AmCham Macedonia Winter 2018 (Issue 56) | Page 17

What are the implications?

Until recently, the data protection regulation in the EU received only limited attention. The fines for breach of regulations were limited and enforcement actions infrequent. With the GDPR, this will change. Three factors contribute to this.

Huge fines: The GDPR introduces fines that can amount to EUR 20 million or 4 percent of the company’s global annual turnover, whichever is higher. This is a substantial change compared to the limited sanctioning possibility under the old regime.

Real reputational risk: Enforcement activities by data protection regulators will increase. Data protection breaches will be brought to light sooner. The risk of reputational consequences will therefore become all the more real.

Large geographic reach: With the GDPR, the geographic reach of the legislation is increased to ‘all organizations offering goods or services to EU citizens’ and ‘organizations that monitor (online) behavior of EU citizens’. This means that both EU and non-EU organizations are in the scope of the EU data protection regulation.

In order to meet the requirements of the new regulation, an organization should:

Be aware of the privacy and data protection rules and regulations with which it must comply.
Ensure that the relevant stakeholders know which (personal) information the organization processes, where it is located and who manages it.
Have adequate controls in place to ensure that data flows are secure and in compliance with privacy laws.
Ensure that the information landscape permits privacy-compliant outsourcing, offshoring, and use of cloud computing.
Have adequate technical and organizational measures in place to prevent, monitor, and follow up on data breaches.

How can KPMG help?

Generally speaking, good corporate governance and privacy risk management require collaboration and integration across compliance, legal, IT, HR, operations, business units and other functions in an organization. In order to manage privacy risks, organizations need a robust understanding of their data flows and of the restrictions and protections that apply to the various data elements. A holistic approach to managing the risks stemming from information breaches, both internal and external, brings clear benefits.

At KPMG, we help our clients structure privacy in their organizations by means of 12 framework components. The components provide a pragmatic structure to assess, organize, and oversee privacy in an organization.

The evolving landscape and public demands make it necessary for organizations to prepare and adapt for the new legislative changes in a timely manner. With the end goal in mind, executive-level buy-in and placement of the data protection compliance projects on a fast track are imperative. While only some Macedonian organizations may be affected by the GDPR, the new LPDP will be mandatory for all of them. Hence, they should be aware that achieving and maintaining sustainable compliance and accountability is a lengthy process that will affect the organization as a whole.