How the upcoming GDPR can frustrate or support growth in the digital era Tony de Bos, 18 May 2017


Table of contents

1. GDPR’s biggest changes

2. Digital

a. Connected Cars

b. Wearables

3. Key takeaway

1. GDPR’s biggest changes

Privacy is a hot topic, and it is here to stay

Privacy and Data Protection is increasingly in the spotlight and undergoing a paradigm shift in light of the new General Data Protection Regulation (GDPR) and uncertainty post Brexit

Personal Information (PI) is a valuable asset through intelligence and monetisation opportunities

Privacy awareness of the public has increased significantly, exacerbated by frequent personal data breaches catching media attention

Demonstrating good privacy governance and practices will be expected and monitored by local regulators


GDPR is coming into force in May 2018 and organizations need to act now (if they haven’t started already)

The volume of people, process and technology change required by the 25 May 2018 deadline of the GDPR should not be underestimated

Many organisations are compliant, on paper, with existing legislation, but are yet to face the challenge of implementing the requirements through the entire personal data lifecycle

As business models have been digitised, the volume of data held by organisations has increased significantly, resulting in organisations not understanding how much PI they hold, why they retain it and how it is being used

GDPR Timeline

January 2012: European Commission (EC) proposed GDPR

March 2014: EU Parliament adopts compromise text

Dec 2015: GDPR agreed

14 April 2016: GDPR formally adopted by member states

Transition period of 2 years

25 May 2018: GDPR takes effect


There are ten high impact GDPR changes that need to be considered (1/2)

Expanded scope

Applies to all data controllers and processors established in the EU and organizations that target EU citizens

Consent

► Consumer consent to process data must be freely given and for specific purposes

► Customers must be informed of their right to withdraw their consent

► Consent must be ‘explicit’ in the case of sensitive personal data or trans-border data flow

New rights

► The right to be forgotten — the right to ask data controllers to erase all personal data without undue delay in certain circumstances

► The right to data portability — where individuals have provided personal data to a service provider, they can require the provider to ‘port’ the data to another provider, provided this is technically feasible

► The right to object to profiling — the right not to be subject to a decision based solely on automated processing

Privacy Impact Assessments

Organizations must undertake Privacy Impact Assessments when conducting risky or large scale processing of personal data

Privacy by Design

Organizations should design data protection into the development of business processes and new systems


There are ten high impact GDPR changes that need to be considered (2/2)

Data Protection Officers (DPOs)

DPOs must be appointed if an organization conducts large scale systematic monitoring or processes large amounts of sensitive personal data

Accountability

Organizations must prove they are accountable by:

► Establishing a culture of monitoring, reviewing and assessing data processing procedures

► Minimizing data processing and retention of data

► Building in safeguards to data processing activities

► Documenting data processing policies, procedures and operations that must be made available to the data protection supervisory authority on request

Obligations on processors

New obligations on data processors — processors become an officially regulated entity

Mandatory breach notification

► Organizations must notify supervisory authority of data breaches ‘without undue delay’ or within 72 hours, unless the breach is unlikely to be a risk to individuals

► If there is a high risk to individuals, those individuals must be informed as well

Fines of up to 4% of annual worldwide turnover

Fines for a breach of the GDPR are substantial. Regulators can impose fines of up to 4% of total annual worldwide turnover or €20,000,000, whichever is greater

2. Digital

The Internet of Things provides endless opportunities for organisations to build new businesses

The Internet of Things (IoT) is a network of physical objects that contain technologies to communicate and sense or interact with their internal states or the external environment.

Embedded systems and sensors connect the objects to the internet, interacting with it to generate meaningful results and convenience to the end user community.


The GDPR can frustrate or support these digital propositions, depending on the adoption rate of the organization

Connected Cars Digital Wearables

Organisations need to identify the minimum amount of personally identifiable information they need in order to perform their data analysis, or perform anonymization or pseudonymization.

More and more Internet of Things devices are introduced and generate large volumes of data which can be used by organizations to support their market and client insights and improve their digital propositions. Examples are mobiles, connected cars and wearables.

Organizations are transforming their business into digital propositions. These propositions are built on technology and data. A precondition is the reuse of data.

Organizations are more and more connected with partners in an ecosystem. To utilize the advantages, data needs to be shared across the ecosystem, while supporting privacy regulations.

Companies nowadays collect a high amount of data, which might lead to the collection and / or creation of personally identifiable information

2a. Connected Cars

Connected cars: communication comfort, or driver discomfort?

The global telematics market is poised to grow exponentially. By 2025:

► 90% of new cars will have embedded telematics

► €18 billion revenue from embedded telematics

► €11 billion of the revenue from service and content providers

Traditional insurance

Use the following as proxy of the true risk:

Car factors

► Age of the car

► Make and model of the car

► Value of the car

Driver factors

► Age of the driver

► Claims history

Other

► Socio demographic

► Geographic

True risk of the insured

Car

► Age of the car

► Make and model of the car

► Condition of the car

Driver

► Age of the driver

► Experience of the driver

Where the car is driven

► Traffic density

► Type of road

► Traffic enforcement (e.g. Speed cameras)

When the car is driven

► Day or night

► Weather conditions

► Seasonal use only

How the car is driven (DBD)

► General adherence to laws & regulation

► Length of journeys

► Acceleration, deceleration and speed of car on different road types / traffic density

Telematics Data

Image Source: http://www.wired.com/autopia/2007/05/will_auto_safet/

2b. Wearables

Wearables: a great financial investment or a big sacrifice of privacy?

How can we anonymize or pseudonymize big data to make it an interesting and helpful tool?


When adopting or expanding digital propositions, be sure to ask: “How can I ensure the privacy of my data subjects?”


Questions?

Drs. Tony de Bos RE RA CISSP CEH CIPP/E

Executive Director EY Financial Services Advisory

EMEIA Data Protection and Privacy lead


• +31 6 29084182


EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2016 EYGM Limited. All Rights Reserved.

In line with EY’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com