
End-to-end GDPR compliance with Camelot

Key implications of GDPR

How serious is this topic for your organization?

The new EU data protection regulation requires compliance efforts from every organization worldwide that handles the personal data of individuals residing in the EU. Massive revenue-based sanctions will be imposed on companies that do not fully adhere to GDPR by May 2018. The clock is ticking, and as few as 3% of companies from Germany indicate that they are fully prepared for GDPR. Hence, there is a pressing need to start the adjustment program.

Which companies and data are hit by GDPR?

The new law applies to natural persons residing in the EU in relation to the processing of their personal data by data controllers and data processors. The regulation completely prohibits the processing of data revealing ethnic origin, beliefs (political, religious), health (biometric, genetic) and orientation.

Personal data is any information that identifies a person directly, or indirectly by reference to an identifier such as a name, address, bank details, personal ID number or IP address.

Extended territorial scope

GDPR applies to all companies processing data of EU residents, regardless of the location of the company. Additionally, GDPR imposes a list of requirements not only on data controllers (those commercially making use of the personal data, e.g. search engines or online stores) but also on data processors (those handling data on behalf of data controllers, e.g. cloud providers or shared service centers).

How does GDPR affect your company?

The following section presents a brief summary of the key changes under the new regime and their impact on organizations. For the exhaustive version, refer directly to the regulation text.

Tougher penalties
Local supervisory authorities will be put in charge of monitoring compliance with GDPR. They are allowed to conduct on-site data audits, issue public warnings and, most importantly, impose financial sanctions on companies not fully adhering to the new law. Fines are set to be as high as 4% of the annual turnover of the entire business group or €20 million, whichever is higher. Moreover, private claims for material and non-material damages will be simplified.

New obligations

1. Data protection by design and by default:

Companies must demonstrate that data security is embedded in products and services from the early development stage. The following security measures are mentioned as appropriate: data pseudonymisation, or technical mechanisms ensuring by default that only the necessary personal data are processed.

2. Cooperation with supervising bodies:

A data breach must be reported to the regulatory authority within 72 hours.

3. Internal record keeping requirement:

Companies must keep an inventory of the personal information they process, along with documentation describing, among other things, the purpose of the processing.

4. Data Protection Officers (DPO):

Appointment of a DPO will be mandatory for companies whose core activities consist of data processing that requires systematic monitoring of individuals on a large scale, or of the processing of special categories of data.

5. Data Protection Impact Assessments:

Prior to processing personal data, a data protection impact assessment must be conducted in order to identify high risks to privacy arising from the processing activities.

6. Certification mechanism:

Data protection seals and certificates will be introduced for companies that want to demonstrate evidence of GDPR compliance.

How will EU residents benefit from GDPR?

GDPR also gives EU residents more control over their personal data. A selection of these rights is presented in this section.

Right to rectification
Individuals are allowed to request the correction of incorrect data free of charge. In addition, incomplete, prohibited or irrelevant personal data must be deleted at the customer's request.

Right to portability
An individual has the right to request the transfer of their own personal data from one organization to another. This provision is completely new to the data protection landscape.

Right to be forgotten
If a controller has no legal ground for processing the personal data, an individual has the right to request the erasure of their own data.

Consent
Consent must be independent of other terms and conditions and can be withdrawn at any time by the data subject. Parental consent is required for children below the age of 16.

The data subject rights carry serious commercial and technical consequences for organizations. For instance, most organizations are convinced that the erasure of customer data will be a challenge. Yet 60% of companies admit that they do not have a system enabling the deletion of personal data on request. Hence, substantial investments are required to set up new procedures and adapt existing IT functionality to comply with GDPR.

How can Camelot support your organization to comply with GDPR?

With more than 10 years of experience in enterprise information management, Camelot provides consulting in data security and privacy, risk and compliance. Camelot will help you identify and close GDPR compliance gaps and sustain conformity in the long run. Our approach can be broken down into four steps:

  1. Assessment of the influence of GDPR on your enterprise in general or on selected business units. The assessment first traces the areas that deal with personal data. A fit-gap analysis then outlines how far these areas comply with GDPR standards. As a result, an action plan is worked out on a compliance roadmap.
  2. Design of appropriate measures and business requirements, together with stakeholders from key business areas, to close the identified gaps. As a result, the GDPR blueprint is worked out from an organizational, process, data and technology point of view.
  3. Implementation of the processes and the organizational and technological requirements defined in the GDPR blueprint. This ensures your company is prepared before GDPR enters into force.
  4. Sustainability of compliance, ensured by monitoring and support services in key areas. The objective is to make sure that your organization remains conformant to GDPR in the long run.

Due to its holistic approach, Camelot is able to align processes, organization, data management and IT systems, becoming the one-stop shop for GDPR compliance.

Contact

Henrik Baumeier
Partner

For questions and inquiries, please feel free to contact us.
