Privacy: get ready for the GDPR


Privacy: get ready  for the GDPR

Marrio31 /

With the new EU rules on the way, organisations need to consider their attitudes towards privacy—and quickly, to minimise the risks to balance sheet and reputation, as Chris Eaton of KPMG in Bermuda explains.

Organisations can no longer afford to treat privacy as an afterthought. Cybersecurity and the battle against hackers has long dominated the chief information officer’s agenda, but cybersecurity is not the same as privacy. The EU’s new rulebook, the General Data Protection Regulation (GDPR), marks a fundamental shift towards the view that privacy must be at the forefront of organisations’ minds when dealing with consumer data.

Due to come into force in May 2018, the GDPR could lead to organisations being hit with fines of up to 4 percent of global worldwide turnover for non-compliance.

Although the GDPR is perhaps the most comprehensive attempt to define a coherent regulatory framework for privacy, governments around the globe are sharpening their focus on the issue and introducing legislation to offer greater protection to consumers—and harsher penalties for violations.

The stricter approach being adopted globally catapults privacy towards the top of organisations’ risk radars. In this rapidly changing environment, organisations need to consider a new attitude towards privacy—and they need to do it quickly to minimise the risks to their balance sheet and their reputation.

Bermuda, PIPA and adequacy
Bermuda has introduced the Personal Information Protection Act (PIPA), which received Royal Assent on July 27, 2016 and is due to come into force in the summer of 2018. PIPA was drafted with the intent to enable Bermuda to join the international ‘network of trust’ currently existing between countries with similar levels of informational privacy protection—a concept the EU refers to as ‘adequacy’.

The EU permits third party countries to apply for an adequacy finding, which allows the free flow of personal data from the EU without the EU data exporter having to implement any additional safeguards or being subject to further conditions. As a result of securing adequacy, transfers to the country in question will be assimilated to intra-EU transmissions of data, thereby providing privileged access to the EU single market, while opening up commercial channels for EU operators.

At present, Canada, Guernsey, Jersey, Isle of Man, Israel, New Zealand, Argentina, Uruguay, and Switzerland have been identified as having met the standard and are able to transfer personal information with the EU member states.

How must businesses adapt to survive?
One of the first issues to tackle should be mindset. What may have been accepted, or at least tolerated, in the past, should be reviewed in light of stricter global approaches to privacy legislation.

Gaining customer consent by mystifying them with long-winded legal statements and 20-page policy disclaimers is not a sustainable strategy. Transparency should be the guiding principle regarding privacy. Organisations need to ensure they fully understand what they want to do with customer data, and where and how they are storing it, and then explain it to customers in a clear and simple way.

Are you privacy ready?
As authorities around the globe sharpen their focus on privacy, many organisations are not ready for what’s about to hit them. Fines that were once measured in the tens of thousands for organisations caught mishandling, mis-collecting or misusing customer data could potentially rise to hundreds of millions or even billions. With many industry insiders expecting regulators to flex their newfound muscles early in order to make a point, organisations need to move quickly to understand their obligations. 

Seven steps to privacy readiness
Step 1: Educate senior stakeholders so they understand what privacy means for your organisation.
Step 2: Understand the level of privacy risk to which your organisation is exposed.
Step 3: Understand the expectations of the individuals whose data you process and set a privacy strategy that aligns to this.
Step 4: Understand the organisation’s level of privacy maturity and set a clear strategy aligned to your desired target privacy maturity state and your consumer’s ‘creepy line’.
Step 5: Develop a robust plan to mitigate your privacy risks and deliver your target state.
Step 6: Execute your plan. Introduce sustainable structures to help manage your privacy risks, ensuring compliance but also providing a strong foundation to flexibly leverage personal data to create value for the organisation, your customers and your employees.
Step 7: Monitor, maintain and repeat.

How KPMG can help
KPMG member firms’ privacy professionals support clients around the globe in resolving complex privacy issues, from niche challenges specific to certain organisations to end-to-end privacy compliance programmes in complex and highly regulated industries.

The KPMG privacy team has deep experience in helping clients to address the challenges posed by privacy risk, with a structured and flexible approach to meet the needs of diverse organisations. The global reach of KPMG member firms enables them to work effectively across multiple territories at a local level.

Areas where KPMG member firms are frequently engaged

Assessment: providing an independent assessment of privacy risk and how to reduce it;

Design: designing privacy compliance programmes;

Implementation: implementing robust privacy processes, policies and controls;

Strategy: developing pragmatic privacy strategies and gaining buy-in from senior management;

Operations: providing ongoing support to help clients operate their privacy framework; and

Monitoring: helping clients as they maintain and monitor the performance privacy regimes

Chris Eaton is senior manager, advisory at KPMG in Bermuda. He can be contacted at:

Chris Eaton, KPMG, Bermuda

Bermuda Re