 0.1 www.3grc.co.uk
3GRC approach to GDPR V 0.1 www.3grc.co.uk►David Clarke FBCS CITP
 
An Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway GroupAn Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway GroupThe Pathway Group
 
New General Data Protection Regulation (Agnes Andersson Hammarstrand)
New General Data Protection Regulation (Agnes Andersson Hammarstrand)New General Data Protection Regulation (Agnes Andersson Hammarstrand)
New General Data Protection Regulation (Agnes Andersson Hammarstrand)Nordic APIs
 
Do You Have a Roadmap for EU GDPR Compliance?
Do You Have a Roadmap for EU GDPR Compliance?Do You Have a Roadmap for EU GDPR Compliance?
Do You Have a Roadmap for EU GDPR Compliance?Ulf Mattsson
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksIT Governance Ltd
 
Corporate Manslaughter And Coporate Homicide Bill
Corporate Manslaughter And Coporate Homicide BillCorporate Manslaughter And Coporate Homicide Bill
Corporate Manslaughter And Coporate Homicide BillSimon McCarthy
 
GDPR for Security Professionals
GDPR for Security ProfessionalsGDPR for Security Professionals
GDPR for Security ProfessionalsSaumya Vishnoi
 
EU General Data Protection Regulation
EU General Data Protection RegulationEU General Data Protection Regulation
EU General Data Protection RegulationRamiro Cid
 
Any Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO StandardsAny Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO StandardsPECB
 
Data Privacy and Data Protection: Rotary’s Compliance with GDPR
Data Privacy and Data Protection: Rotary’s Compliance with GDPRData Privacy and Data Protection: Rotary’s Compliance with GDPR
Data Privacy and Data Protection: Rotary’s Compliance with GDPRRotary International
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceIT Governance Ltd
 
Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...IISPEastMids
 
CBC GDPR April 2018
CBC GDPR April 2018CBC GDPR April 2018
CBC GDPR April 2018Jason Chapman
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessMark Baker
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessOmo Osagiede
 

More Related Content

What's hot

Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRIT Governance Ltd
 
How to get started with being GDPR compliant
How to get started with being GDPR compliantHow to get started with being GDPR compliant
How to get started with being GDPR compliantSiddharth Ram Dinesh
 
Introduction to gdpr
Introduction to gdprIntroduction to gdpr
Introduction to gdpr3GDR
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.Matthias Dobbelaere-Welvaert
 
General Data Protection Regulation: what do you need to do to get prepared? -...
General Data Protection Regulation: what do you need to do to get prepared? -...General Data Protection Regulation: what do you need to do to get prepared? -...
General Data Protection Regulation: what do you need to do to get prepared? -...IISPEastMids
 
Getting to grips with General Data Protection Regulation (GDPR)
Getting to grips with General Data Protection Regulation (GDPR)Getting to grips with General Data Protection Regulation (GDPR)
Getting to grips with General Data Protection Regulation (GDPR)Zoodikers
 
An Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway GroupAn Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway GroupThe Pathway Group
 
New General Data Protection Regulation (Agnes Andersson Hammarstrand)
New General Data Protection Regulation (Agnes Andersson Hammarstrand)New General Data Protection Regulation (Agnes Andersson Hammarstrand)
New General Data Protection Regulation (Agnes Andersson Hammarstrand)Nordic APIs
 
Do You Have a Roadmap for EU GDPR Compliance?
Do You Have a Roadmap for EU GDPR Compliance?Do You Have a Roadmap for EU GDPR Compliance?
Do You Have a Roadmap for EU GDPR Compliance?Ulf Mattsson
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksIT Governance Ltd
 
Corporate Manslaughter And Coporate Homicide Bill
Corporate Manslaughter And Coporate Homicide BillCorporate Manslaughter And Coporate Homicide Bill
Corporate Manslaughter And Coporate Homicide BillSimon McCarthy
 
GDPR for Security Professionals
GDPR for Security ProfessionalsGDPR for Security Professionals
GDPR for Security ProfessionalsSaumya Vishnoi
 
EU General Data Protection Regulation
EU General Data Protection RegulationEU General Data Protection Regulation
EU General Data Protection RegulationRamiro Cid
 
Any Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO StandardsAny Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO StandardsPECB
 
Data Privacy and Data Protection: Rotary’s Compliance with GDPR
Data Privacy and Data Protection: Rotary’s Compliance with GDPRData Privacy and Data Protection: Rotary’s Compliance with GDPR
Data Privacy and Data Protection: Rotary’s Compliance with GDPRRotary International
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceIT Governance Ltd
 
Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...IISPEastMids
 

What's hot (20)

Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPR
 
How to get started with being GDPR compliant
How to get started with being GDPR compliantHow to get started with being GDPR compliant
How to get started with being GDPR compliant
 
Introduction to gdpr
Introduction to gdprIntroduction to gdpr
Introduction to gdpr
 
Privacy Year In Preview
Privacy Year In PreviewPrivacy Year In Preview
Privacy Year In Preview
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.
 
General Data Protection Regulation: what do you need to do to get prepared? -...
General Data Protection Regulation: what do you need to do to get prepared? -...General Data Protection Regulation: what do you need to do to get prepared? -...
General Data Protection Regulation: what do you need to do to get prepared? -...
 
Getting to grips with General Data Protection Regulation (GDPR)
Getting to grips with General Data Protection Regulation (GDPR)Getting to grips with General Data Protection Regulation (GDPR)
Getting to grips with General Data Protection Regulation (GDPR)
 
3GRC approach to GDPR V 0.1 www.3grc.co.uk
3GRC approach to GDPR V 0.1 www.3grc.co.uk3GRC approach to GDPR V 0.1 www.3grc.co.uk
3GRC approach to GDPR V 0.1 www.3grc.co.uk
 
An Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway GroupAn Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway Group
 
New General Data Protection Regulation (Agnes Andersson Hammarstrand)
New General Data Protection Regulation (Agnes Andersson Hammarstrand)New General Data Protection Regulation (Agnes Andersson Hammarstrand)
New General Data Protection Regulation (Agnes Andersson Hammarstrand)
 
Do You Have a Roadmap for EU GDPR Compliance?
Do You Have a Roadmap for EU GDPR Compliance?Do You Have a Roadmap for EU GDPR Compliance?
Do You Have a Roadmap for EU GDPR Compliance?
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
Corporate Manslaughter And Coporate Homicide Bill
Corporate Manslaughter And Coporate Homicide BillCorporate Manslaughter And Coporate Homicide Bill
Corporate Manslaughter And Coporate Homicide Bill
 
GDPR for Security Professionals
GDPR for Security ProfessionalsGDPR for Security Professionals
GDPR for Security Professionals
 
EU General Data Protection Regulation
EU General Data Protection RegulationEU General Data Protection Regulation
EU General Data Protection Regulation
 
Any Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO StandardsAny Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO Standards
 
Data Privacy and Data Protection: Rotary’s Compliance with GDPR
Data Privacy and Data Protection: Rotary’s Compliance with GDPRData Privacy and Data Protection: Rotary’s Compliance with GDPR
Data Privacy and Data Protection: Rotary’s Compliance with GDPR
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR compliance
 
Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...
 
CBC GDPR April 2018
CBC GDPR April 2018CBC GDPR April 2018
CBC GDPR April 2018
 

Similar to Aon GDPR white paper

GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessMark Baker
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessOmo Osagiede
 
GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaperJim Wilson
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection RegulationPete S
 
Operational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbeanOperational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbeanEquiGov Institute
 
Horner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRHorner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRJenny Ferguson
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017Pat Coyle
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowSymantec
 
Running Head THE IMPACT OF GDPR ON GLOBAL IT POLICIES1THE IMPA.docx
Running Head THE IMPACT OF GDPR ON GLOBAL IT POLICIES1THE IMPA.docxRunning Head THE IMPACT OF GDPR ON GLOBAL IT POLICIES1THE IMPA.docx
Running Head THE IMPACT OF GDPR ON GLOBAL IT POLICIES1THE IMPA.docxjeanettehully
 
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018TRA - Tax Representative Alliance
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationHow IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationIBM Security
 
GDPR Solutions That Won't Break the Bank
GDPR Solutions That Won't Break the BankGDPR Solutions That Won't Break the Bank
GDPR Solutions That Won't Break the Bank"John "Jeb"" Beckwith
 
Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)Gerson Trigueiros
 

Similar to Aon GDPR white paper (20)

GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your business
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
 
GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaper
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
 
Operational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbeanOperational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbean
 
Horner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRHorner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPR
 
GDPR-Overview
GDPR-OverviewGDPR-Overview
GDPR-Overview
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t know
 
Running Head THE IMPACT OF GDPR ON GLOBAL IT POLICIES1THE IMPA.docx
Running Head THE IMPACT OF GDPR ON GLOBAL IT POLICIES1THE IMPA.docxRunning Head THE IMPACT OF GDPR ON GLOBAL IT POLICIES1THE IMPA.docx
Running Head THE IMPACT OF GDPR ON GLOBAL IT POLICIES1THE IMPA.docx
 
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationHow IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity Legislation
 
GDPR Solutions That Won't Break the Bank
GDPR Solutions That Won't Break the BankGDPR Solutions That Won't Break the Bank
GDPR Solutions That Won't Break the Bank
 
Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)
 
GDPR: how IT works
GDPR: how IT worksGDPR: how IT works
GDPR: how IT works
 
GDPR: Time to Act
GDPR: Time to ActGDPR: Time to Act
GDPR: Time to Act
 
Fasten Your Belts for #GDPR
Fasten Your Belts for #GDPRFasten Your Belts for #GDPR
Fasten Your Belts for #GDPR
 
Fasten Your Belts for GDPR
Fasten Your Belts for GDPRFasten Your Belts for GDPR
Fasten Your Belts for GDPR
 

More from Graeme Cross

Temporarily idle sites - COVID19
Temporarily idle sites - COVID19Temporarily idle sites - COVID19
Temporarily idle sites - COVID19Graeme Cross
 
Surety and Guarantee
Surety and GuaranteeSurety and Guarantee
Surety and GuaranteeGraeme Cross
 
Client bulletin; Brexit
Client bulletin; BrexitClient bulletin; Brexit
Client bulletin; BrexitGraeme Cross
 
BioEnergy Value Proposition
BioEnergy Value PropositionBioEnergy Value Proposition
BioEnergy Value PropositionGraeme Cross
 
IFRS Report - Important upcoming accounting changes
IFRS Report - Important upcoming accounting changes IFRS Report - Important upcoming accounting changes
IFRS Report - Important upcoming accounting changes Graeme Cross
 
Aon Cyber Risk Solutions
Aon Cyber Risk SolutionsAon Cyber Risk Solutions
Aon Cyber Risk SolutionsGraeme Cross
 
Aon property laser placemat
Aon property laser placematAon property laser placemat
Aon property laser placematGraeme Cross
 
Prepare to Disclose Climate Risk
Prepare to Disclose Climate RiskPrepare to Disclose Climate Risk
Prepare to Disclose Climate RiskGraeme Cross
 
Supply chain diagnostic brochure
Supply chain diagnostic brochureSupply chain diagnostic brochure
Supply chain diagnostic brochureGraeme Cross
 
Global supply chain management brochure
Global supply chain management brochureGlobal supply chain management brochure
Global supply chain management brochureGraeme Cross
 
Aon Global Client Network Fact Sheet
Aon Global Client Network Fact SheetAon Global Client Network Fact Sheet
Aon Global Client Network Fact SheetGraeme Cross
 
Aon Global Client Network map
Aon Global Client Network mapAon Global Client Network map
Aon Global Client Network mapGraeme Cross
 
Cyber Client Alert
Cyber Client AlertCyber Client Alert
Cyber Client AlertGraeme Cross
 
Global optimisation index
Global optimisation indexGlobal optimisation index
Global optimisation indexGraeme Cross
 
Aon Thought Leadership Guide
Aon Thought Leadership GuideAon Thought Leadership Guide
Aon Thought Leadership GuideGraeme Cross
 
Environmental insurance market status Q1 2017
Environmental insurance market status Q1 2017Environmental insurance market status Q1 2017
Environmental insurance market status Q1 2017Graeme Cross
 
Global Cyber Market Overview June 2017
Global Cyber Market Overview June 2017Global Cyber Market Overview June 2017
Global Cyber Market Overview June 2017Graeme Cross
 
2017 Power Industry Report Highlights
2017 Power Industry Report Highlights2017 Power Industry Report Highlights
2017 Power Industry Report HighlightsGraeme Cross
 
2017 Construction Industry Report Highlights
2017 Construction Industry Report Highlights2017 Construction Industry Report Highlights
2017 Construction Industry Report HighlightsGraeme Cross
 

More from Graeme Cross (20)

Temporarily idle sites - COVID19
Temporarily idle sites - COVID19Temporarily idle sites - COVID19
Temporarily idle sites - COVID19
 
Surety and Guarantee
Surety and GuaranteeSurety and Guarantee
Surety and Guarantee
 
Client bulletin; Brexit
Client bulletin; BrexitClient bulletin; Brexit
Client bulletin; Brexit
 
BioEnergy Value Proposition
BioEnergy Value PropositionBioEnergy Value Proposition
BioEnergy Value Proposition
 
IFRS Report - Important upcoming accounting changes
IFRS Report - Important upcoming accounting changes IFRS Report - Important upcoming accounting changes
IFRS Report - Important upcoming accounting changes
 
Aon Cyber Risk Solutions
Aon Cyber Risk SolutionsAon Cyber Risk Solutions
Aon Cyber Risk Solutions
 
Aon property laser placemat
Aon property laser placematAon property laser placemat
Aon property laser placemat
 
Prepare to Disclose Climate Risk
Prepare to Disclose Climate RiskPrepare to Disclose Climate Risk
Prepare to Disclose Climate Risk
 
Supply chain diagnostic brochure
Supply chain diagnostic brochureSupply chain diagnostic brochure
Supply chain diagnostic brochure
 
Global supply chain management brochure
Global supply chain management brochureGlobal supply chain management brochure
Global supply chain management brochure
 
Aon Global Client Network Fact Sheet
Aon Global Client Network Fact SheetAon Global Client Network Fact Sheet
Aon Global Client Network Fact Sheet
 
Aon Global Client Network map
Aon Global Client Network mapAon Global Client Network map
Aon Global Client Network map
 
Cyber Client Alert
Cyber Client AlertCyber Client Alert
Cyber Client Alert
 
Global optimisation index
Global optimisation indexGlobal optimisation index
Global optimisation index
 
Aon Thought Leadership Guide
Aon Thought Leadership GuideAon Thought Leadership Guide
Aon Thought Leadership Guide
 
2017 Risk Maps
2017 Risk Maps2017 Risk Maps
2017 Risk Maps
 
Environmental insurance market status Q1 2017
Environmental insurance market status Q1 2017Environmental insurance market status Q1 2017
Environmental insurance market status Q1 2017
 
Global Cyber Market Overview June 2017
Global Cyber Market Overview June 2017Global Cyber Market Overview June 2017
Global Cyber Market Overview June 2017
 
2017 Power Industry Report Highlights
2017 Power Industry Report Highlights2017 Power Industry Report Highlights
2017 Power Industry Report Highlights
 
2017 Construction Industry Report Highlights
2017 Construction Industry Report Highlights2017 Construction Industry Report Highlights
2017 Construction Industry Report Highlights
 

Recently uploaded

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 

Recently uploaded (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 

Aon GDPR white paper

  • 1. EU General Data Protection Regulation A new era in data protection May 2017 Risk. Reinsurance. Human Resources.
  • 2. Introduction The European Union General Data Protection Regulation (EU GDPR) is set to come into effect on the 25th of May 2018 and will strengthen the rights of individuals online, while creating significant obligations for businesses operating in an increasingly connected world. The regulation applies to information which directly or indirectly identifies an individual, including customer lists, contact details, genetic/biometric data, and online identifiers like IP addresses. While the EU GDPR builds on the prior EU Data Protection Directive, it brings significant changes in several areas. All organisations globally that process personal data either relating to the offering of goods or services, or the monitoring of activities of EU residents, will need to comply. The new regulation will require organisations to strengthen existing controls, implement new processes and procedures, and document, embed and evidence them appropriately. Organisations will also have to consider the best ways of enabling individuals to exercise their rights surrounding their personal data and its use. The EU GDPR is therefore a game-changer when it comes to the collection, processing and storage of personal data, and one with global implications. As such, organisations need to evaluate their existing position, prepare for the impending changes, and ensure their data protection systems are robust going forward. “The European Union data privacy landscape is about to undergo dramatic change, with lasting enterprise wide implications for the way that organisations handle, protect and use the personal data of EU individuals. Organisations of all sizes, across all industries, and geographies that process personal data of EU residents need to take steps now to comply with the new EU General Data Protection Regulation by 2018, to satisfy management fiduciary duties and avoid potentially costly penalties.” Kevin P. Kalinich, Esq., Global Cyber Practice Leader, Aon Risk Solutions 1
  • 3. Requirements The business changes needed to comply with the EU GDPR will vary from organisation to organisation, however they are likely to be significant. For instance, organisations should only collect personal data needed to fulfil specific, documented purposes, and where there is a permitted basis under GDPR for the collection. Public authorities, organisations processing large amounts of special categories of data, or whose core activities involve the regular and systematic monitoring of individuals, must appoint a data protection officer with expert knowledge. The regulation introduces the concept of accountability, requiring organisations to embed privacy controls into their operations and mandatory privacy-risk impact assessments for any new project likely to result in a high risk to individuals’ privacy. The EU GDPR introduces a 72-hour notification requirement for all personal data breaches, except those which are unlikely to pose a risk to individuals. In the case of serious incidents, there will also be a duty to notify the affected individuals of the breach. Currently, the EU only requires organisations in certain sectors or countries to notify breaches or cyber attacks to regulators. Fines for non-compliance with the EU GDPR will increase to as much as €20 million or, if higher, to 4% of an organisation’s annual global turnover. This is a significant escalation from the current penalties under existing data protection laws. Fines for serious violations have the potential to reach the billions for large, global companies. Scenario of a European retail company with headquarters in Brussels A retail company based in Belgium, with operations in Belgium, France and the Netherlands, takes a proactive approach to the EU GDPR. Handling customer data from its Brussels headquarters, the company implements tough new security measures to limit any loss of personal data, while appointing a data security officer and a top-down assessment of data privacy measures. Some time after the EU GDPR has come into effect, the firm suffers a cyber attack that results in the loss of a large cache of personal data. The cyber attack exposes weaknesses in the firm’s controls, particularly in relation to deletion of personal data no longer required for business operations or record keeping. However, the firm’s incident response team effectively responded to the attack, notifying the Belgium regulator and individuals as required. While the firm is now liable to censure by the Belgium regulator – and potentially within the other territories in which it operates - thanks to its proactive approach to data privacy protection, the penalties it faces are reduced in light of its efforts to comply with the EU GDPR. The EU GDPR will create significant challenges for business, particularly following a loss or exposure of personal data per the effective date of the 25th of May 2018. Here we explore a couple of potential fictional scenarios. 2
  • 4. Scenario of a US-headquartered global pharmaceutical firm A US headquartered pharmaceutical, with offices and factories throughout the world, is a conglomerate formed from the mergers of several smaller institutions over the course of the past 15 years. Because of this conglomerate and some incompatible IT, accounting, and financial systems, the company’s approach to GDPR has been fragmented, with several parallel efforts having been conducted with limited oversight from headquarters. Shortly after the EU GDPR has come into effect, data protection authorities in three EU countries receive complaints from employees of a recently acquired entity that their personal data has been unlawfully transferred to the US. The acquisition in question was previously headquartered in an EU country, but post-merger, the HR and operational administration of its employees and personal information was transferred to the appropriate departments in the US, for reasons of efficiency. After a detailed investigation, one of the regulators finds that after a two year process, there were insufficient controls, care and protection placed around the personal information of the affected employees, and that there are several similar issues affecting other groups of employees. Given the wide-spread nature of the violations, the the Data Protection Authority (DPA) seeks to impose a fine based on a percentage of the group’s worldwide turnover, rather than the local entity’s turnover. These scenarios might be fictional right now, but they could become reality in the near future. With limited time to prepare organisations are advised to make sure they are ready for the new regulatory requirements. Given the significance of the changes and the increased enforcement powers of regulators, business leaders need to ensure they are taking steps to comply with the impending rules. 3
  • 5. Action checklist We have outlined ten steps to help businesses prepare: The board should be accountable for data protection and ensure data protection risks receive ongoing attention and review from the C-suite. Perform a risk analysis on new projects to identify privacy risks and necessary mitigation measures and assess the appropriate technical and organisational measures required. Create a data-processing register detailing what data is held by the company, how it is stored and transferred, what it is used for and by whom. Classify personal information in terms of risk, to comply with data retention periods, and establish a procedure to erase data when the retention period has passed. Evaluate and actively manage existing contracts with third party service providers with whom you share personal data on an ongoing basis, to ensure they include all of the mandatory obligations prescribed by the EU GDPR. Establish, embed and test a procedure to handle personal data incidents. Increase the privacy-awareness of your employees. Ensure employees can recognise and respond appropriately to requests from data subjects seeking to exercise their rights under the EU GDPR (for example: right to object, right to be forgotten). Any processes for responding to such rights should be clearly documented and embedded into business practices. Determine and document whether your organisation should have a Data Protection Officer. Review and amend privacy statements and notices to meet the enhanced transparency requirements. 1 2 3 4 5 6 7 8 9 10 4
  • 6. Common pitfalls As with any change within an organisation, there are various challenges to navigate. When implementing the EU GDPR, be aware and avoid the following common pitfalls: Not having a clear understanding where and how personal data is stored, how it moves around your enterprise, how it is protected and how it is deleted once no longer required. Underestimating the challenges of implementing a robust, effective programme for data subject rights, such as subject access requests and requests to delete personal data. Not having an enterprise-wide incident response plan in place. The plan should incorporate escalation plans and nominated advisors covering all required stakeholders, including business operations, legal, PR, and key third parties such as IT service providers on whom you rely. Failing to consider supplier / third party data protection management on an ongoing basis. Failing to implement and maintain internal training programmes and procedures. 1 2 3 4 5 5
  • 7. Conclusion Addressing the EU GDPR will require careful consideration and coordination by internal stakeholders in order to accommodate the multi-faceted nature of the issue. The actions that have been detailed above will be best served by parallel work streams, along with task dependencies and crossover. This can be a challenging task to manage given the limited time left to comply. The organisations that will progress most smoothly will be those that commit significant resource and have senior buy-in early in the process, and that do not underestimate the tasks ahead. Now is the time to consider the implications of the EU GDPR and to prepare and respond in a manner that is proportionate to the nature of your business. Data and individual privacy rights are increasingly significant issues facing firms globally, and the EU GDPR sets the tone for future data privacy standards that will have increasingly global implications. 6
  • 8. Contacts Adam Peckman Global Cyber Risk Consulting Practice Leader +44 (0)7803 695 386 adam.peckman@aon.co.uk Alexander Carte +44 (0)20 7061 2302 Managing Director Stroz Friedberg acarte@strozfriedberg.co.uk Spencer Lynch +44 (0)20 7061 2304 Managing Director Stroz Friedberg slynch@strozfriedberg.co.uk Vanessa Leemans +44 (0)20 7086 4465 Global Cyber Chief Operating Officer vanessa.leemans@aon.co.uk Kevin Kalinich +1 312 381 4203 Global Cyber Practice Leader kevin.kalinich@aon.com About Aon Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance. For further information on our capabilities and to learn how we empower results for clients, please visit: http://aon.mediaroom.com/ © Aon plc 2017. All rights reserved. The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.