GDPR Compliance - A Move towards championing the right to privacy
- April 18, 2019
- Compliance, Consulting, Shield
- Pratik Mehta
Introduction to GDPR
European Union has introduced GDPR Regulation to protect the fundamental right to privacy for every EU citizen. In simple words, the data subject (EU citizen) will be made aware of on the 5 ‘W’s’ of When, Where, What, Who, Why and also the ‘H’ for ‘How’ their personal data is being used, processed, stored and disposed.
GDPR extends and transcends beyond the EU - meaning any collection / usage of anEU citizen’s personal data handled outside of the union by any entity has to adhere to GDPR. GDPR regulation has been in effect since 25th May 2018 and hence any organisation that works with EU citizen’s personal data in any manner, irrespective of location, is under the obligation to protect the personal data.
So that brings us to two basic words that covers the whole GDPR
- Personal Data
- Protect
Inclusions in "Personal Data"
The ambit of ‘personal data’ now extends to physical, physiological, genetic, mental, economic, cultural or social identity of a person.
'Protect'
Besides confidentiality, the ambit of ‘Protection’ now extends to maintaining privacy of personal data.
The regulation outlines the various principles based on which personal data can be collected, stored, used and retained. The application of these principles provides for many things in relation to upholding a citizen’s right to privacy
- Protect from unlawful access
- Report breach
- Allows citizen to access what data about them has been collected and used.
- Allows citizen to correct the data about them
- Honour their request of not to use their data for marketing
- Honour their request to permanently delete data or transfer their data to another service provider
- And above all most importantly, obtain their consent to store, process or transmit or transfer their data
Important Questions that GDPR requires us to ANSWER
- Are we storing personal data?
- If Yes WHERE are we storing personal data?
- For WHAT is that data being used ?
- WHEN do we use it ?
- WHY do we need it?
- WHO all in the company internally/externally has access to the data?
- HOW long do we retain it?
- Did we get consent from the data subject for dealing with their personal data?
- Have we clearly communicated to Data Subjects that we are storing this data?
- Do we give them a clear choice to opt in or out at any time?
- Can any of it be eliminated?
- Do we audit access to this data?
- Do we encrypt/ mask any of the personal data
- Do users have an easy way to access, correct, copy or get it deleted ?
Key players in GDPR
An Individual person who is the subject of personal data
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determine the purpose and means of the processing of personal data.
A natural or legal person, public authority, agency or other body which process personal data on behalf of the controller
A natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data
Independent public authority which is established by a member state to monitor consistent application of the laws
GDPR Responsibility Matrix
Stakeholders to be involved
- Marketing and Sales Team
- Product Engineering & Product Management Team
- Legal, Privacy and Compliance Team
- Senior Management & Board
Checklist to make your company GDPR Compliance ready
- Raise awareness on GDPR and establish a dedicated GDPR internal implementation team
- Review current data security and privacy processes in place & where applicable, revise the contracts with third parties & customers to meet the requirements of GDPR
- Scope exercise to identify Personally Identifiable Information (PII) that is being collected
- Analyse the end to end methods on how the information is being collected, processed, stored, retained and deleted.
- Assess the third parties with whom you disclose customer data
- Establish and Conduct Privacy Impact Assessment (PIA)
- Create processes for data breach notification activities
- Establish procedures to respond to data subjects when they exercise their rights
- Continuous employee awareness is vital to ensure continual compliance to the GDPR
Crossbow Labs Approach to Managing Privacy of Personal Data
At CBL, we believe in having a holistic approach towards regulatory compliance.
Our approach is a 5 step readiness program to bring organisation’s up to speed with the regulatory requirements of GDPR
Step 1 : Provide GDPR awareness session
- To set the context of this regulation
- To provide insights on the nitty-gritty of the regulation that are specific to the organisation’s service / product.
Step 2 : Conduct a Data Inventory Audit
- To identify the lifecycle of personally identifiable data within the organisation
Step 3: Conduct a GDPR Assessment
- Conduct walkthroughs, stakeholder interviews and review existing set up to identify GDPR touch points.
Step 4 : Provide GDPR Implementation Assistance
- Provide assistance with designing data protection policy, consent policy, subject access request policy, privacy notice and related procedures and forms.
- Provide assistance with setting up Data Protection Office, Data breach incident management desk and Consent management desk along with related workflows.
Step 5 : Conduct Data Protection Impact Assessment
- Conduct a post implementation audit to assess the level of implementation and the organisation’s readiness to respond to privacy related queries.
