Winter 2018 / Issue 56
What are the implications?
Until recently, the data protection regulation in the EU received only limited attention. The fines for breach of regulations were limited and enforcement actions infrequent. With the GDPR, this will change. Three factors contribute to this.
Huge fines: The GDPR introduces fines that can amount to EUR 20 million or 4 percent of the company’s global annual turnover, whichever is higher. This is a substantial change compared to the limited sanctioning possibility under the old regime.
Real reputational risk: Enforcement activities by data protection regulators will increase. Data protection breaches will be brought to light sooner. The risk of reputational consequences will therefore become all the more real.
Large geographic reach: With the GDPR, the geographic reach of the legislation is increased to ‘all organizations offering goods or services to EU citizens’ and ‘organizations that monitor (online) behavior of EU citizens’. This means that both EU and non-EU organizations are in the scope of the EU data protection regulation.
In order to meet the requirements of the new regulation, an organization should:
Be aware of the privacy and data protection rules and regulations with which it must comply.
Ensure that the relevant stakeholders know which (personal) information the organization processes, where it is located and who manages it.
Have adequate controls in place to ensure that data flows are secure and in compliance with privacy laws.
Ensure that the information landscape permits privacy-compliant outsourcing, offshoring, and use of cloud computing.
Have the adequate technical and organizational measures in place to prevent, monitor, and follow up on data breaches.
How can KPMG help?
Generally speaking, good corporate governance and privacy risk management require collaboration and integration across compliance, legal, IT, HR, operations, business units and other functions in an organization. In order to manage privacy risks, organizations need a robust understanding of their data flows and of the restrictions and protections that apply to the various data elements. A holistic approach to managing the risks stemming from information breaches, both internal and external, offers clear benefits.
At KPMG, we help our clients structure privacy in their organizations by means of 12 framework components. The components provide a pragmatic structure to assess, organize, and oversee privacy in an organization.
The evolving landscape and public demands make it necessary for organizations to prepare and adapt for the new legislative changes in a timely manner. With the end goal in mind, executive-level buy-in and placing the data protection compliance projects on a fast track are imperative. While only some Macedonian organizations may be affected by the GDPR, the new LPDP will be mandatory for all of them. Hence, they should be aware that this is a lengthy process that will affect the organization as a whole in order to achieve and maintain sustainable compliance and accountability.
AmCham Macedonia Magazine