
GDPR: DRIVING DIGITAL TRUST
EXECUTIVE SUMMARY
DIGITAL TRUST = BUSINESS VALUE
Digital Trust is the new frontier driving business value forward. It reflects a customer's belief that an organisation collects, stores and uses customer information (data) in an ethical and responsible way. The greater a customer's Digital Trust, the more willing they are to share their data. In turn, the more we know about our customers, citizens and employees, the more relevant and valuable we can become. This trust creates a virtuous cycle of customer loyalty: it lets us extend the interactions we have with customers, for the benefit of both consumers and the business.
It seems simple, but trust can be lost in an instant. For example, Sarah (a millennial) was talking to her sister through a social media channel about buying a toy Gruffalo for her young niece as a birthday present. She only mentioned this once during a long back-and-forth conversation with her sister, but the next day, in another social media channel twice removed from the original conversation, Sarah started receiving targeted Gruffalo toy adverts. She felt that a private conversation had been mined for selling opportunities and closed her account after losing trust in the company.

Social media is a free service and the privacy notice will likely state that the data might be used across several channels. While companies must exist to make money, Digital Trust is a balancing act between ensuring the security of personal data and enabling the ethical use of data in a way that provides value to the consumer, the company and the marketplace, all while providing full transparency to the consumer.

As a result of the increased focus on data privacy and security, the GDPR (General Data Protection Regulation) becomes applicable in May 2018 and will impact all companies trading in the EU or processing the personal data of data subjects residing in the EU.

The upcoming GDPR shouldn't be viewed as another wave of bureaucratic red tape, but as an opportunity to enhance trust with customers and stakeholders. As well as giving organisations the chance to retain and extend connections with existing consumers, it lets them use their enhanced credibility to seek new business opportunities and clients.

The GDPR aims to increase harmonisation of data protection regulation across the EU. It's a win-win for consumers (as data subjects) and organisations (as sole or joint data controllers, or as processors). Consumers will see their rights strengthened, and gain confidence in how their data is being collected and processed by organisations. In turn, GDPR-compliant companies can use digital and data transformation initiatives to open up opportunities for revenue generation and risk/cost reduction, and ultimately achieve growth and increased competitiveness through improved trust. This has already been observed in the market, and the competitive advantage window is shrinking as time passes.

With this new regulation, companies will be re-evaluating the personal data they collect, whilst individuals will have new insight into how their data is used.

If organisations get it right, there will be new data-driven business opportunities waiting to be developed. If they get it wrong, they could be liable for fines of up to 4% of annual worldwide turnover (or €20 million, whichever is higher), as well as significantly damaging consumer and market trust in the brand.

Moving forward, organisations are faced with a simple choice: to view GDPR as a compliance exercise, or to consider it as an opportunity to build Digital Trust. Through this paper we present an outline of the typical GDPR challenges and opportunities, as well as the key critical success factors for GDPR programmes.

GDPR'S KEY BUSINESS CHALLENGES AND OPPORTUNITIES
WHAT NEW CHALLENGES ARE DRIVEN BY GDPR?
The GDPR maintains and extends the fundamental objectives of the EU Data Protection Directive, which it replaces, to govern and strengthen the protection and processing of the personal data of individuals in the EU. It also repositions data protection as a board-level issue and an area of strategic importance, because of its impact on the organisation's wider data strategy, on its ability to monetise such data, and on its visible compliance risk, which will be comparable to that arising from anti-trust and anti-corruption legislation.

SOME KEY GDPR AREAS TO CONSIDER INCLUDE:


A) HARMONISATION AND TERRITORIAL SCOPE:
The GDPR applies to any data controller or processor established in the EU, and to any controller or processor outside the EU that offers goods or services to, or monitors the behaviour of, data subjects in the EU. The rules therefore apply to all such companies, whether established inside or outside the EU.

B) OBLIGATIONS ON DATA CONTROLLERS AND PROCESSORS:
Processors' liability will increase significantly: they will now be subject to direct statutory obligations and penalties, rather than only to the obligations imposed on them contractually by the controller. At best this will drive a principle-based, risk-sharing conversation between controllers and processors; at worst, a positional, risk-shifting one.

C) ENFORCEMENT:
Maximum administrative fines are €20 million or 4% of annual worldwide turnover, whichever is greater, depending on the nature of the non-compliance or breach. The regulation also introduces breach notification obligations: a controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, and a processor must notify the controller without undue delay. However, the real financial concern will be the impact of customer and market reactions if trust in the organisation is damaged.

D) TRANSPARENCY, ACCOUNTABILITY AND DATA MINIMISATION:
These principles must be evidenced as part of the implementation of data protection measures. This includes (but is not limited to): appointing a Data Protection Officer (DPO) where required, conducting Data Protection Impact Assessments (DPIAs) for high-risk processing, maintaining a data inventory and records of processing activities (particularly retention, archiving, disposal and an audit trail of consent), implementing privacy-by-design and privacy-by-default principles, and regulating the use of automated decision-making and profiling.

E) ENHANCED DATA SUBJECTS' RIGHTS:
Personal data belongs to the individual, not the organisation. The rights include subject access requests, the right to rectification, the right to erasure (the "right to be forgotten"), the right to data portability and the right to object to processing, together with more stringent consent rules. Data subjects can lodge a complaint with a supervisory authority if the processing of their data does not comply with the regulation.

It's a big challenge, requiring several different parties to collaborate to drive the necessary changes in the areas of legal, strategy, technology, security, governance, organisation, communications and risk. Our clients are recognising that what may begin as a compliance exercise in the legal and risk departments can quickly become an integrated, organisation-wide transformation programme.

WHAT ARE THE KEY REQUIREMENTS AND COMPLEXITIES?
Based upon our client experience, the following are typical challenges faced by organisations, aligned to key themes in the regulation (Figure 1).

NEW CATEGORIES OF DATA
Customer expectation: The definition of personal data now covers factors specific to a person's physical, physiological, genetic, mental, economic, cultural or social identity.
Typical organisational issue: "We don't fully understand the new sensitive and personal information we're collecting through our digital channels and services."

STRICTER CONSENT
Customer expectation: Tighter restrictions around consent and legitimate interests as grounds for using the data for different purposes.
Typical organisational issue: "We capture customer consent, but we don't have the right processes in place to be certain we follow it."

DETAILED RECORDS ON DATA PROCESSING
Customer expectation: An inventory of personal data processing activities, an understanding of the risks, and adherence to the new standards.
Typical organisational issue: "We don't really know where it all is or who has access to it."

PRIVACY BY DESIGN & MINIMISATION OF DATA
Customer expectation: Assess and minimise data processing risk in the design of processes and systems.
Typical organisational issue: "We don't know how to develop new products or systems and integrate GDPR requirements throughout the product or system lifecycle."

DATA BREACH NOTIFICATION
Customer expectation: Report an incident to the supervisory authority without undue delay, and no more than 72 hours after becoming aware of it.
Typical organisational issue: "We have some processes in place but are unlikely to be able to respond in practice. Our ability to proactively detect incidents is limited."

THIRD PARTY RISK MANAGEMENT
Customer expectation: Controllers and processors share accountability for the protection of data processing.
Typical organisational issue: "We don't have sufficient operational controls in place to prevent our suppliers doing things they shouldn't."

INCREASED DATA GOVERNANCE & ACCOUNTABILITY
Customer expectation: Ability to demonstrate compliance and provide assurance to customers and data protection authorities.
Typical organisational issue: "We have no plan to respond to an audit, nor the resources to create and implement one."

NEW DATA SUBJECT RIGHTS
Customer expectation: Ability to provide, rectify, restrict and erase an individual's personal data.
Typical organisational issue: "We can't be sure what information we have, how to stop using it or how to erase it, because it is dispersed across the organisation. How do we deal with legacy systems?"

Figure 1: Key GDPR themes, customer expectations and typical organisational issues
BURDEN OR OPPORTUNITY?
The investment in GDPR can be viewed from two perspectives: burden or opportunity. Leading organisations turn these challenges into opportunities for revenue generation and for cost and risk reduction. For example, it may be possible to identify opportunities to reduce the footprint of personal data, and consequently the cost of data storage and processing. Such savings can be re-invested in revenue-generating data transformation opportunities (Figure 2).

In general, organisations who are able to get GDPR right will strengthen their Digital Trust and also increase their competitiveness.

BURDEN → ACTION → OPPORTUNITY

NEW CATEGORIES OF PERSONAL DATA: treat the digital shadow as customer data → MORE COMPREHENSIVE CUSTOMER PROFILES
STRICTER CONSENT: optimise the consent model / value exchange → MAXIMISE MARKETING OPT-IN & ROI
DETAILED RECORDS ON DATA PROCESSING: enterprise-wide customer data mapping → VISIBILITY OF DATA FOR PROPOSITIONS
PRIVACY BY DESIGN & MINIMISATION OF DATA: cleanse data lakes of no-value records → REDUCTION OF COST AND DATA NOISE
DATA BREACH NOTIFICATION: build customer trust into the value proposition → GREATER TRUST DRIVES RETENTION
THIRD PARTY RISK MANAGEMENT: define a third party data sharing strategy → MORE VALUE FROM DATA SHARING
INCREASED DATA GOVERNANCE & ACCOUNTABILITY: put customer data into business ownership → VALUE-BASED DATA INVESTMENTS
NEW DATA SUBJECT RIGHTS: new controls and processes → MORE EFFICIENT DATA OPERATIONS

Figure 2: GDPR Opportunity Areas (Not Exhaustive)

While introducing a strategy for business development, organisations also need to factor in revised levels of risk as a result of increased exposure to potential data breaches, and the consequential direct and indirect costs. This exposure is driven by the pervasive nature of personal data across the value chain, the breach and threat landscape, and the regulators' historic record of enforcement actions together with their new enforcement powers.

Accenture models the cost of a data breach in three tiers:
- Tier 1: Hit on profit before tax, aggregating the costs of a data breach, including litigation, notification and remediation plus potential fines.
- Tier 2: Cost of data subjects exercising their rights as a consequence of a publicised breach.
- Tier 3: Negative impact on share price and on customer and investor confidence, with longer-lasting effects than those seen today.

PREPARING FOR A SUCCESSFUL GDPR PROGRAMME
GDPR JOURNEY: WHERE ARE YOU GOING?
We believe GDPR compliance is far from being a single one-off remediation effort. We encourage companies to consider it as a journey and transition period that will drive optimisation across the organisation and embed adherence to the new regulation and practices over time. While the journey may vary across different organisations, several distinct stages will apply (Figure 3).

JOURNEY STAGE and TYPICAL CHARACTERISTICS (listed from the earliest stage to the most mature)

AWAKENING
- GDPR on the risk register
- Some understanding of gaps

STARTING
- Programme of scoped activities developed
- Estimates and budget approval

REMEDIATING
- Integrated roadmap in place
- Teams and projects delivering

SUSTAINABLY COMPLYING
- DPO and team in place
- Privacy by design in all projects
- Clear breach roles and responsibilities

OPTIMISING
- Leverage of secure personal data
- Increasing trust with your customers
- Breach rehearsal feedback loop

Figure 3. GDPR Journey Stages

LEAD TIME BETWEEN STAGES, AS WELL AS OVERALL TIMELINE, IS DEPENDENT ON:

A) The breadth and depth of existing data protection practices.

B) The risk and complexity of personal data processing for the organisation in question. For example, the number of business units, geographies, third party processors, etc.

C) The approach and strategy defined to achieve compliance.

D) The dynamic pace of regulatory guidelines and industry groups expected over the next 12 months.

We recognise that readiness may vary across different GDPR capability areas. This is
due to different levels of maturity within organisations business functions, as well as
the complexity or legal clarity of specific requirements. (For example, data subject
access rights.)

APPROACH: HOW TO GET STARTED?
Regardless of maturity, organisations need to ensure they have the foundations in place from the outset.

To help businesses progress through the first three stages of the journey towards sustainable compliance, Accenture has outlined a programme, focusing on the key outcomes needed to move from one stage to the next with pace and certainty (Figure 4).

INITIAL JOURNEY STAGES: AWAKENING → STARTING → REMEDIATING
PROGRAMME APPROACH PHASES:

1. SCOPE (Awakening)
Understand the specific gaps and required activities by conducting a factual assessment. Be clear on what needs to be done and the prioritisation.
Key outcome: Prioritised set of activities with traceability to GDPR requirements as defined by legal advisors.

2. MOBILISE (Starting)
Take the requirements and structure the GDPR programme. Estimate the scope and complexity in order to develop a high-level roadmap, the effort and capabilities needed, and a business case to move forward.
Key outcome: Integrated programme plan and terms of reference.

3. IMPLEMENT (Remediating)
Manage the business to deliver remediation activities across work streams and projects. Work to the set of requirements defined through the scoping phase.
Key outcome: Documentation which provides a clear explanation of the activities undertaken, delivery decisions and outcomes achieved.

Figure 4. GDPR Programme Approach

SUCCESS FACTORS: WHAT ARE WE SEEING?
In order to achieve GDPR-readiness, reduce cost and unlock new value, we encourage businesses to focus on the following important factors:
1. GDPR IS A CROSS-FUNCTIONAL ENDEAVOUR, NOT JUST A LEGAL, RISK OR IT PROGRAMME
Successful organisations position GDPR as a cross-functional partnership, because many areas need to work together to achieve compliance and the impact of GDPR is business-wide. Such a partnership will typically be supported by:
- A representative accountable for GDPR at a level of seniority with enough gravitas to empower collaboration and action across business functions (expected to be at board level).
- A cross-functional steering committee with a clear vision and mandate to direct efforts, but also with the ability to take risk-driven decisions as required, supported by working groups.

2. A BUSINESS-PROCESS APPROACH HELPS TO ENSURE FOCUS AND DRIVES CHANGES THROUGH AREAS OF HIGH RISK AND VALUE
The overwhelming scope and complexity of GDPR may induce organisations into a state of analysis paralysis before they get started. Organisations that frame the analysis through the business processes loaded with personal data are able to make progress more quickly. This includes:
- Identifying the critical processes which deal with personal data as the starting point for analysis.
- Using the business process to address items such as what type and volume of data is being processed, for what purpose, by which parties, where it resides (structured and unstructured repositories), under which jurisdiction it is stored or accessed from, and how it is being owned and managed.
- Gradually expanding the view, giving priority to the processes with the highest exposure of data processing, and complementing other top-down and bottom-up approaches.

3. EMBRACE A RISK-DRIVEN APPROACH TO GDPR COMPLIANCE
A risk-driven approach is openly advocated by the regulation and is at the core of the accountability principle. This helps organisations to:
- Gain risk reduction whilst moving towards compliance.
- Guide practical decisions to get to a target state of GDPR readiness by May 2018.
- Calibrate investments in security controls based on the likelihood and severity of the risks to individuals arising from the processing of their personal data.
- Embed privacy as part of their overall risk management and cultural framework, leveraging existing compliance initiatives, tools and reporting processes where possible.

4. LEVERAGE EXISTING PROJECTS TO SCALE
Organisations should think about where they can drive GDPR changes through existing projects, as data privacy should be an integral part of them all and not something for a dedicated programme to drive. Security and privacy should be considered a prerequisite for all future projects:
- Leverage synergies with other compliance initiatives, but also with group-wide digital and data transformation programmes, which will be impacted by, and potentially benefit from, GDPR.
- Place emphasis on training and general awareness.
- Recognise that failing to embed security and privacy at the design stage may severely impact the business case of those initiatives.

5. UNDERSTAND WHERE TOOLS MIGHT BE LEVERAGED
Data discovery or privacy tools are not a silver bullet and won't replace document review and discussion as a means to identify areas of risk. It is worth thinking about how they can be used in the organisation moving forward to support compliance and new ways of working:
- GDPR requires deep investigation within the organisation. Whilst tools can help, they are limited in identifying the obscure cases of high risk, e.g. copies of personal data being used for proofs of concept on personal devices or servers.
- Use tools to reduce the total cost of operationalising compliance, for example by considering automated solutions (where possible) or broader seals and certifications by third parties.

6. BE HONEST ABOUT BALANCING THE RISK WITH THE AMOUNT OF RESOURCES THAT CAN BE FOCUSED ON THESE CHANGES
GDPR should not be looked at as a one-off exercise. Organisations should be honest about the objective: is it just to ensure compliance, or are they going to leverage the investment to drive opportunity? It is unlikely that large organisations who are just starting on the journey will be fully compliant by May 2018. This means:
- Clearly understanding and assessing residual risk, which will likely be an important part of the conversation with the regulator.
- Looking for opportunities to streamline data processing and reduce cost; for example, identifying cost savings by reducing your personal data footprint where there is no or limited business value in continuing to process and store the data.
- Taking the opportunity to design the right solution for the business; for example, designing consent models that maximise opt-in and improve the marketing return on investment.
- Moving towards a model of sustainable compliance, rather than solely focusing on producing one-off documentation.

7. PLAN TO DELIVER GDPR ITERATIVELY AND AT PACE
The scope and complexity of GDPR means there is a danger that companies will end up building a massive programme, or trying to conjoin many data initiatives to drive compliance. This becomes especially impractical for highly matrixed organisations, those with data processing across different jurisdictions, or those heavily dependent on third-party processing. By contrast, leading GDPR programmes have been set up to:
- Deliver iteratively and at pace, focused on their risk prioritisation and milestone-driven benefits realisation plans.
- Manage interdependencies proactively to achieve compliance across different streams.
- Govern outcomes and any relevant risks (both delivery and compliance) via the steering committee.
- Maintain active and consistent communication plans for those involved with or impacted by GDPR.
KEY ANALYSIS: WHAT TO ASK?
We believe the logical first step is a personal data flow analysis of critical
business processes. This is easier said than done, as opinions on what should
be defined as critical may vary throughout the organisation. To start, a simple
scoring based on the personal data touch points should be enough to find the
first areas to tackle. As well as being a means to understand how data is used
within the organisation, it also gives companies the opportunity to get a head
start over competitors.
GDPR requires comprehensive investigation, and a typical data flow analysis may consist of the following questions:

- What does the business process map look like, including business area, organisation, ownership, systems, etc.?
- How does customer data flow throughout the business process?
- What kind of data is collected? (Special-category data such as health data, other personal data, or non-personal data.)
- On what grounds has the data been collected? (Consent from the customer or data subject, a contract with a third party or vendor, legal requirements.)
- What is the data used for? (For example, profiling, marketing, research and development, responding to customer requests, HR purposes.)
- Are there third parties involved in the process that will now be considered data processors?
- Where is it stored, and does it cross geographic boundaries? (A data centre in the EU; a cloud service headquartered in the US or the EU; the local country of jurisdiction; a subsidiary outside the EU.)
- Who has access? (Need-to-know basis, HR, cloud service provider, subsidiaries, etc.)
- For how long is it stored? (Retention period, and who has the right to delete?)
- What data protection controls are in place at each stage of the data flow in the business process?
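The checklist above can be made operational as a lightweight personal data inventory with a touch-point score per business process. The Python below is an added example written for this page; it is not Accenture's tooling or a client artefact. The record schema, the weights, the short labels for lawful bases, the "all_staff" role (a placeholder for access that is not limited to need-to-know) and the three sample processes are all assumptions. Each record answers the questions in the list (data categories, lawful basis, purposes, third parties, storage location, access, retention); findings() raises the gaps a reviewer would want flagged (no lawful basis, special-category data without an Art. 9 condition, a processor without an Art. 28 agreement, a store outside the EEA, unrestricted access, no retention period), and prioritise() orders processes so the highest-exposure ones are tackled first.

```python
from dataclasses import dataclass, field
from typing import Optional

# EU/EEA member states (ISO 3166-1 alpha-2); a store hosted elsewhere is a
# transfer that needs an adequacy decision or another transfer mechanism.
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
       "SI", "ES", "SE", "IS", "LI", "NO"}
# Lawful bases of Art. 6(1) GDPR as short labels (the labels are an assumption).
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                "public_task", "legitimate_interests"}
# Weights for the touch-point score (assumed; tune to your own risk appetite).
WEIGHTS = {"category": 1, "special": 4, "third_party": 2, "non_eea_store": 2,
           "access_role": 1, "finding": 3}

@dataclass
class ThirdParty:
    name: str
    processor_agreement: bool          # Art. 28 contract in place?

@dataclass
class DataStore:
    system: str
    country: str                       # ISO code of the hosting location

@dataclass
class ProcessRecord:
    """One business process that touches personal data (assumed schema)."""
    process: str
    data_categories: set[str]
    special_category: bool             # Art. 9 data (health, biometrics, ...)
    lawful_basis: Optional[str]
    purposes: set[str]
    art9_condition: Optional[str] = None
    third_parties: list[ThirdParty] = field(default_factory=list)
    stores: list[DataStore] = field(default_factory=list)
    access_roles: set[str] = field(default_factory=set)
    retention_days: Optional[int] = None

def findings(rec: ProcessRecord) -> list[str]:
    """Gaps raised by walking the checklist questions over one record."""
    out: list[str] = []
    if rec.lawful_basis not in LAWFUL_BASES:
        out.append("no documented lawful basis (Art. 6)")
    if rec.special_category and not rec.art9_condition:
        out.append("special-category data without an Art. 9 condition")
    out += [f"processor {tp.name} has no Art. 28 agreement"
            for tp in rec.third_parties if not tp.processor_agreement]
    out += [f"{st.system} ({st.country}) is outside the EEA: transfer mechanism needed"
            for st in rec.stores if st.country not in EEA]
    if "all_staff" in rec.access_roles:
        out.append("access is not restricted to need-to-know")
    if rec.retention_days is None:
        out.append("no retention period defined")
    return out

def touchpoint_score(rec: ProcessRecord) -> int:
    """Higher score = more personal data touch points and more open gaps."""
    score = WEIGHTS["category"] * len(rec.data_categories)
    score += WEIGHTS["special"] if rec.special_category else 0
    score += WEIGHTS["third_party"] * len(rec.third_parties)
    score += WEIGHTS["non_eea_store"] * sum(s.country not in EEA for s in rec.stores)
    score += WEIGHTS["access_role"] * len(rec.access_roles)
    score += WEIGHTS["finding"] * len(findings(rec))
    return score

def prioritise(records: list[ProcessRecord]) -> list[tuple[str, int]]:
    """Processes ordered by score, highest first: the first areas to tackle."""
    scored = [(r.process, touchpoint_score(r)) for r in records]
    return sorted(scored, key=lambda item: item[1], reverse=True)

# Constructed sample inventory (not real client data).
SAMPLE = [
    ProcessRecord("online marketing", {"contact", "behavioural", "device"}, False,
                  "consent", {"marketing", "profiling"},
                  third_parties=[ThirdParty("AdNet", processor_agreement=False)],
                  stores=[DataStore("CRM", "IE"), DataStore("ad platform", "US")],
                  access_roles={"marketing", "analytics"}),   # no retention set
    ProcessRecord("occupational health", {"identity", "health"}, True,
                  "legal_obligation", {"hr"}, art9_condition="Art. 9(2)(b) employment law",
                  third_parties=[ThirdParty("OccHealthCo", processor_agreement=True)],
                  stores=[DataStore("HR system", "DE")],
                  access_roles={"hr", "occupational_health"}, retention_days=2190),
    ProcessRecord("customer support", {"contact", "order_history"}, False,
                  "contract", {"responding_to_requests"},
                  stores=[DataStore("ticketing", "NL")],
                  access_roles={"support", "all_staff"}, retention_days=365),
]

if __name__ == "__main__":
    by_name = {r.process: r for r in SAMPLE}
    for process, score in prioritise(SAMPLE):
        print(f"{score:3d}  {process}")
        for gap in findings(by_name[process]):
            print(f"      - {gap}")
```

Running the module prints the ranked processes with their gaps; on the sample data the marketing process comes first because it combines a processor with no contract, a store outside the EEA and no retention period. The weights are deliberately crude and should be agreed with the legal and risk owners, and the score is a triage aid for where to start the document review, not a substitute for it, which is the same caveat the paper makes about tooling generally.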

WHAT NEXT?
At Accenture we have been driving our own internal GDPR programme, developing
and testing the approaches, tools and partnerships that are required to build this
Digital Trust.

For more insight, please connect with:

GDPR.connect@accenture.com

ABOUT ACCENTURE

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions, underpinned by the world's largest delivery network, Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With approximately 373,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives.

AUTHORS:

NICK TAYLOR
nick.j.s.taylor@accenture.com
Managing Director,
UKI Accenture Strategy Lead

PIYUSH JAIN
p.n.jain@accenture.com
Managing Director,
UKI Cyber Security Lead

CONTRIBUTORS:

ANDREW J. DOYLE
ULF GROSSKOPF
RACHAEL KIM
DARY PENA

Visit us at
www.accenture.com

Copyright 2017 Accenture. All rights reserved.

Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
