Results tagged “GDPR”

The EU General Data Protection Regulation (GDPR) comes into force in exactly one month, on 25th May 2018. As the deadline approaches, GDPR requires that organizations be able to demonstrate compliance with its data processing principles.

For many organizations that have only just started their GDPR implementation, full compliance by 25th May 2018 is not achievable. In that situation, companies should concentrate on prioritizing those areas of GDPR where failure to act would expose them to potential penalties. Companies must be able to show proof that they are taking appropriate measures to comply with the regulation.

Let's look at 5 key areas which organizations should focus on in order to get their company onto the right GDPR path quickly.

1. Be ready with a GDPR implementation plan

Organizations should make sure that an overall strategy for GDPR compliance is in place. It is important to demonstrate a road map and a commitment to address GDPR requirements, complemented by the necessary tools, technologies and resources. The GDPR implementation plan should give a clear picture of:

  • Where personal and sensitive data is stored
  • How the data flows within and outside the organization
  • Personal data collection, generation and processing practices
  • Roles and responsibilities; governance and accountability
  • Required changes in internal/external processes and privacy documents
  • Training and Education Program

2. Make sure a data breach response procedure is in place

As per GDPR, data breaches must be reported to customers and the data protection authorities within 72 hours following the discovery of the breach. That is why it is important for organizations to ensure that they have an efficient system in place to detect and react to any breach in a timely and effective manner. As GDPR enforcement is right around the corner, companies should at least ensure that policies and procedures are in place to identify, report and investigate a breach within that timeline.

3. Designate a DPO (Data Protection Officer)

If an organization is a public body, systematically monitors data subjects on a large scale or handles special categories of protected data, then it must appoint a Data Protection Officer (DPO). The DPO acts as a point of contact and should be fully resourced and supported to lead the company's GDPR compliance program. Appointing one is therefore a good way to show that the organization is on the right track in its GDPR compliance journey.

Even if an organization does not officially need to appoint a DPO under the terms of the regulation, it should ensure that sufficient staff have designated responsibility for dealing with compliance.

4. Be ready to deal with data subjects' personal data requests

According to the GDPR, individuals have the right to access their personal data, the right to correct inaccurate personal data, the right to have personal data erased, the right to restrict the processing of their information and the right to move personal data from one service provider to another. Organizations must be able to demonstrate that they can respond to a data subject's personal data requests within the required time frame. Organizations should make sure that a plan is in place to identify and validate the requesting data subject, to provide a platform through which data subjects can submit all types of requests, and to respond to those requests within the time frame. Organizations should also update their privacy policy and notices to let customers know how they plan to handle such requests.

5. Conduct GDPR training programs for employees

It takes a lot of effort for every organization to build data protection into its culture and into all aspects of its operations. Employees need to be actively engaged in and supportive of the GDPR compliance project. Creating GDPR awareness by conducting training and education programs plays a vital role here.

(1) Use of cookies or similar technologies: Whenever you set cookies or similar technologies on a user's equipment for marketing purposes, you need to obtain cookie consent. Cookie consent would need to be provided by all affected consumers. This is not safeguarded if different consumers use the same device, once one consumer has provided consent and the cookie settings store this choice. However, this problem is difficult to overcome in practice.

Regarding tracking/profiling that also extends to third-party websites: the use of a cookie to track a consumer's behavior on third-party websites before the consumer enters your website cannot be legitimized with cookie consent alone.

(2) Collection and processing of consumers' personal data: The most sensitive issue is the justification for the collection and processing of consumers' personal data (such as a consumer's browsing habits linked to their ID, etc.).

Tracking/profiling through account: If you track consumers through their account, we think that the profiling may be justified without explicit consent, based instead on the controller's legitimate interests. You may argue that account holders are existing customers (where GDPR generally allows broader leeway). Aspects which need to be considered in the balancing of interests, in our view:

  • The privacy intrusion is minor when ads are merely shown on your own website;
  • Personalization relies only on information gathered from your website (and not from third-party websites);
  • The consumer is an existing customer and is informed about the tracking via the Privacy Policy; and
  • The consumer can also withdraw their cookie consent at any time to end the tracking (as is usually emphasized in the Privacy/Cookie Policy).

Tracking/profiling through device:

  • Tracking/profiling restricted to your website: If you track consumers through their device on your website only, we think the collection/processing of personal data in relation to existing consumers (i.e. those with an account) can still be based on legitimate interest. In relation to consumers without an account, we do not think that the legitimate interest justification will work. This issue is a dark grey area; it requires a risk assessment and discussion with your DP team.
  • Tracking/profiling also on third-party websites: We do not think that the collection/processing of personal data on third-party websites for marketing purposes can be based on legitimate interest alone. This tracking is very sensitive, and data protection authorities ("DPAs") would hardly acknowledge it as covered by a legitimate interest that outweighs the privacy interests of the consumer. We recommend that at least the most sensitive part, the collection/processing of personal data, should be covered by a proper GDPR consent.

Who should drive the GDPR Program?

There is an increasing awareness of GDPR regulations, and organizations are coming to terms with it. Having said that, many are grappling with how to structure and execute the program. Why is this a vexing problem? Structuring the GDPR program is not a trivial task. While past experience in delivering security programs and regulations can provide some guidance, it cannot simply be replicated in the GDPR scenario. The primary reason is the nature of GDPR itself. GDPR is not a 'prescriptive' document; it does not lend itself to a 'check list' that can be deployed. Maybe a couple of years down the line that could be possible, but not right now. GDPR requires subjectivity and interpretation; 'Risk Management' and a proportionate response in accordance with the risk threshold are built into its structure. Coupled with this is the fact that, while the 'intent' of the regulation is clear, there are several grey areas when it comes to contextualizing and operationalizing it for a specific business case. Secondly, data security and protection is in a 'Darwinian' moment. The stakes with GDPR are high. It is being looked upon as a 'role model' for data privacy regulations and in many ways will pave the path for future action in this space. Organizations are acutely aware of this and are determined to make an informed and calibrated decision on how to approach the situation. The costs associated with a tepid initiation of GDPR will be manifold and will set organizations back significantly.

Key Success Factors

What is required to deliver any GDPR program is a high level of management awareness, the right organization, efficient tools, employee education, and an effective implementation model.

The key success factors for delivering a GDPR program are:

1. Alignment to overall Business Strategy & Operations
2. Decision Making Mandate
3. Budgetary Control
4. Ability to drive the organization & create awareness
5. Ability to execute

We are of the opinion that only a combined implementation model is effective in achieving and demonstrating compliance. Combined efforts are typically required to achieve a clear mapping of regulatory requirements to the entire organization and all its operations, including IT.

We recommend that a 'GDPR Task Force' be constituted under the auspices of the Office of the CEO. This task force will be led by the CEO and will have representation from all departments of the organization, including the CXO suite and all the business functions: CFO, CIO, CDO, CSO, Legal, Marketing, Sales, HR, Procurement, etc. With its wider management focus, and with project groups across different functions such as legal, marketing, and IT, the task force will help with strategic considerations, since it reviews what customer data is collected, how it is used, and how this could be done better to create competitive advantage. This helps ensure "privacy by design," as required by the GDPR rules. Privacy by design means taking data protection into account at every step of a company's processes, from R&D and business development to marketing and sales.