In this blog post
Almost every aspect of modern life revolves around data. At least 2.5 quintillion bytes of data are produced every day, and almost 90% of the world’s data has been generated in just the last two years! Service providers like healthcare, pharma, life science, social media companies, retail businesses, governments, etc. intelligently leverage these huge volumes of data collected, to understand user behavior and offer services accordingly.
However, this proliferation of data increases data security risks multi-fold. Malicious actors who gain illegal access to a pool of data can wreak havoc by causing a financial and reputational loss for the concerned organization. Companies may possess the personal information of millions of customers; that data needs to be kept private so that customer identities stay as safe and protected as possible. Having a comprehensive regulatory compliance strategy is a critical first step for organizations to protect their data and customers, while still benefitting from the digital economy. The GDPR is one of several regulations on data protection and privacy. Let’s take a deeper look at GDPR.
What is GDPR?
The General Data Protection Regulation (EU) 2016/679 (GDPR) is an important regulation on data protection and privacy in the Europen Union (EU) & European Economic Area (EEA), and the transfer of personal data outside the EU & EEA. Adopted on 14 April 2016 and enforced on 25 May 2018, it functions to enhance control and rights over any individual’s personal data.
GDPR ensures that organizations collect personal data legally and protect it from misuse. It respects and protects the rights of an individual and imposes penalties if data is exploited by any entity. GDPR holds legal obligations on processors to maintain records of personal data and keep a watch on how it is maintained and secured.
Personal data that GDPR aims to protect includes:
- Basic personal information like the person’s name, address, ID numbers
- Web data like location, IP address, cookie data, and RFID tags
- Health-related data including physical and mental health, medical treatment information, etc.
- Biometric data like facial images and fingerprints
- Racial and genetic data
- Data concerning political opinions
- Information about sexual orientation
The GDPR rights for individuals are:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right of data portability
- Right to object
- Right to automated decision making and profiling
An organization can be fined heavily for GDPR non-compliance like for instance if it processes any personal data without proper consent, or, doesn’t process an individual’s data securely, if it doesn’t have a data protection officer, or if there is a data breach. These fines can go up to $20 million or 4% of a firm’s turnover, whichever is higher. A well-known example of a GDPR breach is that of Google, where it was penalized for not providing relevant information to users about how it uses the personal data received from its host of services. Moreover, the search engine giant did not have the consent of its users for processing their data.
Given below are some steps to align your business with GDPR and be compliant:
1. Task Force
An in-house task force involving all the stakeholders, key organizational members, and decision-makers needs to be formed. This may include the marketing team, finance, sales, operations & other groups that make use of customer data. This team should be given intensive training on GDPR and should champion all GDPR awareness & compliance initiatives in the organization. The team would be responsible for percolating information down to their respective teams, managing permissions of internal & external members who have access to company data, and be accountable for implementing ongoing technical or process changes required for strong upkeep of data.
All existing processes for data collection, direct & indirect modes of collection, data retention, and utilization is to be precisely documented. Under Article 30 of GDPR, it is necessary to create Records of Processing Activities (RoPA) that take place within the organization, that include the purpose of the processing, the categories of data subjects, the categories of personal data, the categories of recipients of the data, data transfers that will be done, time limits for data erasure, data security measures, etc. Article 35 of the GDPR also requires the maintenance of the Data Protection Impact Assessment (DPIA) where an assessment on the impact caused by the data processing on personal data protection needs to be made. One assessment can cover multiple similar data processing activities.
3. Communication and Consent Management
Data subjects need to be made aware of and kept updated about privacy policies and how they will impact them. All information about the rights of data subjects and processes for consent management must be disseminated clearly, with no ambiguity, and made easily available. Consent should be obtained freely & fairly with mechanisms to withdraw consent or change clauses of a given consent at any time in a way that the data subject is always in full control of his/her data. IT processes and systems should be tightly integrated in such a way that all consent takes effect immediately and reflects everywhere. It should be strictly ensured that no data beyond the accepted limit and above the consent of the data subject is collected.
4. Data Protection Officer (DPO)
A DPO is mandated by GDPR specifically under certain conditions, although there needs to be someone in the organization who is responsible for GDPR compliance if the organization deals with the personal information of EU residents. The DPO does not have to be a full-time position and can be performed by an employee already in another role. Companies can appoint a virtual DPO or an external resource solely for this purpose. The DPO needs to have professional expertise & experience in the areas of data protection and data privacy law and practices and would be fully responsible for overseeing audit-related activities, data inventory management, data processing, awareness campaigns, continuous monitoring of compliance, and enforcement of practices for compliance.
5. Data Protection Policy
Having a structured data protection policy provides the framework for GDPR compliance practices. It helps break the complex, intricate GDPR requirements into actionable items relevant to the organization. The policy will only serve as a high-level guide on GDPR requirements, employee obligations, data subject rights, DPO details, etc., and does not need to cover the details of the actual implementation. Having such a policy provides the foundation on which to implement the GDPR practices, serves as a cheat sheet to the voluminous GDPR, explains in understandable terms the obligations and rights of employees, and helps demonstrate commitment towards data protection to regulatory authorities.
6. Data Breach Response Plan
In case of a breach, companies must inform the data protection supervisory authority within 72 hours, with details of the nature of the breach, the affected categories, the number of data subjects, and the number of personal records affected. The contact details of the DPO, possible consequences of the breach, and the mitigation measures that have been/are being taken are additional details that need to be communicated in a phased manner in case such information is not available immediately. This 72-hour mandate is a challenge because the organization is already scrambling to find the cause of the breach, and working on impact mitigation measures. That is why it is pertinent to have a response plan that outlines the actions that need to be taken to detect and respond quickly and in a coordinated manner. This should include in detail the process of identification of the incident, the causes, the objectives of the response for each type of data breach, determining the level of impact, the people who should be notified, etc. Periodic risk assessments enable continuous detection of current or new vulnerabilities and help establish steps for preventive risk mitigation to avert data breaches from happening in the first place.
Data privacy has always been an important part of data protection. Due to increasing data leakage and vulnerabilities, it is steadily gaining visibility in the market now. Protecting data and using it securely is central to a zero-trust strategy. To remain globally relevant and compliant in nature, businesses need to be adhering to local and international regulations.
GAVS has a robust data privacy practice and has extensive expertise and experience in ensuring GDPR compliance and data protection for its global customers. The steps explained above will not only help organizations to be GDPR compliant, but over time, it will streamline processes in a way that data privacy assurance becomes an integral part of everyday operations.
For more information on our data privacy practice, please click here.