What is GDPR
The past decade has witnessed Internet based services changing the global economy and producing the billion dollar enterprises around the world; but the laws to address concerns around online services have not been up to the speed.
Across EU there is no uniform law to address the fundamental rights of privacy of EU citizens; every member state has their own interpretation and implementation of laws around data protection and privacy.
The existing Directive 95/46/EC was the point of reference for privacy issues and it was released in October’95; apparently the 20 years old directive was not enough to address the current online protection concerns thus there was a need to come up with new mechanism to address 20th centaury online issues.
General Data Protection Regulation (GDPR) was the answer to above concern, the first GDPR text was proposed in 2012, since then it has got huge attention and after multiple round of update the final version was released on 4th May 2016.
From 25th May 2018, the GDPR regulation will come in effect and will be the law across all EU member states.
Why organizations should care
All businesses, which process the Personal Data of EU citizens; irrespective of their physical location will be covered under the new GDPR law. The physical establishment of organization doesn’t matter, the companies which has no office in EU will still have to comply with GDPR.
If the organizations do not comply, the fines are huge enough for smaller organizations to make them bankrupt – the maximum fine amount could be 20 Million Euro or 4% of worldwide turnover.
Steps to comply
Based on the business models organizations will have to decide on their approach towards the journey to compliance. There are few common steps that all organization will have to takes –
Awareness: The decision makers should have clear understanding of what does GDPR means to their organizations. How it affects the business processes and what they need to do in order to ensure compliance.
Map Business Processes: Organizations should have clear understanding on what Personal Data they process. There should be a clear map, document or flow-chart showing the channels of acquiring, processing and destroying the personal data. It’s like life-cycle of data within the organizations control. The process should clearly document who all touches the personal data within the organization and via which medium.
Privacy Impact Assessment: Once the organizations has created awareness among key decision makers and have completed mapping the end-to-end process of Personal Data flow; they should conduct privacy impact assessment in order to identify the gaps within the process and what corrective actions needs to be taken to eliminate them. “Special Data”, should be checked, if being collected – there are different requirements to ensure protection of special data.
Review Current Process and Update : The current process of acquiring the Personal data should be reviewed to ensure that it addresses the requirement listed by GDPR like – Consent; organizations need to review how they are seeking, obtaining and recording the consent as it has to be a clear affirmative action. There may be situations where organization may have to produce that data subject has given the consent.
Access to Data: The data subject or individual may ask organizations to update their personal data record, or delete their personal data. Organizations need to enable process on how individuals may contact organizations and who will address their requests.
Privacy by Design: The security shouldn’t be after thought; it should be part of development life cycle for products and organizational culture for any 20th centaury business. Organizations may have to modify their current process of storing and transferring the personal data. Data in transit must be encrypted and where possible data at rest should also be encrypted.
Data Breach Notification: Organizations should setup a process to identify the breach and notifying the Data protection authorities. There should be a designated person who has authority to notify, as the notification has to be within 72hours of breach identification; and weekend is also covered within in. There can be multi step notification, initial as soon as the breach is identified, and later as more details are revealed.
Training: All employees who deal with personal data should received privacy awareness training. They should have clear understanding of their roles and responsibilities on how they are supposed to handle the “Personal Data” and if they suspect breach who should they contact.
Overall it is going to be significant change for organizations; it would require coordination among various departments within organizations and change in current business processes and solutions. 25th May 2018,when GDPR will come in effect, seems to be far but time will pass quickly and based on the size of organization the process should start sooner than later.