The Europe-wide data protection regulation was adopted by the EU Council and Parliament in April 2016. All organizations within the EU must comply with the legislation by May 2018. This article describes some key challenges enterprises face in complying with the GDPR (General Data Protection Regulation) by May 2018.
Every organization that falls under the purview of GDPR needs to allocate additional funds to comply with GDPR by May 2018. This is additional IT spending, and CIOs need to revisit their IT spending strategies for the coming years to ensure that their enterprise complies with GDPR. The cost covers the privacy impact assessment, the implementation phase, and a post-implementation review to confirm that the implemented controls are working adequately. Large-scale enterprises must appoint a Data Privacy Officer (DPO), and any organization must appoint a DPO if it processes personal data related to criminal convictions and offenses.
Traditionally, legacy systems have been used to process critical business data in the Financial, Insurance and Healthcare sectors. With business growth, the volume of data may have increased many times over, and the number of external interface connections to third-party vendors, federal governments, regulators and trusted business partners may have grown to support that growth and meet compliance obligations. It is important that the organization has accurate end-to-end data flow diagrams to track data movement. If data tracking or data flow diagrams covering all interface connections and data movement are not available, the organization needs to reverse-engineer them, using available tools or consultants, to produce end-to-end business process documents and data flow diagrams. Once this discovery phase is complete, the enterprise must perform a Risk Assessment to identify the critical applications in which PII is processed and rank those applications by risk level, then define controls to mitigate the gaps identified during the data privacy assessment.
Every organization that falls under the purview of GDPR needs to enhance its current data governance framework to meet GDPR compliance. This framework basically contains the policies, procedures, roles and responsibilities, monitoring mechanisms and accountability for each line of business.
The enterprise must perform a Privacy Impact Assessment and implement privacy by design, so that data privacy offenses are identified and automatic alerts are raised for any data security violation involving PII. Accordingly, the existing processes for processing, storing, transmitting and destroying PII must be changed in the current IT infrastructure.
The current IT infrastructure must be changed to accommodate customer data portability to another enterprise within the EU. Furthermore, additional customer features need to be added to the existing infrastructure, such as the right to view data, the right to rectify data, and the right to be forgotten (erasure of the data) when the data retention period has ended or when the data no longer needs to be processed.
The IT infrastructure needs to be enhanced to detect data breaches and raise alerts for them, and to build incident management and recovery capabilities that meet GDPR requirements. The data backup and recovery processes also need to be enhanced to meet compliance.
The access control lists must be reviewed again to ensure that only authorized users have access to PII, based on a business 'Need to Know' or Least Privilege basis to perform their job function. It is the enterprise's responsibility to prevent unauthorized access during PII processing, storage, and transmission. Only authorized staff members should deploy code into live environments. It is also the enterprise's responsibility to give a customer access to view, modify or erase their data as circumstances require. The Privileged Access Management and Identity and Access Management governance frameworks need to be enhanced to meet compliance.
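An access review of the kind described above can be scripted so that it is repeatable rather than a one-off spreadsheet exercise. The following is an added example, not code from the original article or from TCS: the need-to-know matrix, the entitlement export rows and the resource names are all constructed sample data, and the review logic is one hypothetical way to find grants that exceed a role's business need.

```python
"""Least-privilege review of entitlements to PII-bearing resources.

Added example, not part of the original article.  The need-to-know
matrix and the entitlement rows are constructed sample data.
"""
from collections import defaultdict

# Constructed need-to-know matrix: which job role may hold which
# permission on which resource.  Any grant not covered here is excess
# and goes to the review queue for revocation or justification.
NEED_TO_KNOW = {
    ("claims_handler", "claims_db.customer"): {"read"},
    ("claims_handler", "claims_db.policy"): {"read", "write"},
    ("customer_service", "crm.contact"): {"read", "write"},
    ("release_engineer", "prod_deploy"): {"execute"},
    ("dba", "claims_db.customer"): {"read", "write", "admin"},
}

# Constructed entitlement export: (user, role, resource, permission).
GRANTS = [
    ("alice", "claims_handler", "claims_db.customer", "read"),
    ("alice", "claims_handler", "claims_db.customer", "write"),   # exceeds role
    ("bob", "customer_service", "crm.contact", "read"),
    ("bob", "customer_service", "prod_deploy", "execute"),       # not a release engineer
    ("carol", "release_engineer", "prod_deploy", "execute"),
    ("dave", "dba", "claims_db.customer", "admin"),
    ("erin", "contractor", "claims_db.policy", "read"),          # role has no PII need
]


def review_grants(grants, matrix):
    """Return the grants that the need-to-know matrix does not justify.

    Each finding is (user, role, resource, permission, reason).
    """
    findings = []
    for user, role, resource, perm in grants:
        allowed = matrix.get((role, resource))
        if allowed is None:
            findings.append((user, role, resource, perm,
                             "role has no need-to-know for this resource"))
        elif perm not in allowed:
            findings.append((user, role, resource, perm,
                             f"permission exceeds allowed set {sorted(allowed)}"))
    return findings


def who_can_access(grants, resource):
    """Map each user holding any permission on `resource` to their permissions.

    Useful as the evidence list for a PII resource during the review.
    """
    holders = defaultdict(set)
    for user, _role, res, perm in grants:
        if res == resource:
            holders[user].add(perm)
    return dict(holders)


if __name__ == "__main__":
    for finding in review_grants(GRANTS, NEED_TO_KNOW):
        print("REVIEW:", *finding)
    print("claims_db.customer holders:", who_can_access(GRANTS, "claims_db.customer"))
```

The matrix is deliberately a denylist-by-omission: a role/resource pair that nobody has documented as a business need is reported, which is the direction a least-privilege review should err in.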
The data dictionary represents the current physical data model and is one of the key elements of a data privacy assessment. In some cases, the same data element may have different column names (such as Customer Name, Cust Name, Customer, etc.) in several databases. The enterprise may have deployed database servers at different locations and stored data on several technical platforms such as Oracle, DB2, SQL Server, hierarchical databases and sequential files. Aggregating the different data elements from several database servers and sequential files is a major challenge for GDPR implementation, because each data flow in multiple applications must be addressed. Without a consolidated data dictionary, developing a centralized dictionary and tracking both inbound and outbound data flows across the enterprise is a huge task. In general, keeping the data dictionary accurate is an ongoing effort: it must be updated whenever a data element is added to, modified in, or decommissioned from a system.
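The synonym problem described above (Customer Name, CUST_NM, CustomerName and Customer all meaning the same element) is the first thing a consolidation script has to solve before PII can be located. The following is an added example, not code from the original article or from TCS: the schema export rows, the token alias table and the canonical element catalogue are constructed sample data, and the normalization rules are a hypothetical approach that a real programme would extend with its own alias list.

```python
"""Consolidate column names from several platforms into one data dictionary.

Added example, not part of the original article.  Schema exports, alias
table and canonical catalogue below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed token-level aliases seen in legacy schemas.
TOKEN_ALIASES = {
    "cust": "customer", "nm": "name", "dob": "birth_date",
    "addr": "address", "tel": "phone", "phn": "phone",
}

# Constructed canonical catalogue: element name -> is it PII?
CANONICAL = {
    "customer_name": True,
    "customer_birth_date": True,
    "customer_address": True,
    "customer_phone": True,
    "policy_number": False,
}

# Constructed explicit overrides for names that token expansion cannot resolve.
EXPLICIT = {"customer": "customer_name", "cname": "customer_name", "polno": "policy_number"}

# Constructed schema exports: (platform, database, table or file, column).
SCHEMA_EXPORTS = [
    ("Oracle", "CLAIMS", "CUSTOMER", "CUST_NM"),
    ("Oracle", "CLAIMS", "CUSTOMER", "DOB"),
    ("DB2", "POLICY", "POLHOLDER", "Customer Name"),
    ("DB2", "POLICY", "POLHOLDER", "POLNO"),
    ("SQLServer", "CRM", "Contact", "CustomerName"),
    ("SQLServer", "CRM", "Contact", "Tel"),
    ("IMS", "BILLING", "SEGMENT1", "Customer"),
    ("Flat file", "NIGHTLY_EXTRACT", "cust.dat", "ADDR"),
    ("Flat file", "NIGHTLY_EXTRACT", "cust.dat", "ClaimAmt"),
]


def canonical_element(column):
    """Map a raw column name to a canonical element, or None if unresolved."""
    # Split camelCase, then lowercase and tokenize on non-alphanumerics.
    snake = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", column.strip())
    tokens = [t for t in re.split(r"[^A-Za-z0-9]+", snake.lower()) if t]
    expanded = []
    for tok in tokens:
        expanded.extend(TOKEN_ALIASES.get(tok, tok).split("_"))
    key = "_".join(expanded)
    # Try the expanded key, an explicit override, then the customer_ prefix.
    for candidate in (key, EXPLICIT.get(key), "customer_" + key):
        if candidate in CANONICAL:
            return candidate
    return None


def build_dictionary(exports):
    """Return (element -> [locations], [unmapped locations]) for review."""
    mapped = defaultdict(list)
    unmapped = []
    for platform, database, obj, column in exports:
        location = f"{platform}:{database}.{obj}.{column}"
        element = canonical_element(column)
        if element is None:
            unmapped.append(location)
        else:
            mapped[element].append(location)
    return dict(mapped), unmapped


def pii_locations(dictionary):
    """Keep only the elements flagged as PII in the canonical catalogue."""
    return {e: locs for e, locs in dictionary.items() if CANONICAL[e]}


if __name__ == "__main__":
    dictionary, unmapped = build_dictionary(SCHEMA_EXPORTS)
    for element, locations in sorted(pii_locations(dictionary).items()):
        print(element, "->", locations)
    print("needs manual mapping:", unmapped)
```

Columns the rules cannot resolve are returned separately rather than guessed, so they land on a manual review list; every new alias learned there is added to the alias table, which is the ongoing maintenance the paragraph describes.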
In addition to the cost of meeting GDPR compliance, the enterprise needs to revisit how its subject-matter experts (SMEs) are allocated to the GDPR project, and ongoing and pipeline projects may be delayed as a result of budget and resource constraints. To implement PII portability, the IT infrastructure across the European Union must be developed, integrated, tested and implemented, and a customer portability framework must be developed. Meeting 100% GDPR compliance by May 2018 will be a major challenge for an enterprise.
Authored By - Ananda Narayanan G
TCS Enterprise Security and Risk Management