WHITE PAPER

GDPR — turn your compliance costs into an investment

DATA PROTECTION

Come the end of May 2018, life will become significantly more complicated for any company or organization that processes any kind of personal data of European Union residents. The Union’s new data protection regulation makes it clear that individuals are the owners of their own personal data, giving them the right to an overview of what kind of data has been collected, and what is done with it. The law also obliges companies to stop using personal data or to hand it over to the person upon request.

nortal.com 4 things to make your eID project a success

By the end of 2018, 50% of companies affected by the General Data Protection Regulation (GDPR) will not be in full compliance with its requirements1. This means the EU has every right to sanction these companies with fines of up to 20 million euros or 4% of a company’s annual global turnover — whichever is bigger2. If the outlook of being on the receiving end of a 20 million euro fine does not seem appealing, we suggest you act today.

The GDPR brings big changes for nearly, if not, every company and public institution. It is predicted that, in some cases, the investments required for getting an institution to comply with the new rules exceed 10 million euros. If spent wisely, you can convert your compliance costs into business investments without additional expenses.

If you are getting ready to do this, here are ten things you should consider.

1. It’s not a project for the legal division alone

As GDPR is a regulation set in place by the EU, it would be natural to assume the company’s legal division should take the lead in tackling this situation. However, legal teams focus on getting your business in compliance with the law – which is their job and they are good at it – and as a result your business team may end up feeling that helping your customers and making money under this new, strict framework could prove to be very complicated. Decision-making processes could slow down significantly, for example.

What will happen?
As of May 25 2018, the European General Data Protection Regulation will be applicable, imposing worldwide requirements for businesses processing personal data of EU residents. Impact on businesses will be severe. Companies will have to change the way data can be used for business analytics and existing processes will have to be redesigned; the same goes for IT systems and how they are implemented. It also means business models will have to change — some models will no longer be sustainable and will discontinue. Besides businesses, the regulation will have an impact on public authorities and bodies who will have to designate a Data Protection Officer, no matter what kind of data they process.

The right to be forgotten
Individuals are entitled to require the erasure of their personal data without undue delay by the data controller.

1 Focus on Five High-Priority Changes to Tackle the EU GDPR, Gartner, September 30 2016
2 European Commission fact sheet about GDPR

WHITE PAPER BY NORTAL: Don’t let it happen to you: The EU’s new 20 million euro fine

2. It’s not just an IT project either

Your gut feeling may also tell you that this is a project you should assign to your IT division, which probably has the best overview of what kind of data the company has and how it has been processed so far. While this is most likely true, the IT team will address this issue from their point of view – which may not make the best sense in legal or business terms. GDPR is focused on an organization’s business processes. Analysing and changing business processes is probably not your IT team’s strong suit. Even if we just look at the technology aspect of this project, we cannot forget that many of the GDPR requirements can be interpreted in very different ways. It is not for IT to decide how to approach the requirements and how to adjust IT systems.

Data portability
Individuals are entitled to obtain a copy of personal data in a structured and commonly used electronic format to allow further use.

3. It’s about cooperation

Getting the best out of this change means all of your different divisions must work together to understand each other’s needs and challenges. You need all the different players in your company to be on board — legal, IT, and business. They need to speak the same language to ensure the company tackles this task in the best possible way.

30,000
Data Protection Officers will have to be employed in the European Union because of GDPR.

4. Bring in an outside partner

You need to institute a functional, knowledge-based data security policy. Bringing in an outside partner helps you improve your organizational reputation and boost your customers’ confidence in your organization and services. Find a consultant to review and audit your business processes and to perform a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA) to help you with gap analysis and building your compliance project roadmap.

5. Set a budget

Depending on your company’s starting point, the costs to implement these regulations into a company’s processes can be significant, even up to 10 million euros1. In most cases the costs will, of course, be smaller, but nevertheless you need to be willing to invest. The good news is that if you approach the issue wisely, you can turn this cost into an investment that helps you generate new business.

[Figure: organizational diagram with the CEO at the top and the Legal, Business and IT divisions arranged around GDPR]

1 The EU data-protection regulation — compliance burden or foundation for digitization?, McKinsey, January 2017

6. There’s no quick fix

Be prepared that getting your processes compliant will most likely take significantly more time than you estimate in the beginning. Hofstadter’s Law states that it always takes longer than you expect, even when you take into account Hofstadter’s Law. We predict that in the case of GDPR compliance, the underestimation could be as much as tenfold. You may think that it will take you two months, but it could take you up to two years.

Data protection by design
Data controllers will need to design GDPR-compliant systems at the outset of product development. They will also need to ensure that, by default, only relevant personal data will be processed.

COMPLY OR CHECKMATE

7. Invest in change management

Globally, 70% of large-scale transformations fail to achieve their goals in full and on time. This is mostly due to the human factor — either managers are not successful in implementing the change or employees resist. Successful change management doesn’t happen by chance, it’s a conscious strategy. Getting your enterprise in compliance with the GDPR is, above all, a change management project. Hence, there needs to be an allocated budget for that, too.

EUR 20 million or 4% of the company’s global turnover
20 million euros or 4% of a company’s global turnover (whichever is bigger) is the maximum fine a company can be charged in case of not complying with the new rules.

8. Appoint a Data Protection Officer sooner rather than later

The GDPR requires many companies to create a new position, a Data Protection Officer (DPO). The position should be autonomous from other company units, and operate directly under the managing board of a company — the DPO should not be a part of your legal, IT, or business unit. DPOs should be brought in as soon as possible, as this individual plays a key role in the communications that will happen with the different parties contributing to the transformation occurring under this regulation.

9. Be prepared to change your business model

Your biggest challenge is that your business model will have to change. If done well, the budget you set for your company’s regulation compliance can also help you to create a new business model. If you allocate the money wisely, you’ll gain a competitive edge over your competitors.

Mandatory breach notification
Data controllers are required to notify the authorities and affected individuals about data breaches within 72 hours.

10. New business models will emerge

Big data means an inevitable paradigm shift in any enterprise. Yet, at the same time, the pressure of the GDPR presents an opportunity to adopt these expense-reducing and business value–adding technologies ahead of the curve. Nortal can help your organization achieve top-level GDPR compliance by combining unified data lake technologies with predictive analytics. A big data–based approach consolidates, cleans and enriches your data compared to the operationally expensive, IT-silo or legal mitigation approaches to risk management. We can help you understand what your next business model needs to be for your maximum success.

Nortal is building a seamless society globally

Nortal is a multinational strategic change and technology company. Combining the unique experience of transforming into a digital leader and creating change in businesses with a strategic approach and data-driven technology, our vision is to build a seamless society.

Nortal works to build a seamless society that stands on three pillars — enterprise, e-health, and e-government. In each of these three areas, Nortal has helped very influential customers achieve strategic change and build better experiences. Operating in Europe, the , , and North America, Nortal doesn’t just provide IT services, but actual structural reforms, focusing on the underlying impact on the target organization, whether it be governments, hospitals or private enterprises.

Nortal’s approach to Data Protection

Nortal’s approach to information security funnels scattered data streams into a unified pool of data. This builds a holistic view of data characteristics and interactions. Such a deep insight prescribes protective measures and facilitates the formation of a functional data protection policy.

Nortal’s approach to tackling your data security challenges is not limited to the innovative use of technology. It also covers change management and country-specific legal support. Our approach to the GDPR compliance challenge delivers cost savings, data consolidation and predictive analytics. Our reference projects that have already been deployed are proof that this will significantly lower your operational expenditures to a fraction of the cost of the upcoming EU fines.

Get in touch with our expert

Nortal’s Head of Data Protection has been praised for his ability to see the bigger picture and communicate a vision, while at the same time having the capacity to take big projects through change. With more than ten years of experience in the tech industry, he is passionate about finding new ways to take full advantage of the data that organizations collect and store.

Artur Assor Nortal’s Head of Data Protection [email protected]

Learn more about Data Protection on Nortal's website: https://nortal.com/business/data-protection/