TRANSCRIPT
How the upcoming GDPR can frustrate or support growth in the digital era
Tony de Bos, 18 May 2017
Slide: 2
Table of contents
1. GDPR’s biggest changes (slide 3)
2. Digital (slide 8)
   a. Connected Cars (slide 11)
   b. Wearables (slide 13)
3. Key takeaway (slide 15)
1. GDPR’s biggest changes
Slide: 4
Privacy is a hot topic, and it is here to stay
► Privacy and Data Protection is increasingly in the spotlight and undergoing a paradigm shift in light of the new General Data Protection Regulation (GDPR) and uncertainty post Brexit
► Personal Information (PI) is a valuable asset through intelligence and monetisation opportunities
► Privacy awareness of the public has increased significantly, exacerbated by frequent personal data breaches catching media attention
► Demonstrating good privacy governance and practices will be expected and monitored by local regulators
Slide: 5
GDPR is coming into force in May 2018 and organizations need to act now (if they haven’t started already)
► The volume of people, process and technology change required by the 25 May 2018 deadline of the GDPR should not be underestimated
► Many organisations are compliant, on paper, with existing legislation, but are yet to face the challenge of implementing the requirements through the entire personal data lifecycle
► As business models have been digitised, the volume of data held by organisations has increased significantly, resulting in organisations not understanding how much PI they hold, why they retain it and how it is being used
GDPR Timeline
► January 2012: European Commission (EC) proposed GDPR
► March 2014: EU Parliament adopted compromise text
► December 2015: GDPR agreed
► 14 April 2016: GDPR formally adopted by member states
► Transition period of 2 years
► 25 May 2018: GDPR takes effect
Slide: 6
There are ten high impact GDPR changes that need to be considered (1/2)
Expanded scope
► Applies to all data controllers and processors established in the EU and organizations that target EU citizens
Consent
► Consumer consent to process data must be freely given and for specific purposes
► Customers must be informed of their right to withdraw their consent
► Consent must be ‘explicit’ in the case of sensitive personal data or trans-border data flow
New rights
► The right to be forgotten: the right to ask data controllers to erase all personal data without undue delay in certain circumstances
► The right to data portability: where individuals have provided personal data to a service provider, they can require the provider to ‘port’ the data to another provider, provided this is technically feasible
► The right to object to profiling: the right not to be subject to a decision based solely on automated processing
Privacy Impact Assessments
► Organizations must undertake Privacy Impact Assessments when conducting risky or large scale processing of personal data
Privacy by Design
► Organizations should design data protection into the development of business processes and new systems
Slide: 7
There are ten high impact GDPR changes that need to be considered (2/2)
Data Protection Officers (DPOs)
► DPOs must be appointed if an organization conducts large scale systematic monitoring or processes large amounts of sensitive personal data
Accountability
► Organizations must prove they are accountable by:
► Establishing a culture of monitoring, reviewing and assessing data processing procedures
► Minimizing data processing and retention of data
► Building in safeguards to data processing activities
► Documenting data processing policies, procedures and operations that must be made available to the data protection supervisory authority on request
Obligations on processors
► New obligations on data processors: processors become an officially regulated entity
Mandatory breach notification
► Organizations must notify the supervisory authority of data breaches ‘without undue delay’ or within 72 hours, unless the breach is unlikely to be a risk to individuals
► If there is a high risk to individuals, those individuals must be informed as well
Fines of up to 4% of annual worldwide turnover
► Fines for a breach of the GDPR are substantial. Regulators can impose fines of up to 4% of total annual worldwide turnover or €20,000,000, whichever is greater
2. Digital
Slide: 9
The Internet of Things provides endless opportunities for organisations to build new businesses
The Internet of Things (IoT) is a network of physical objects that contain technologies to communicate and sense or interact with their internal states or the external environment.
Embedded systems and sensors connect the objects to the internet, interacting with it to generate meaningful results and convenience to the end user community.
Slide: 10
The GDPR can frustrate or support these digital propositions, depending on the adoption rate of the organization
Diagram labels: Digital, Connected Cars, Wearables
► Organisations need to identify the minimum amount of personal identifiable information they need in order to perform their data analysis, or else perform anonymization or pseudonymization.
► More and more Internet of Things devices are introduced and generate large volumes of data which organizations can use to support their market and client insights and improve their digital proposition, for example mobiles, connected cars and wearables.
► Organizations are transforming their business into digital propositions. These propositions are built on technology and data; a precondition is the reuse of data.
► Organizations are more and more connected with partners in an ecosystem. To utilize the advantages, data needs to be shared across the ecosystem while supporting privacy regulations.
► Companies nowadays collect a high amount of data, which might lead to the collection and/or creation of personal identifiable information.
2a. Connected Cars
Slide: 12
Connected cars: communication comfort, or driver discomfort?
The global telematics market is poised to grow exponentially. By 2025:
► 90% of new cars will have embedded telematics
► €18 billion revenue from embedded telematics
► €11 billion of the revenue from service and content providers
Traditional insurance: use the following as proxy of the true risk
Car factors
► Age of the car
► Make and model of the car
► Value of the car
Driver factors
► Age of the driver
► Claims history
Other
► Socio-demographic
► Geographic
Telematics data: true risk of the insured
Car
► Age of the car
► Make and model of the car
► Condition of the car
Driver
► Age of the driver
► Experience of the driver
Where the car is driven
► Traffic density
► Type of road
► Traffic enforcement (e.g. speed cameras)
When the car is driven
► Day or night
► Weather conditions
► Seasonal use only
How the car is driven (DBD)
► General adherence to laws & regulation
► Length of journeys
► Acceleration, deceleration and speed of car on different road types / traffic density
Image Source: http://www.wired.com/autopia/2007/05/will_auto_safet/
2b. Wearables
Slide: 14
Wearables: a great financial investment or a big sacrifice of privacy?
How can we anonymize or pseudonymize big data to make it an interesting and helpful tool?
When adopting or expanding digital propositions, be sure to ask: “How can I ensure the privacy of my data subjects?”
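As an added illustration of the data minimisation and pseudonymisation point raised on slides 10 and 14 (example code, not from the original deck): a constructed telematics event is reduced to the "true risk" factors listed on slide 12, with the licence plate replaced by a keyed HMAC token whose key is the separately held "additional information". Field names, sample values and the key are assumptions.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Constructed sample telematics event (not real data); field names are assumptions.
RAW_EVENT = {
    "driver_name": "Jane Example",
    "licence_plate": "XX-123-YY",
    "vin": "WDB0000000EXAMPLE",
    "timestamp": "2017-05-18T22:15:00+00:00",
    "lat": 52.370216,
    "lon": 4.895168,
    "speed_kmh": 63.4,
    "accel_ms2": -2.1,
    "road_type": "urban",
}

# Fields the risk analysis does not need; they never leave the collection stage.
DIRECT_IDENTIFIERS = ("driver_name", "vin", "licence_plate")


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC token: without the key the identifier cannot be recovered or
    re-linked, so the key (assumed held by a separate party) is what makes this
    pseudonymisation rather than a plain hash that anyone could brute-force."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def day_or_night(ts_iso: str) -> str:
    """Generalise the exact timestamp to the 'day or night' factor the model uses."""
    hour = datetime.fromisoformat(ts_iso).astimezone(timezone.utc).hour
    return "day" if 6 <= hour < 22 else "night"


def minimise_event(event: dict, key: bytes) -> dict:
    """Return only what the risk model needs: a pseudonymous driver token,
    coarse location, a time bucket and the driving-behaviour measurements."""
    return {
        "driver_token": pseudonymise(event["licence_plate"], key),
        # roughly 1 km grid instead of an exact GPS fix: still enough to derive
        # traffic density and road type, not enough to pinpoint a home address
        "lat_coarse": round(event["lat"], 2),
        "lon_coarse": round(event["lon"], 2),
        "time_bucket": day_or_night(event["timestamp"]),
        "speed_kmh": event["speed_kmh"],
        "accel_ms2": event["accel_ms2"],
        "road_type": event["road_type"],
    }
```

The same token is produced for the same plate under the same key, so journeys can still be grouped per driver for analysis without the analyst ever seeing the plate.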
Slide: 16
Questions?
Drs. Tony de Bos RE RA CISSP CEH CIPP/E
Executive Director, EY Financial Services Advisory
EMEIA Data Protection and Privacy lead
Tel: +31 6 29084182
© 2016 EYGM Limited. All Rights Reserved.