With merely a little more than a month left for the European Union (EU) General Data Protection Regulation (GDPR) to come into effect, it is high time for Indian organisations to look at ways that help them comply with the regulation in the shortest possible time. Many Indian Information Technology & ITeS, pharmaceutical and financial services firms have presence in the EU market. They need to take the speedy lane to comply with the GDPR to avoid fines which regulators will be entitled to as per the unprecedented powers provided to them.
The crux of the GDPR is to strengthen and unify data protection laws for individuals within the EU and address the export of personal data outside the European Union. Thus, it protects the misuse of any kind of personal identifiable information (PII) of EU citizens.
The PwC’s third GDPR pulse survey finds that one-quarter (28 percent) say their organisations have only started operationalising preparations and just about one in 10 say they have finished that work.
Here are the top 10 priorities that organisations need to focus on for speedy compliance:
1) Spread awareness within the organisation The first step in embracing the GDPR is to ensure key stakeholders and decision makers in the organisation are aware of the GDPR and its impact so that resources to be allocated are identified in the right time frame. Organisations are required to train staff on key GDPR requirements and at the same need to issue instructions to them on handling personal data appropriately.
2) Maintain records of personal data processing activities:
Organisations should conduct data discovery exercises to identify where and how personal data and special categories of personal data, as defined under the GDPR, are processed within the organisation.
The data discovery exercise can be performed by:
-- Conducting interviews with key individuals in business units and functions
-- Running workshops with staff who handlepersonal data
-- Using self-assessment questionnaires
-- Automated scanning of business applications and technical infrastructure by leveraging existing IT services that may identify personal data or data flows (e.g. e-discovery tools, data classification tools and data loss prevention [DLP] tools)
Based on the output of the data discovery exercise, organisations need to maintain records of personal data processing as described under the GDPR depending on whether the organisation is a controller or processor of personal data. The organisation shall also look to create and maintain data flow diagrams to supplement the records of processing activities followed.
3) Determine the legal basis for processing personal and special categories of data in the EU:
Organisations should identify the legal basis for processing personal data for each processing activity and assess its validity.
If special categories of personal data are processed by the organisation, then it needs to ensure a valid exception that allows the processing of special categories of personal data. Some examples of ‘valid exceptions’ for processing data include:
-- The data subject has given explicit consent
-- Due to an obligation on, or a specific right of, the controller
-- The personal data has been clearly made public by the data subject
4. Create/review privacy notices and consent:
At the time of collecting the data from the data subject, or when the personal data is not collected directly from the data subject, communicate information about the processing of personal data to the relevant data subjects in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’.
Privacy notices have to be drafted or updated as per the GDPR requirements to include the range of information that controllers must communicate to data subjects.
Since under the GDPR, consent must be freely given, specific, informed and unambiguous, the organisation shall review how it seeks, records and manages consent to process data and implement mechanisms to obtain and record consent (where applicable) both retrospectively and for new personal data processing activities.
5. Uphold data subject rights:
Organisations must implement processes and mechanisms to uphold the rights of data subjects (individuals) by responding to requests appropriately and in a timely manner. The following data subject rights are to be considered to be fulfilled under valid conditions:
-- Respond to subject access requests
-- Support rectification of personal data
-- Handle objections to processing of personal data
-- Enable personal data portability
-- Erase personal data as requested by data subjects
-- Investigate objections to automated decision making
6. Manage privacy incidents:
In order to comply with the GDPR, it is important for organisation to update the existing security incident management processes to cover the identification and initial handling of suspected personal data breaches.
They also need to use automated security tools to detect suspected data breaches that may involve personal data, for example:
-- Intrusion detection systems (IDS)
-- Security information and event management (SIEM)
Besides, they need to maintain an incident response strategy and identify and plan specific roles for an incident response team to execute the strategy, or an operational incident detection team such as a security operations centre (SOC).
Under the GDPR, all organisations will have to report specific types of data breaches to the Supervisory Authority and, in some cases, to the individuals affected. Reporting of breaches to individuals is critical in the case of high-risk data where the breach could typically result in discrimination, damage to reputation, financial loss or loss of confidentiality to the individuals affected.
7. Manage data protection impact assessment (DPIA):
Organisations need to define the circumstances under which a DPIA is required as per the GDPR. They need to perform DPIA for any personal data processing likely to pose a high risk to the rights and freedoms of natural persons and managing the potential impact on data subjects from processing such personal data. The DPIA should assess the following:
-- Necessity and proportionality of the personal data processing
-- Risks to the rights and freedoms of data subjects (also known as the impact on data subjects)
-- Measures that will address the risks to the rights and freedoms of data subjects and other persons concerned, including security measures and safeguards for cross-border transfers
8. Appoint a data protection officer (DPO)
Like the CIO or CISO, many organisations will be required to appoint a DPO under the GDPR. This will be essential when an organisation is a public body, is processing operations requiring regular and systematic monitoring, or has large-scale processing activities, or when a member state law specifies the appointment of a DPO.
9. Meet data transfer requirements:
Organisations have to establish a process for managing personal data transfers and adequately protect the rights and freedoms of data subjects when transferring personal data to internal or external parties. They can perform cross-border transfers of personal data to third countries (either inside or outside the organisation) only when the processing is protected by a mechanism recognised by the GDPR.
10. Establish data processor accountability:
The GDPR requires organisations to perform due diligence before establishing a relationship with a third party and ensure contracts with them to process personal data, including the following:
-- Nature and purpose of the processing type of personal data and categories of data subjects,
-- Contractual assurance of compliance with the company’s privacy policies
-- Requirement of written approval from the organisation if the third party processor plans to use or further disclose personal data/information
-- Requirement in the contract that if the processor enlists another third party they are held to the same privacy policies as the company (i.e. controller)
-- Requirement that data will not be processed unless instructed by the controller
-- Transfers of data outside of territories approved by the Commission are subject to an approved cross-border mechanism
Organisations are advised to consider the above steps in order to ensure their compliance with the data regulation and save themselves from hefty fines and penalties.
The author is Leader – Cyber Security, PwC India