The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of individuals (formally called data subjects in the GDPR) inside the European Union, and applies to all enterprises, regardless of location, that is doing business with the European Economic Area. Business processes that handle personal data must be built with data protection by design and by default, meaning that personal data must be stored using pseudonymisation or full anonymisation, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit, informed consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received an unambiguous and individualized affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time.
A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, how long data is being retained, and if it is being shared with any third-parties or outside of the EU. Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities and businesses whose core activities center around the regular or systematic processing of personal data are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.
GDPR: Transparency, Control, and Accountability
With millions of transactions conducted worldwide, any company doing services is responsible for the protection of customer and employee personal information. It’s also critical to building and maintaining the trust necessary for business continued success.
Definitely, there is a need for privacy management software if it needs to be used by more than 1,500 organizations to comply with data privacy regulations across sectors and jurisdictions, including the EU GDPR and ePrivacy (Cookie Law).
Also, the multi-lingual software to be deployed in an EU cloud or on-premise, and requires a combination of intelligent scanning, regulator guidance-based questionnaires, and automated workflows used together to automatically generate the record keeping required for an organization to demonstrate compliance to regulators and auditors.
Given a large number of privacy assessments, tools existing in the market will be useful in creating a customized Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) Automation platform that allows for bulk edits. Basically helps the organization to scale the process of distributing, collecting, and analyzing assessment questionnaires to more efficiently conduct privacy management operations.
Any tool for that matter needs to have a suite of privacy management questionnaire templates. The templates include a Privacy Impact Assessment Pre-Screen (PIA), a Data Protection Impact Assessment (DPIA), and a Records of Processing (Data Mapping) template based on deep research and regulatory guidance issued by EU Data Protection Authorities (DPA) and the Article 29 Working Party (WP29).
With the EU GDPR coming into effect on 25 May 2018, organizations must undergo significant operational reform with how they handle personal data of customers, employees, and vendors and with how they implement thorough record-keeping to demonstrate compliance.
Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) Requirements in Article 35 of GDPR
One of these operational requirements is the DPIA addressed in GDPR Article 35, which states:
"Where a type of processing, in particular, using new technologies ... is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data."
Instrumental sources include Article 29 Working Party's group of EU regulators, the German Standard Data Protection Model, the CNIL PIA Manual & GDPR Toolkit, the UK ICO PIA Code of Practice, and ISO/IEC 29134:2017 Guidelines for PIA.
Records of Processing (Data Mapping) Requirements in Article 30 of GDPR
A second significant operational and record keeping requirement appears in GDPR Article 30:
"Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility."
Although data inventory and mapping are not explicitly mentioned in the GDPR, it is widely recognized that Article 30 requires an organization to conduct a data inventory and mapping exercise, and most importantly, keep it up-to-date. In creating the Records of Processing (Data Mapping) template to support this requirement, the tool should incorporate available guidance including the CNIL's GDPR Toolkit, the Belgian Privacy Commission's Recommendation Concerning the Register of Processing Activities, and many additional sources.
As the international privacy landscape continues to evolve, prominent global organizations are integrating the software available in the market into their pre-existing privacy programs to reinforce regulatory compliance and consumer confidence ahead of the GDPR. Also having the right tool helps in streamlining compliance efforts by providing the flexibility to scale a privacy program across a global network of customer and employee data.
Authored By - Lokesh S G
TCS Cyber Security Practice