GDPR Compliance

Interested in GDPR compliance? Do it now!

The changes which ushered in by GDPR from Friday 25 May 2018 are substantial and ambitious. GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. And non-compliance could cost companies dearly.

So, why Indians should bother about it?

To make Europe ‘fit for the digital age', European Commission set out plans for data protection reform across the European Union in January 2012. Though GDPR is discussed globally as if it is an issue between EU and US, the Indian IT industry also has a huge stake since it works both for the US and EU clients and needs to provide a "GDPR Compliant Data Processing Service".

The European Union General Data Protection Regulation (GDPR) is a sweeping data protection law that not only affects European businesses but all organizations handling the personal data of EU citizens.

As GDPR is proposed as a "Global Regulation", no Indian Company would get EU business unless it is compliant with GDPR. GDPR applies to all businesses and organizations established in the EU regardless of whether the data processing takes place in EU or not. If a company tries to be compliant, it has to confront a tough penalty structure.

As of May 2018, data breaches where citizen, patient, subscriber or customer personal data is inexcusably left vulnerable will not be tolerated and the financial penalties will be painful.

The penalty will be 10,000,000 Euros or 2% Global Turnover for offenses related to Child consent, transparency of information and communication, data processing, security, storage, breach, breach notification; and transfers related to appropriate safeguards and binding corporate rules.

And 20,000,000 Euros or 4% of Global Turnover, for offenses related to data processing, consent, data subject rights, non-compliance with DPR order, and transfer of data to the third party.

GDPR objectives:

1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

What types of data does the GDPR protect?

• Basic identity information such as name, address and ID numbers
• Web data such as location, IP address, cookie data and RFID tags
• Health and genetic data
• Biometric data
• Racial or ethnic data
• Political opinions
• Sexual orientation

While much of the GDPR requirements focus on the processes and procedures for acquiring, utilizing and handling personal data that is ‘lawful and fair', the cybersecurity dimension is absolutely critical in order to prove that you have ensured ‘appropriate security and confidentiality of the personal data'.

With the right sort of consistent, unified, cross-functional approach, GDPR can act as a great driver for the entire organization to move to treating data processing in a transparent and accountable fashion.

Key factors you need to understand:

• How GDPR impacts and also benefits multiple departments across the organization
• The GDPR responsibilities of each department
• The importance of cross-functional co-operation in creating a risk-based, business-driven GDPR strategy
• Why GDPR must become business as usual across the entire organization

How ISOAH can make your company GDPR ready:

With our expertise and experience in Cyber Security industry at ISOAH, we are offering our services to make the compliance procedures much less challenging by reducing complexity, time and cost and adding considerable value.

Whether you are an SME or a multinational, our GDPR services will be customized according to your needs. We can help you with variety of best practice solutions, evaluating your GDPR compliance position and developing a remediation roadmap through to implementing a suitable GDPR compliance framework.

GDPR Program implementation areas:

• GDPR Gap Analysis:
  The first step is to do a Gap Analysis when you are uncertain about how much your company complies with GDPR. Gap Analysis will be conducted to get a detailed assessment which will show your organization's current GDPR compliance position, and a remediation plan to address the gaps and risks.
• GDPR data flow audit:
  Get an inventory of the personal data held and shared by your organization in case you are not sure what personal data you hold or where it resides. Also get a data flow map of your processes.
• Data protection impact assessment (DPIA):
  Get an assessment of the data protection risks associated with your new process and a remediation plan to mitigate those risks.
• GDPR transition services:
  We can help you to implement your GDPR compliance project by adapting your existing data protection program to the GDPR.

This includes:

1. Data protection frameworks
2. Policies and procedures
3. Data processor management
4. Information security
5. Incident management
6. International data transfers
7. Compliance documentation

In-house GDPR training and awareness:

In any organization, your workforce is the last line of defense. For GDPR compliance too, your staffs and management must understand their responsibilities under the GDPR. ISOAH can offer a structured learning path to impart knowledge and skills needed to deliver GDPR compliance.

Companies must dedicate their time to understand what they need to do in order to become compliant. Creating a plan of action beforehand will also help to stay ahead of others. As data has become a valuable currency in the world, it is believed that GDPR will strengthen data protection measures of companies and empower consumers if followed in the right spirit.