Strengthening Privacy Protection with the European General Data Protection Regulation

Abstract

The exponential growth of digital data has led to a substantial increase in data breaches. To meet the privacy concerns of the digital world and place safeguards around personal data, the EU Parliament adopted the General Data Protection Regulation (GDPR) in April 2016. Enterprises can win customer trust if they comply with the practical measures listed in the GDPR.
Introduction

The European Union (EU) parliament adopted the General Data Protection Regulation (GDPR) to address evolving digital privacy challenges, and ensure that organizations collect, process, transfer, store, and dispose of the personal data of EU citizens without infringing upon their individual rights. The ambit of this regulation includes:

- All EU organizations that process the personal data of EU citizens
- Organizations outside the EU that offer goods and services to EU citizens
- Businesses that process personal data by monitoring the behavior of EU citizens

88% of consumers feel that when choosing a company, safeguarding their personal data is more important than product quality (86%) or customer service (82%) [2].

GDPR Timeline

- August 1995: Creation of data protection directive 96/46/EC
- January 2012: Initial proposal for the data protection regulation
- March 2014: Approval of the draft by the European parliament
- June 2015: Shaping of the final stage of the regulation
- April 2016: Adoption by the council of the EU and the EU parliament
- May 2016: Publication in the official journal
- May 2018: Enforcement of GDPR

The Path to Compliance

The GDPR has eight key features with which organizations need to comply.

1. Obtain the consent of data subjects

EU GDPR mandates consent for lawful processing of personal data. Data subjects should give consent freely, either through a statement or a clear affirmative action, and are free to withdraw the same at any time. GDPR prohibits the processing of 'sensitive' personal data, barring a few exceptions. One of the important exceptions is that of 'explicit consent' provided by data subjects. However, the difference between consent and explicit consent has not been clearly articulated in the legal text. In the case of children, consent can only be given by the person holding parental responsibility for the child.
Organizations should:

- Revisit privacy notices to ensure that they are transparent and provide extensive information on processing personal data.
- Review the grounds for processing sensitive personal data and validate whether explicit consent has been obtained for processing sensitive data through clear, unambiguous, and transparent notices.
- Review existing personal data consent mechanisms for children, and implement appropriate technologies or processes.
- Validate whether the legitimacy of processing is in line with GDPR requirements if processing of personal data is not based on consent.

2. Ensure the rights of individuals

The GDPR empowers data subjects by introducing new rights to existing data protection directives, such as:

- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling

Organizations should:

- Comply with each right and respond to a customer's request within a month, failing which they will be liable for fines.
- Review current profiling activities to ensure compliance with regulatory requirements.
- Analyze existing request handling mechanisms, and create processes to deal with requests from data subjects.
- Maintain an inventory of personal data flows to deal with new rights related to erasure and data portability.
- Define and implement retention rules for various data categories.
3. Demonstrate accountability

The onus of demonstrating GDPR compliance and proving it to supervisory authorities upon request will now be on data controllers. In essence, organizations should create a privacy culture and implement appropriate measures to ensure that privacy is all pervasive in the overall IT strategy.

Organizations should:

- Train employees on GDPR obligations.
- Protect personal data with appropriate safeguards, such as encryption, pseudonymization, Data Leakage Prevention (DLP), Information Rights Management (IRM), and Identity and Access Management (IAM).
- Adhere to approved codes of conduct and certification mechanisms.
- Conduct regular privacy audits of third parties processing personal data.
- Assess and modify the existing international data transfer process.

4. Assess data protection impact

Article 35 of the GDPR [3] mandates that organizations should conduct data protection impact assessments that highlight the purpose of processing, data flow analysis, and identified risks and safeguards implemented to protect personal data.

5. Ensure data protection by design & default

Article 25 of the GDPR [4] highlights the concepts of privacy by design and default. Data protection by design requires controllers and processors to embed privacy controls throughout the data lifecycle of new projects and systems. Privacy by default requires data controllers and processors to implement measures that ensure that they only collect, process, and store data that fits the intended purpose. Organizations should, therefore, implement procedures to ensure that, by default, personal data is not made available to an indefinite number of users.

6. Appoint data protection officers (DPOs)

Article 37 of GDPR [5] mandates the appointment of DPOs for public authorities. DPOs will also need to be appointed for controllers or processors involved in:
- Large scale regular and systematic monitoring of data subjects
- Processing sensitive personal data
- Processing data related to criminal conviction and offenses

Organizations should appoint a data protection officer with expert knowledge of data protection laws and practices.

7. Report data breaches

Organizations must report personal data breaches to a supervisory authority, and in some cases, to affected data subjects, within 72 hours of becoming aware of the breach. Controllers should also provide additional information on the nature and consequence of the data breach, categories affected, and measures taken to resolve the issue.

Organizations should:

- Send the data breach report to the supervisory authority.
- Notify affected stakeholders.

8. Avoid sanctions

Organizations found in violation of the new regulation could be charged as much as 4% of their global turnover or 20 million EUR, whichever is higher.

Organizations should:

- Analyze and balance data value and data protection to reduce privacy risk.
- Classify data collected into risk categories.
- Create an overall risk score for systems.
- Invest in data protection technologies.
- Conduct privacy impact assessments and privacy control testing to help identify security gaps and bridge them.
- Consider cyber liability insurance to minimize losses.

Preparing for the New Privacy Regime: Where to Start

The journey towards GDPR compliance should start with a thorough assessment of the current state, existing policies, and processes, along with implemented security measures, to identify gaps with respect to GDPR requirements. Based on these gaps, organizations can prioritize various measures and implement them in a phased manner, and thus comply with the regulation when it comes into force.
This is a framework that organizations can use to build a privacy strategy and ensure GDPR compliance:

- Assess: Assess the current state and existing policies and processes
- Identify: Identify privacy gaps and prioritize the gaps
- Secure: Implement safeguards to secure assets
- Manage: Manage and conduct privacy controls; perform regular testing
- Monitor and Respond: Implement policies, processes, and technologies to continuously detect and respond to threats in time
- Recover: Develop, plan and implement solutions to restore data and services after a data breach

(Figure: A framework to ensure GDPR compliance)

Conclusion

GDPR is the future of data privacy. It shifts the balance of power from data controllers and processors to data subjects by empowering them with greater control over their personal data. Although the road to compliance is challenging, GDPR presents an excellent opportunity for businesses to create customer trust and delight by demonstrating their renewed commitment to securing personal data.

References

[1] The ITRC Data Breach Report (2015), accessed Sep 2016, http://www.idtheftcenter.org/images/breach/databreachreports_2015.pdf
[2] Symantec, State of Privacy Report 2015, accessed Aug 2016, https://www.symantec.com/en/uk/about/news/resources/press_kits/detail.jsp?pkid=state-ofprivacy
[3] Official Journal of the European Union, May 4, 2016, accessed August 2016, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=en
[4] Official Journal of the European Union, May 4, 2016, accessed August 2016, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=en
[5] Official Journal of the European Union, May 4, 2016, accessed August 2016, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=en
About the Authors

Swastik Mukherjee

Swastik Mukherjee is a Data Privacy and Protection Consultant in TCS' Enterprise Security and Risk Management business unit, and helps assess organizational privacy posture across various industries and provides solutions to improve their privacy maturity and compliance.

Siddharth Venkataraman

Siddharth Venkataraman is a Data Privacy and Protection Consultant in TCS' Enterprise Security and Risk Management business unit, and evaluates organizational privacy positions to enhance privacy maturity and compliance capabilities.

About TCS Banking and Financial Services Business Unit

With over four decades of experience in partnering with the world's leading banks and financial institutions, TCS offers a comprehensive portfolio of domain-focused processes, frameworks, and solutions that empower organizations to respond to market changes quickly, manage customer relationships profitably, and stay ahead of competition. Our offerings combine customizable solution accelerators with expertise gained from engaging with global banks, regulatory and development institutions, and diversified and specialty financial institutions. TCS helps leading organizations achieve key operational and strategic objectives across retail and corporate banking, capital markets, market infrastructure, cards, risk management, and treasury. TCS has been ranked No. 1 in the 2016 FinTech Rankings Top 100 of global technology providers to the financial services industry, by both FinTech Forward (a collaboration of American Banker and BAI) and IDC Financial Insights. TCS has also been recognized as a 'Leader' in Everest Group's 2016 PEAK Matrix report for Capital Markets Application Outsourcing and Banking Application Outsourcing.
Contact

Visit the TCS Enterprise Security and Risk Management services unit page for more information. Email: Global.esrm@tcs.com

About Tata Consultancy Services Ltd (TCS)

Tata Consultancy Services is an IT services, consulting and business solutions organization that delivers real results to global business, ensuring a level of certainty no other firm can match. TCS offers a consulting-led, integrated portfolio of IT and IT-enabled, infrastructure, engineering and assurance services. This is delivered through its unique Global Network Delivery Model (TM), recognized as the benchmark of excellence in software development. A part of the Tata Group, India's largest industrial conglomerate, TCS has a global footprint and is listed on the National Stock Exchange and Bombay Stock Exchange in India. For more information, visit us at www.tcs.com

Copyright 2016 Tata Consultancy Services Limited