General Data Protection Regulation (GDPR)

The use of mobile technology has seen an unprecedented rise in business, for both public and private bodies. Within that environment, increasing amounts of data are being collected on employees and clients, data that are stored on IT systems, laptops or mobile phones. The efficient management of such information is paramount to achieving competitive advantage (e.g. in the measuring of customer preferences). On the other hand, however, insufficient or faulty management of personal information entails risks on multiple levels.

The European Union’s General Data Protection Regulation (GDPR) tightens the requirements for data handling in numerous respects, while raising the maximum amount of fines for privacy breaches. Therefore, the key to successful preparation (and eventual compliance) is to have a global privacy framework that not only protects personal information but also concurrently manages the legal, organizational, technological and human elements entailed in data protection.

Preparation for GDPR

Both private enterprises and public bodies have to deal with today’s turbulent business environment that, despite entailing difficult challenges, also opens up the new opportunities afforded by targeted marketing. For companies to stay on track, they are increasingly emphasizing targeted advertisements and strategies that enable them to offer their products and services directly to groups of relevant customers, thus greatly minimizing their marketing expenses.

However, to do this they require relevant personal information to leverage their strategies as well as processes, regulations and policies on the privacy management of the data collected.
The EU’s General Data Protection Regulation (GDPR) provides a requirement framework that applies to all public and private organizations that manage personal data. GDPR entered into effect on 25 May 2018 in all EU member states. It is a regulation that renders policies and processes transparent, facilitating competitiveness by fostering privacy and security across the depth and breadth of enterprise.

Privacy protection includes all personal information managed by both public and private organizations and that they are aware of. The regulation covers all client- and employee-related data throughout the entire life cycle including collection, use (e.g. for marketing purposes), retention, disclosure and disposal of personal information.

Even though the crux of privacy management processes concerns private companies, the GDPR requirements apply to public bodies as well. Thus, cultural, educational and social institutions, including public offices and hospitals, are also required to bring their policies and processes up to standard in the relevant areas with the aim of achieving compliance.

KPMG’s Privacy Management Framework offers indispensable assistance in preparation for the privacy regulation. Applying this framework, KPMG’s IT Risk Advisory Services provide assistance in the review and evaluation of information security and privacy maturity. Our professionals help to orchestrate the planning and implementation of an assessment-based and cost-efficient approach in all areas that are affected by GDPR. The scope of the model encompasses resolution of questions pertaining to information security, privacy, legal issues, risk management, organizational development, and technical issues. Our objective is to help in bringing the organization into compliance with the EU’s new General Data Protection Regulation, using a minimum of allocated resources.

Download a fact sheet about our GDPR Preparation Services (PDF)

Our Data Privacy Services

KPMG’s Data Management and Data Protection services help you to manage and protect sensitive employee and client data effectively and in compliance with legal regulations. Our professionals support you with the enhancement of your data classification system, review your data management solution from legal compliance and information security perspectives and help you in implementing an efficient solution for data leakage management by taking into consideration the cost-effective management of incidents that have already occurred.