Pragmatic Approach to GDPR Compliance
What is GDPR in nutshell?
Privacy is one of the biggest problems in this new digital age. At the heart of the internet culture is a force that wants to find out everything about individuals. Once data draw conclusion about individuals, people will be tempted to trade and do commerce with that data asset. This was not the purpose when social media or information age was founded. Thus people living in the digital age are faced with a dichotomy. Digital age is ever evolving.
European strong regulation came to rescue for individuals privacy rights. General Data Protection Regulation (GDPR) to help organisations understand the new legal framework in the EU. It explains the similarities with the existing UK Data Protection Act 1998 (DPA), and describes some of the new and different requirements.
GDPR has 11 chapters, 99 articles and 187 recitals and details can be found on https://ec.europa.eu/justice/data-protection/reform/index_en.htm
GDPR is driven by two serious threats; Reputational damage and Hugh monetary fines.
Time to be compliant to GDPR is before 18th May 2018.
Do I need to be compliant?
The GDPR will apply to EU and non-EU companies that
(i) process personal data in relation to the offering of goods or services to EU data subjects or
(ii) monitor individuals’ behaviours that are conducted within the EU. The concepts of personal data and processing remain very broad. Personal data include any kind of information (i.e., location data, online identifier) that allows a person to be identified—even indirectly.
Few Challenges in GDPR
Age Gate in GDPR ensures parents consent is mandatory while processing data of 16 yrs below age. This is important because in most of the situation portal will lack age verification system and some control mechanism should be in place to record and store these consent securely. Secondly the Consent language should be clearer and should be communicative. Hence Privacy control framework Integration with legal framework is a must.
Right to know furthermore gives Data control rights to EU individuals. As per the clause every Individual should, therefore, have the right to know and obtain communication in particular with regard to
(i) The Purposes for which the personal data are processed,
(ii) Where possible the period for which the personal data are processed,
(iii) The recipients of the personal data, the logic involved in any automatic personal data processing.
Allowing individual to Erasure of personal data will need a careful implementation since forensic might need to have traces of user data. Legal Consent framework need carefully address these issues in conjunction with technology.
Security of privacy data processing demands the pseudonymisation and encryption of personal data. However there are different algorithms to mask data such as Secure Substitution, Key Masking, Randomizer, Shuffling, Simulation, Encryption and Mathematical Formula Based.
Privacy by Design Privacy need to be addressed in the system or process during design phase, it should not be restricted to new systems but also include legacy systems and change management process.
Few IT Challenges in implementing GDPR
Data Identification – Data growing out of control, PII data can be held on any endpoint, how to identify and categorise will be an ongoing challenge.
Initial Cleanup – Making data retention policy as per different regulation and initial cleanup from systems will need enormous amount of efforts right from choosing technology till Implementing and executing policies on interdependent systems.
Inventorying Data, Data categorisation and ongoing cleanup needs to be part of the policy framework and also should be practical.
Structured Approach to Privacy Management – Lack of Business aware data management will encumber Privacy data management.
Technology Evolution – Bar Code / RFID based solution reveals privacy information and need to be protected. E.g. on Bar code printed Flight Boarding pass reveals privacy information of passenger.
Skilled Resources – The main challenge most companies are facing now is the lack of skilled cyber security resources, which is addressed by commitment towards raising awareness of the cyber security skills shortage.
Opportunities to C’Level Executive
1. Data rationalisation – There could be duplication in data management which can be normalised which can directly help to optimisation cost. Cost reduction in Backup solution, increase in cloud solution effectiveness.
2. Effective control of Information Management – With Privacy data management program CISO’s and CRO will be able to proactively identify risk and address data leakage in effective ways.
3. Effective IT management Software Engineering practices/Documentation – Compliance Implementation needs very comprehensive records of data processing documentation which should have detailed data mapping to determine what data is collected, how and why, where it is stored, who has access to it and whether approach is integrated legal framework etc.
4. Business driven approach - As the business design data strategy, Privacy Office needs to ensure Policy and framework are up-to-date and relevant which intern demand collaboration with Business, Risk Legal and IT.
5. Robust Information Security management – Compliance to privacy framework will help C-suit to build strong Technological and process control framework which can be also easily integrated with Security Operation management for privacy breaches and opportunity to get more Budgets.