Digital Transformation is underway for all the economies globally and this has resulted in voluminous data being generated, processed and transmitted across multiple entities with no geographical boundaries.
In order to be globally relevant, businesses need to be compliant with the law and demonstrate competitiveness. The GDPR gives a holistic view of data, process, network, and applications, and facilitates the audit framework to ensure data security.
Vaultastic has implemented the GDPR compliant methods and processes making it the harbinger of this sweeping new law. The following are some of the steps to align your business with the GDPR –
1. Awareness and Information Mapping
Key organizational members and decision-makers should be aware of the GDPR and should accordingly manage the permissions of all the other members who have access to company data. A data audit should be carried out at a granular level to answer the who, where, why, what, when and how questions related data subjects and the data usage. This entire audit should be documented with utmost details.
2. Privacy Notifications and Communications
Document the existing processes to avail the consent of data subjects about the utility of the data. Also, there is a need to document how the data is obtained, whether directly or indirectly.
The IT systems should be evolved to a level where the data subjects are in full control of the data and can perform the functions like rejection, withdrawal, rectification, objection, and access.
3. Individual Rights
Individual rights are important as “Privacy” is a fundamental right. Under GDPR, businesses need to demonstrate the ability to give the data subject complete control over data by developing a system where the individual can perform these functions broadly as follows –
- Request for personal data
- Request rectification and rectify the personal data
- Identify all the controllers and the processors of the data
- Manage the third parties which access the data and, if required, restrict the same
- Businesses to provide alert for data breach and remedy within the stipulated time
- Request for backup of the data and also locate and export the data in machine-readable formats
- Data should be easily portable
4. Consent Management
At the minimum, the companies have to ensure that the notification is clear and easily understandable, obtain consent freely and fairly, stop the data processing if the consent is rejected, obtain the parent’s consent if the child is under the age of 16 years and lastly all the data subjects should have a mechanism to withdraw the consent at any time.
5. Data Privacy Impact Assessment (DPIA)
Organizations have to perform the Privacy Impact Assessment which helps in defining and documenting the data process methods. Companies have to make sure that no data beyond the acceptable limit and above the consent of the data subject is collected. Furthermore, no personal data is shared with third parties other those for the initial consent were obtained. The legal basis for data processing must be established very clearly before collecting any personal data.
6. Data Security and Breach
Under the GDPR, companies have to encrypt the data. In case of a breach, companies must inform the data protection authority within 72 hours, while also informing the data subjects about the breach and its impact.
7. Appointment of Data Protection Officer
It is mandatory to appoint a Data Protection Officer (internal or external) with professional knowledge in data protection law and IT security covering the complexity of data processing and the size of the company. The Data Protection Officer is required to maintain audit trails, perform data inventory management, document processing activities, monitor compliance and enforce legal practices by liasoning and assisting the supervisors and managers.
All the above steps will ensure that the organizations are not only GDPR compliant, but also ready to optimize marketing expense and increase the returns on the investments.