Pragmatic Approach to GDPR Compliance

Harshad Mengle, Director - Cyber Security, Capgemini Sogeti India

What is GDPR in a nutshell?

Privacy is one of the biggest problems of this new digital age. At the heart of internet culture is a force that wants to find out everything about individuals. Once data are used to draw conclusions about individuals, people will be tempted to trade and do commerce with that data asset. This was not the purpose for which social media or the information age was founded. People living in the digital age are therefore faced with a dichotomy, and the digital age is ever evolving.

A strong European regulation came to the rescue of individuals' privacy rights. This overview of the General Data Protection Regulation (GDPR) is intended to help organisations understand the new legal framework in the EU. It explains the similarities with the existing UK Data Protection Act 1998 (DPA) and describes some of the new and different requirements.

GDPR has 11 chapters, 99 articles and 187 recitals; details can be found on­tion/reform/index_en.htm

GDPR compliance is driven by two serious threats: reputational damage and huge monetary fines.

Organisations need to be compliant with GDPR before 18th May 2018.

Do I need to be compliant?

The GDPR will apply to EU and non-EU companies that

(i) process personal data in relation to the offering of goods or services to EU data subjects, or

(ii) monitor individuals' behaviours that are conducted within the EU.

The concepts of personal data and processing remain very broad. Personal data include any kind of information (e.g., location data, online identifiers) that allows a person to be identified, even indirectly.

A Few Challenges in GDPR

Age Gate – GDPR makes parental consent mandatory when processing the data of children below 16 years of age. This is important because in most situations a portal will lack an age verification system, so some control mechanism should be in place to record and store these consents securely. Secondly, the consent language should be clearer and more communicative. Hence integration of the privacy control framework with the legal framework is a must.

Right to know – This furthermore gives data control rights to EU individuals. As per the clause, every individual should therefore have the right to know and obtain communication in particular with regard to

(i) the purposes for which the personal data are processed,

(ii) where possible, the period for which the personal data are processed,

(iii) the recipients of the personal data, and the logic involved in any automatic personal data processing.

Erasure of personal data – Allowing an individual to erase their personal data will need careful implementation, since forensics might need to retain traces of user data. The legal consent framework needs to carefully address these issues in conjunction with technology.

Security of processing – Security of privacy data processing demands the pseudonymisation and encryption of personal data. There are, however, different algorithms to mask data, such as secure substitution, key masking, randomizer, shuffling, simulation, encryption and mathematical-formula-based masking.
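As an added example (not from the article), one way to implement the keyed substitution and pseudonymisation the paragraph mentions, in Python with the standard library only: a per-purpose key is derived from a master key, and the direct identifier in each constructed sample record is replaced by an HMAC-SHA256 token that stays consistent for joins but cannot be recomputed without the key. The master key, field names and records are assumptions.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample records; "email" is the direct identifier to pseudonymise.
RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.org", "city": "Dublin", "purchase": "book"},
    {"email": "bob@example.org", "city": "Lyon", "purchase": "lamp"},
    {"email": "alice@example.org", "city": "Dublin", "purchase": "pen"},
]
DIRECT_IDENTIFIERS = ("email",)


def purpose_key(master_key: bytes, purpose: str) -> bytes:
    """Derive one pseudonymisation key per processing purpose.

    Tokens produced for 'analytics' then cannot be joined with tokens produced
    for 'marketing', which supports GDPR purpose limitation.
    """
    label = b"pseudonym-key:" + purpose.encode("utf-8")
    return hmac.new(master_key, label, hashlib.sha256).digest()


def pseudonymise_value(value: str, key: bytes) -> str:
    """Keyed substitution: HMAC-SHA256 of the identifier under a secret key.

    A bare hash of an e-mail address can be recomputed by anyone who can guess
    the address; with a key held separately (HSM or secrets manager) the token
    stays stable for joins but is not reversible without that key.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Return copies of the records with every direct identifier replaced by
    its keyed token; the input records are left untouched."""
    out = []
    for rec in records:
        masked = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in masked:
                masked[field] = pseudonymise_value(masked[field], key)
        out.append(masked)
    return out


if __name__ == "__main__":
    master = b"constructed-demo-master-key"  # constructed; never hard-code in production
    for row in pseudonymise(RECORDS, purpose_key(master, "analytics")):
        print(row)
```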

Privacy by Design – Privacy needs to be addressed in the system or process during the design phase. This should not be restricted to new systems but should also include legacy systems and the change management process.

A Few IT Challenges in Implementing GDPR

Data Identification – Data is growing out of control and PII can be held on any endpoint; how to identify and categorise it will be an ongoing challenge.

Initial Cleanup – Defining a data retention policy in line with the different regulations, and performing the initial cleanup of systems, will need an enormous amount of effort, right from choosing the technology through to implementing and executing the policies on interdependent systems.

Inventorying data, data categorisation and ongoing cleanup need to be part of the policy framework, and the framework should also be practical.

Structured Approach to Privacy Management – Lack of business-aware data management will encumber privacy data management.

Technology Evolution – Bar code / RFID based solutions reveal privacy information and need to be protected. For example, the bar code printed on a flight boarding pass reveals a passenger's private information.

Skilled Resources – The main challenge most companies face now is the lack of skilled cyber security resources, which is addressed by a commitment to raising awareness of the cyber security skills shortage.

Opportunities for C-Level Executives

1. Data rationalisation – There may be duplication in data management which can be normalised, directly helping to optimise cost: cost reduction in backup solutions and an increase in cloud solution effectiveness.

2. Effective control of information management – With a privacy data management program, CISOs and CROs will be able to proactively identify risk and address data leakage in effective ways.

3. Effective IT management and software engineering practices/documentation – Compliance implementation needs very comprehensive records of data processing documentation, which should include detailed data mapping to determine what data is collected, how and why, where it is stored, who has access to it and whether the approach is integrated with the legal framework, etc.

4. Business driven approach – As the business designs the data strategy, the Privacy Office needs to ensure policy and framework are up to date and relevant, which in turn demands collaboration with Business, Risk, Legal and IT.

5. Robust information security management – Compliance with the privacy framework will help the C-suite build a strong technological and process control framework which can also be easily integrated with security operations management for privacy breaches, and provides an opportunity to obtain more budget.