IntroductionData privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information.

Changing regulatory requirements — including GDPR — are combining with rising customer expectations to create growing challenges around data privacy.

But companies that take a compliance-centric approach to data privacy are missing out on an opportunity to gain competitive edge.

EY’s data privacy service offering helps clients blend data privacy with transparency — equipping them to win customers’ trust and loyalty in a GDPR world.

EY’s data privacy service offeringHow to transform your data privacy capabilities for an EU General Data Protection Regulation (GDPR) world

2 | EY’s data privacy service offering

January 2012 European Commission (EC) proposed GDPR

December 2015 GDPR agreed

25 May 2018 GDPR takes full effect

March 2014 EU Parliament adopted compromise text

14 April 2016 GDPR formally adopted by EU member states

Transition period of two years

GDPR timeline

Transforming and integrating your approach to data privacyMany companies today are fully aware of — and focused on — the need to comply with data privacy regulations, including GDPR, but many find it difficult to integrate all their data privacy-related activities into their everyday organizational processes.

EY has the answer: our data privacy transformation approach, in which we integrate all our data privacy-related services into a single offering. Using our proprietary five-stage approach, we help clients embed all activities related to data privacy into their operational business as usual.

This approach not only drives GDPR compliance, but also increases the data maturity of the business as a whole — helping clients to extend their data usage capabilities, and boost the effectiveness of their data analytics and dashboarding.

Five stage transformational approach

1. Understand 2. Assess 3. Define

5. Run4. Recommend

EY’s data privacy capabilities include:

► Privacy strategy and governance

► Privacy design and implementation

► Privacy impact assessment

► Data flow mapping

► Managed services

► Privacy program and data management

► Privacy and data analytics, including anonymization and pseudonymization

► Maturity assessment

► Gap assessment

► Data breach notification and incident management

► Third-party and vendor management

► Training and awareness

3EY’s data privacy service offering |

Getting to grips with the impacts and implications of data privacyThe fact that data privacy regulations in general — and GDPR in particular — have broad impacts across the organization, can make it hard to pinpoint their specific effects. It can also be difficult to look beyond the regulatory and technological issues to grasp the competitive opportunities that privacy presents.

An EY GDPR awareness workshop helps clients understand why privacy is much more than just a compliance or security issue. Some of the key elements are summarized below.

After the workshop, your business will really understand how you’re impacted by GDPR and be well equipped to navigate today’s complex privacy landscape.

► An overview of the changing regulatory landscape

► An interactive three-hour session examining privacy from multiple perspectives

► An exploration of the links between privacy and business initiatives

► Sharing and discussion of leading practices and lessons learned with EY’s privacy professionals

Assessing GDPR’s impacts — and gaining the insights needed to address themTo plan out your responses to GDPR, you must first identify the gaps between where you are today in terms of data privacy and where you need to get to in the future. You also need to conduct a Privacy Impact Assessment (PIA) and map out the flows of data across your operations. All of these elements are part of EY’s GDPR assessment and roadmap offering.

Often combined with the GDPR awareness workshop, this approach starts with our privacy team executing our proven GDPR assessment to pinpoint the gaps between the current and desired state. This provides input for our team to develop your practical and tailored roadmap to GDPR compliance, including clearly stated goals and purpose.

Our GDPR assessment includes:

► A detailed review of key data privacy-related themes, such as current data processing roles, responsibilities, data leakage procedures, data flows and data usage

► Comparison of the results with both common market practices and legal obligations

► Examination of the impact on current operations of new topics, such as the right to be forgotten and explicit consent

EY’s GDPR awareness workshop includes:

4 | EY’s data privacy service offering

PIAA high quality PIA process throughout the organization is imperative for ensuring compliance with GDPR. An EY PIA — encompassing the full privacy life cycle shown below — will help you embed data privacy and data protection into the design of all your processes and applications that process personal data. We can support you in the design and execution of PIAs using our established GDPR toolset, and supplement this with training to raise data privacy awareness and compliance across the organization.

Privacy life cycle

Appropriate collection of data

Relevant use of data

Managed disclosure

Appropriate retention and disposal

Review of privacy expectations

1

2

3

4

5

Data flow mappingMapping data flows is vital for identifying your organization’s data privacy requirements and implementing data protection processes that comply with relevant regulations, including GDPR. However, all too often, businesses undertake data flow mapping with an IT mindset, meaning it produces outputs that quickly become outdated and are too detailed for use in the business. This is because an IT-orientated data flow mapping tends to focus on specific technical fields rather than the types of data used by business processes. In contrast, an EY data flow mapping delivers business-driven results at high pace, by focusing on the business-relevant aspects of data and applying leading-edge data discovery tools and strong data governance.

Business opportunities arising from GDPR: Identify and Access Management (IAM) and analyticsGDPR compliance programs often enable an optimization of existing IT environments, in order to ensure privacy across the whole IT domain. Two high potential areas are implementing robust IAM, and anonymizing and pseudonymizing data to enable analytics.

In terms of IAM, effective data privacy involves ensuring that any data available within the organization can be accessed only by those people authorized to do so. This requires tight linkage between specific roles and access levels, and the business processes that these roles participate in. EY offers an integrated suite of IAM services that support clients to manage system access continuously and efficiently, while also reducing risks to the confidentiality, integrity and availability of business-critical data.

Also, while GDPR restricts how organizations use personal data, it also allows for that data to be anonymized and pseudonymized for analysis. EY can help you apply these concepts to maximize the intelligence from data analytics, while supporting GDPR compliance. By analyzing each step in the data process, we can identify whether anonymization or pseudonymization should be used. And, using the latest flexible data analysis tools, we can combine existing and new data to create new identification opportunities — generating the greatest possible value from analytics without compromising on compliance.

5EY’s data privacy service offering |

Contact usTo find out more about any of our privacy-related services and how EY can help you use GDPR as a catalyst for change, beyond compliance, please contact:

Philippe ZimmermannEMEIA Financial Services Legal Leader

Telephone: +41 58 286 3219Mobile: +41 79 341 4571Email: philippe.zimmermann@ch.ey.com

Tony De BosEMEIA Financial Services Data Protection & Privacy Leader

Telephone: +31 88 407 2079Mobile: +31 62908 4182Email: tony.de.bos@nl.ey.com

Erol MustafaEMEIA Financial Services IT Risk & Assurance Leader

Telephone: +44 20 7951 0700Mobile: +44 7979 923 611Email: emustafa@uk.ey.com

Konrad MeierEMEIA Financial Services Data Privacy Professional

Telephone: +41 58 286 4327Mobile: +41 79 227 2367Email: konrad.meier@ch.ey.com

6

7EY’s data privacy service offering |

EY | Assurance | Tax | Transactions | Advisory

About EYEY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2017 EYGM Limited. All Rights Reserved.

EYG No. 06196-174Gbl

EY-000044638 .indd (UK) 10/17. Artwork by Creative Services Group London.

ED None

In line with EY’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com