By: Sivarama Krishnan, Leader – Cyber Security, PwC India
On 25 May 2018, the EU General Data Protection Regulation (GDPR) will come into effect. It will usher in a totally new data and privacy protection regime. The GDPR gives regulators unprecedented power to impose fines, requiring large-scale privacy changes across organisations, including India-based companies, if they conduct business in Europe. Because many IT & ITeS, pharma and financial services companies, among others, have increased their presence in the EU market in the last few years, the GDPR assumes tremendous importance.
The crux of the GDPR is to strengthen and unify data protection laws for individuals within the EU as well as address the export of personal data outside the EU. Thus, it protects the misuse of any kind of personal identifiable information (PII) of EU citizens.
The key findings from our Global State of Information Security Survey (GSISS) 2018 highlight that many organisations are not doing all that they can to protect privacy. 
With less than two months remaining for the GDPR to come into force, it is important for organisations to assess their readiness for the new regime and prioritise key areas in order to avoid heavy penalties. We discuss the top 10 priorities that organisations need to focus on:
Spread awareness within the organisation:
- Ensure key stakeholders and decision makers in the organisation are aware of the GDPR and its impact so that resources to be allocated are identified in the right time frame.
- Train staff on key GDPR requirements and issue instructions to them on handling personal data appropriately.
Maintain records of personal data processing activities:
- Conduct data discovery exercises to identify where and how personal data and special categories of personal data, as defined under the GDPR, are processed within the organisation.
- The data discovery exercise can be performed by: (a) conducting interviews with key individuals in business units and functions; (b) running workshops with staff who handle personal data; (c) using self-assessment questionnaires; (d) automated scanning of business applications and technical infrastructure by leveraging existing IT services that may identify personal data or data flows (e.g. e-discovery tools, data classification tools and data loss prevention [DLP] tools)
- Based on the output of the data discovery exercise, maintain records of personal data processing as described under the GDPR depending on whether the organisation is a controller or processor of personal data.
- The organisation shall also look to create and maintain data flow diagrams to supplement the records of processing activities followed.
Determine the legal basis for processing personal and special categories of data in the EU:
- Identify the legal basis for processing personal data for each processing activity and assess its validity. Some examples of ‘lawful basis’ for processing data include:
- Contractual necessity: Personal data may be processed on the basis that such processing is necessary in order to perform or to enter into a contract with the individual.
- Consent: Personal data may be processed on the basis that the individual has consented to such processing. If the organisation uses an individual’s consent as a lawful basis, then the individual will have stronger rights under the GDPR to withdraw that consent.
- Compliance with legal obligations: Personal data may be processed on the basis that the data controller has a legal obligation to perform such processing. Such obligations must be set out in the EU or national law, must meet an objective of public interest and be proportionate.
- If special categories of personal data are processed by the organisation, then it needs to ensure a valid exception that allows the processing of special categories of personal data. Some examples of ‘valid exceptions’ for processing data include:
- the data subject has given explicit consent
- due to an obligation on, or a specific right of, the controller
- the personal data has been clearly made public by the data subject
Create/review privacy notices and consent:
- At the time of collecting the data from the data subject, or when the personal data is not collected directly from the data subject, communicate information about the processing of personal data to the relevant data subjects in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’.
- Privacy notices have to be drafted or updated as per the GDPR requirements to include the range of information that controllers must communicate to data subjects. Some examples are given below:
– the purpose of the processing
– categories of personal data concerned
– recipients or categories of recipients of personal data
– reference to appropriate safeguards if data is going to be transferred to a third country
– period for which data will be stored
– right to lodge a complaint
– source of personal data and, if applicable, whether it came from publicly accessible sources (when data is not directly obtained from individuals)
- Since under the GDPR, consent must be freely given, specific, informed, unambiguous and must be a positive opt-in, permission cannot be assumed as a default. Hence, the organisation shall review how it seeks, records and manages consent to process data and implement mechanisms to obtain and record consent (where applicable) both retrospectively and for new personal data processing activities.
Uphold data subject rights:
- Implement processes and mechanisms to uphold the rights of data subjects by responding to requests appropriately and in a timely manner. The following data subject rights are to be considered to be fulfilled under valid conditions:
- respond to subject access requests
- support rectification of personal data
- apply restrictions on personal data processing
- handle objections to processing of personal data
- enable personal data portability
- erase personal data as requested by data subjects
- investigate objections to automated decision making
Manage privacy incidents:
- Update the existing security incident management processes to cover the identification and initial handling of suspected personal data breaches.
- Use automated security tools to detect suspected data breaches that may involve personal data, for example:
- intrusion detection systems (IDS)
- security information and event management (SIEM)
- Maintain an incident response strategy and identify and plan specific roles for an incident response team to execute the strategy, or an operational incident detection team such as a security operations centre (SOC).
- Under the GDPR, all organisations will have to report specific types of data breaches to the Supervisory Authority and, in some cases, to the individuals affected. Reporting of breaches to individuals is critical in the case of high-risk data where the breach could typically result in discrimination, damage to reputation, financial loss or loss of confidentiality to the individuals affected.
Manage data protection impact assessment (DPIA):
- Define the circumstances under which a DPIA is required as per the GDPR.
- Perform DPIA for any personal data processing likely to pose a high risk to the rights and freedoms of natural persons and managing the potential impact on data subjects from processing such personal data. The DPIA should assess the following:
- necessity and proportionality of the personal data processing
- risks to the rights and freedoms of data subjects (also known as the impact on data subjects)
- measures that will address the risks to the rights and freedoms of data subjects and other persons concerned, including security measures and safeguards for cross-border transfers
Appoint a data protection officer (DPO):
Many organisations will be required to appoint a DPO under the GDPR. This will be essential when an organisation is a public body, is processing operations requiring regular and systematic monitoring, or has large-scale processing activities, or when a member state law specifies the appointment of a DPO.
Meet data transfer requirements:
- Establish a process for managing personal data transfers and adequately protect the rights and freedoms of data subjects when transferring personal data to internal or external parties.
- Perform cross-border transfers of personal data to third countries (either inside or outside the organisation) when the processing is protected by a mechanism recognised by the GDPR, which include:
- adequacy decisions and binding agreements, where the European Commission (the Commission) declares a country’s data protection laws or a binding agreement (e.g. the EU-US Privacy Shield) suitable for transferring personal data (without the need for additional safeguards)
- appropriate safeguards and enforceable legal agreements (e.g. contracts and binding corporate rules) to protect data subjects’ rights and freedoms
- transfers subject to derogations (e.g. gaining explicit consent from a data subject when necessary to perform a contract or protect his/her vital interests)
Establish data processor accountability:
Perform due diligence before establishing a relationship with a third party and ensure contracts with third parties that process personal data, including the following:
- nature and purpose of the processing type of personal data and categories of data subjects,
- contractual assurance of compliance with the company’s privacy policies
- requirement of written approval from the organisation if the third party processor plans to use or further disclose personal data/information
- requirement in the contract that if the processor enlists another third party they are held to the same privacy policies as the company (i.e. controller)
- requirement that data will not be processed unless instructed by the controller
- transfers of data outside of territories approved by the Commission are subject to an approved cross-border mechanism
The date for the implementation of the GDPR is fast approaching. Organisations are advised to consider the above steps in order to ensure their compliance with the data regulation and save themselves from hefty fines and penalties.