21 October 2019

SECURITY GYAN Bytes : October 2020 : 21st October 2019

Privacy is one of the top concerns around the world for organizations and
governments. New regulations are appearing all over the world, such as GDPR, CCPA and
the draft Indian Data Protection Act, all intended to ensure that the privacy of data is
enforced and that organizations are held accountable.
GDPR is a very comprehensive privacy law, and most other new laws are modelled
on it in their own way. This article details various aspects of GDPR and
what organizations need to take care of in order to comply with it.
Please remember that GDPR is not a nice-to-have like the various ISO
certifications; it is a law and must be adhered to.
What is GDPR
The past decade has witnessed Internet-based services changing the global
economy and producing billion-dollar enterprises around the world, but the
laws to address concerns around online services have not been up to the
Before GDPR there was no uniform law across the EU to address the fundamental
privacy rights of EU citizens; every member state had its own interpretation
and implementation of laws around data protection and privacy.
The Directive 95/46/EC was the point of reference for privacy issues; it was
released in October 1995, and a 20-year-old directive was evidently not enough to
address current online protection concerns, so a new mechanism was needed to
address the gaps in its legacy provisions.
The General Data Protection Regulation (GDPR) was the answer to this concern.
The first GDPR text was proposed in 2012; since then it has received huge attention,
and after multiple rounds of updates the final version was released on 4th May
From 25th May 2018 the GDPR came into effect and became the
uniform law across all EU member states.
Why organizations should care
All businesses that process the Personal Data of EU citizens, irrespective of
their physical location, are covered under the GDPR. The physical
establishment of the organization does not matter: companies with no
office in the EU still have to comply with GDPR.
If an organization does not comply, the fines are large enough to bankrupt a
smaller organization; the maximum fine could be 20
Million Euro or 4% of worldwide turnover.
Steps to comply
Based on their business model, organizations will have to decide on their
approach to the journey to compliance. You will certainly need a privacy expert
to manage GDPR, but here are some very basic and common steps that
all organizations will have to take:
Awareness: The decision makers should have a clear understanding of what
GDPR means to their organization, how it affects the business
processes and what they need to do to ensure compliance.
Map Business Processes: Organizations should have a clear understanding
of what Personal Data they process. There should be a clear map, document
or flow-chart showing the channels through which personal data is acquired,
processed and destroyed: in effect the lifecycle of data within the organization's
control. The process should clearly document everyone who touches the personal
data within the organization and via which medium. Organizations must also have
data retention and deletion policies: don't retain data beyond the point at which
it is required.
Privacy Impact Assessment: Once the organization has created
awareness among key decision makers and has completed mapping the end-
to-end flow of Personal Data, it should conduct a privacy impact
assessment to identify the gaps within the process and the corrective
actions needed to eliminate them. Check whether "Special Data" is being
collected; there are different requirements to ensure the
protection of special data.
Review Current Process and Update: The current process for acquiring
Personal Data should be reviewed to ensure that it addresses the
requirements listed by GDPR, such as consent: organizations need to review how
they seek, obtain and record consent, as it has to be a clear
affirmative action. There may be situations where an organization has to
produce evidence that the data subject gave consent.
Access to Data: Subject Access Requests (SARs) are the process by which data
subjects (individuals) may ask organizations to update or delete their personal
data records. Organizations need to establish a process for how individuals may
contact them and who will address their requests.
Organizations are required to respond to any SAR within a defined period.
Privacy by Design: GDPR demands that privacy is embedded within the
product and not bolted on as an afterthought. Privacy by design is a concept that
developers need to adopt during the design phase of any new
product or application. It is the most overlooked requirement of GDPR; you may
find more details on this subject here -
Data Breach Notification: Organizations should set up a process for identifying
a breach and notifying the Data Protection Authorities. There should be a
designated person with the authority to notify, as the notification must be
made within 72 hours of identifying the breach, and weekends count towards that period.
Notification can be done in multiple steps: an initial notification as soon as the
breach is identified, and further notifications later as more details are revealed.
Please remember that even if you have millions of customers, you are required to
notify each customer depending on the kind of data breach, and the cost of managing
such notifications has forced organizations to file for bankruptcy.
Training: All employees who deal with personal data should receive privacy
awareness training. They should have a clear understanding of their roles and
responsibilities, how they are supposed to handle Personal Data, and whom
they should contact if they suspect a breach.
Overall, this is a significant change for organizations that have not taken care of
privacy previously; it requires coordination among various departments
within the organization and changes to current business processes and solutions.