Digital Transformation Blogs - Bigdata, IoT, M2M, Mobility, Cloud

Have you ticked the GDPR boxes?


GDPR is not a mere tick-box exercise for the businesses of today. Being GDPR compliant is not just a matter of fixing the company website; compliance has to be part of the complete organization.

To achieve GDPR compliance, the organization needs to carry out a data audit and understand GDPR terms such as Data Controller, Data Processor and Data Subject. The level of access granted to every team member in each department must be checked. The organization should be aware of the legal and technical implications of GDPR. Its website must carry an up-to-date privacy notice and a cookie policy that users accept. Data processors must ask for approval when they intend to transfer data outside the EU/EEA.

  1. A Data Protection Officer must be appointed.
  2. An adequate process must be followed for processing children's data and secondary data.
  3. The organization must report data breaches that have taken place.
  4. A Data Protection Impact Assessment must be performed and the privacy policy updated. These are some of the steps towards becoming compliant.

GDPR applies to:

The changes apply to all EU citizens, as well as to all businesses and organizations operating within the EU or dealing with the PII of EU residents and citizens.

If you hold any personal data (such as names, addresses, email addresses, or bank details) belonging to an EU citizen, you can be held accountable under these new rules for how you handle this information.

The GDPR effect on businesses:

As a business, the organization is responsible for protecting the PII of customers, employees, and anyone else whose information it holds. Explicit consent from the data owner must be obtained before their data is used in specific ways, especially for marketing purposes. The threat of massive fines or penalties is always on the mind of the Chief Information Security Officer (CISO).

Making website forms GDPR Compliant:

A significant part of GDPR is obtaining valid consent to use personal data. This means that when a visitor fills in a form on your website, you cannot use the data for anything other than the purpose it was collected for. To make the website GDPR compliant, the forms need to be updated so that visitors get the chance to make their preferences known.

The right place to start checking GDPR compliance is a data audit.

  • What data is collected and why is it collected?
  • Where and how is the collected data stored?
  • How do you use the stored data and with whom is it shared?
  • Is any of the stored data held by third parties?
  • Who is responsible for the data and for its processing?
  • Do you have a data retention and data deletion plan in place?
  • Do you have all the technology you need to process the data and manage it correctly?

We must consider the aspects that are covered by GDPR, which are:

  • Legitimate interests
  • Consent
  • Information provisions
  • 3rd party data
  • Legacy data

Companies need to review their risks and mitigate the high risks on the risk register. They should have a data breach mechanism in place and know what to do when they receive an access request.

What organizations need to do to minimize the risks:

  • Create awareness among employees so that they report suspicious emails and do not compromise your network. Make staff aware of information security and its importance.
  • Conduct GDPR awareness training across the organization.
  • Recognize that GDPR is not wholly a technology problem and that it is an ongoing commitment across the whole company.
  • Make staff aware not only of what GDPR is, but also of why they have a responsibility to protect the personal data of customers and other employees.
  • Be mindful of the principle of data minimization: the less data you hold, the lower the risk.
  • Track which employees have access to what information and review access rights regularly.

Another change in GDPR is the 7 major user rights.

These include the following:

  1. The right to be informed,
  2. The right of access,
  3. The right to rectification,
  4. The right to erasure,
  5. The right to restrict processing,
  6. The right to data portability, and
  7. Finally, the right to object.


All data collection points, such as sign-up forms, should be verified to confirm they meet the requirements of GDPR. We must be clear about where and what data is collected, as well as what it is used for.

Pre-ticked boxes should not be used; consent must be an affirmative opt-in.

When collecting data, organizations must have mechanisms in place to record when and how consent was obtained and precisely who was informed at the time.

Make it easy for individuals to access their data and to update or rectify it when required; check that only the minimum necessary amount of data is collected, and delete records once the data has served its purpose.

Data subjects should have appropriate means to refresh consent at specific intervals.

Data subjects must be provided with a privacy policy/notice. Check whether you need to carry out a Data Privacy Impact Assessment to fully understand and document all your data processes and policies.

If you are profiling individuals via an automated decision-making process, check that you have obtained explicit consent via an unticked opt-in with clear copy explaining the implications.
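The form guidance above (unticked boxes, one purpose per box, a record of when and how consent was obtained, and a separate explicit opt-in for automated profiling) can be enforced in code rather than left to a manual check. The following JavaScript is an added example written for this post, not code from the original article or from any product it mentions. The purpose names, form field names (`consent_marketing`, `consent_profiling`, `consent_all`, `privacy_notice_version`), the form id and the sample submission are all assumptions constructed for the example.

```javascript
// Added example: consent checkbox rendering, a template lint for pre-ticked boxes,
// and an auditable consent record built from a submitted form.
// All field and purpose names below are assumptions made for this example.

const CONSENT_PURPOSES = {
  // One checkbox per purpose: consent is never bundled across purposes.
  marketing: {
    field: "consent_marketing",
    label: "Send me marketing emails",
    implications: "",
  },
  // Automated profiling gets its own box and clear copy explaining the implications.
  profiling: {
    field: "consent_profiling",
    label: "Use my data for automated profiling",
    implications: "Decisions about which offers you receive may be made automatically.",
  },
};

// Render a consent checkbox: unchecked by default, with an explicit "yes" value that
// the browser only submits when the visitor actually ticks the box.
function renderConsentCheckbox(purpose) {
  const cfg = CONSENT_PURPOSES[purpose];
  if (!cfg) throw new Error(`unknown consent purpose: ${purpose}`);
  const note = cfg.implications ? ` <small>${cfg.implications}</small>` : "";
  return `<label><input type="checkbox" name="${cfg.field}" value="yes"> ${cfg.label}${note}</label>`;
}

// Lint form markup for consent checkboxes that carry a "checked" attribute (pre-ticked).
// Returns the offending field names; an empty array means the template is clean.
function findPreTickedConsentBoxes(html) {
  const consentFields = new Set(Object.values(CONSENT_PURPOSES).map((c) => c.field));
  const offenders = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const name = (tag.match(/\bname="([^"]*)"/i) || [])[1];
    if (consentFields.has(name) && /\bchecked\b/i.test(tag)) offenders.push(name);
  }
  return offenders;
}

// Interpret a parsed form body (field name -> string). Only the literal "yes" counts as
// an affirmative act; a missing field, "on" from a value-less box, or anything else is "no".
function consentGiven(fields, purpose) {
  return fields[CONSENT_PURPOSES[purpose].field] === "yes";
}

// Build the record that later answers "when and how did we get consent, and what was the
// subject told". `meta.now` is injected so the record is reproducible in tests.
function buildConsentRecord(fields, meta) {
  const errors = [];
  if (!fields.privacy_notice_version) {
    errors.push("privacy_notice_version missing: cannot prove which notice the subject saw");
  }
  if ("consent_all" in fields) {
    errors.push("bundled consent_all is not valid: consent must be given per purpose");
  }
  if (errors.length > 0) return { ok: false, errors };

  const purposes = {};
  const statements = {};
  for (const [name, cfg] of Object.entries(CONSENT_PURPOSES)) {
    purposes[name] = consentGiven(fields, name);
    statements[name] = cfg.label + (cfg.implications ? ` (${cfg.implications})` : "");
  }
  return {
    ok: true,
    record: {
      subjectId: meta.subjectId,
      obtainedAt: meta.now.toISOString(), // when
      method: "web-form",                 // how
      formId: meta.formId,
      noticeVersion: fields.privacy_notice_version, // what the subject was shown
      statements,                                   // exact wording beside each box
      purposes,                                     // per-purpose yes/no
    },
  };
}

// Gate a processing activity on the recorded consent for that specific purpose only.
function mayProcess(record, purpose) {
  return record.purposes[purpose] === true;
}

// Constructed sample submission: the visitor ticked marketing only.
const SAMPLE_FIELDS = { consent_marketing: "yes", privacy_notice_version: "2018-05" };
const SAMPLE_META = {
  subjectId: "subject-123",
  formId: "newsletter-signup",
  now: new Date("2018-05-25T09:00:00Z"),
};
const SAMPLE_RESULT = buildConsentRecord(SAMPLE_FIELDS, SAMPLE_META);
console.log(JSON.stringify(SAMPLE_RESULT, null, 2));
```

The server-side check deliberately ignores anything but the literal `"yes"`, so a form that sends a checkbox's default `"on"` value, or a client that omits the field, is treated as no consent. Run `findPreTickedConsentBoxes` over your templates in CI to catch a `checked` attribute slipping back in, and store the returned record alongside the subject's data so the consent can be shown, refreshed or withdrawn later.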

What does the GDPR say about the checkboxes?

GDPR Recital 32 states the following:

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral report. Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple uses, permission should be given for all of them.”
