General Data Protection Regulation (GDPR)

Introduction

“We’re all going to have to change how we think about data protection.”
I want organizations to think to themselves: “we base our online user experience around what consumers want. We shape our products and services around what consumers want. We need to shape our data protection approach around what consumers expect.”

This was the message from Elizabeth Denham, Information Commissioner, ICO UK, as she delivered a speech on GDPR and accountability on 18 January 2017 (source)

The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU. It replaced the 1995 Data Protection Directive and becomes enforceable from 25 May 2018.

The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU and It also addresses the export of personal data outside the EU.

There are strong penalties in place for non-compliance: up to €20m or 4% of global annual turnover, whichever is higher.

How Impelsys is preparing for GDPR

Impelsys is gearing up to be GDPR compliant across all of its product delivery & learning platforms, services and solutions by the time the regulation comes into effect.

To meet the new privacy standard set by GDPR, Impelsys has assembled an internal cross-functional team dedicated to implementing required processes and protocols. We have thoroughly analyzed GDPR requirements and have put in place a dedicated internal team to drive our organization to meet them.

Some of our ongoing GDPR initiatives include:

1. Understanding the context of GDPR: Involving decision makers and key people, understanding impact of GDPR on existing privacy policy, evaluating privacy controls and data protection techniques, understanding relevant issues and requirements, and identifying the interested parties in business.

2. Awareness and competency: Identified members are trained in Personal Information Management System (PIMS) and GDPR 10012 standard from BSI Training academy to be competent enough and acquire the required knowledge.

3. Privacy Office: Set up the privacy office including top management, privacy officer, legal consultant and Data Protection Representatives (DPR) ie cross-functional team which is dedicated to implement and ensure compliance to GDPR.

4. Inventory of personal data – DPRs have gathered personal data in our product, service and platforms and have prepared the ‘Data Processing Register’ as per GDPR Article 30 – what type of personal data is collected and/or processed, category of data, purpose of processing, legal or lawful basis processing, processing agreements or contracts, sub-processing or third-party, recipients of data, any transfer to third country, security techniques and measures applied, safeguard controls, storage and retention, disposal details etc. Defining the purview of personal data for each of these and documenting a roadmap for compliance in the days leading up to implementation.

5. Lawful, transparency and Legal basis processing: Adhering to the current lawful and legal basis of processing, adopting the GDPR Article 6 to identify the conditions for processing like consent, contract, legal, obligation, vital interests, legitimate interests

  • Condition for contract – between controller & processor, between processor & sub-processor or third-party
  • Condition for consent – obtain, withdrawal, transparency, manage & maintain records
  • Cross border processing

6. Contracts and Privacy Notices: Reviewing current legal basis processing & revising contracts wherever applicable to meet the requirements of the GDPR. Reviewing current privacy notices and devising a plan for making any necessary changes in time for GDPR implementation.

7. Data Privacy Impact Assessment: Conducting the data privacy impact assessment as per GDPR Article 35 – identifying high risk privacy data, risk acceptance criteria and heading towards risk treatment activities.

8. Enhancing data integrity and security – Data privacy and data security are two sides of the same coin. Reviewing & enhancing current security controls, techniques, processes and measures to tighten more and bring in end-to-end security.

9. Rights of data subject: GDPR has given more rights to end users to control their personal data like right to be informed, right to access, right to rectify, right to object, data portability and withdrawing the consent. GDPR Articles 12 – 23 present how these rights should be implemented. Our privacy office is busy in reviewing and updating the procedures wherever applicable to handle these requests.

10. Consent: Under the guidelines of GDPR Article 7, DPR team members are busy in reviewing products and services on how the consent of end users are currently obtained, reviewing whether to make any changes, including obtaining the parental or guardian’s consent in case of children under age of 16/13 to meet the GDPR standards, and finally handling the lawful processing in case of consent withdrawal.

11. Data Protection or Privacy by design: We implemented a variety of security measures to maintain the safety of personal data. All supplied sensitive/credit information is transmitted via Secure Socket Layer (SSL) technology and then encrypted into our Payment Gateway provider’s database, only to be accessible by those authorized with special access rights to such systems and are required to keep the information confidential. Technical & design team are involved in reviewing the current system privacy design and planning for enhancing, strengthening and automating the default GDPR operational flow like obtaining consent, management of data subject request, transparency in displaying the stored data, easy retrieval etc., under the guidelines reference of GDPR Article 25.

12. Breach notification: Privacy office is well aware of GDPR Article 33, 83 and 84 in dealing with breaches. Privacy office experts are revising procedures and guidelines to detect and investigate incidents of breach and analyse the impact and cause on personal data and notification. We are building predefined solution repository for remedial, temporary and permanent solutions.

13. Training and Awareness: Trainings and awareness programs are initiated among the employees through internal learning system.

Take a look at this snapshot of training presentation to understand better.

Please contact privacyoffice@impelsys.com more information on GDPR.