MIND THE GAP - GDPR AHEAD
The regulatory environment is becoming increasingly complex as new regulations are introduced across the world. Of late there has been renewed focus on strengthening regulations around data, reporting and cyber security. One of the most significant regulations affecting every company that holds European citizens' personal data is the EU General Data Protection Regulation (EU GDPR), which comes into effect in May 2018.
The GDPR, adopted in May 2016, imposes a radically tougher data protection regulatory framework across the EU over the processing of personal data. It covers every processing operation that can be performed on personal data, irrespective of whether it is undertaken by automated or non-automated means and whether it is done actively or passively.
It defines the increased rights of EU citizens (also known as Data Subjects) around the privacy and protection of their personal data. The regulation also specifies the increased responsibilities of any organisation or individual responsible (also known as a Data Controller) for the storage and processing of EU citizens' personal data while hiring, buying, selling, surveying, marketing, etc. Controllers have to stick to the purpose for which they acquired the data; minimise the amount of data held; keep it accurate, up to date, secure and confidential at all times; and delete or destroy it once the purpose for which it was obtained or created is fulfilled, or once consent to use the data has been withdrawn. Failure to comply with this regulation can result in fines of up to 4% of global revenue.
At a high level, the GDPR and its key focus areas can be summarised as follows:
- Personal data assessment
- Organisational data classification
- Compliant data identification
2. Protect Personally Identifiable Information
- Protect data in use, in transit and at rest
- Ensure 'privacy by design': rethink the way PII, PHI, ePHI and PCI data is handled
- Address the requirements of GDPR compliance in a methodical and modular fashion
3. Data Protection Officer
- Appoint a Data Protection Officer (DPO) at controller/processor level
4. Enable the right to be forgotten
- Erase data once its purpose is completed and cease its dissemination
- Develop an interoperable format that enables data portability
5. Notify breaches within 72 hours
- Data breach notification within 72 hours
- Data Protection Impact Assessments (DPIA)
- When high risks are identified, the regulator expects the organisation to formulate measures to address them.
Below are four key building blocks and GDPR-impacted solution tenets for any data-driven organisation.
According to a recent global survey, over 90% of organisations believe that the GDPR will impact the way they collect, use and process personal data. Just 46% of organisations are highly confident that they will be ready by the implementation date and, most importantly, 88% highlighted that the GDPR has exposed holes in their IT architecture; they consider this an opportunity to overcome some of their technological challenges and expect it to contribute towards their IT transformation programmes.
In summary, companies are finding it difficult to find the right path for fulfilling complex regulatory demands such as the GDPR while in parallel managing the data deluge and technology disruption. They are looking for help in driving efficient risk management across the value chain of their business landscape and in continuing to move up the technology maturity continuum.
In my next article, I would like to focus more on how we address this regulatory compliance and, most importantly, how companies can bring synergy within their organisation to minimise their efforts and maximise value creation. Stay tuned.