

April 27, 2018

Given that May 25 is around the corner, what do organizations need to do in view of GDPR?

The EU General Data Protection Regulation (GDPR) comes into force in exactly one month, on 25 May 2018. As the deadline approaches, GDPR demands that organizations be able to demonstrate compliance with its data processing principles.

For many organizations that have only just started their GDPR implementation, it is not possible to achieve full compliance by 25 May 2018. In that situation, companies should concentrate on prioritizing those areas of GDPR where failure to act would expose them to potential penalties. Companies must be able to show proof that they are taking appropriate measures to comply with the regulation.


Let's look at five key areas organizations should focus on to get on the right GDPR path quickly.


1. Be ready with a GDPR implementation plan

Organizations should make sure that an overall strategy for GDPR compliance is in place. It is important to demonstrate a road map and a commitment to address GDPR requirements, complemented by the tools, technologies and resources to deliver it. The GDPR implementation plan should give a clear picture of:

  • Where personal and sensitive data is stored
  • How the data flows within and outside the organization
  • Personal data collection, generation and processing practices
  • Roles and responsibilities; governance and accountability
  • Required changes in internal/external processes and privacy documents
  • Training and education program

2. Make sure a data breach response procedure is in place

As per GDPR, data breaches must be reported to customers and the data protection authorities within 72 hours of discovering the breach. That is why it is important for organizations to have an efficient system in place to detect and react to any breach in a timely and effective manner. As GDPR enforcement is right around the corner, companies should at least ensure that policies and procedures are in place to identify, investigate and report a breach within the timeline.


3.     Designate a DPO (Data Protection Officer)

If an organization is a public body, systematically monitors data subjects on a large scale, or handles special categories of protected data, it must appoint a Data Protection Officer (DPO). The DPO acts as a point of contact and should be fully resourced and supported to lead the company's GDPR compliance program. Appointing one is therefore a good way to show that the organization is on the right track in its GDPR compliance journey.

Even if an organization is not formally required to appoint a DPO under the terms of the regulation, it should ensure it has sufficient staff with designated responsibility for compliance.


4. Be ready to deal with data subjects' personal data requests

According to the GDPR, individuals have the right to access their personal data, the right to correct inaccurate personal data, the right to have personal data erased, the right to restrict the processing of their information, and the right to move personal data from one service provider to another. Organizations must be able to demonstrate that they can respond to a data subject's requests within the required time frame. They should therefore have a plan in place to identify and validate the requesting data subject, provide a platform through which data subjects can submit every type of request, and respond within the time frame. Organizations should also update their privacy policy and notices so that customers know how their requests will be handled.


5. Conduct GDPR training programs for employees

It takes a lot of effort for any organization to build data protection into its culture and into all aspects of its operations. Employees need to be actively engaged in and supportive of the GDPR compliance project. Creating GDPR awareness through training and education programs plays a vital role here.

April 16, 2018

VISITOR/PROFILE STITCHING IN THE AGE OF GDPR

(1) Use of cookies or similar technologies: Whenever you set cookies or similar technologies on a user's equipment for marketing purposes, you need to obtain cookie consent. That consent would need to be given by every affected consumer. This is not safeguarded when different consumers use the same device: once one consumer has given consent, the cookie settings store that choice for everyone. However, this problem is difficult to overcome in practice.


Regarding tracking/profiling that also extends to third-party websites, using a cookie to track a consumer's behavior on third-party websites before they enter your website cannot be legitimized with cookie consent alone.


(2) Collection and processing of consumers' personal data: The most sensitive issue is the justification for collecting and processing consumers' personal data (such as a consumer's browsing habits linked to their ID, etc.).


Tracking/profiling through an account: If you track consumers through their account, we think the profiling may be justified without explicit consent, based instead on the customer's legitimate interests. You may argue that account holders are existing customers (where GDPR generally allows broader leeway). Aspects which, in our view, need to be considered in the balancing of interests:


  • The privacy intrusion is small when ads are merely shown on your own website;
  • Personalization relies only on information gathered from your website (and not from third-party websites);
  • The consumer is an existing customer and is informed about the tracking via the Privacy Policy; and
  • The consumer can withdraw cookie consent at any time to end the tracking (as is usually emphasized in the Privacy/Cookie Policy).

Tracking/profiling through device:


  • Tracking/profiling restricted to your website: If you track consumers through their device on your website only, we think the collection/processing of personal data relating to existing customers (i.e. those with an account) can still be based on legitimate interest. For consumers without an account, we do not think the legitimate-interest justification will work. This is a dark grey area that requires a risk assessment and discussion with your data protection (DP) team.
  • Tracking/profiling also on third-party websites: We do not think that collecting/processing personal data on third-party websites for marketing purposes can be based on legitimate interest alone. This tracking is very sensitive, and data protection authorities ("DPAs") would hardly accept it as covered by a legitimate interest that outweighs the consumer's privacy interests. We recommend that at least the most sensitive part, the collection/processing of personal data, be covered by a proper GDPR consent.



BE GDPR - READY WITH INFOSYS

https://www.infosys.com/gdpr/

April 12, 2018

Who should drive the GDPR Program?

There is an increasing awareness of the GDPR regulations, and organizations are coming to terms with it. Having said that, many are grappling with how to structure and execute the program. Why is this such a vexing problem? Structuring a GDPR program is not a trivial task. While past experience in delivering security programs and regulations can provide some guidance, it cannot simply be replicated in the GDPR scenario. The primary reason is the nature of GDPR itself. GDPR is not a 'prescriptive' document; it does not lend itself to a 'checklist' that can be deployed. Maybe a couple of years down the line that will be possible, but not right now. GDPR requires subjectivity and interpretation; 'risk management' and a response proportionate to the risk threshold are built into its structure. Coupled with this is the fact that, while the 'intent' of the regulation is clear, there are several grey areas when it comes to contextualizing and operationalizing it for a specific business case.

Secondly, data security and protection is in a 'Darwinian' moment. The stakes with GDPR are high. It is being looked upon as a 'role model' for data privacy regulations and in many ways will pave the way for future action in this space. Organizations are acutely aware of this and are determined to make an informed and calibrated decision on how to approach the situation. The costs of a tepid start to GDPR will be manifold and will set organizations back significantly.

Key Success Factors

What is required to deliver any GDPR program is a high level of management awareness, the right organization, efficient tools, employee education, and an effective implementation model. 

The key success factors for delivering a GDPR program are:

1. Alignment to overall business strategy and operations
2. Decision-making mandate
3. Budgetary control
4. Ability to drive the organization and create awareness
5. Ability to execute

We are of the opinion that only a combined implementation model is effective in achieving and demonstrating compliance. Combined efforts are typically required to achieve a clear mapping of regulatory requirements to the entire organization and all its operations, including IT.

We recommend that a 'GDPR Task Force' be constituted under the auspices of the Office of the CEO. This task force will be led by the CEO and will have representation from all departments of the organization, including the CXO suite and all business functions: CFO, CIO, CDO, CSO, Legal, Marketing, Sales, HR, Procurement, etc. With its wider management focus, and with project groups across different functions such as legal, marketing and IT, the task force will help with strategic considerations, since it reviews what customer data is collected, how it is used, and how this could be done better to create competitive advantage. This helps ensure 'privacy by design', as required by the GDPR rules. Privacy by design means taking data protection into account at every step of a company's processes, from R&D and business development to marketing and sales.


April 10, 2018

GDPR - Managing Data in the Digital Age

Hallways of businesses across the world, especially in Europe, are abuzz with the newly minted General Data Protection Regulation (GDPR). As an upgrade to the previous Directive 95/46/EC, the GDPR upholds the right of EU citizens to protect their personal data irrespective of where it is processed. The recent fracas over Facebook and the unauthorized use of personal data has brought data security and privacy into the public domain in an unprecedented way. Today, most individuals are eager to know how their data is being used and what organizations are doing to ensure that their interests are adequately safeguarded.

The central theme of GDPR is data privacy as a fundamental human right. GDPR is unique because of this fundamental assertion: data is now central to our way of life, and therefore its treatment cannot be trivial or an afterthought. But the prevalent model of data usage and treatment is not holistic; it is focused not on the right way of handling this asset but on a narrow vision of collecting data and then curating it without an overall harmonious strategy. The basic question of the times we live in, then, is how we handle this: do we continue down the path of collecting and using data by whatever means possible? Definitely not.

In this digitally enabled world, data is all-pervasive. It is driving the business. Unimaginable quantities and varieties of data move to and fro in the digital world. In this highly fungible ecosystem, it is a matter of fact that personal data and sensitive information are collected, perhaps curated, and then made available for consumption. Very few organizations can confidently state that they have a complete handle on all the data elements in their organization.

Hence, we believe that adopting the GDPR process will make companies review their data management policies and processes, and evaluate whether their data organization is aligned with the digital world and the new-age economy.

GDPR is not a set of isolated activities pertaining to legal, consulting or data management, but a combination of different processes working integrally.

Adopting and assimilating GDPR into the ethos of your organization will be a catalyst for taking the necessary steps to build strong digital capabilities and create a competitive advantage. Some of the key initiatives could be:

Data Discovery & Classification - identifying all personal data lying in fragmented or scattered systems, then categorizing it to understand the types of data within the organization and the associated risk of exposure.

Data Cataloguing - enabling organizations to understand and form relationships between data and the various business processes, regardless of its sources and platforms.

Data Standardization - cleansing and consistently formatting data coming from disparate sources before subjecting it to further transformation.

Data Profiling & Quality Checks - ensuring data accuracy and completeness in a holistic fashion.

Data Ownership - defining a clear specification of the data controller's rights when modifying and deleting an individual's personal information. It also advocates recording data subjects' consent for storing and processing their personal data.

GDPR reinforces what has been a best-kept secret in the industry: data holds the key to competitive advantage, and treating data strategically will be a key differentiator between being hugely successful and just scratching the surface.

