Show original post

Compliance management is the process by which organisations plan, organise, control, and lead activities that ensure compliance with the laws and standards. These laws and standards don’t just come from outside or are industry specific, they can be internal as well. A good example can be a general Standard Operating Procedure (SOP) with respect to a particular process being carried out by an organisation.

On the other hand, the General Data Protection Regulation (EU) 2016/679 (hereafter referred to as GDPR) is more focused on the fulfilment of the regulation requirements needed for compliance and the delivery of measurable operational benefits. After all, data is the new commodity, and GDPR mandates a baseline safeguard on how companies or organisations deal with data.

The GDPR represents an opportunity to make data a central part of your decision-making process and deliver a true return on investment and therefore, it is not just a journey for compliance but an opportunity to reinforce commitments in respecting the privacy and upholding the data protection rights of individuals as GDPR inculcates a wider scope in terms of data privacy. It is not just applicable to EU organisations but to any business that processes or manages what is called Personal Identifiable Information (PII) of EU citizens as per GDPR.

GDPR journey begins with a concept called privileged access management which can be considered as the fundamental tenet of GDPR:

Control, monitor, and manage your organisation's privileged access

The GDPR requires that organisations ensure and demonstrate compliance with its personal data protection policies. Protecting personal data, in turn, requires complete control over privileged access, the foundational tenet of the GDPR. Controlling privileged access would require one to:

  • Consolidate all privileged accounts and put them in a secure, centralised vault;
  • Assign strong, unique passwords and enforce periodic password rotation;
  • Enforce additional controls for releasing the passwords of sensitive assets;
  • Audit all access to privileged accounts;
  • Completely eliminate hard-coded credentials in scripts and applications;
  • Wherever possible, grant remote access to IT or any other systems without revealing the credentials in plain text;
  • Enforce strict access controls for third parties and closely monitor their activities;
  • Establish dual controls to closely monitor privileged access sessions to highly sensitive IT or any other assets;
  • Record privileged sessions for forensic audits.

 Most well-known and prominent concerns of GDPR:

1. New requirements

The GDPR focuses on fair and lawful processing, accountability, transparency[1], and governance to minimise the risk of breaches and uphold personal data protection by imposing new responsibilities on organisations.

Not only must organisations carry out such changes, but they must adopt, test and maintain, and be prepared to demonstrate such compliance to regulators.

2. Specific processes

Many of these new requirements are specific processes organisations must adopt, with the intent that such measures will help structure and formalise certain areas to make compliance more efficient.

The GDPR imposes concrete measures, such as:

  • The obligation to keep internal records of data protection activities;
  • The requirement to notify regulators of data breaches without undue delay (organisations must report breaches to supervisory authorities within 72 hours[2] and document the underlying facts, effects and remedial action taken; and
  • Appointing an official Data Protection Officer[3] (required for some organisations).

3. Hefty fines and sanctions[4]

Regulators are authorised to handle non-compliance with the GDPR in one of three ways:

  • Issue a warning or impose a temporary or definitive ban on processing personal data;
  • Impose a fine up to EUR 20 million or 4 percent of the total worldwide turnover, depending on the circumstances of each individual case; or
  • Both of the above.

With these provisions, the GDPR hopes to make the cost of compliance less than the cost of violations.

4. Vague requirements

The lingering uncertainty around the GDPR is one of the biggest impediments to compliance, with parts of it deliberately left vague.

Undefined terms such as “undue delay,” “likelihood of (high) risk to rights and freedoms” and “disproportionate effort” will require further clarity by the courts or regulators, or time for specific market practices to develop.

Similarly, the regulation offers no definition of what constitutes a “reasonable” level of protection for personal data, offering regulators significant flexibility in assessing fines for data breaches and non-compliance.

5. Extra-territorial reach

Similarly, the GDPR’s definition of Personal Identifiable Information has a broad scope, requiring a high level of protection for a wide range of information. It also has an extensive reach, with many firms (particularly in countries like U.S.) not even aware they will be subject to the new EU regulations.

The primary principle behind the GDPR is that it views personal data as the property of the individual[5], not data controllers or processors. It applies to all EU citizens wherever they may be situated and regardless of the organisation’s location.

Consequently, in today’s digital and global world, it’s almost impossible to avoid dealing with some form of personal data from the European market.

The changes brought about by the GDPR:

Wider Scope: GDPR is not just applicable to EU organisations, but to any business that manages or processes personal information of EU citizens.

Data Processors: Both data controllers and processors are now jointly responsible for complying with the new rules. Data Processors are now subject to additional obligations.

Advanced Data Subject Rights: The GDPR retains the existing rights for data subjects, moreover, creates new rights such as right to erasure, right against profiling, right to Data Portability.

Privacy Impact Assessment (PIA): Privacy Impact Assessments (PIA) must be conducted for any risky or large-scale processing of personal data.

Breach Notification: Organisations now have to report data breaches to individuals who were affected, and to a supervisory authority within 72 hours.

Higher Bar for Lawful processing: The lawfulness, fairness and transparency principle amongst other things requires processing to fall within one or more of the permitted legal justifications for processing. For example, the bar for valid consents has been raised and is much higher under GDPR.

Transfers: Transfers of personal data to third countries outside the EU are only permitted where the conditions laid down in GDPR are met.[6]

Consent: The conditions for consent have been strengthened, and the organisations and companies are no longer able to use illegible terms and conditions. The request for consent must be given in an easily accessible form, with the purpose for data processing attached to that consent. Consent must be informed, specific and freely given[7] and distinguishable from other matters and provided in an easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Accountability and Governance: Accountability forms part of the theme of GDPR and data governance is no longer just a case of doing the right thing however, organisations need to be able to prove that they have done the right thing to regulators, to data subjects and potentially to shareholders and the media.

[1] General Data Protection Regulation (EU) 2016/679, Article 5

[2] General Data Protection Regulation (EU) 2016/679, Article 33

[3] General Data Protection Regulation (EU) 2016/679, Article 37

[4] General Data Protection Regulation (EU) 2016/679, Article 84

[5] General Data Protection Regulation (EU) 2016/679, Article 4

[6] General Data Protection Regulation (EU) 2016/679, Article 44

[7] General Data Protection Regulation (EU) 2016/679, Article 7