When it comes to the way companies handle and protect data, things are soon going to change thanks to a new set of rules that are coming into force as of May 2018. Better known as the General Data Protection Regulation (GDPR), the new legal framework is meant to harmonise data protection standards across the 28 EU member states and is expected to ultimately reduce compliance costs, complexity, risks and uncertainty, ensuring that people’s data is adequately protected.
Here are the top ten key features that the new rules will bring about.
1. Significant penalties
The penalties for businesses or organisations that do not comply are hefty. Any company holding the personal data of EU individuals (commonly referred to as data subjects in the GDPR) will have to ensure they are compliant.
The penalties for breaching the legislation can be high, with fines of up to €20M or up to four percent of a company’s annual revenue, whichever is higher, depending on the circumstances.
2. The right to be forgotten
Thanks to very restrictive data handling guides, the GDPR puts additional emphasis on the right of an individual to request that unnecessary personal data is deleted, which necessitates that the organisation ensures it has the processes and technologies in place to tackle such requests efficiently.
Organisations are also required not to hold data for any longer than required, and not to change the use of the data from the purpose for which it was originally collected.
3. Enhanced obligations for organisations
Data subjects need to have access to more information on how their data is being processed, and where requests are specifically made, these have to be fulfilled within one month of receipt of the request. Where requests to access data are manifestly unfounded or excessive, organisations will be able to charge a fee for providing access.
Subject access requests must also give all the information relating to purposes that should have been provided upon collection, such as publishing detailed fair processing notices to inform individuals of their data protection rights, the way their information is used and for how long.
4. Stringent consent requirements
For marketers in particular there has been much debate about the type of consent that might be required under this new regulation. The GDPR requires that consent must be explicit, freely given for a specific purpose and easy to retract. The purpose for which the consent is obtained needs to be obvious to the data subject, including what their data is going to be used for at the point of data collection.
Furthermore, the GDPR stipulates that consent should be demonstrable – in other words, organisations need to be able to show clearly how consent was obtained and when.
Consent must also be freely given; the controller cannot insist on data that is not required for the performance of a contract as a pre-requisite for that contract.
5. Stricter breach reporting
The GDPR is meant to bring into line various data breach notification laws in Europe and is aimed at ensuring organisations constantly monitor for breaches of personal data.
Significant data breaches will need to be notified to the local data protection authority within 72 hours and sometimes also to the individual. For many businesses, this may require quite a bit of training. It may require making changes to internal data security policies and how this is promoted in the organisation to ensure data breaches are properly understood and will be recognised easily.
6. Increased privacy impact assessments
The GDPR requires organisations to carry out privacy impact assessments and formally identify emerging privacy risks, particularly for new projects. This means before organisations can even begin projects involving personal information, they will have to conduct a privacy risk assessment and work with the DPO to ensure they are in compliance as projects progress.
7. Thinking of privacy in advance
Termed Privacy by Design, data protection safeguards must be designed into products and services from the earliest stage of development. Data controllers already need to implement appropriate technical and organisational processes to protect data against unlawful treatment. This, however, leaves room for privacy considerations to be reduced to a mere afterthought in the development process. The GDPR requires organisations to consider privacy from the very beginning of the planning process.
8. Increased record keeping
Organisations must maintain registers of the processing activities they carry out, with mandatory DPIAs for high-risk data processing. This applies to all organisations with more than 250 employees as well as smaller enterprises where the data processing is likely to result in a risk to the rights of affected employees, the processing is not occasional or the processing includes special categories of data (e.g. health data, biometric data, data related to political or philosophical beliefs) or personal data relating to criminal convictions and offences. Therefore, in practice, most small and medium-sized enterprises will be obliged to keep a record.
Extensive detailed information needs to be recorded covering the controller, data processes, categorisation of data and data subjects, erasure periods and data protection measures.
9. Appointing DPOs
Any business that depends on processing personal information will have to appoint a Data Protection Officer (DPO), who will be an extension of the data protection authority to ensure personal data processes, activities and systems conform to the law by design. According to a study by the International Association of Privacy Professionals (IAPP), this requirement means that, in Europe alone, 28,000 DPOs will have to be appointed in the next two years.
10. Wider regulatory scope
The GDPR allows any European data protection authority to take action against organisations, regardless of where in the world the company is based. In the past, only data controllers were considered responsible for data processing activities, but the GDPR extends liability to all organisations that process personal data. What’s more, the controller-processor relationships must be documented and managed with contracts that mandate privacy obligations.
Properly implementing a data security policy will help your organisation prepare for the upcoming regulation.
How can we help?
Our GDPR experts can help identify the impact of the GDPR on your organisation and shape, mobilise and assist in delivering transformation programmes to achieve compliance, embed privacy within your organisation and ultimately generate business benefits.
We boast a multi-disciplinary team of specialists covering data protection, cyber security, regulation and compliance, risk management and business change who can help design and implement a sustainable privacy and data protection programme.
Contact us today to find out more.