This article has been written by Shahil Rangra, an engineer cum lawyer.
Introduction
Data privacy compliance is crucial in today's time. Compliance can be achieved by implementing legal rules or by adopting international standards of data safety. Internal audits of companies that deal with data processing also need to be implemented.
Ensuring Data Privacy:
Identification of business requirements:
Conduct a Privacy Impact Assessment (PIA). Under this, the existing frameworks are studied and the potential risks are analysed. From this analysis, new approaches are generated to mitigate the identified risks.
Develop a Privacy Program Management (PPM): Its purpose is to minimize the risk of any loss. Define the privacy policy under it in a precise manner. Set the procedures to be followed, set up the types of approaches to be taken and, in the end, frame a robust privacy policy. Strategies are adopted that mitigate any potential risks, and proper compliance with legal regulation is carried out. If any loophole or risk is found, the appropriate privacy and organizational controls are implemented. Identification is the first process; it is followed by the execution of various controls such as access controls, technical controls etc.
GDPR compliance: It is the most comprehensive regulatory framework in the world to date and it is binding on the parties. It ensures confidentiality and regulation as per the defined standards. If one's processes are not in compliance with GDPR, the first step is to update the processes. Review and revise the privacy policy. Implement documented procedures for ensuring data transparency. Data mapping is carried out so that the flow of data through the processes can be seen in a single picture. The rights of data subjects must be accounted for. Data protection officers are appointed where the organization meets the GDPR criteria for one. Awareness and training programs should be carried out through the DPO. Data breach and incident reporting systems are there to report data breaches. As per GDPR, such a breach is required to be reported within 72 hours.
Encountering a privacy breach:
- First, isolate the system, that is, shut down the system, thereby containing the breach and preventing it from spreading further.
- Evaluate the other risks associated with the breach. In this way, other unaffected data can be protected.
- Consider notifying individuals about the breach. Users are informed by sending messages to them, including the status of the remediation approaches.
- Remediate and learn lessons to prevent such failures in future. Develop new approaches by modifying the system or by adopting completely new approaches to it.
Creating a privacy policy:
Privacy policies are created by the Data Protection Officer and approved by the higher management of a company. Some of the general steps that must be followed are as follows.
- First, understand the business requirements.
- Define the scope and statements. These must include parameters such as which country's data is collected, for what purposes the data is used and what processes are involved in carrying out the tasks.
- Once the policy is drafted, the contact details of a responsible person must be given, so that in case of any confusion an explanation can be obtained and awareness imparted.
- The policy must describe the procedure for the collection of data.
- It must state whether user data is stored or accessed by any third party.
- Define the retention period and conduct periodic reviews of such databases.
- The policy must be periodically revised and rectified so that it stays up to date with the legal and regulatory framework.
Compliance of the data privacy policy as per GDPR:
It is the coherent set of steps that are followed to ensure proper privacy adherence.
- Data list: This is the list of records of user data stored in a company database. It is also known as a data inventory or records of data. It covers the types of data stored and processed.
- Data journey list: This covers the journey of data from subscription until unsubscription: how the data flows through the various verticals and how it is handled in between. It should check whether, once the purpose has been served, the data is deleted or not.
- Express consent: If consent is to be taken, it should be clearly formulated for the purpose for which it is taken. Its terms and conditions are defined clearly. There should be an option to opt out just as there is to opt in.
- Bundle of rights: This covers the process for the rights of an individual. "Individual" covers all people, such as users, employees, consumers, suppliers etc. All the rights of an individual, such as the right to information, the right of access, the right to deletion (erasure) and the right to restrict processing, are expressly mentioned from the early stages of any process.
- Data controls: This is the technical aspect of the assessment, where it is checked under which mechanism data is being processed, whether the mechanism followed is secure or not, and whether the technical and contractual controls are set up or not.
- Accountability and transparency: Transparency is essential in data privacy compliance. Inform the individual or user through a publicly available privacy policy, cookie notices etc. To ensure accountability, first the privacy impact assessment is done and then the privacy program is created.
- Staff training: Usually the staff of a company are not aware of privacy technicalities, so proper awareness training for all persons in the company must be carried out.
- Incident reporting system: It is crucial that reporting mechanisms are available. As per GDPR, such notification must be made within 72 hours. After an incident is reported, the monitoring, remedial and response mechanisms are framed.
- DPIA: A Data Protection Impact Assessment covers the assessment from the initial data flow till the end. Under it, the risk gaps are covered by controls or by amendments. It is crucial because the action plan for the remedial processes is based on it.
- Documentation: It is important for a company to record its affairs for the future analysis of any contingencies. Periodic reviews of such documents are done and obsolete ones are carved out. The privacy measures taken by the company for data privacy compliance must be documented.
Conclusion:
In today's time of digital transactions, the public relies heavily on digital media. They share crucial information/data, which needs to be kept secure. Therefore, ensuring data privacy by enabling data privacy policies and strategies in an organization is most important.