The European Parliament adopted the GDPR in April 2016, requiring companies that meet its applicability criteria to protect the personal data and privacy of European Union (‘EU’) citizens for transactions that occur within EU member states, thereby regulating the export of sensitive personal information outside the 28 EU member states.

Applicability

GDPR compliance applies to all companies that process or archive personal information (including personally identifiable data within social media, photos, email addresses and IP addresses) of EU citizens within EU states, even if such companies have no business presence within the EU. Companies meeting any of the criteria below are required to adhere to GDPR provisions:

· A presence in an EU country;

· No presence in the EU, however the company processes personal data of European residents;

· More than 250 employees; &

· Fewer than 250 employees, however the company’s data processing impacts the rights of individuals (data subjects), is not occasional, or includes certain types of sensitive personal data.

Compliance responsibility – Data protection officers

GDPR defines specific roles and responsibilities for ensuring compliance, viz. the data controller, the data processor and the data protection officer (‘DPO’).

The data controller defines the methodology for processing personal data and the objectives for which the data is processed. Data processors are generally the internal groups or external outsourcing firms that maintain and process personal data records; they are held liable for breaches or non-compliance.

Data controllers and data processors are mandated to appoint a DPO where the company processes or archives significant volumes of EU citizen data, processes or archives privileged personal data, regularly monitors the pertinent data subjects, or is a public entity (except law enforcement authorities, which may be exempt). The primary objective of appointing a DPO is to designate someone responsible for overseeing the data security strategy.

Overview of key components

i) Data privacy by design (‘DPD’)

Processes will need to be continuously assessed and periodically amended to incorporate privacy by design, wherein the data controller must apply adequate technical and organisational procedures to comply with the requirements of GDPR and protect the rights of data subjects. Types of privacy data protected by GDPR include:

· Basic identity information such as name, address and ID numbers;

· Web data such as location, IP address, cookie data and RFID tags;

· Health and genetic data;

· Biometric data;

· Racial or ethnic data;

· Political opinions; &

· Sexual orientation.

ii) Data portability

Personally identifiable data must be portable through the use of common, open file formats that are machine-readable when the data subject receives them.

iii) Rights of data subjects

The data controller is obligated to provide a free electronic copy of any personally identifiable data to the data subject. GDPR provides the below mentioned rights to data subjects with respect to their data controllers:

a) Right to access: to confirm whether their personally identifiable data is being processed, along with the objective for which it is being processed and the location; &

b) Right to be forgotten: includes permanent or on-demand deletion of his/her personally identifiable data, ceasing further distribution of the data, and requiring third parties to restrict their processing of the data.

iv) Data breach notification

Where a data breach is likely to result in a risk to the rights of individuals, GDPR requires a mandatory breach notification to be submitted to the supervisory authority within 72 hours of the organisation first becoming aware of the breach. In addition, data processors are required to notify their customers without undue delay.

v) Consent

GDPR requires ‘a statement or clear affirmative action’ that signals agreement to the transfer of personal data. Further, parental consent is required for processing the personal data of children (13 to 16 years of age, depending on the member state).

Penal consequences

The GDPR allows for steep penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance. Failure to adequately conduct a data protection impact assessment (DPIA) where appropriate is itself a breach of the GDPR and could lead to fines of up to 2% of an organisation’s annual global turnover or €10 million, whichever is greater.

Mapping IT security, governance and GDPR

Compliance with GDPR requires the IT governance framework to be modified to incorporate the pertinent aspects relating to data transfer, data subject consent and privacy by design. GDPR introduces several privacy arrangements and control mechanisms intended to safeguard personally identifiable information. Most of these controls are also recommended by ISO/IEC 27001:2013, ISO/IEC 27002:2013 and other ‘ISO27k’ standards, as well as COBIT 5.