GDPR

GDPR strategy template and FAQs


Data is the new oil. And the General Data Protection Regulation, or GDPR, is the set of rules that regulates it.

This is a follow-up to my article on GDPR (please see the above link).

Here I talk about the GDPR strategy and present a working template for its implementation. The first of these templates deals with personal data.

1. GDPR and Personal Data

Identify personal data definitions for your business.

a. What kind of personal data are you most likely to collect, for what purpose, and for how long? Remember, personal data is purpose-driven. It's best not to combine the purposes.

b. Identify under which heads you would like to collect this data.

c. Duration of the data collected: for how long is it retained, and how frequently is it updated? There should be a mechanism to update it, and that mechanism must be verifiable.

d. Departments and people who will be gathering and processing this data.

e. Are there any data transformations that will take place? Aggregations and similar processing need to be noted.

2.   Data Processing

a. Data workflow. How does data flow into the system? The objective here is to identify any leakages in the flow of data into the system through human handling, or through any unauthorized person handling personal data. Accidental or intentional data loss is also covered here. Solutions deployed can range from Data Leakage Protection (DLP) solutions to Digital Rights Management and Identity Management (DRM, IM).

b. Data security measures that are in place. Organizations can rely on the ISO/IEC 27000 family of international information security standards to ensure they are up to speed with best information and data safety practices. Like other ISO management system standards, certification to ISO/IEC 27001 is possible but not obligatory.


c. Data handling, intra- and inter-company. Is there an authentication mechanism beyond single sign-on to authenticate inter-company data flow? What safeguards are in place to authenticate third-party data transfers and data connections to the system?

d. Storage. Is there a separate database that stores personal data? How often is it updated? What are the database connections to internal or third-party systems, and what database protection system is in place? Sensitive data stored in databases is typically protected and monitored using Data Masking and Database Activity Monitoring (DAM) solutions. These solutions are good to have.

e. Database backups.

f. Documentation of the data flow and the authentication process.

3.   Information security

4.   Compliance with business partners 

It’s important to note that your GDPR liability does not end with your organization’s compliance. If there is a data transfer to a third party or a business partner, they have to be compliant, too, as you are responsible for the personal data collected. 

5.   GDPR – Culture and Training

GDPR implementation cannot be looked at in isolation. It has to be embedded in the culture of the organization. Therefore, employee training (not only for those processing and handling data) and awareness about data protection become paramount.

6.   Communication

Prepare templates for incident reporting, data breach reporting (to all stakeholders), and data collection and purpose (how and why the data is collected, and to what objective), as well as communication templates for third parties or business partners on GDPR or data protection compliance.

7.   Role of a Data Protection Officer

a. Inform and advise the firm and its employees about their obligations under GDPR and other data protection laws.

b. Ensure and monitor compliance.

c. Foster a compliant data protection culture through proactive employee communication, training, and assessment.

d. Serve as the single point of contact (primary contact) and liaison for all data protection-related matters under GDPR.

e. Take cognizance of any relevant legislation or developments and assess their impact on the business from a data protection perspective.

f. Review the data privacy and security SLAs in supplier, third-party, and data-sharing arrangements.

g. Plan incident management and risk mitigation.

h. Manage data assets. For example, documentary evidence of consent is required under GDPR.

i. Respond to and advise on requests.

GDPR Penalties

GDPR imposes severe fines for infringement of its provisions. An infringement can attract administrative fines of up to 10,000,000 EUR or 2% of the total worldwide turnover of the preceding financial year, whichever is higher. Articles 83 and 84 put this in perspective.

Data Protection in the Indian context

In the Indian context, the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 govern data protection and security.

GDPR and the Indian framework (the IT Act of 2000 and the Security Rules of 2011) are not the same; several aspects differ from the way GDPR operates. For example, controllers and processors as entities, and the hierarchical nature of their roles, are not explicitly defined. But the inspiration behind the Rules of 2011 seems to be in sync with GDPR, to facilitate business with the countries of the European Union and other countries having similar data protection laws.

Conclusion

According to the UN, global e-commerce jumped to $26.7 trillion, largely fuelled by COVID-19. This was a 19% rise from 16% in 2020. Positively correlated with this metric is the concomitant rise in data transfer between servers, which in all probability has increased by a similar magnitude. In the years to come, these transactions are only going to increase. A significant part of the fortunes companies make online is due to their customer intelligence. Thanks to GDPR, you have the right to accept or reject the amount of information you pass on to these companies.

Clearly, data protection laws go beyond just data. There are business dynamics involved. More specifically, the economy of nations and the dynamics of wealth creation are tied up with data. There is an industry around it churning out billions in revenues based on the data we provide. Analytic models and CRM systems, for one, depend on customer data to improve acquisition, engagement, and retention. So, yes, you must have control over the data that you provide.

If data is the new oil, then this is one field that needs to stay protected. Not long ago, data was endangered, but today an increasing number of governments are waking up to the fact that personal data must be protected. 

Needless to say, protection is in our hands, provided there is a framework that respects and enforces privacy, transparency, fairness, and lawfulness.


FAQs

1. What is GDPR?

The General Data Protection Regulation (“GDPR”) is a legal framework that requires businesses/corporations to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states.

2. When was GDPR introduced?

GDPR was put into effect on May 25, 2018.

3. What are the principles of GDPR?

GDPR principles include Lawfulness, Fairness, Transparency, Purpose limitation, Data minimization, Storage limitation, Integrity, and Confidentiality.

4. Who are Controllers?

A Controller is a natural or legal person; it can be a public authority or agency (jointly or with others) that determines the purpose and the means (the why and how) of processing personal data.

5. Who are Processors?

A Processor is a natural or legal person who processes the personal data on behalf of the controller. From a hierarchy point of view, the Controller is responsible for personal data.

6. What is the data minimization principle?

The data minimization principle ensures that the data-collecting organization does not gather data that is divergent from its purpose, i.e., the organization collects only what is sufficient and in line with its purpose.

7. What is the right to be forgotten?

The right to be forgotten allows a person to have their personal data erased and no longer processed in cases where the data is no longer required for the purposes for which it was captured.

8. Within what timeframe must a breach be communicated/reported?

The Controller is expected to address all breaches promptly and must notify the supervisory authority within 72 hours after becoming aware of the breach.

Important GDPR Articles

  1. Article 4 – Definitions
  2. Article 5 – Principles relating to the processing of personal data
  3. Article 6 – Lawfulness of Processing
  4. Article 7 – Conditions for Consent
  5. Article 13 – Information to be provided where personal data are collected from the data subject
  6. Article 15 – Right of access by the data subject
  7. Article 16 – Right to Rectification
  8. Article 17 – Right to be Forgotten
  9. Article 20 – Right to Data Portability
  10. Article 24 – Responsibility of the controller
  11. Article 28 – Processor
  12. Article 33 – Notification of a personal data breach to the supervisory authority
  13. Article 37 – Designation of the Data Protection Officer

Note: This is not an exhaustive piece on GDPR. But it serves as a starting point. Implementations have to be executed through professionals to ensure comprehensive compliance. 

Robin Thomas

Thank you for reading!
