The EU General Data Protection Regulation (GDPR), was approved by the EU Parliament on 14 April 2016.  This regulation is set to significantly change the Privacy landscape in Europe and beyond once it comes into force on 25 May 2018.

Regulators will be given the power to fine organisations up to 4% of global annual turnover. This alone is set to escalate Privacy and Data Protection to being a top ten risk for most organisations.

In addition to increased fines, the GDPR also introduces a range of complex requirements that organisations will need to adhere to.  Time is running out for the implementation of potentially significant changes and organisations need to act now.

What is Privacy and why is it important?

  • Privacy laws protect the rights of individuals, specifying how organisations can lawfully collect, use, retain and disclose Personal Information (PI) – i.e. information that can identify a living person.
  • Leveraging PI enables organisations to create significant value; delivering more tailored and timely services to customers. It is the lifeblood of businesses and its protection is key.
  • Ongoing digitisation increases the volume of PI processed within an organisation; there is more at stake than ever before.
  • Organisations rely on the trust placed in them by customers and partners, if they are to achieve their objectives the processing and protection of PI, in the right way, is crucial.

What questions should organisations be asking?

  • Do we understand the Privacy risks we face?
  • Do we fully understand the current and future Privacy regulations and what we need to do to manage the risks these introduce?
  • Do we know what PI we hold, where it is stored and what it is used for?
  • Are we building Privacy controls into our digitisation programmes from the ground up?
  • Do we have the resources and capability to implement the Privacy controls?

How can KPMG help?

Our Privacy Management Framework is used as the foundation for delivering a range of services, including:

Assessment: Performing a Privacy Maturity Assessment to understand the effectiveness of existing Privacy controls.

Design: Defining the desired state Privacy maturity and building a roadmap to enable the organisation to reach it.

Implementation: Supporting the implementation of pragmatic, robust and fit- for-purpose Privacy controls.

Monitoring: Performing recurring reviews to verify that the defined Privacy controls continue to operate as designed.


Read more about key differences between Malta Data Protection Act and the GDPR changes here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.