The General Data Protection Regulation (GDPR) becomes applicable on 25 May 2018. Its long-arm territorial reach brings obligations not only to EU establishments but to US-based companies as well. Global connection through the internet in particular makes such broad application likely, and it will impact US businesses. One of the prerequisites for the safe transfer of data between the EU and the US is already in place: the EU-US Privacy Shield agreement, which the European Commission considers to provide adequate guarantees for the transfer of data. Under the Privacy Shield scheme, companies may self-certify and adhere to the principles stated therein. Yet fewer than 3,000 companies in the US participate in the Privacy Shield so far, and GDPR safeguards still have to be followed regardless. Below, we look at some of the most significant aspects of GDPR compliance for US (non-EU) based companies.
Data protection officer
Although it is not obligatory pursuant to the GDPR, it is advisable that a company appoints a data protection officer (‘DPO’) or designates that role to a specific position in the company. A DPO can also be externally appointed. There may be a single DPO for several companies, or several persons designated with the DPO role in one company. The position need not carry that title; it may be a privacy officer, compliance officer, etc. Such a person should possess expert knowledge of the GDPR and data privacy, and may have a legal, technical or similar background. The GDPR is not specific as to the requirements for that person, apart from possessing expert knowledge. The role of the DPO is to inform, monitor and advise the controller, processor or employees, to cooperate with the supervisory authority, to provide training to staff and to help in performing the data protection impact assessment.
Data Protection Impact Assessment
The further step that companies affected by the GDPR, including US companies, should take in order to evaluate the risk of a data breach is to perform a data protection impact assessment (‘DPIA’). A DPIA is a thorough overview of the processes of the company and can be done with the help of the data protection officer. It may take the form of a template with a series of questions that have to be answered for each processing activity. The DPIA has to be detailed and cover all operations in the company. Its function is to anticipate situations in which data breaches may occur, and which involve the processing of private data. Pursuant to Article 35 of the GDPR, a DPIA should contain a systematic description of the envisaged processing operations and the purposes of the processing, an assessment of the necessity and proportionality of the processing operations in relation to the purposes, an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph, and the measures envisaged to address the risks, including safeguards and security measures. A DPIA is a very useful way of showing compliance, and it is also a tool that helps the company in the first place to have an overview of its processing activities and an indication of where a breach could happen.
A US company (non-EU based company) has to appoint an EU representative if its business relates to the offering of goods or services to natural persons in the EU, even free goods or services, or when its processing is related to monitoring the behaviour of data subjects in the EU. Behaviour may include monitoring the internet activity of data subjects in order to evaluate or predict their personal preferences, behaviours and attitudes. An EU representative is not obligatory when the processing is occasional or does not include large-scale processing of special categories of data such as genetic data, biometric data, data concerning health, ethnic origin, political opinions, etc., and when it is unlikely to result in a risk to the rights and freedoms of natural persons. However, given that the exceptions from the duty to designate an EU representative are rather vague, in most cases companies whose operations towards persons in the EU are not negligible would have to appoint a representative. Such a representative would be located in one of the EU Member States where the data subjects are located. The representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities regarding any action taken to ensure compliance with the Regulation, and is also liable and subject to enforcement in case of non-compliance.
The GDPR is dominated by one key word that expresses respect for privacy: consent. If companies wish to process the data of natural persons who are in the EU, they must first obtain consent to do so. Consent must be freely given, informed, specific and unambiguous.
Freely given consent presupposes that the data subject must not feel pressured or urged to consent, or be subjected to non-negotiable terms. Consent is not considered freely given if the data subject has no genuine or free choice. The data subject must not be reluctant to refuse consent for fear that such refusal will have a detrimental effect on him or her. If the consent is pre-formulated by the controller, which is usually the case, the language of the consent must be clear, plain and easily understandable for the data subject. Further, if there are several purposes for the processing of certain data, consent must be given for every purpose separately. Consent must be specific, not abstract or vague. Silence, pre-ticked boxes or inactivity are not to be considered consent under the GDPR.
Informed consent means that the data subject must know what the consent is for. He or she must be informed about what the consent entails, and there must not be any unknown or undetermined issues. It is the duty of the controller to inform the data subject about the scope and purpose of the consent, and such information must be in clear and plain language. One must be careful, however: in today’s world of fast-moving technologies we face an overflow of consents that a person has to give in a short period of time, so there may be an occurrence of ‘click fatigue’[1], which results in persons not reading the information about the consent and clicking routinely without any thorough thought. Controllers would therefore have to design, through their technical implementation, a form of consent that makes the person read and understand his or her consent. It could be a combination of yes and no questions, changing the placement of tick boxes, visually appealing text accompanying the consent, etc.
Consent must be unambiguous, i.e. clearly given. There must be no room for interpretation as to whether consent is given for a certain purpose or not. As to the form of the consent, it may be given by ticking a box, choosing technical settings and the like (Recital 32 GDPR).
The data subject gives consent for the processing of his or her personal data. However, companies have to bear in mind that the concept of personal data in the EU is broadly understood, and that it includes all personally identifiable information (PII), ranging from obvious data such as name and postal address to less obvious data that is still PII covered by the GDPR, such as an IP address[2]. On the other hand, an IP address is not so clearly considered PII in the US. In that regard, protection in the US must be stricter, obliging US-based companies to also apply the broader EU standards.
Privacy by design implemented
Privacy by design is a concept that brings together legal requirements and technical measures. It is a smooth way of incorporating the law into the technical structure of the business. Privacy by design, if applied properly at the outset, ensures compliance with the GDPR requirements. It should give effect to the principles of data minimisation, where only data which is necessary is processed, and storage limitation, which provides for a periodic review of what is stored and the automatic erasure of data that is no longer necessary.
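The two principles named above can be built into the data layer rather than left to policy documents. The following is an added illustration, not code from the article or from any product it mentions: records are stripped to the fields their processing purpose needs at collection time (data minimisation), and a scheduled sweep erases records that have outlived the retention period of their purpose (storage limitation). The purposes, retention periods, allowed-field lists and sample records are all constructed for the example; a real schedule would come out of the DPIA.

```python
from datetime import datetime, timedelta, timezone

# Retention period per processing purpose. The purposes and periods are
# constructed for this illustration; a real schedule comes from the DPIA.
RETENTION = {
    "order_fulfilment": timedelta(days=180),
    "marketing": timedelta(days=365),
    "support_ticket": timedelta(days=90),
}

# Data minimisation: the only fields each purpose is allowed to hold
# (again constructed for the example).
ALLOWED_FIELDS = {
    "order_fulfilment": {"id", "purpose", "collected_at", "email", "postal_address"},
    "marketing": {"id", "purpose", "collected_at", "email"},
    "support_ticket": {"id", "purpose", "collected_at", "email", "ticket_text"},
}


def minimise(record):
    """Strip every field the record's purpose does not need.

    Raises ValueError for a purpose without an entry, so an undocumented
    processing activity fails closed instead of storing everything.
    """
    purpose = record.get("purpose")
    if purpose not in ALLOWED_FIELDS:
        raise ValueError(f"no minimisation rule for purpose {purpose!r}")
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS[purpose]}


def is_expired(record, now):
    """True once the record has outlived the retention period of its purpose."""
    return now - record["collected_at"] > RETENTION[record["purpose"]]


def sweep(records, now):
    """Periodic erasure run. Returns (records_to_keep, erasure_log).

    The log holds only the record id, purpose and erasure time, so the
    audit trail does not itself become another copy of the personal data.
    """
    kept, log = [], []
    for record in records:
        if is_expired(record, now):
            log.append({"id": record["id"], "purpose": record["purpose"],
                        "erased_at": now.isoformat()})
        else:
            kept.append(record)
    return kept, log


def demo():
    """Run minimisation and a retention sweep over constructed sample records."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)  # GDPR application date, used as "today"
    raw = [
        {"id": 1, "purpose": "order_fulfilment", "collected_at": now - timedelta(days=200),
         "email": "ana@example.org", "postal_address": "1 Example St", "ip": "203.0.113.7"},
        {"id": 2, "purpose": "marketing", "collected_at": now - timedelta(days=100),
         "email": "ben@example.org", "postal_address": "2 Example St", "ip": "198.51.100.42"},
        {"id": 3, "purpose": "support_ticket", "collected_at": now - timedelta(days=100),
         "email": "cy@example.org", "ticket_text": "login fails", "ip": "192.0.2.9"},
    ]
    stored = [minimise(r) for r in raw]   # minimise at collection time
    kept, log = sweep(stored, now)         # later, the scheduled erasure run
    return stored, kept, log


if __name__ == "__main__":
    stored, kept, log = demo()
    print("stored fields:", [sorted(r) for r in stored])
    print("kept ids:", [r["id"] for r in kept])
    print("erasure log:", log)
```

Two design choices matter here: minimisation happens before the record is ever written, so fields such as the IP address never reach storage for a purpose that does not need them, and the sweep is driven by the purpose recorded with the data rather than by a single global retention period, which is what lets the erasure run be automatic yet defensible to a supervisory authority.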
One of the ways of showing compliance through privacy by design is ‘pseudonymisation’. Pseudonymisation is, according to the GDPR, the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. Such additional information must be kept separately, so that it cannot be connected to an identified or identifiable natural person. Pseudonymisation is not anonymisation and should not be confused with it. Anonymisation is a technique which results in irreversible de-identification, and since it completely disables identification, anonymised data is not subject to data protection under the GDPR. Pseudonymisation only reduces the linkability of a dataset with the original identity of a data subject, and is accordingly a useful security measure[3].
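The distinction drawn above is easiest to see in code. The following is an added example, not code from the article or from any organisation it names: direct identifiers (name, e-mail, IP address) are replaced by keyed tokens, and the key together with the reverse lookup table is held in a separate `PseudonymVault` object that stands in for the "additional information" the GDPR says must be kept apart. Re-identification works only with that vault; a dataset pseudonymised under a different key cannot be linked to the first one. By contrast, the `anonymise` function drops the identifiers and generalises what remains, leaving nothing to reverse. The customer records and the hypothetical class and function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: fictional people, documentation-range IP addresses.
CUSTOMERS = [
    {"name": "Ana Novak", "email": "ana@example.org", "ip": "203.0.113.7", "orders": 3},
    {"name": "Ben Okafor", "email": "ben@example.org", "ip": "198.51.100.42", "orders": 1},
]

# Fields treated as direct identifiers; the IP address counts as PII in the EU.
IDENTIFIERS = ("name", "email", "ip")


class PseudonymVault:
    """The 'additional information' of GDPR Art. 4(5): a secret key plus the
    reverse lookup table. It belongs in a separate, more tightly controlled
    store than the pseudonymised dataset itself."""

    def __init__(self, key=None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup = {}

    def pseudonym(self, value):
        # A keyed hash, not a plain hash: SHA-256 of an IPv4 address could be
        # inverted by enumerating all 2**32 addresses, whereas HMAC needs the key.
        token = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:24]
        self._lookup[token] = value
        return token

    def reidentify(self, token):
        """Reverse a token; raises KeyError for a token issued under another key."""
        return self._lookup[token]


def pseudonymise(records, vault):
    """Replace identifiers with tokens; the remaining fields are kept as they are."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in IDENTIFIERS}
        row["subject"] = vault.pseudonym(r["email"])
        row["ip_token"] = vault.pseudonym(r["ip"])
        out.append(row)
    return out


def anonymise(records):
    """Irreversible: identifiers dropped and the remaining value coarsened to a
    bucket, so there is no table or key that could restore identity."""
    return [{"orders": "3+" if r["orders"] >= 3 else "1-2"} for r in records]


def demo():
    """Pseudonymise with one vault, re-identify with it, and show that a second
    vault (different key) yields unlinkable tokens."""
    vault = PseudonymVault()
    pseudo = pseudonymise(CUSTOMERS, vault)
    recovered = vault.reidentify(pseudo[0]["subject"])
    other = pseudonymise(CUSTOMERS, PseudonymVault())
    return pseudo, recovered, other, anonymise(CUSTOMERS)


if __name__ == "__main__":
    pseudo, recovered, other, anon = demo()
    print("pseudonymised:", pseudo)
    print("re-identified first subject:", recovered)
    print("same subject under another key:", other[0]["subject"])
    print("anonymised:", anon)
```

The practical consequence for a breach scenario: if only the pseudonymised table leaks, the attacker holds tokens and order counts but neither the key nor the lookup table, which is exactly why the vault must not sit in the same database, backup set or access-control scope as the data it protects.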
Binding corporate rules
Binding corporate rules (‘BCR’) comprise a set of principles, procedures and personal data protection policies, as well as a binding clause adopted by the company and approved by the competent supervisory authority. Adopting binding corporate rules is not a simple process, but it means being on a safe track; it is one of the safeguards envisaged by the GDPR. According to Article 47 of the GDPR, BCR should include the structure and contact details of the company, the categories of personal data, the type of processing and its purposes, the application of the general data protection principles (such as purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, etc.), the rights of data subjects, the tasks of the data protection officer, complaint procedures, mechanisms for reporting to the competent supervisory authority, appropriate data protection training for personnel, and an indication that the BCR are legally binding. BCR should additionally be accompanied by privacy policies, guidelines for employees, a data protection audit plan, examples of the training programme, a description of the internal complaint system, a security policy, a certification process to make sure that all new IT applications processing data are compliant with the BCR, and job descriptions of the data protection officers or other persons in charge of data protection in the company.
Make your compliance visible
Well, if your company has done all of the above, it has to make it visible. Companies covered by the GDPR not only have to comply; they have to show that they comply. The GDPR puts an obligation on controllers to demonstrate their compliance.
From the first contact with the controller, the website must give the impression of compliance. The BCR, privacy policies and DPO contact details must be visible so that a data subject can contact the DPO in case of a data risk or breach. The EU representative’s name and contact details must be put forward so as to be accessible to the supervisory authority in the EU. There should be a contact form for data subjects with options for access, the right to object, erasure, rectification and restriction. The organisational chart of the company and the flow of data transfers should be demonstrated by a data flow map. These are only some of the most important features that have to be followed.
Non-compliance is a very costly adventure, and one that businesses will try to avoid. With systematic planning, due analysis of the necessity of compliance with the GDPR, and clearly defined processes, US companies can bring many benefits to their business and attract and encourage data subjects in the EU to freely entrust their data to them. This is a thorough process, but one worth accomplishing.
[1] Article 29 Working Party Guidelines on consent, p. 17
[2] According to the judgment of the Court of Justice of the EU of 19 October 2016, in case C 582/14,
[3] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, adopted on 10 April 2014, p. 3
How Strategy, Technology, and Operations Come Together in “The Symphonic Enterprise”
New Report shares how leading companies are looking beyond traditional domains to leverage technology broadly across the enterprise.
Deloitte’s Tech Trends 2018 spotlights eight key trends that could potentially impact business strategies and outcomes. This year’s theme, “The symphonic enterprise,” is an idea that describes strategy, technology, and operations working together, in harmony, across domains and boundaries.
Among the trends featured in this year’s report are:
- Digital reality: represents the next phase in the augmented reality and virtual reality revolution;
- No-collar workforce: discusses HR strategies for managing environments in which humans and machines work together as equals; and
- The new core: examines how core systems and the information they contain are driving digital convergence and breaking down traditional operational boundaries.
Tech Trends 2018 features the “Exponential technology watch list” which discusses strategies for exploring and harnessing innovation ideas that may not manifest for five years or more. It also explores two longer-term technology trends: artificial general intelligence and quantum encryption.
“Technology trends are no longer just the CIO’s or CTO’s responsibility. It’s become a CxO, CEO and even board-level conversation,” said Bill Briggs, chief technology officer and principal, Deloitte Consulting LLP. “We now see many forward-thinking organizations approach disruptive change more strategically. Instead of launching separate, domain-specific initiatives, they are thinking about exploration, use cases and deployment more holistically. Increasingly, they are focusing on how multiple disruptive technologies can work together to drive meaningful and measurable impact across the enterprise.”
Here is a closer look at some of the trends that could offer opportunities and challenges across industries during the next 18 to 24 months:
No-collar workforce: The rise of automation, artificial intelligence and cognitive technologies will impact jobs and job families. The organization of the future must rewire talent management for the new hybrid human-machine workforce—simultaneously retraining augmented workers and pioneering new HR processes for managing virtual workers.
Blockchain to blockchains: Blockchain is moving rapidly from exploration into mission-critical production scenarios. Advanced use cases and increased adoption drive the need to coordinate, integrate and orchestrate multiple blockchains across a value chain.
Digital reality: In the next phase of augmented reality and virtual reality’s evolution, companies are focusing less on the novelty of cool devices, and are focusing instead on developing strategies and innovative use cases. As this trend unfolds, IT leaders will work to tackle persistent challenges in core integration, cloud deployment, connectivity and access.
“The old lines are blurring,” Briggs continued. “Instead of thinking within industry and business line verticals, and business process or technology platform horizontals, we’re entering a world of diagonals – transcending technical scope and traditional organizational boundaries. These technology trends are enabling an entirely new way of solving problems and uncovering business opportunities. The symphonic enterprise is unified; it’s the controlled collision of trends, with strategy, technology and operations working in harmony to imagine tomorrow, and get there from the realities of today.”
The report features case studies, perspectives from industry luminaries, and insights from Deloitte practitioners. As in prior years, it provides an 18-24 month outlook on technology trends.
The full Tech Trends 2018 report can be found here.
Digital Controllership: Finance and Accounting Robotic Process Automation a Priority
In a recent Deloitte Center for Controllership™ poll of more than 1,700 finance, accounting and other professionals, 52.8 percent say their organizations plan digital controllership improvements—leveraging process automation, analytics and other technologies for financial and accounting processes—in the year ahead. Using finance and accounting robotic process automation (RPA) to increase efficiency and internal controls is the top priority for such efforts (34.7 percent).
“Finance and accounting process automation can really run the gamut. Simpler, enhanced finance automation can address common, industry agnostic accounting issues. RPA can build momentum by performing repetitive, manual financial and accounting processes. And, cognitive computing can be configured to adapt to non-routine, industry and organizationally specific needs,” said Kyle Cheney, Deloitte Risk and Financial Advisory partner, Deloitte & Touche LLP. “No matter the level of process automation complexity, it’s easy to see how efficiency and controls can be improved by well-executed programs.”
Poll respondents report that the biggest benefits of implementing a digital controllership strategy include: Improved talent resource allocation toward higher value, strategic work by reducing manual, repetitive work (40.5 percent); improved internal controls by testing wider sets of data and reducing human error (23.5 percent); and, improved visibility into future risks and opportunities by testing wider data sets and enabling talent to analyze trends and anomalies (16.9 percent).
“Because bots can work 24/7/365, well-honed RPA programs can help organizations improve the quality of their governance, risk mediation, predictive insights, working capital management and financial reporting,” said Dave Stahler, Deloitte Risk and Financial Advisory partner, Deloitte & Touche LLP. “However, digital controllership efforts leveraging process automation really need to start with a good foundation in risk management to keep errors and inefficiencies to a minimum.”
Teams starting or expanding finance and accounting robotic process automation programs typically work to manage common risks in areas including:
- Technology – Improper bot design may impact existing IT infrastructure. Conversely, routine IT platform changes may impact automation solutions.
- Regulatory compliance – Automation errors can reduce accuracy of regulatory reports, risking fines and sanctions as well as legal violations.
- Operations – Increased processing errors can be caused by badly designed automation solutions. Lack of effective oversight procedures can lead to increased operational inefficiencies.
- Talent – In times of organizational transformation, morale may suffer if communications to employees don’t focus on the higher level work they’ll be able to perform with RPA results. Further, access to and oversight of automated processes must be carefully managed to prevent and detect abuse.
- Financial reporting – Poorly implemented finance and accounting robotic process automation can result in inaccurate or incomplete financial reports, financial restatements and reputational damage.
Cheney concluded, “Without strong internal controls, thoughtful change management, consistent oversight monitoring, and well-built bots in production, finance and accounting robotic process automation efforts can cause more harm than good. As with any strategic initiative, trying to find shortcuts is unwise. Investing time and attention to honing RPA is essential to realizing its full potential.”
Consumer Trust in Autonomous Vehicles on the Rise
Consumers are warming up to the concept of fully self-driving vehicles, but some roadblocks may lie ahead for automakers, according to the “2018 Deloitte Global Automotive Consumer Study.”
Consumers have a brighter outlook on the safety of autonomous vehicles, though concerns remain. Significantly fewer people in the 2018 study feel that autonomous cars will not be safe, with less than half (47 percent) of U.S. consumers holding this view — a dramatic decrease from 2017, when 74 percent felt autonomous vehicles would not be safe.
This view is consistent with other countries covered in the study, including: South Korea (54 percent this year vs. 81 percent last year), Germany (45 percent vs. 72 percent), and France (37 percent vs. 65 percent) who feel driverless cars may not be safe. The most notable change comes from China, where the percentage of people who think autonomous cars will not be safe dropped from 62 percent in 2017 to only 26 percent in this year’s study.
“Overall acceptance of autonomous technology has grown rapidly in just a short time,” said Craig Giffi, vice chairman, Deloitte LLP, and U.S. automotive leader. “However, driverless cars are still in an experimental stage, and the industry is at the front-end of a long capital investment cycle required to bring autonomous vehicle technology to the mainstream market. To complicate that cycle, automakers recognize an immediate need to invest in areas including electrified powertrains, advanced light-weight materials, connectivity and mobility services. While the returns will be farther out, it’s important that automakers continue allocating resources to autonomous driving technology. Those who settle for a reactive mindset rather than preparing for the long term will be at greater risk as consumer acceptance for autonomous technology further accelerates.”
Many people agree they would trust autonomous vehicles with a proven track record for safety. Almost three-quarters (71 percent) of U.S. respondents said they would be more likely to ride in an autonomous vehicle if they had an established safety record, up just slightly from 68 percent in the 2017 study. Other markets appear to be accelerating, however, with 83 percent of South Korean consumers (up from 70 percent in 2017), and 63 percent of German consumers (up from 47 percent in 2017) holding the same view.
Taking that a step farther, more consumers are turning to trusted brands for reassurance around the safety of autonomous technologies. Nearly two-thirds of U.S. consumers (63 percent) report they would be more likely to ride in an autonomous vehicle if it was from a brand they trust, compared to 54 percent in 2017. Consumers’ faith in brands appears to strengthen with younger consumers, as 70 percent of the Gen Y/Z population reported they would be more likely to accept a self-driving vehicle from a trusted brand, compared to 62 percent of Gen X and 56 percent of Boomer/Pre-Boomer consumers. “The auto industry battle between brands for consumers’ trust is on in a new and heightened way,” said Giffi.
In most regions, consumers favor traditional car manufacturers to bring fully autonomous vehicles to market. In the U.S., nearly half of consumers (47 percent) would put their trust in a traditional car manufacturer, compared to roughly one-quarter each that would trust a technology company (25 percent) or a new-to-market autonomous vehicle maker (28 percent). Consumers across Asia hold widely different views: In Japan, 76 percent trust a traditional car manufacturer to bring the technology to market, compared with 28 percent in China and 13 percent of consumers in Southeast Asia.
Not completely trusting the industry, many consumers would put their trust in federal regulation. More than half of U.S. consumers (54 percent) reported they would feel better about riding in self-driving cars if governments would implement standards and regulations.
While consumers appear more apt to embrace emerging technology in the form of autonomous vehicles, many are brushing off newer powertrain options in favor of traditional engines. Most U.S. consumers (80 percent) still favor either a gasoline or diesel engine, up slightly from 76 percent in 2017, and only 15 percent said they would choose a hybrid engine in their next vehicle.
International consumers show a growing preference for alternative powertrains. More than one-third (38 percent) of Japanese consumers and 36 percent of Italian consumers would prefer a hybrid engine in their next vehicle, and 40 percent of Chinese consumers hold the same view.
“The economics of electric vehicles compared to traditional powertrains are presently not favorable enough for either consumers or automotive companies,” said Joe Vitale, global automotive leader, Deloitte Touche Tohmatsu Limited. “However, two significant trends could move us closer to the tipping point: battery cost reduction and government regulation. The trend toward mandating electrified powertrains — not merely demanding increased fuel efficiency or better carbon footprints, especially in Europe and China — lays out a ‘must-do’ path for global car makers. Also, as automakers simultaneously begin to broadly partner on building out the electric charging infrastructure and developing other value-added services that increase the convenience factor for consumers, electric vehicles can become a desirable alternative for most consumers.”
Deloitte’s research also finds that consumers are not willing to pay much more for autonomous vehicles. Deloitte’s most recent consumer survey data on the topic found that in countries such as Germany (50 percent), the U.S. (38 percent) and Japan (31 percent) consumers were unwilling to pay extra money for these vehicles. The findings were similar for electric vehicles, where 42 percent of German consumers and just over one-third of people in Japan and the U.S. said they are unwilling to cover additional costs to get alternative powertrain technology.
Giffi notes, however: “As exciting as autonomous-vehicle technology looks to be, and despite the current higher interest and acceptance of autonomous technology versus electric vehicles in consumers’ minds, government regulations look to be forcing the investment in electrified vehicle technology. At the same time, consumers around the world are consistent in saying they do not want to pay anything extra for either electrified or autonomous vehicles, leaving automakers with some difficult capital allocation and business model decisions if they expect to make any money at all.”
Deloitte’s study suggests that auto manufacturers developing and bringing advanced vehicle technology to market, such as autonomous vehicles, should simultaneously create new business models that can sustain an appropriate return on investment. Finally, given the over 1 billion conventional vehicles on roads around the world today, and the tens of millions that continue to be sold on an annual basis which are all expected to last well over a decade, the transformation to greater adoption of autonomous driving and electric powertrains will take quite some time to reach a tipping point. Automakers must balance ongoing innovation and new business models with the need to sell, service and delight today’s consumers with improved technology they are most willing to pay for in the near term, such as safety.