The EU’s General Data Protection Regulation is commonly known as GDPR. Entrepreneurs should prepare their strategies to make their organizations GDPR compliant so that their businesses can avoid the risk of incurring severe financial penalties.
A well-known research firm has alleged that over 50% of companies in the EU may not be able to comply with the directives of the GDPR and may stand exposed in the years to come.
This article intends to help organizations understand what is required to comply with the GDPR. Through this discussion you should be able to plan your business strategy to meet the toughest requirements of the GDPR.
Requirements of GDPR
To secure the personal data of EU citizens, the European Union has set out detailed requirements in the GDPR. The regulation covers the entire lifecycle of data: how it is collected, stored and processed, and also how it is destroyed. The personal data of a citizen includes a range of details about an individual such as name, address, bank details, religion, mental and physical health, mobile device IDs, web cookies and IP addresses.
Brace yourself for a cybersecurity audit
To achieve GDPR compliance it is imperative to understand the whole idea behind the GDPR. It should not be seen as just another IT security project; on the contrary, it should be treated as a comprehensive business project. It is, in fact, a considerable undertaking for a company to assure the public that their personal data will be used for the right purpose and that its safety will not be compromised.
"Any data of an EU citizen, whether it is used outside Europe or within Europe, will be mandatory to comply with the GDPR guidelines."
The directives of the GDPR are scripted in detail and are very broad in nature. Any company that handles the personal data of anyone residing in the EU falls under the jurisdiction of the GDPR; having a head office or a branch in the EU is not required for this to apply.
GDPR compliance is not only the outcome of deliberations by some European bureaucrats; it is also a guideline that lets companies introspect on their data models and understand how well they can manage data throughout their business lifecycle. GDPR compliance makes use of automated technology and processes so that even small companies can comply with the GDPR norms.
Despite all the good things the GDPR brings, it consumes a considerable amount of IT time and resources. Moreover, it should be borne in mind that the GDPR is not the only data regulation in town; other compliance and data protection policies also apply to companies dealing with public data.
Assessment of GDPR compliance
There are tools that help in the GDPR assessment process, such as a GDPR checklist for data controllers and a GDPR checklist for data processors. With the help of these tools, companies can assess their compliance with data protection norms in the specific areas of cybersecurity and policy.
With a similar intent, Microsoft has designed an assessment tool to measure what stage your compliance effort has reached and what more you need to do to complete the process.
Key steps to be GDPR compliant
In total, 99 articles form the GDPR and provide a detailed account of the regulation; however, it is practically difficult for every organization to follow the direct prescription of the law. Given the varying nature of companies, there is a general set of guidelines that any type of company can follow.
The ICO has drafted a document advocating 12 general steps that should be taken to achieve GDPR compliance:
1. Ensure that every employee of the organization understands and acknowledges the importance of the GDPR and its compliance requirements.
2. Every source of data should be well documented; to get this right the company must have its internal information audit in place.
3. Make all the necessary changes to the company’s existing privacy policies, if required.
4. Make sure that the rights of individuals are well secured in a commonly used format and that any information is deleted if requested.
5. All the company’s processes should be up to date so that any request made can be attended to in the appropriate time.
6. All processing activity should have a legal basis, which should be well documented and kept up to date so that it can be explained when required.
7. Evaluate the process of how you seek, record and handle consent, and make any changes to it if required.
8. Identify ways to verify individuals’ ages and obtain consent for any data processing activity.
9. A proper process should be in place to detect, report and investigate a personal data breach.
10. Be aware of the timelines for Data Protection Impact Assessments.
11. Appoint a person as DPO who is responsible for data protection compliance.
12. Determine your lead data protection supervisory authority in case the company operates in more than one EU state.
GDPR definitions and responsibilities
There are important terms and responsibilities laid out by the GDPR which companies need to understand if they intend to comply with the upcoming law. Below are the important sections that need to be complied with to align the company’s technologies and strategies.
GDPR data processor and data controller
The GDPR clearly outlines the difference between the data processor and the data controller. The data processor is responsible for processing the data, whereas the data controller is the one who decides the channel and intent of the data usage. Controllers are mandated to use only processors that implement appropriate technical and organizational measures.
DPO (Data Protection Officer)
The GDPR mandates every organization to appoint a person responsible for monitoring all core activities that involve the regular and systematic processing of data subjects' information on a large scale. The prerequisite for the DPO is expert knowledge of data protection law and practices.
Data Protection Impact Assessment
A DPIA (Data Protection Impact Assessment) is a tool used when handling all kinds of sensitive personal data. It helps to understand the possible impact of the processing activities being carried out on the people whose data is being processed.
This is emphasized in Article 35:
"Where a type of processing, in particular, using new technologies and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks."
Right to Use, Alter and Eliminate
The most important task of the GDPR is to provide rights to “data subjects”, the people whose data is being used. According to Article 15, they hold the right to access their data and to request rectification if needed. They can confirm the accuracy of their data and can even raise a request to delete their data.
This is indeed an onerous task because companies must be able to respond promptly to all requests that data subjects make, without delay and within one month at the latest.
Article 20 addresses the right to data portability, which is another ambitious requirement of the GDPR. It gives users the right to obtain a copy of their data and share it with another organization.
The “right to object” is another area where data subjects can exercise their rights at any time while their data is being processed, as stated in Article 21. This may further require changes in the way personal data is collected.
Safeguarding customer information under GDPR
The basic objective of the GDPR is to protect users’ data; however, it is not easy to spell out each and every measure needed to protect it. This is the reason that the main onus lies with companies to act in the best interest of users while handling their data. Prescribing specific security recommendations may not be the best way to protect personal data.
Article 32 of the GDPR states: "In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed."
Encryption and pseudonymization
A myth is spreading that the GDPR requires data encryption; apparently, consultants are pushing sales of encryption products by suggesting that encrypting data will help companies achieve 90% of the GDPR requirements.
In fact, the GDPR does mention the word "encryption", but it appears only four times:
"...implement measures to mitigate those risks, such as encryption."
"...appropriate safeguards, which may include encryption"
"...including inter alia as appropriate: (a) the pseudonymization and encryption of personal data."
"...unintelligible to any person who is not authorized to access it, such as encryption"
The GDPR does not specifically mandate the use of encryption, nor does it advocate what kind of encryption algorithm should be used.
So one should not rely on encryption alone, which clearly does not satisfy many of the security requirements of the GDPR. However, any encryption initiative will certainly use an encryption product that manages the encryption keys used for data encryption, and a cloud encryption gateway to ensure that data sent to the cloud for storage or processing is also encrypted.
The next important strategy is pseudonymization, which means storing customer data in a form that cannot be attributed to an individual. This can be done by splitting the data into several files so that an attacker who gains access to one of them cannot obtain any user’s full information. A few pseudonymization technologies are available in the market, and demand for them is growing for systems such as CRM and other applications.
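As an added illustration (not code from the article), the following Python sketch shows the split described above: direct identifiers go into a separately held identity record, and the working dataset carries only a keyed pseudonym, so a single file never yields a user’s full information. The customer record and the key are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample customer record (not real data).
CUSTOMER = {
    "customer_id": "C-1001",
    "name": "Alice Example",
    "email": "alice@example.org",
    "postcode": "SW1A 1AA",
    "purchases": [{"sku": "BOOK-42", "amount": 19.99}],
}

# Fields that directly identify a person; everything else stays in the
# working dataset used by CRM or analytics.
DIRECT_IDENTIFIERS = ("name", "email", "postcode")


def make_pseudonym(customer_id: str, key: bytes) -> str:
    """Keyed HMAC of the real identifier. Without the key, the pseudonym
    cannot be reversed or linked back to the original id by guessing."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(record: dict, key: bytes) -> tuple[dict, dict]:
    """Split one record into (working_record, identity_record).
    The identity record holds the direct identifiers and should be stored
    separately under stricter access control; the working record is safe
    to hand to systems that do not need to know who the person is."""
    pseudonym = make_pseudonym(record["customer_id"], key)
    identity = {"pseudonym": pseudonym, "customer_id": record["customer_id"]}
    working = {"pseudonym": pseudonym}
    for field, value in record.items():
        if field == "customer_id":
            continue
        if field in DIRECT_IDENTIFIERS:
            identity[field] = value
        else:
            working[field] = value
    return working, identity


def reidentify(working: dict, identity_store: dict) -> dict:
    """Re-join the two halves; only possible with access to the identity store."""
    ident = identity_store[working["pseudonym"]]
    merged = {k: v for k, v in working.items() if k != "pseudonym"}
    merged.update({k: v for k, v in ident.items() if k != "pseudonym"})
    return merged
```

In a real deployment the HMAC key belongs in a key management service, and the identity store should live on a different system from the working dataset.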
Other security checklists
There are checklists which companies can refer to for the different kinds of security measures considered “appropriate to the risk”:
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services that process personal data.
- The ability to restore the availability of and access to data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Data controllers and data processors can adhere to an approved code of conduct and use it to demonstrate compliance.
The relationship between controller and processor should be documented and managed with contracts that mandate privacy obligations. In the end, it is the controller who has to ensure that any processors used (including cloud processors) have suitable privacy capabilities.
Closing steps: Breach notification
Article 33 of the GDPR states that companies should inform the relevant supervisory authority of a personal data breach "without undue delay and, where feasible, it should not take more than 72 hours after the incident comes to notice."
It may sound a little anomalous that, on detecting a breach, the company must announce it.
To reduce the time between breach and detection, companies can follow the points below:
- Use breach detection tools, for example intrusion detection and prevention systems, honeypots, decoy files or other deception technologies.
- Monitor attack campaigns using threat intelligence to find clues that help track any breach.
- Monitor logs and events to detect anomalous behavior.
- Provide staff training on how to detect breaches.
Article 34 of the GDPR mandates companies to inform data subjects without delay that their data has been compromised "when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons."
Fines and penalties
Article 83 of the GDPR provides for severe fines and penalties: companies that are not aligned with the GDPR directives can face hefty fines.
Fines are calculated on the organization's global annual turnover of the preceding financial year: up to 4% or €20 million (whichever is greater) for non-compliance, and 2% or €10 million (whichever is greater) for less serious infringements. The amounts are even larger for big companies with very large global turnovers.