We are living in a digital world where a staggering number of data breaches have resulted in the theft of personal data of end users across a broad spectrum of sectors, such as financial, health care and media. The growing adoption of the cloud, mobile devices and social media has resulted in an increase in incidents related to the theft of personal data.
As organizations begin the scramble to comply with the European Union (EU) General Data Protection Regulation (GDPR), there is a dire need to understand its scope and the privacy requirements mentioned in the standard. The regulation is applicable to all organizations that store, process and transmit any personal data related to an EU resident. The GDPR will replace Directive 95/46/EC, which has been the basis of European data protection law since it was introduced in 1995. The regulation will apply to even those organizations that may not have a presence in the EU, but are processing or accessing the personal data of EU data subjects.
There are an overwhelming amount of privacy requirements that an organization has to consider to enhance its privacy management program, mitigate privacy risk and demonstrate adherence to the GDPR. The following should be considered when developing policy to comply with the privacy requirements of the GDPR program:
- Organizations must have commitment and support from the leadership and a consensus to successfully implement the GDPR compliance.
- Conduct an awareness campaign so that everyone understands the seriousness and importance of the new privacy law, which will be become enforceable in May 2018.
- Resources and budget will be required to develop the complete roadmap to achieve compliance with the GDPR.
- Noncompliance with the GDPR results in enormous fines for both the data controller and the data processor.
- There are strict conditions for privacy notices and obtaining consent.
- Pseudonymisation of data, which involves processing personal data without identification of the subject, is necessary.
- Understand and implement the new privacy requirements, such as privacy by design, right to erasure, right to portability, mandatory privacy impact assessments, data breach notification and appointment of a data protection officer (DPO).
- There are enhanced obligations for data processors.
It is imperative for organizations to proactively determine their current state of data protection and benchmark it with GDPR requirements to understand whether they are GDPR compliant and identify which gaps must be filled. To bring themselves in line with the GDPR, companies both inside and outside the EU will be required to consider the changes required in the way they interact with customers and the transfer of data. It also means organizations have to invest more on the tools and technologies required to ensure adherence to stringent privacy requirements of GDPR.
Tarun Verma is a senior consultant with Infosys-Information and Cyber Risk Management (iCRM) practice. He has experience in the domains of security governance, IT risk management, regulatory compliances, privacy, cyber security and cloud security. He is responsible for delivering governance, risk and compliance consulting and advisory services to Fortune 500 clients.