GDPR compliance using RSA Archer

KPMG Point of View

What is GDPR? The European Union (EU) General Data Protection Regulation (GDPR) is a law designed to update and unify the EU approach to privacy and data protection. Full text is available at the European Commission Web site (

Where to start? There is already enough material on GDPR to fill a local library. Most of this information speaks to the onerous nature of the regulation and the investment needed to comply with its many articles and expectations. There is one critical item, however, that this material does not address, which is, “What do I do first?”

The simple answer is that impacted organizations must address the five most critical GDPR-required actions. These include developing, implementing, and governing the following:

  • Privacy governance model
  • Records of processing activities
  • Data protection impact assessment
  • Data subject rights
  • Privacy incident response

It’s all about data, isn’t it? Although it may seem counterintuitive to privacy practitioners, organizations are too focused on and distracted by data when it comes to privacy compliance. In order to sustain privacy compliance and risk management efforts over time, organizations should instead start with an intimate understanding of business processes. With GDPR, the Privacy Office must be familiar with how (and why) high-risk business processes gather, use, manage, and store personal data. Armed with this understanding, the Privacy Office can make better risk-based determinations of where to focus privacy governance investments.

How can KPMG help? KPMG is different. We work alongside our clients to design, implement, and govern a self-service, on-demand, and solutions-focused approach to privacy compliance that demonstrably delivers real business value by materially lowering the cost of compliance, lowering the cost of control, and increasing the confidence executives have in the protection of at-risk personal data assets. Our approach to GDPR readiness is organized via the phases listed below.

RSA Archer and GDPR

GDPR compliance efforts are similar to complying with other regulatory mandates. As with other compliance management efforts, technology implementation is an integral component of GDPR enablement. It is KPMG’s belief that RSA Archer can be an effective enabler for automating GDPR compliance processes by using RSA Archer’s out-of-the-box applications and questionnaire capabilities.

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.
