Genesis and its relevance in current times
The General Data Protection Regulation (GDPR) came into force in the European Union in May 2018 to protect the personal data of individuals in the EU and to frame rules governing the movement of personal data. The Regulation aims to protect the fundamental right of individuals with respect to their personal data.
GDPR created unique challenges for the Indian IT industry, as the EU was its second largest market after the US; it presented itself as both a huge challenge and a business opportunity.
While India did have the IT Act 2000, the focus on protecting personal data mandated by GDPR was a challenge from the perspective of having to realign compliance, since non-compliance could lead to a penalty as high as 4% of the company's annual turnover.
The opportunity, of course, was to position themselves as leaders providing GDPR-compliant services and solutions and to command a premium in the market.
The Government is preparing to implement the Personal Data Protection Act of 2019. Its key principles are similar to GDPR: privacy is a fundamental right that needs to be protected, and the individual whose data is being used or processed should be assured that it will not be misused.
By the time the PDPA becomes a notified act, some clauses may undergo modification, but an Act to protect individual data privacy in the current scenario of digital expansion across all walks of life is a step in the right direction.
It is expected that many more countries will align to stringent data privacy rules in the future.
Key Principles
The focus of this article is to examine the impact of privacy laws and how organizations should gear up to make their products and services compatible with them.
The key principles of GDPR are listed below:
Principles related to processing of personal data
Lawfulness of processing
Conditions for consent
Conditions applicable to a child's consent in relation to information society services
Processing of special categories of personal data
Processing of personal data relating to criminal convictions and offences
Processing which does not require identification
Without going into the details of each, these principles broadly ensure that personal data is collected with the data owner's consent (which the user of the data must be able to demonstrate), that the data owner is aware of the purpose of use, that the data collected is processed lawfully, fairly and transparently, that it will not be used for purposes other than those specified, and that it will be kept only for the duration required for processing. The personal data should also be kept secure, and in the case of a minor, the legal guardian has to provide the consent.
Unless explicit consent is provided, processing of personal data revealing racial or ethnic origin, political or religious opinions, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, is prohibited.
The areas of interest to service providers based outside the EU are the clauses relating to data being taken out of the EU for processing. This is a very familiar scenario for service providers in the IT industry.
For personal data to be transferred to a third country or an international organization, the Regulation stipulates that the transfer is allowed to the third country, a territory or one or more specified sectors within that third country, or the international organisation, only if the entity in question ensures an adequate level of protection. This protection covers not only the data itself but also the rule of law, respect for fundamental freedoms, legislation and its implementation, supervisory authorities, etc.
Personal data may also be transferred to a third country or international organization if the Commission deems that they provide adequate safeguards ensuring data protection and legal remedies.
The onus therefore shifts to the organizations outside the EU that need to process such data, and to the types of controls they have in place.
Need for ISMS
Having an effective Information Security Management System (ISMS), validated by ISO 27001 certification, goes a long way in addressing the data protection requirements under GDPR.
A well-functioning ISMS supports the handling of personal data with adequate controls. An effective ISMS has the following mandatory components:
Information Security Policy statement which outlines the objectives of the ISMS
Information Security Scope covering the functions, locations and scope of the ISMS
Information Security Manual covering the context of the organization, leadership and commitment, planning, support, operations and ongoing monitoring and improvement
Statement of Applicability – outlining the ISO 27001 controls that are applicable in the context of the organization's ISMS
Information Security Policies – outlining the policies and guidelines to address the requirements of the applicable controls
Information Security Procedures – outlining the guidelines and operating principles for Information Security, Risk Management, Internal Audits, Change Management, Incident Management, and continuous improvement and monitoring
ISMS Records – covering the measurement, tracking and review of the processes outlined in the Procedures, to demonstrate adherence to the applicable controls
Regular reporting and senior management reviews of the ISMS controls
As we can see, a robust ISMS should have all the checks and balances in place to ensure that not just data privacy and protection, but a much larger set of information security requirements, are met.
At a high level, an effective ISMS certified against ISO 27001 ensures the following:
A culture of awareness around information security and data protection. It is everyone's responsibility to be aware of potential threats and of the Confidentiality, Integrity and Availability (CIA) of the data they control or process, especially when it relates to Personally Identifiable Information (PII)
Business processes, apps, systems and networks adequately secure personal information, which requires a comprehensive suite of technical, procedural, physical and other controls
A robust assessment and treatment of information risks during the design of business processes, apps, systems etc., including checking whether collecting personal data is necessary at all. Where there is a business requirement to collect personal information that cannot be avoided, many security controls are required in practice to mitigate the information risks that remain. This covers transparency into how the data is being used, allowing the data owner to ask for rectification of personal data or to withdraw consent, and deleting or archiving data when it is no longer required
Where explicit consent for processing personal data is required, systems and procedures are put in place and records are available to demonstrate that consent
For systems where users' personal data is collected directly, the conditions of collection are clearly articulated, including an incident management process that allows the user to ask questions about how the data is used
Author
Kaushik Nag
Director, Business Excellence