Protecting data: Six practices companies need to keep in mind to be GDPR compliant
Technology has increasingly proliferated in our lives in turn influencing us to lead a digital life where each individual is represented through an IP (Internet Protocol) address, giving them a unique identity. Governments across the world are concerned about securing people’s identity or Personal Identifiable Information (PII), and have their own definition of laws to protect their citizen’s personal details.
With the advent of non-homogeneous policies, software companies/product vendors often face immense challenges to make their service/product comply with data protection rules and regulations across the geography. Understandably, the European Union with input from software vendor community, came together and formed the General Data Protection Regulation (GDPR), to roll out strict policies to safe guard citizens’ personal identification information.
GDPR offers stringent guidelines for protecting user data and provides a path to secure data with legal regulation. Organizations that hold and process personal data of consumers in their digital assets will need to carry out a comprehensive adjustment of their IT systems and lay down a mechanism to meet the demand of the new data protection act.
Earlier, the legal system failed to understand technology and the complexity of IT industry, but for the first time in the history of the IT industry, the law makers have taken the lead in defining the right measures to protect consumers’ interest.
All the organizations are competing with time to be compliant against the new regulation. It is quite tedious and complex for organizations to strategize, plan and execute the process that gets mandated by the new regulation. What makes it more difficult is, unlike other compliance like ISO or BS, GDPR is quite holistic and directly impacts business revenues.
Organizations need to drive security measures across all digital assets where PII is either stored or processed. This means equipment like servers, networking, storage data centers, telecom providers and cloud vendors need to comply with GDPR defined code of conduct. Tactfully, the data needs to be secured in its original state.
In order to ensure that all aspects of the business architecture comply with GDPR, companies will have to consider the following practices:
1) Understand the personal data an organization holds, the stored location, how it’s secured, its method of process and who has access to it
2) Transparently demonstrate how and why is the company processing personal data
3) Ensure there are effective ways for data subjects to exercise their rights under GDPR
4) Have knowledge of handling data security breaches that may result in risking individual rights
5) Ensuring all future systems, developments incorporate the guidelines for data protection as per GDPR
6) Create an environment that is capable of sustaining data protection plan
As the data security landscape continues to change rapidly, organizations will need to equip themselves to effectively harness the power offered by personal data. Cybercriminals are a rising threat to this and are increasingly finding ways to steal or compromise this data. Compliance with the EU’s GDPR by May 2018 hence has become both a regulatory requirement and a strategic imperative.
GDPR also empowers the consumer, where the consumer can deny any organization to store his/her personal identifiable data. Hence, businesses should revisit how to manage their customer journey. The CXO suite need to spend time to understand GDPR implications across the board and work on mitigating risk, or/and potentially consider buying insurance to over penalties on NC.
(The author is VP & Global Infrastructure Practice Lead, SapientRazorfish)
Updated Date: Dec 14, 2017 11:24 AM
