How does GDPR compliance work?

Would you like anyone to collect, store or process your personal data without your consent? I am sure your answer is ‘NO’!

This was the design thought, when the General Data Protection Regulations (GDPR) was published in May 2018 by the European Union to protect individual (called data subjects) privacy rights.

GDPR compliance for any organization begins with mostly the same approach.

To comply with GDPR or similar privacy legislations, businesses start by asking, ‘Do we really need to collect this personal information?’ GDPR defines this as the principle of data minimization. If your service only needs the email address, why collect the physical address?

Here is a list of tasks that an organization can perform to design, and comply with GDPR:

1. List personally identifiable information (PII) through all your sources. Question the need to store and collect and if there is an opportunity to minimize the collected data. In doing so, you are reducing the GDPR compliance footprint.

2. Determine whether you are a controller and/or a processor. A controller is an entity that determines the purpose of data processing. A processor, on the other hand, is another entity which processes the data as per the controller’s direction or purpose. If you are a doctor seeing a patient, you are a controller. If you are a pharmacist who collects personal information from the doctor, you are a processor. If you are serving a walk-in patient, the pharmacy becomes the controller.

Note that GDPR applies to both the controller and the processor.

3. Next, perform a gap analysis against the applicable GDPR requirements.:

• Gap analysis on privacy practices - The gap analysis will determine the controls and practices you have implemented and the ones that you haven’t. For instance, a gap could be the absence of a written consent record in your online platform.
  
  
• Gap analysis on security practices – The focus here will be to determine security controls and practices implemented and those that are not. A gap could be the absence of encryption on your notebook that stores PII.

4. Use the gap analysis to discuss, design and implement the requirements. This is a combined effort of people, processes and technology, that you need to bring in.

5. Nominate a data protection officer, whose main role would be to fulfill data subject rights.

6. Train employees about their responsibilities on privacy and security obligations.

7. Processes are when two or more people work together to achieve a common goal. Processes such as collecting consent, and deleting PII when a user seeks to exercise their ‘data erasure’ request, are some of the privacy and security processes. Processes are always documented. So, define all the applicable internal policies and procedures.

8. Technology can be implementing security of data in motion and in-store in the entire lifecycle of personal data. Encryption, malware protection, and multi-factor authentication are popular controls that would apply in all scenarios.

9. If you have service providers in your business identified as processors, and you share PII with them, then you need to ensure that they sign a data processing agreement. This ensures that they are held accountable for the security of the data.

10. Procedure on Breach response: Yes, you got it right! You need that. In case of a breach, the data subject needs to be informed that their data has been compromised. GDPR requires that the controller informs the data subject and the supervisory authority of a data breach within 72 hours.

11. Last but not least, maintain a GDPR compliance monitoring program. It could be as simple as testing your GDPR compliance program every month by conducting sample checks on key people, processes and technology controls that have a direct impact.

12. With these steps in place, we hope that you maintain your GDPR compliance successfully and that the breach never occurs.

Do write to us at roadmap@coralesecure.com if you have any questions or clarifications.