General Data Protection Regulation

(GDPR) Readiness Report

December 2018

Presented on Behalf of:

TABLE OF CONTENTS
Section 1 – Executive Summary ……………………………………………………………… 3
Section 2 – Detailed GDPR Gaps & Recommendations
1. Legal Basis ……………………………………………………………………………. 6
2. Consent………………………………………………………………………………… 7
3. Cross-Border Data Transfers………………………………………………………... 8
4. Third Party Due Diligence……………………………………………………………. 9
5. Privacy Notice…………………………………………………………………………. 10
6. Data Protection Officer (DPO)……………………………………………………….. 12
7. Record of Processing Activities (ROPA)……………………………………………. 13
8. Data Protection Impact Assessment (DPIA)……………………………………….. 14
9. Privacy by Design and by Default…………………………………………………… 15
10. Data Subject Rights…………………………………………………………………. 16
11. Data Security………………………………………………………………………… 18
12. Breach Notification………………………………………………………………….. 19
Section 3 – Country Observations ……………………………………………………………. 21
Section 4 – Compliance Roadmap ……………………………………………………………. 25
Section 5 – Appendices
Appendix A: Project Participants ……………………………………………………… 28
Appendix B: Key Terms ……………………………………………………………….. 29
Appendix C: High Risk Processing …………………………………………………… 31
Appendix D: Priority Ranking …………………………………………………………. 32
Appendix E: Cookie Consent Scan Results …………………………………………. 33
Appendix F: Privacy Policy Analysis …………………………………………………. 39
Appendix G: GDPR vs. CCPA ………………………………………………………… 41

2 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
SECTION 1
EXECUTIVE SUMMARY

BACKGROUND

The General Data Protection Regulation (GDPR) was adopted on April 27, 2016, to replace the
European Union’s (EU) Data Protection Directive (DPD). GDPR went into effect May 25, 2018, after a
two-year transition period. It is immediately enforceable as law in all member states of the European
Union. This updated legislation provides a unified set of rules designed to give data subjects more
control over their private information across all digital forms. The key driver for this change is
increased risk of exposing an EU resident’s data through increased use of mobile devices, adoption of
big data analytics, and increased volumes of personal data being digitally generated, processed and
shared across the globe.
Due to the scope of GDPR extending to all organizations collecting and processing personal data of
EU residents, regardless of the company’s physical location, CLIENT has acknowledged GDPR
compliances efforts are required given external business (i.e. customers) processing activity as well
as internal employee processing activities of personal data. GDPR defines personal data as any
information relating to any person (data subject) who can be identified, directly or indirectly, in
particular by reference to an identifier. Below are some examples of GDPR personal data, including
publicly available information (name and address) and common technical data (MAC addresses and
Cookies) which could be considered online identifiers of data subjects.
• Name • IP Address (static or dynamic) • Date of Birth
• Address • Mac Address • Healthcare Data
• Phone Number • Cookies • Biometric Data
• Email Address • GPS Data • Employee ID
• Passport Number • Financial & Bank Account Info

Fines for non-compliance are up to €20 million, or 4% of the worldwide annual revenue of the prior
financial year, whichever is higher. This does not include reputational damage and individual law suits
from data subjects for mishandling of personal data.
CLIENT engaged Protiviti to assess the current ability to comply with GDPR, to include developing a
gap assessment to include prioritized recommendations for compliance with GDPR. As part of this
assessment, Protiviti was able to review procedures on-site at the US corporate HQ and remotely.

OBJECTIVES AND APPROACH

CLIENT engaged Protiviti in July 2018 to assess its current ability to comply with the newly revised
EU Data Privacy law, referred to as the General Data Protection Regulation (GDPR), which took
effect on May 25th, 2018.
To achieve this, a GDPR Readiness Assessment was performed with the objectives of identifying
any gaps against the new compliance requirements (over and above existing data protection
requirements) coming out from the GDPR. It is specifically focused around those changes which are
being introduced over and above the current EU data protection laws. The ability to comply with
unchanged data protection requirements was not verified.
To assess the current compliance gaps and to provide guidance on how to remediate them, Protiviti
has performed the following high-level tasks:

• Document Discovery: Within this preparatory activity, all existing documentation relevant to
assess CLIENT compliance was collected, consolidated and reviewed.
• Information Gathering: In October 2018, Protiviti conducted 22 interviews with 30
stakeholders to collect documentation and information (see Appendix A for the full list of
interviewees), which was used to identify processing activities, information systems and
GDPR gaps.
• GDPR Readiness Gap Assessment: This phase aimed to identify the ability of the
organisation to comply with the new requirements introduced by the GDPR, resulting from the
analysis of the submitted documentation and from personnel interviews. It includes

3 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
 descriptions of the compliance gaps for each requirement, related risk exposure, and high-
level recommendations for remediation activities to evaluate and undertake.
• Remediation Planning and Roadmap: This phase provides CLIENT with the foundation to
support the planning of its GDPR compliance activities and global privacy initiatives. The
resulting roadmap to compliance includes the work streams required to close the identified
gaps, their logical sequence, a desirable and realistic timeline, the teams which should lead or
contribute to the remediation effort and the suitability to outsource the work, in full or in part.

GDPR ASSESSMENT

Based upon inquiry and review of available documentation, we understand CLIENT in not yet
compliant with GDPR requirements nor ready for upcoming regulations such as CCPA since
management is still in progress with performing GDPR readiness activities. Core GDPR requirements
of personal data flows, data protection, data retention/erasure, data breach response, international
data transfers, third-party disclosures and data subject access requests have not been considered for
corporate adoption. European operations have been adopting localized approaches to address the
GDPR regulation with the United Kingdom, Belgium and Germany demonstrating independent
progress towards compliance. However, adherence to the GDPR and other privacy regulations
represents a global liability that should be addressed through a corporate sponsored global approach.

The table below illustrates the 12 areas inspected as part of the GDPR gap readiness assessment.
For each area, the corresponding number of observations and the priority associated with those
observations is noted. In total, 53 recommendations to meet or improve GDPR compliance were
identified across 12 of the GDPR areas. Of the 53 recommendations, 37 are considered core
activities to demonstrate compliance with the GDPR. Estimated level of effort to address these 37
core GDPR activities is approximately 3,000 hours.

GDPR Area Recommendations Priority Page #

1. Legal Basis 4 High 5
2. Consent 7 High 6
3. Cross-Border Data
Legal 4 Medium 7
Transfers
4. Third Party Due Diligence 3 High 8
5. Privacy Notice 3 High 9
6. Data Protection Officer
4 Medium 11
(DPO)
7. Record of Processing
5 Medium 12
Activities (ROPA)
Data Processing 8. Data Protection Impact
3 Low 13
Assessment (DPIA)
9. Privacy by Design and by
6 High 14
Default
10. Data Subject Rights 5 Low 15
11. Data Security 2 Medium 17
Data Protection
12. Breach Notification 7 Medium 18

Note: Considerable professional judgment is required in determining the observation priority ranking.
Accordingly, others could evaluate the results differently and draw different conclusions. Please refer
to Appendix D for additional explanation regarding the priority ranking.

4 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
 d
g

fau an
itie ssin

ts
nt

n
De ign

gh

ti o
n
me
As ectio

lt
e
en u e

er n

ca
Ri
s
Ac roc

b y D es
ss
e

o
sfe er

y
ti c
D

tifi
O f ecti

ct
ce

se

rit
P
is

t
rs
Tr Bord

tiv
D i r ty

ro

bje
No

No
by

cu
as

of
ot
fic

I m ta P
nt

Pa

Su

Se
lig
lB

cy

cy
Pr

rd

ch
ct
s-
an
e

ird
ns

i va

i va
co

Da
ga

pa
os

ea
ta

ta

ta
Co

Da

Re

Da

Da
Th
Le

Cr

Br
Pr

Pr
Legal Data Processing Security

Optimized

Managed

Defined

Repeatable

Initial

This assessment includes a proposed implementation plan to address the recommendations between
January and October 2019 (see file attached on page 25) at a defined or managed state. The GDPR
compliance path involves multiple areas within the company, requiring strong executive support and
would benefit from a centralized project management that would allow for proper coordination and
monitoring of activities.

5 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
 SECTION 2
DETAILED GDPR GAPS AND RECOMMENDATIONS

As part of the interview process, Protiviti worked through the 12 GDPR requirements to determine the current state and documented the results within the Readiness
Assessment, along with the gaps and recommendations to ensure compliance. The Readiness Assessment can be used from a regulatory perspective, if called on by
a supervisory authority. It shows the current state of the environment and refers to the gaps and recommendations as well. However, the master copy of the gaps and
recommendations are within this section of the report. The Readiness Assessment should be continually maintained by CLIENT as the GDPR program continues to
progress. The gaps are described within each of the 12 GDPR Requirements below.

1. LEGAL BASIS FOR PROCESSING HIGH

Relevant GDPR Standards & Citations: Article 6, 9, Recitals 40-55 Processing of personal data of customers should be based on one of the
following lawful bases:

- Consent of the data subject – Art. 6 (a)

- The necessity to perform a contract – Art. 6 (b)
- The necessity to comply with laws and regulations of EU Member States – Art. 6 (c)
- The legitimate interests pursued by a company and its EU subsidiaries – Art. 6 (f)

Article 6 provides the legal grounds on which personal data can be processed, as well as how to determine when further processing is
compatible with the original purposes for processing. Such grounds for processing are: with the data subject's consent; for contract performance;
GDPR STANDARD to comply with legal obligations under Union or Member State law; to protect the vital interests of a natural person; to perform a task in the public
interest set out by Union or Member State law; or for the purposes of legitimate interests pursued by the data controller or a third party. The
overarching principle of the GDPR specifies that anything used to identify a natural personal is considered "personal data". Identifiers include the
name of data subjects, but also their id number, online identifiers(s), or factors pertaining to their physical, physiological makeup, location, mental
condition, economic status, genetic composition, cultural heritage, religion, trade union involvement, or social identity. It may also include various
photographs, biometric data, voice recording, finger prints, and online computer identification.

Article 9 sets out a general prohibition on the processing of sensitive data, followed by legal grounds on which sensitive personal data can be
processed. Sensitive data includes: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade–union membership; genetic
data; biometric data; data concerning health or sex life; and sexual orientation. If special categories of personal data exist, refer to additional
guidance from Legal or Data Privacy office for grounds upon which sensitive data can be processed.
According to Article 6 of the GDPR, all processing of any personal data must be grounded in opt-in consent, related to compliance with a legal
OBSERVATION
obligation, for a legitimate business purpose, to fulfil a contract performance, to protect the vital interest of a natural person, or to perform a task
DESCRIPTION
in the best interest of the public.

6 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
 Failure to establish appropriate contractual agreements with third parties may result in unlawful processing. In addition, in the event of a data
breach, failure to properly vet third party vendors place CLIENT in a vulnerable position. Studies show, most data breaches occur because of a
RISK / IMPACT
vulnerability with a third-party vendor. While expensive and time consuming, the vendor risk assessment program is one of the most important
preventative steps CLIENT may implement.

5. PRIVACY NOTICE HIGH

The “Principle of Transparency” found in Article 12, requires Privacy Notices be conspicuous (e.g. not part of the Terms of Use), concise, easily
accessible, easy to understand (clear and plain language), could be provided in electronic form (e.g. via website). Consent policies cannot be
bundled into one overarching policy but must be addressed within their individual work streams.
Article 13 provides that where personal data relating to data subjects are collected, controllers must provide certain minimum information to
those data subjects through an information notice. It also sets out requirements for timing of the notice and identifies when exemptions may
apply.

GDPR STANDARD Controllers are governed by Article 24. Article 24 requires controllers maintain a record of processing activity, the name and contact information
of their privacy team or DPO, the purpose of the data processing, a description of the categories of data subjects and the categories of personal
data, a record of transfers of personal data to third countries, an envisioned time for the erasure of personal data, a general description of
technical and operational security measures, and they must demonstrate that processing is performed in accordance with the GDPR.
Processors, governed by Article 28, must also provide a name and contact information of each processor and a list of all cohort controllers the
processor is working on behalf of. Categories of processing carried out on behalf of each controller, a list of categories of processing being
carried out, a list containing transfer of data to third countries, a general description of technical and organizational security measures.
Information must be easily available to supervisory authority upon request. Moreover, the processor must process data in accordance with
documented instructions from the controller and has certain legal obligations to controller (see Article 32).
• CLIENT should update its Privacy Statement to reflect GDPR requirements. Additionally, internal policies do not sufficiently document the
organization's personal data handling practice as it relates to GDPR. See Appendix E for recommendations to improve current Privacy
Policy.
OBSERVATION
• CLIENT does not have an annual policy review process to ensure GDPR relevant policies and procedures are updated, reviewed and
DESCRIPTION
republished annually.
• CLIENT has an internal employee Privacy Statement located in the Employee Handbook. Recommend developing an employee Privacy
Statement to be executed by employees annually.
5.1 Privacy Statement should be updated and posted to reflect:
o Additional details regarding the “appropriate and reasonable measures to safeguard” personal data.
o Details of cross-border transfers and mechanism to protect the transfer.
RECOMMENDATIONS
o Retention period or criteria used to determine the retention period.
o The existence of data subject’s rights.
See Appendix E for additional direction.

11 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
 5.2 Management should ensure that privacy statements and procedures are being updated, reviewed, and republished annually. This will assist
CLIENT as they respond to vendor risk management letters and data subject requests. (i.e., as vendors send their GDPR Processor letters
to CLIENT, CLIENT can direct the vendor to the privacy statement located on the web.) This will not eliminate the responsibilities CLIENT
may have in responding to the Vendor or Processor. However, it will greatly reduce the amount of effort necessary to fulfil the task.
5.3 Update internal employee Privacy Statement to reflect GDPR requirements.
RISK / IMPACT Failure to provide transparent notice to individuals about collection/use of personal data may result in unlawful processing.

6. DATA PROTECTION OFFICER (DPO) MEDIUM

The GDPR (Art. 37) requires the designation of a DPO in three specific cases:
a) where the processing is carried out by a public authority or body;
b) where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring
of data subjects on a large scale; or
c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal
GDPR STANDARD data relating to criminal convictions and offences.

The WP Opinion 2 1 issued interpretive guidance in which it defined “core activities” as those activities that are “necessary to achieve the
controller’s or processor’s goals.” The data processing must be “an inextricable part of the Controller’s or Processor’s Activity.” The WP Opinion
also defines “large scale processing” with reference to the number of data subjects being processed. It is not based upon the size of the business
entity.
• CLIENT has appointed a Data Protection Officer (DPO), however, documentation has not yet been developed to formalize the role,
responsibilities, or reporting structure for the DPO. The role of the DPO is primarily focused on the European (German) operation of the
business and does not yet include visibility or involvement in CLIENT’s global operation. German GDPR member state operations require a
OBSERVATION local German DPO. DPO has not yet been communicated to the German DPA.
DESCRIPTION • CLIENT does not require an enterprise Data Protection Officer (DPO) as the “core activities” CLIENT participates in do not include: “the
large-scale monitoring of data subjects” or the “large scale” processing of “special categories of personal data.” Although a DPO is not
required for CLIENT, an interdisciplinary team has not yet been identified, to include explicit roles and responsibilities, to implement and
sustain CLIENT’s GDPR program.
6.1 CLIENT should document the DPO role, responsibilities and reporting structure. The process should include when the DPO should be
RECOMMENDATIONS engaged on issues involving processing of personal data. DPO responsibilities include but are not limited to:
- Providing advice and guidance on high risk processing

1
Guidelines on Data Protection Officer’s, Article 29 Working Party Opinion, December 13, 2016, ://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf, (Accessed
May 1, 2018).

12 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
 • CLIENT does not currently have a data retention policy or records retention schedule which would explain why most core business
applications containing personal data responded that personal data is retained indefinitely.
11.1 Develop documentation detailing adequate data considerations, including data security and privacy documentation to support the GDPR
program as well as the integration of these new policies, procedures, or other supporting documentation into the existing information
security program. CLIENT must consider the nature, scope, context and purposes of the processing to determine the proportionate
RECOMMENDATIONS technical and organizational controls to be implemented to adequately minimize risk to the data subject. Compliance can be demonstrated
by developing and adhering to an internal data protection policy, or an approved code of conduct or certification mechanism.
11.2 Develop data retention policy and records retention schedule to be communicated to business units collecting, processing or storing
personal data.
Accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise
RISK / IMPACT processed may result in physical, material or non-material damages (e.g., discrimination, identity theft or fraud, or any other significant economic
or social disadvantage).

12. BREACH NOTIFICATION MEDIUM

Relevant Citations:
- Article 33 & Recitals 75, 85, 87, & 88 | Notification of a breach to the DPA and Chief Privacy Officer
- Article 34 & Recitals 75, 84, 89-93 | Communication of a data breach to the data subject
- In the event of a data breach, CLIENT must inform regulators of the breach within 72 hours. At a minimum, the notification must inform
regulators of the following facts:
GDPR STANDARD - categories and number of data subjects concerned;
- contact person (or DPO if appointed);
- consequences of the breach
- remediation measures taken or proposed
In the event a data breach places the data subject into a position where there is a “high risk” of damage to their rights and freedoms, CLIENT
must also inform the data subjects of the data breach.
• CLIENT does not currently have a formal Incident Response or Breach Notification procedure in place. Additionally, the informal breach
notification procedures followed differ between each of CLIENT’s business units (U.S., APAC, and EMEA). However, an informal process is
OBSERVATION
followed by CLIENT employees in the event that information security or privacy incidents are identified, which includes reporting issues to the
DESCRIPTION
Help Desk and an informal escalation process to notify appropriate CLIENT management. Procedures are not currently in place to report
potential data breaches to the Supervisory Authorities within 72 hours.
12.1 Develop an Incident Response Plan (IRP) so that it aligns with the GDPR requirement and is incorporated into the overall business
RECOMMENDATIONS
continuity management, IT disaster recovery and crisis management strategy. The IRP should include at a minimum the following

19 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
 elements: 1) a directory, 2) identification of key personnel, 3) identification of external stakeholders 4) breach assessment protocol
(workflow depending on type of breach, nature and volume of the personal data, impact severity, etc. and 5) vendor responsibilities.
ROPA should be incorporated into CLIENT’s breach notification protocol or incident response plan. Understanding the critical data within
breached systems will help management respond to regulatory authorities and customers within 72 hours.
12.2 Polices should be developed to include a process for notification to the supervisory authority that must be made within 72 hours of
becoming aware of a data breach. Notification must be made to individual data subjects when the breach could result in risks to the rights
and freedoms of the data subjects. However, notification to data subjects may not be required if the compromised data was encrypted or
otherwise rendered unintelligible.
12.3 Develop communication templates and assign roles and responsibilities for notifying Supervisory Authorities and data subjects in the event
of a data breach. At a minimum, notification to supervisory authorities must include:
- A description of the nature of the data breach
- Categories and approximate number of data subjects affected
- Categories and approximate number of data records involved
- Contact information of DPO or other point of contact where more information can be obtained
- Description of the likely consequences of the data breach
- Description of what is being done to address the breach, including any mitigation efforts
At a minimum, notification to data subjects must include:
- Contact information of DPO or other point of contact where more information can be obtained
- Description of the likely consequences of the data breach
- Description of what is being done to address the breach, including any mitigation efforts
Another option may be to secure outside counsel to handle breach notification.
12.4 Ensure that employees and contractors are properly trained to identify a data breach, as defined by the GDPR. Communications should be
made frequently to remind employees about what constitutes a data breach under the GDPR and the proper way to report a data breach
within the organization. This will help to ensure that any required notification is made within the 72-hour timeframe.
12.5 Contracts with third parties that process personal data should specify the proper procedure for reporting a suspected or confirmed data
breach to your organization in a timely manner.
12.6 Conduct table top exercises of the IRP to train staff and assess CLIENT’s capabilities of responding within 72 hours requirements.
12.7 Maintain a log of all data breaches should be kept demonstrating compliance with Article 33. The log should include the facts surrounding
the data breach, any effects, and the remediation efforts implemented as a result.
Lack of a timely breach notification may result in a significant impact to the rights and freedoms of data subjects. In addition, the cost of
responding to a data breach increases substantially when there is a delayed response. According to a recent survey published by Ponemon2,
when a company implements a robust data security and breach notification program, the cost of a data breach is reduced from $149.00 a record
RISK / IMPACT
to $19.00 a record. In addition to the financial consequences, corporations should consider the reputational harm, lost business, and the
disruption a data breach may have on their bottom line factors. While data breach notification programs can be costly, preventative measures
can ensure the resiliency of the corporate structure and ensure senior management is prepared to deal with the incident in a timely fashion.

2 Poneman Cost of Breach Study, November 2017, IBM, https://www.ibm.com/security/data-breach, Accessed May 1, 2018

20 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
SECTION 3
COUNTRY OBSERVATIONS
Protiviti conducted discovery interviews with North America (US and Canada), Europe and South America offices to evaluate data privacy measures and their current
state of compliance with the GDPR. It was discovered that each European country manage GDPR compliance efforts independently without direction from the US-
based corporate offices. Protiviti strongly encourages that CLIENT develop a global privacy program that international offices adhere to. Although regulations may
vary slightly by member state, a centralized approach will ensure that CLIENT international operations are considering privacy and data protection in all functions of the
business. Efforts underway in Germany and the United Kingdom should be considered for adoption to expedite standing up a global approach.

COUNTRY SPECIFIC ASSESSMENT

GDPR Area North Belgium France Germany Greece Netherlands U.K. Brazil
America
1. Legal Basis In Process Addressed In Process In Process Not Started Addressed Not Started Not Started
2. Consent Addressed Addressed In Process In Process Addressed Addressed Addressed Not Started
Legal Not Started
3. Cross-Border Data Transfers In Process In Process In Process In Process In Process In Process In Process
4. Third Party Due Diligence In Process In Process In Process In Process Addressed In Process Addressed Not Started
5. Privacy Notice Addressed Addressed Addressed Addressed Addressed Addressed Addressed Not Started
6. Data Protection Officer (DPO) In Process N/A N/A In Process N/A N/A In Process N/A
7. Record of Processing Activities In Process In Process In Process In Process Not Started In Process Not Started Not Started
Data Not Started
8. Data Protection Impact Assessment Not Started Not Started Not Started Not Started Not Started Not Started Not Started
Processing
9. Privacy by Design and by Default In Process Addressed In Process In Process In Process Addressed In Process Not Started
10. Data Subject Rights Not Started In Process In Process In Process In Process In Process In Process Not Started

Data 11. Data Security In Process In Process In Process In Process In Process In Process In Process Not Started
Protection 12. Breach Notification Not Started In Process In Process In Process In Process In Process In Process Not Started

Addressed: CLIENT is demonstrating adherence to the GDPR.

In Process: Assessment area is currently being developed or is on a roadmap.
Not Started: Remediation steps have not yet been started.

21 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
SECTION 4
COMPLIANCE ROADMAP
The GDPR compliance roadmap provides additional analysis, prioritisation and proposed
implementation activities to support the recommendation identified within the gap assessment. The
remediation strategies are meant as high level recommendations for CLIENT based on our experience
assessing other organisations of comparable size and business context. They must be viewed as a
starting point for the definition of CLIENT GDPR compliance strategy. This can only be finalised by
CLIENT management after conducting technical and organisational feasibility studies, obtaining reliable
cost estimates and gauging its risk appetite for data protection compliance. The final GDPR compliance
strategy will select a preferred course of action for remediating the gaps reported that CLIENT
management decides to remediate and with a timeline that will reflect all the known constraints
(resourcing in particular) emerging during the technical and organisational feasibility studies. If a Data
Protection Officer is appointed, we strongly recommend the involvement of this individual (or firm) in a
leader role to drive the initiative, as this role must be involved in all the issues which relate to the
protection of personal data according to Art. 38 of the GDPR.

The roadmap provides a possible course of action toward GDPR compliance aimed at closing all the
gaps identified by this report before the GDPR becomes enforceable. It specifies work streams; range
estimates of their duration; their logical sequence based on all the dependencies identifiable at this
stage; and an indication of which team should lead each work stream.

For all work streams, we specify an expected range of elapsed duration to complete. The actual
remediation timelines may vary and so we have provided a range within our estimate (early and late
finish date). As an example, the work stream to remediate the Data Protection Officer gap should not
take more than a week if a decision not to appoint a DPO is taken and documented: conversely, if the
decision to appoint a DPO is taken, the gap can take easily up to 14 weeks until a suitable candidate is
found internally or in the market or until an agreement with an outsourcing firm of DPO services is
reached.

Some tasks (or even entire work streams) are easier to outsource to third parties. This should be
considered when internal resources are not available (or with limited availability impacting in a negative
way the expected duration of the remediation effort) or when skills are lacking or deemed not as mature
as the ones that a third party can provide.

EMBEDDED REMEDIATION ROADMAP

25 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
 REMEDIATION WORKSTREAM
The workstream below identifies remediation activities based on priority and recommended start date
to demonstrate compliance with the GDPR. Department responsibilities and estimated level of effort
are included in the remediation roadmap located on page 25.

Assessment Area ID Workstream Action Priority Maturity

1. Legal Basis for Processing 1.1 Consent High Not Started
1. Legal Basis for Processing 1.2 Legal High Not Started
2. Consent 2.1 Website Update High In Process
7. Records of Processing 7.1 ROPA High Not Started
3. Cross-border mechanism 3.2 Policy Creation/Revisions High Not Started
11. Data Security 11.2 Policy Creation/Revisions High In Process
2. Consent 2.2 Website Update High In Process
2. Consent 2.3 Website Update High In Process
2. Consent 2.5 Record Keeping High Not Started
5. Privacy Notice 5.1 Policy Creation/Revisions Privacy Statement High In Process
6. DPO 6.1 Policy Creation/Revisions High Not Started
6. DPO 6.2 Policy Creation/Revisions DPO justification High Not Started
Developing Roles and
7. Records of Processing 7.3 High Not Started
Responsibilities
2. Consent 2.4 Inventory Review High Not Started
3. Cross-border mechanism 3.1 Inventory Review High Not Started
1. Legal Basis for Processing 1.3 ROPA High Not Started
7. Records of Processing 7.2 ROPA High Not Started

4. Third Party Due Diligence 4.3 Data Security Framework High In Process

8. Data Protection Impact

8.1 Policy Creation/Revisions High Not Started
Assessment
10. Data Subject Rights 10.1 Data Subject Rights High Not Started
10. Data Subject Rights 10.2 Record Keeping High Not Started
2. Consent 2.6 Review Medium Not Started
4. Third Party Due Diligence 4.2 Policy Creation/Revisions Medium Not Started
12. Breach Notification 12.1 Policy Creation/Revisions Incident Response Plan Medium Not Started
12. Breach Notification 12.5 Legal Contract review Medium Not Started
12. Breach Notification 12.7 Record Keeping Data Breach Log Medium Not Started
Developing Roles and
6. DPO 6.4 Medium Not Started
Responsibilities
10. Data Subject Rights 10.4 Data Subject Rights Medium Not Started
3. Cross-border mechanism 3.3 Record Keeping Medium Not Started
3. Cross-border mechanism 3.4 Legal Medium Not Started
2. Consent 2.7 Data Subject Rights Medium Not Started
4. Third Party Due Diligence 4.1 Legal Medium Not Started
12. Breach Notification 12.2 Policy Creation/Revisions Incident notification procedures Medium Not Started
Developing Roles and
6. DPO 6.3 Medium Not Started
Responsibilities
8. Data Protection Impact
8.2 ROPA Medium Not Started
Assessment
9. Privacy By Design 9.5 Data Security Framework Medium Not Started
8. Data Protection Impact
8.3 ROPA Medium Not Started
Assessment
9. Privacy By Design 9.6 Awareness Training Medium In Process
11. Data Security 11.1 Policy Creation/Revisions Medium In Process
12. Breach Notification 12.3 Policy Creation/Revisions Incident communication workflow Medium Not Started

26 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
Assessment Area ID Workstream Action Priority Maturity
12. Breach Notification 12.4 Awareness Training Incident training Medium Not Started
12. Breach Notification 12.6 Data Security Framework Table top exercises Medium Not Started
9. Privacy By Design 9.2 Awareness Training Medium Not Started
9. Privacy By Design 9.3 Data Security Framework Medium Not Started
5. Privacy Notice 5.2 Review Privacy Statement refresh Medium Not Started
9. Privacy By Design 9.4 Policy Creation/Revisions Medium Not Started
Risk
1. Legal Basis for Processing 1.4 Policy Creation/Revisions Low
Accepted
5. Privacy Notice 5.3 Policy Creation/Revisions Employee Privacy Statement Low In Process
7. Records of Processing 7.5 GDPR tools Low Not Started
9. Privacy By Design 9.1 Policy Creation/Revisions Low Not Started
7. Records of Processing 7.4 Review Low Not Started
Risk
10. Data Subject Rights 10.3 Data Subject Rights Low
Accepted
10. Data Subject Rights 10.5 Data Subject Rights Low Not Started

27 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
SECTION 5
APPENDICES
Appendix A: Project Participants

Name Department Location

Internal Audit Corporate
IT Corporate
IT Corporate
IT Corporate
Finance Corporate
Finance Corporate
Finance Corporate
Finance Corporate
Sales Corporate
Sales Corporate
IT Corporate
Legal Corporate
Marketing Corporate
Quality Corporate
Operations Corporate
PCMS Corporate
Sales Corporate
Human Resources Corporate
Operations Germany
Finance Germany
Operations Greece
Operations Brazil
Finance Brazil
Engineering Corporate
Human Resources France
Finance France
Human Resources UK
Operations Netherlands
Finance Netherlands
Operations Belgium

28 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
Appendix B: Key Terms

Term GDPR Definition

Controller means the natural or legal person, public authority, agency or any other body
which alone or jointly with others determines the purposes and means of the
processing of personal data; where the purposes and means of processing are
determined by EU or Member State laws, the controller may be designated by those
laws.”
As a controller, CLIENT has the responsibility to maintain records of all the processing
activities which take place within the organization. These records (which need to be in
writing, as well as in electronic form) must contain all the following information:
The name and contact details of the controller and where applicable, the data
protection office;
• The purposes of the processing;
• A description of the categories of data subjects and of the categories of
personal data;
Data Controller
• The categories of recipients to whom the personal data have been or will be
disclosed including recipients in third countries or international organizations;
• The transfers of personal data to a third country or an international
organization, including the documentation of suitable safeguards;
• The envisaged time limits for erasure of the different categories of data; and
• A general description of the applied technical and organizational security
measures.
Please note that the obligation does not apply to organizations employing fewer than
250 persons, unless the processing is of a high-risk nature, including processing of
special categories of personal data such as ethnic or health information, or data about
criminal behavior.
The controller needs to make the records available to the supervisory authority upon
request.
A natural or legal person, public authority, agency or other body which processes
personal data on behalf of the controller.
Data Processor
The processor needs to make records available to the supervisory authority upon
request.
Any information relating to an identified or identifiable natural person; an identifiable
person is one who can be identified, directly or indirectly, by reference to an identifier:
Personal Data
ID number, location data, online identifier, or factors specific to physical, physiological,
genetic, mental, economic, cultural or social identity of that person.
Data Subject A natural person.
Any operation or set of operations performed upon personal data, or sets of it, be it by
Data Processing
automated systems or not.
Any form of automated processing of personal data using it to evaluate, analyse or
predict certain personal aspects of a natural person. Examples of profiling explicitly
Profiling
listed in the text of the GDPR are: performance at work, economic situation, health,
personal preferences, interests, reliability, behaviour, location or movements.

The processing of personal data so that it can no longer be attributed to a specific data
subject without the use of additional information, as long as such additional information
Pseudonymisation
is kept separately and technical and organisational measures are used to ensure non-
attribution to an identified or identifiable person.
Any freely given, specific, informed, unambiguous indication of the data subjects'
Explicit Consent
agreement to personal data relating to them being processed.
Security breach leading to the accidental or unlawful destruction, loss, alteration,
Personal Data
unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise
Breach
processed.
Personal data protection policies which are adhered to by a controller or processor
Binding Corporate established on the territory of a Member State for transfers or a set of transfers of
Rules personal data to a controller or processor in one or more third countries within a group
of undertakings or group of enterprises engaged in a joint economic activity.
Personal data can only be processed only on the basis of one of the legal grounds
Legality Principle
specified by the GDPR.
Any information the data controller (organisation) gives to the data subject (individual)
Transparency
about its data processing practices must be concise, transparent, intelligible and in
Principle
easily accessible form.

29 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
Term GDPR Definition
Fairness is achieved when the Data Controller has put in place working procedures for
Fairness Principle
the Data Subject to exercise their rights as specified by the GDPR.
Purpose Limitation Personal data must be collected for specified, explicit, legitimate purposes and not
Principle further processed in a way incompatible with those purposes.
Minimisation Personal data must be adequate, relevant and limited to what is necessary in relation
Principle to the purposes for which it is processed.
Personal data must be accurate and kept up to date and every reasonable step must
Accuracy Principle
be taken to ensure that inaccurate personal data is erased or rectified without delay.
Personal data must be kept in a form which permits identification of data subjects for
Storage Limitation no longer than necessary for the processing purposes. Data may be stored for longer
Principle periods only for public interest archiving, scientific, historical or statistical research
purposes.
Integrity and Personal data must be processed using appropriate technical and organisational
Confidentiality security measures, including protection against unauthorised or unlawful processing
Principles and against accidental loss, destruction or damage.
Accountability The Controller has responsibility for and must be able to demonstrate compliance with
Principle all the principles listed above.
‘Main establishment’ for controllers and processors refers to:
(a) the place of its central administration or the
Main Establishment (b) the place where the decisions on the purposes and means of the processing of
personal data are taken if different from (a).

This is personal data revealing racial or ethnic origin, political opinions, religious or
Sensitive Personal philosophical beliefs, or trade union membership, and the processing of genetic data,
Data biometric data for the purpose of uniquely identifying a natural person, data concerning
health or data concerning a natural person's sex life or sexual orientation.
Privacy by Design (PbD) is an approach to protecting privacy by embedding it into the
design specifications of technologies, business practices, and physical infrastructures.
Privacy by Design
That means building in privacy up front – right into the design specifications and
architecture of new systems and processes.
Privacy impact assessment is a process which helps an organisation to identify and
reduce the privacy risks of a project. An effective PIA will be used throughout the
Privacy Impact
development and implementation of a project, using existing project management
Assessment
processes. A PIA enables an organisation to systematically and thoroughly analyse
how a particular project or system will affect the privacy of the individuals involved.
The lead supervisory authority will be the main data protection regulator that the
organisation deals with, provided that it has a main establishment within the EU; also
referred as the "one-stop-shop". The selection of the lead supervisory authority is
Lead Supervisory
uniquely driven by the location of the main establishment in the EU. Main
Authority
establishment’ for a controller will usually be determined by looking to where the
organisation’s central administration is in the EU. The central administration is the
place where decisions about the purposes and means of processing are taken.
Countries that belong to the Extended European Area (EEA) are: Austria, Belgium,
Bulgaria, Czech Republic, Cyprus, Denmark, Estonia, Finland, France, Germany,
Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg,
Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain,
EEA Sweden, United Kingdom.
Countries that are EEA member countries but NOT part of the European Union are:
Norway, Iceland, Liechtenstein.

Switzerland, while a member of EFTA, is neither in the EU nor in the EEA.

30 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
Appendix C: High Risk Processing

Processing activities covered under the GDPR Article 35 (as listed below) are defined as High-Risk
and require implementation of additional GDPR obligations, including completion of the Data
Protection Impact Analysis (DPIA) and consultation with the Data Protection Authorities (DPA’s).
Protiviti concluded that CLIENT does currently engage in High-Risk processing.

GDPR Defined “High Risk Processing Activities

As defined by the GDPR Article 35, the following processing activities are considered High Risk:
(a) a systematic and extensive evaluation of personal data which is based on automated
processing, including profiling, and on which decisions are based that affect the natural
person;

(b) processing on a large scale of special categories of data (e.g. health, biometric, sexual
orientation, etc.) referred to in Article 9, or of personal data relating to criminal convictions and
offences referred to in Article 10; or

(c) a systematic monitoring of a publicly accessible area on a large scale.

GDPR Gap Assessment

Activities not covered under the GDPR Article 35 must be evaluated to determine the level of risk
presented to EU individuals by processing their personal data. The primary objective of this gap
assessment is to help organizations prioritize compliance efforts by focusing their resources
on protection of personal data with the highest risk to individuals’ rights and freedoms.

Protiviti determined that 81 applications evaluated as part of this assessment are in scope for GDPR.
In-scope applications were further prioritized based on the type of personal data processed (e.g.,
health, credit cards, bank accounts, etc.) and the number of EU individuals that may be impacted
(the volume of records processed).

Protiviti Recommended “High Priority” Processing Activities

High Priority – Applications that meet ONE of the following three criteria were identified as high
priority:
• Processing of any Special Categories of Personal Data (e.g. health, biometric, sexual
orientation, etc.)

• Processing Restricted Personal Data (e.g., credit cards, bank accounts, SSN, etc.)

• Processing High Volumes of Confidential Personal Data, where unique number of individuals
is more or equal to 10 million.

Medium Priority – Applications that process Medium Volumes of Confidential Personal Data, where
unique number of individuals is less than 10 million.

Low Priority – Applications that process a combination of customer or employee identifier (e.g.,
name, customer ID, user ID, etc.) and non-personal data elements (e.g., policy details, product
details, etc.).

31 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
Appendix D: Priority Ranking

Based upon inquiry and review of available documentation, we understand management is still in
progress with performing GDPR readiness activities. Protiviti assessed 12 areas as part of the GDPR gap
readiness assessment. For each area, a priority ranking was provided. This priority ranking is determine
based on a combination of the level of effort, duration, and urgency to meet or improve GDPR
compliance.

A ranking that results in a high priority may be assigned due to one or

more of the following factors:
- A strong sense of urgency to address the issue before other lower
priority items
High - A large cost associated with the issue
- The significant value that will be added after addressing the issue
- The timing to address the issue in order to address subsequent
issues

A ranking that results in a medium priority may be assigned due to one or

more of the following factors:
- A less sense of urgency to address the issue before other low
priority items
Medium - A significant cost associated with the issue, but other issues with a
higher cost needed to be addressed first
- The value that will be added after addressing the issue
- The timing to address the issue may follow a high priority item

A ranking that results in a low priority may be assigned due to one or more
of the following factors:
- A small sense of urgency to address the issue, due to other issues
ranking at a higher priority
Low - A small cost associated with the issue
- The value that will be added after addressing the issue
- The timing to address the issue may follow a high or medium
priority item

Note: Considerable professional judgment is required in determining the observation priority ranking.
Accordingly, others could evaluate the results differently and draw different conclusions.

32 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
Appendix E: Cookie Consent Scan Results

Cookies Summary
Strictly Necessary means the cookies are essential for the provision of the site and any requested
services, but do not perform any additional or secondary function.

Performance Cookies are those that provide statistical information on site usage, i.e. web analytics.

Functionality Cookies These cookies allow the provision of enhanced functionality and personalization,
such as videos and live chat. They may be set by us or by third-party providers whose services we have
added to our pages. If you do not allow these cookies, then some or all of these functions may not work
properly.

Targeting/Advertising Cookies are used to create profiles or personalize content. Third parties often set
them and these cookies present the highest privacy risks to visitors.

CLIENT.com
Privacy Policy = Yes
Cookie Policy = No
Cookie Notice = Yes

Embedded webscan
CLIENT.co.uk
Privacy Policy = Yes
Cookie Policy = No
Cookie Notice = Yes

Embedded webscan

33 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
CLIENT.fr
Privacy Policy = Yes
Cookie Policy = No
Cookie Notice = No

Embedded webscan

CLIENT.gr
Privacy Policy = No
Cookie Policy = No
Cookie Notice = No

Embedded webscan

CLIENT.nl
Privacy Policy = No
Cookie Policy = No
Cookie Notice = No

Embedded webscan

34 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
CLIENT.ca
Privacy Policy = No
Cookie Policy = No
Cookie Notice = No

Embedded webscan

CLIENTa.com/en/
Privacy Policy = No
Cookie Policy = No
Cookie Notice = No

Embedded webscan

CLIENTb.com
Privacy Policy = Yes
Cookie Policy = No
Cookie Notice = No

Embedded webscan

35 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
CLIENT.net
Privacy Policy = No
Cookie Policy = No
Cookie Notice = No

Embedded webscan

CLIENT.com.br
Privacy Policy = No
Cookie Policy = No
Cookie Notice = No

Embedded webscan

CLIENTc.com
Privacy Policy = No
Cookie Policy = No
Cookie Notice = No

Embedded webscan

36 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
CLIENTd.com
Privacy Policy = No
Cookie Policy = No
Cookie Notice = No

Embedded webscan

CLIENTe.com
Privacy Policy = No
Cookie Policy = No
Cookie Notice = No

Embedded webscan

CLIENTf.com
Privacy Policy = No
Cookie Policy = No
Cookie Notice = No

37 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
CLIENTg.com
Privacy Policy = Yes
Cookie Policy = No
Cookie Notice = No

Embedded webscan

38 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
Appendix F: Privacy Policy Analysis

Data Protection Policy

URL: https://CLIENT.com/company/ CLIENT_Group_Data_Protection_Policy.pdf

Requirement
GDPR Requirement Current State Analysis
Met
1. The identity and contact details of The CLIENT policy states that a DPO has been
the controller and where applicable, appointed and all questions should be directed to the
the controller’s representative and DPO. However, there is no contact details around how
the data protection officer. to reach the DPO.
2. The purpose of the processing and The CLIENT policy does NOT explicitly state the legal
the legal basis for the processing. basis for processing personal data.
3. The legitimate interests of the The CLIENT policy explicitly states that all personal
controller or third-party, where data retained must be necessary for the purposes of
applicable. legitimate interest pursued by a third party.
The CLIENT policy defines personal data and provides
minimal examples, but does NOT explicitly states the
4. The categories of personal data.
categories of personal data that may be
collected/processed/stored.
The CLIENT policy does NOT explicitly state the
5. Any recipient or categories of
recipients or category of recipients who receive the
recipients of the personal data.
personal data.
The CLIENT policy does NOT explicitly the details of
6. The details of transfers to third
transfers to third countries and the corresponding
country and safeguards.
safeguards.
The CLIENT policy explicitly states that “the data must
7. The retention period or criteria used be kept for only as long as truly necessary to
to determine the retention period. accomplish whatever reason the data was being used
for in the first place."
The CLIENT policy explicitly states that the data
subjects have the right to (1) be informed when the
personal data is being used and processed, to (2)
access the data being used, free of cost, upon request
8. The existence of each of data
at any time, to (3) request that his or her data be
subject’s rights.
deleted from all computers, servers and backups, to
(4) change or correct any data that is inaccurate or
incorrect, and to (5) restrict the processing or retention
of his or her data.
9. The right to withdraw consent at The CLIENT policy does NOT explicitly state that a
any time, where relevant. data subject can withdraw consent at any time.
The CLIENT policy includes a “Reporting Violations”
10. The right to lodge a complaint with
section, which explicitly states that all violations should
a supervisory authority.
be reported to the DPO.
11. The source the personal data
The CLIENT policy does NOT explicitly state where the
originates from and whether it came
source of personal data originates from.
from publicly accessible sources.
12. Whether the provision of personal
data part of a statutory or The CLIENT policy does NOT explicitly state whether
contractual requirement or the provision of personal data is part of a statutory or
obligation and possible contractual requirement, or consequences of failure to
consequences of failing to provide provide personal data.
the personal data.
13. The existence of automated
decision making, including profiling The CLIENT policy does NOT explicitly state the
and information about how existence of automated decision making, including
decisions are made, the profiling.
significance and the consequences.

39 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
Privacy Policy
URL: https://CLIENTgroup.com/company/ /CLIENT_Group_Privacy_Policy.pdf

Requirement
GDPR Requirement Current State Analysis
Met
1. The identity and contact details of
the controller and where applicable, The CLIENT policy does not provide contact details of
the controller’s representative and the controller, controller’s representative, nor DPO.
the data protection officer.
The CLIENT policy identifies the purpose for
2. The purpose of the processing and
processing personal data. However, it does not
the legal basis for the processing.
explicitly state the legal basis for processing.
The CLIENT policy explicitly states that they do not
sell, trade, or otherwise transfer personal data to
3. The legitimate interests of the
outside parties. However, this does not include trusted
controller or third-party, where
third parties who assist us in operating our website or
applicable.
conducting business, so long as those parties agree to
keep this information confidential.
The CLIENT policy explicitly states the two types of
information collected: personal information a data
4. The categories of personal data.
subject chooses to provide and the web site use
information.
The CLIENT policy does NOT explicitly state the
5. Any recipient or categories of
recipients or category of recipients who receive the
recipients of the personal data.
personal data.
The CLIENT policy does NOT explicitly the details of
6. The details of transfers to third
transfers to third countries and the corresponding
country and safeguards.
safeguards.
7. The retention period or criteria used The CLIENT policy does NOT explicitly states the
to determine the retention period. retention period of personal data.
8. The existence of each of data The CLIENT policy does NOT explicitly state the
subject’s rights. existence of each data subject’s rights.
9. The right to withdraw consent at The CLIENT policy does NOT explicitly state that a
any time, where relevant. data subject can withdraw consent at any time.
10. The right to lodge a complaint with The CLIENT policy does NOT explicitly explain the
a supervisory authority. right to lodge a complaint with a supervisor authority.
11. The source the personal data
The CLIENT policy does NOT explicitly state where the
originates from and whether it came
source of personal data originates from.
from publicly accessible sources.
12. Whether the provision of personal
data part of a statutory or The CLIENT policy does NOT explicitly state whether
contractual requirement or the provision of personal data is part of a statutory or
obligation and possible contractual requirement, or consequences of failure to
consequences of failing to provide provide personal data.
the personal data.
13. The existence of automated
decision making, including profiling The CLIENT policy does NOT explicitly state the
and information about how existence of automated decision making, including
decisions are made, the profiling.
significance and the consequences.

40 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
Appendix G: GDPR vs. CCPA

Does California Consumer Protection Act (CCPA) apply to CLIENT?

Organizations that do business with California Residents and meet one or more of the following criteria
are in-scope.
Transacts personal information of 50,000 or more consumers, households or devices for
commercial purposes
Earns $25M or more a year in revenue
Derives 50% or more of their annual revenue by selling personal information related to
consumers, households or devices

Based on annual revenue, CLIENT is in scope for the CCPA.

Note: The law does not apply to information already regulated under the Health Insurance Portability and
Accountability Act, the Graham-Leach Bliley Act, the Fair Credit Reporting Act, or the Drivers’ Privacy
Protection Act – it still applies to entities covered by these laws to the extent they collect and process
other personal information about California consumers.

Regulatory Requirements

Individual Privacy Rights

Privacy Right GDPR CCPA

Right to be Informed
Right to Access
Right to Portability
Right to Correction
Right to be given information about
how personal data is being
processed and why
Right to access all personal data in
a user-friendly, readable format
Must export personal data
processed in a machine readable file
format
Right to correct personal data
Right to be given information about
the categories of personal data that
is being collected, prior to collection
taking place
Right to access personal data
collected in the last 12 months,
delineated between sold and
transferred
Must export personal data collected
in the last 12 months in a machine
readable file format
Not included with CCPA

41 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.
 Right to opt-out of selling personal
Right to Stop Right to withdraw consent and stop data only; but there is no
Processing processing personal data requirement to stop
collection/processing
Right to Stop Automated Right to require a human to make
Not included with CCPA
Decision-Making decisions that have a legal effect
Right to erase personal data Right to erase personal data
Right to Erasure
collected, under certain conditions collected, under certain conditions
Right to Equal Services
Implicitly required Explicitly required
& Price
Private Right of Action Liability is limited from $100 to $750
No limitation of liability
Damages per individual per incident
Limited to 20 million or 4% of global No limitation - $7,500 per individual
Regulator Penalties
revenue violation

Compliance Assessment Areas

42 © 2018 Protiviti Inc. This material is the confidential property of CLIENT. Copying or reproducing this material is strictly prohibited.