The document discusses organizations' experiences with GDPR compliance after the May 2018 deadline. It finds that many organizations are still dealing with residual risks and have uncovered more personal data than expected during their discovery processes. Specifically, organizations have struggled to fully comply with data deletion requests due to data being spread across systems without full lineage. The document advocates that organizations view GDPR not just as a compliance burden but as an opportunity to improve data governance, build customer trust, and enable digital expansion.
1. LOOKING BEYOND GDPR
Looking beyond the compliance deadline to achieve sustainable position while driving strategic business outcomes
2. STATE OF THE INDUSTRY POST THE GO-LIVE
The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018. Dealing with residual risks, and embedding the right privacy culture and data management practices is expected to take time. However, for many organisations, it is the start of a journey to sustainable compliance. GDPR also presents an opportunity to transform data governance and infrastructure, key in establishing customer trust and supporting expansion of digital services.
Many organisations will be dealing with residual risks for the next 12-18 months
Our experience indicates that information discovery has typically identified 30-50% more processes and applications requiring remediation than expected, which has impacted programme phasing.
Changes are much broader and deeper than expected
Deploying changes to technology landscape is taking longer than planned, and operating models require strengthening with more people and rigor to support business as usual operations.
Operational scalability is a concern
If the volume of Data Subject Requests is higher than predicted, organisations are expected to struggle to respond.
Most organisations are unable to fully comply with 'right to erasure' requests
Data is spread across the technology landscape and legacy applications don’t support deletion or anonymisation. Lack of full data lineage means that downstream impact of data deletion is not fully known.
Unstructured data landscape is still widely unknown
The extent of personal data exposure in unstructured data sources (e.g. Microsoft® SharePoint® and emails) has not been fully defined. Many organisations are yet to address such data sets.
3. Remediation
Assess and factor in the effects of data
processing on individuals using structured
Data Privacy Impact Assessment (DPIA)
frameworks.
Establish clear purpose for data processing
to help manage the data lifecycle and
clear data retention schedules that are
implementable in downstream systems.
Challenges
Consider the data minimisation principle
when designing big data analytics so as not
to collect and store personal data that may
not be necessary.
Evaluate whether profiling could have any
intrusive effects that could perpetuate
negative consequences, especially in the
context of product provisioning.
RISE OF ‘DIGITAL RISK’ IN
ENTERPRISE RISK MANAGEMENT
Big data, artificial intelligence (AI) and machine learning are
becoming part of business as usual for many organisations,
creating enhanced business benefits and new customer
insights. However, privacy by design and default principles
must be embedded from the outset to protect the rights of
the data subjects.
[Figure: Balancing the rights of the data subject vs. the legitimate interest of the data controller. Compliance Requirements: Fairness of Processing, Data Minimisation, Purpose Limitation. New Technologies for Greater Efficiencies: Automated Decisioning & Profiling, Machine Learning & AI, Big Data Analytics.]
4. † “A New Slice of PII, with a Side of Digital Trust”, Accenture 2017.
†† UK Financial Services Customer Survey 2018, Accenture 2018.
Building a strong data privacy culture and
demonstrating fair and transparent use
of data is key to building and sustaining
trust amongst customers, employees,
and business partners and alliances.
Robust data management is, in our view,
also key to establishing customer trust,
requiring the rationalisation of legacy
infrastructure to dispose of data that
is no longer required and for which
there is no valid legal hold.
Our experience indicates embedding
privacy and security requires both a
cultural change and proactive process,
which can potentially help reduce and
mitigate risks.
Providing consumers greater transparency
and control over their data is key to digital
business expansion and new service
offerings under the Payment Services
Directive 2 (PSD2) and Open Banking.
LOOKING BEYOND MAY 25
ROBUST DATA
MANAGEMENT IS KEY
TO DIGITAL EXPANSION
Accenture’s research into consumer behaviour suggests data
privacy and protection is not just about compliance and should
be at the core of wider business strategy.
8 OUT OF 10
consumers surveyed say trust
is a key driver of brand loyalty.†
ABOUT 2 OUT OF 3
UK consumers surveyed
would consider asking their
financial services provider
to delete personal data.††
54% of UK banking
consumers surveyed are willing
to share their personal information
with their bank in return for
certain added benefits and more
personalised, relevant services.††
4 OUT OF 10
consumers surveyed claim that
their trust in a company increases
when breaches are handled
swiftly and correctly.†
5. We believe investments in GDPR compliance could help
drive strategic and operational benefits to unlock your
data’s strategic value and deliver a better customer experience.
GDPR THEMES (BURDEN) | VALUE OPPORTUNITIES (OPPORTUNITY) | VALUE OPPORTUNITIES (STRATEGIC MARKET DIFFERENTIATION)
Stricter consent | Strengthen consent model/value exchange | Increase opt-in and improve marketing spend
Detailed records on data processing | Enterprise-wide customer data mapping | More efficient data operations
New categories of personal data | Treat digital shadow as customer data | Opportunity to monetise data
Stricter governance | Improve privacy risk management | Good regulatory relations
Privacy by design | Business cases with value/risk of customer data | Improved RoI of new initiatives
Accountability for 3rd party sharing | Strengthen 3rd party data sharing strategy | More value from data sharing
Reduction in customer data held (data minimisation) | Delete records outside of retention periods | Help reduce cost and data noise
Transparency and accountability | Demonstrate transparency in data processing | Trusted brand and expansion of digital services
COMPLIANCE BURDEN OR
BUSINESS OPPORTUNITY?
6. HOW ACCENTURE CAN HELP
DATA-CENTRIC
APPROACH TO
COMPLIANCE
Accenture has developed a holistic data-centric approach
to compliance that helps reduce risks and improve customer
trust. This is supported by a ‘GDPR in a box’ solution that has
been developed based on our global GDPR implementation
experience, and our strategic ecosystem with key vendors.
1. DATA PROCESSING ASSESSMENT
2. DATA DISCOVERY & LINEAGE
3. DATA DELETION
4. DATA SECURITY & BREACH DEFENSE
COMBINED WITH OUR STRATEGIC ECOSYSTEM SOLUTIONS
• Single ecosystem orchestrator
• Accelerate compliance adequacy
• Easy integration with IT landscape
• ‘As a service’ option
7.
1. DATA PROCESSING
ASSESSMENT
Objectives
• Manage records of processing
(RoP) activities
• Perform data privacy impact assessments
(DPIAs) to identify and manage privacy risks
Key Features
• Records of processing traceability
and workflow
• Correlation of data processing,
applications and processes
• Automated regulatory authority reporting
• Data privacy impact assessment
(DPIA) ‘engine’
2. DATA DISCOVERY
& LINEAGE
Objectives
• Systematically discover and classify
structured and unstructured personal data
• Use machine learning and AI techniques
to improve the quality of discovery
results and accelerate analysis
Key Features
• Simple interface for discovery rule creation
• Information mapping to accelerate
execution of individual rights
(e.g. deletion/portability)
• Plug & play platform integrating best
in class solutions
• Powerful data governance tool to
address new security measures using
a risk-based approach
3. DATA DELETION
Objectives
• Use a central, configurable orchestrator
to perform data deletion
• Integrate with a diverse applications
landscape
Key Features
• Eligibility engine to define data
deletion rules
• Central orchestrator enabling
configurable physical or logical deletion
• Log mining to discover downstream
data dependencies
• Application decoupling logic for
data deletion
4. DATA SECURITY
& BREACH DEFENSE
Objective
• Provide data security solutions that
help reduce risk of personal data breach
Key Features
• Plug & play integration of security
solutions/controls
• Cyber attack detection and enhanced
security measures (Accenture Cyber
Fusion Centre)
• Security incident response solution
for notifying breaches to authorities
and affected parties (FusionX LLC
Incident Response Services)
• Identification of stolen personal data
via open/dark web sources (iDefense®
Security Intelligence Services)