
GDPR Strategies for INFOGNANA SOLUTIONS

What is GDPR?

The GDPR requires businesses to safeguard the confidential data of EU citizens for all transactions
that take place within the EU member states. The nucleus of the GDPR is to strengthen and unify data
protection for individuals within the EU as well as to address the export of personal data outside the
European Union (EU), which means it protects against the misuse of personally identifiable information
(PII) of any kind belonging to EU citizens.

Although the UK formally exited the EU on Jan. 31, 2020, it will still adhere to all EU standards and
regulations throughout this year. That means the GDPR will still be the law of the land in the UK.

What Happens When a Company Does Not Meet GDPR Requirements?

GDPR penalties follow a two-tiered approach, and the GDPR imposes steep penalties when companies
fail to abide by its guidelines. The fine can be either 4% of the firm's global annual turnover or up to
€20 million, whichever is higher.

What Sort of Personal Data Will GDPR Safeguard?

All types of private and confidential information of European citizens, including identification
information and health-related information, are safeguarded by the GDPR:

 Basic identification information, including name, address, and ID numbers
 Sexual orientation
 Political opinions
 Health and other genetic data
 Web data, including system location, cookie data, RFID tags, and IP address
 Racial or ethnic data
 Biometric data

Are there any Specific GDPR Requirements that affect a Company?

The GDPR requirements are expected to cause companies to modify the way in which they store,
protect, process, or handle personal data. For instance, companies can process and store personal data
only for as long as the individual's consent remains in force or until the purpose for processing the
personal data is served. Besides, personal data should be portable from one firm to another, and firms
should erase it upon request.

Data breach: Another major challenge is that organizations should immediately report any sort of data
breach to the supervisory authorities. Besides, the customers affected by the breach should also be
informed within 72 hours of detecting the breach. Consequently, companies should provide a
considerable level of personal data protection to EU citizens.

Which Companies are Likely to Get Affected by GDPR?

Any organization that gathers, processes, or handles personal information of EU citizens should
abide by the guidelines of GDPR. This includes organizations that:
 Have a presence in any of the EU countries
 Are not present in an EU country but process personal data of EU citizens
 Have over 250 employees
 Have fewer than 250 employees but actively handle some sort of sensitive personal data, or whose
data processing impacts the freedoms and rights of data subjects and/or is not occasional

Five key terms that need to be understood prior to GDPR implementation:

Data Controllers: The person who decides why and how personal data will be processed. If you are an
owner or employee in your organization who handles data, be it employee information, customer
information or more, this is you. Controllers can have data processors help them in processing the
private data, within the stipulated norms of GDPR.

Data Processors: Data processors carry out the processing of personal information based on directives
provided by data controllers, within the GDPR rules.

Data Subject: The data subject is the person whose data is being processed. There must be an official
agreement before the data is processed or controlled.

Data Breaches: There is always a chance of a data breach in an organization, in which case the
organization must inform the GDPR authorities within 72 hours of the occurrence of the incident.

Data Protection by Design: Organizations need to incorporate data protection strategies right at the
design stage of their data management procedures, in accordance with the stated GDPR guidelines.

Definition: https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1528874672298&uri=CELEX:02016R0679-20160504

Instructions to follow for the GDPR (Lawful basis for processing):

Consent: Companies should get permission from individuals to process their data. Consent must
specifically cover the controller's name, the purposes of the processing and the types of processing
activity.

Documentation: Most organizations are required to maintain a record of their processing activities,
covering areas such as processing purposes, data sharing and retention. This is called documentation.
 If you have 250 or more employees, you must document all your processing activities.
 There is a limited exemption for small and medium-sized organisations. If you have fewer than
250 employees, you only need to document processing activities that are not occasional, could
result in a risk to the rights and freedoms of individuals, or involve the processing of special
categories of data or criminal conviction and offence data.
 What you need to document under Article 30 of the GDPR: the name and contact details of
your organization, the purposes of your processing, the categories of personal data, the categories of
recipients of personal data, details of your transfers to third countries, and retention schedules.

(Documentation template: https://ico.org.uk/media/for-organisations/documents/2172936/gdpr-documentation-processor-template.xlsx)

Data Processing Agreement: Data processing shall be governed by a written contract concluded
between a data controller and processor. The parties can conclude a special Data Processing Agreement
or include data processing clauses in an outsourcing contract.

Certification is a way for an organisation to demonstrate compliance with GDPR. Certification scheme
criteria will be approved by the ICO and can cover a specific issue or be more general. As a controller or
processor, you could obtain certification for your processing operations and services. Certification is
valid for a maximum of three years, subject to periodic reviews.

Certification process:

 Find a scheme: you need to find a scheme that suits your needs for the product or service you
want to have certified, and for the nature of your organisation.
 Find a certification body: certification bodies will issue GDPR certifications, so you need to
apply directly to them. For example, the ICO.
 Data Protection fee: There are three different tiers of fee, and controllers are expected to pay
between £40 and £2,900.
 Micro organisations: You have a maximum turnover of £632,000 for your financial year or no
more than 10 members of staff. The fee for tier 1 is £40.
 Small and medium organisations: You have a maximum turnover of £36 million for your financial
year or no more than 250 members of staff. The fee for tier 2 is £60.
 Large organisations: If you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3
fee of £2,900. If you pay by direct debit, you receive an automatic discount of £5.

Data security and Encryption:

 Encryption is a mathematical function that encodes data in such a way that only authorised
users can access it. It is a way of safeguarding against unauthorised or unlawful processing of personal
data, and is one way in which you can demonstrate compliance with the security principle.
 The two types of encryption in widespread use today are symmetric and asymmetric encryption.
The technique of cryptographic hashing is sometimes equated to encryption, although it is a distinct
technique. The encryption software you use is also crucial. You should ensure that any solution you
implement meets current standards such as FIPS 140-2 and FIPS 197.

Data Security is addressed at multiple levels to ensure top security standards across the employee,
physical, and network levels. Additionally, VPNs, SSL, and PGP encryption are utilized to ensure that
both HIPAA and GDPR requirements are met. Access to data is strictly governed by role-based access
control, ensuring that data is seen only by those who must see it, and networks are monitored 24/7.

Requirement for qualified and certified data protection officer (DPO): 

DPOs assist you in monitoring internal compliance, inform and advise you on your data protection
obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact
point for data subjects and the supervisory authority.

One requirement under the GDPR is that businesses that process or store a large volume of personal
data are required to appoint a Data Protection Officer (DPO).
A compliant outsourcing partner will have a DPO that is certified by a body such as the International
Board for IT Governance Qualifications (IBITGQ).

 Legal background: the data protection officer (DPO) shall be designated on the basis of
professional qualities and, in particular, expert knowledge of data protection law and practices.
Ideally, a DPO should be a licensed lawyer with sufficient knowledge not only of the GDPR but also of
other privacy laws that matter for their clients.
 IT security experience: ideally, a DPO needs to have practical experience in areas of cyber
security.
 Up-to-date knowledge of all governance compliance requirements and regulations
 Must be a great negotiator and savvy when researching vendors, providers, platforms, and tools
 Must be able to conduct high-level, well-researched meetings with legal, IT, and stakeholders such
as the CEO, CFO, etc.
 Experienced in disaster recovery and best practices for data integrity
 Can execute a solid strategy that keeps costs lower while still maintaining a clear path to
total data leak prevention
 The DPO can be an existing employee, you can contract out the role of DPO externally, or you may
appoint a single DPO to act for a group of companies.
 GDPR requires you to publish details about the DPO: publish the contact details of your DPO and
provide them to the ICO.

A DPIA is a way for you to systematically and comprehensively analyse your processing and help you
identify and minimise data protection risks. DPIAs are a legal requirement for processing that is likely to
be high risk. But an effective DPIA can also bring broader compliance, financial and reputational
benefits, helping you demonstrate accountability and building trust and engagement with individuals.

Do you have a registered office in the EU?

An outsourcing company is a data processor, and if it is based in a country like India and processes
personal data of EU residents, it has to designate a representative in the EU. The representative
must be registered with a Data Protection Authority (DPA).

Set Up A Data Register:

You should create a data register, which is a record of data processing activities. If for any reason a data
breach takes place, you will be required to show the data register to the data protection authorities
that have been set up by the European countries.

Review your current privacy notice:

Make sure your business reviews its current privacy notice and adapts it in time to implement the
changes required by the GDPR. When collecting personal information, your identity should be revealed
at all stages, along with what your intentions are for the data; this is usually done through a privacy
notice. Individuals have the right to inform the ICO if there is a problem with the way you are handling
their data.

Personal information management system:

Anyone can claim to be GDPR compliant, but to actually be compliant, their systems and processes need
to pass stringent auditing by an independent certification body. Being BS 10012 certified by a standards
body such as the British Standards Institution (BSI) demonstrates that the offshore partner can manage
risks to personal information.

Certifying to BS 10012 Personal Information Management means your offshore partner upholds the
ideologies of the GDPR and provides reassurance that personal data is managed in line with best
practices. A compliant offshore partner will establish a Personal Information Management System
(PIMS) so that personal data is managed in line with GDPR best practices.

Example product (BS 10012):

 It outlines the core requirements organizations need to consider when collecting, storing,
processing, retaining or disposing of personal records related to individuals. Easily integrated
with other popular management system standards, BS 10012 brings big benefits to companies
of all sizes, including:
 Helps to identify and manage risks to personal information
 Supports regulatory compliance with data protection legislation
 Inspires customer trust
 Protects your organization's reputation
 Benchmarks your own personal information management practices against recognized best
practice

How can organizations prepare?

In addition to the adopted technical controls, structured documentation, monitoring, and continuous
improvement, the implementation of ISO 27001 promotes a culture and awareness of security incidents
in organizations.

The adoption of standards such as ISO/IEC 27001 Information Security and, potentially, ISO/IEC 27018
Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII
processors, will be the basis to quickly achieve compliance with the EU GDPR.

Therefore, if the implementation of ISO 27001 identifies personal data as an information security asset,
and those that store or process personal data in the cloud follow the ISO 27018 recommendations, most
of the EU GDPR requirements will be covered.

The first thing an organization should do is an EU GDPR GAP Analysis to determine what remains to be
done to meet the EU GDPR requirements, and then these requirements can be easily added through the
Information Security Management System that is already set by ISO 27001.

GDPR cost benchmarking analysis:

The minimum and average implementation cost per employee is consistent across firm size, with
implementation costing £300-£450 on average per employee across all sectors.

In terms of additional spending on consulting services and technological solutions, the survey found that
80 percent of those in a micro company (1-9 employees) expect GDPR compliance to cost their business
under $50,000, while most (92 percent) of those working at an enterprise (more than 1,000 employees)
expect GDPR compliance to cost their business over $50,000.

Nearly two-thirds (67%) of those organizations surveyed by the report involved at least 25 employees in
the preparation process. Thus, when calculating the total GDPR cost, you have to factor in this lost time.

The average company spent 2,100 hours in meetings, and for larger enterprises that figure is much
closer to 9,000 hours. All of those lost hours ramped up the total GDPR cost considerably.

Business opportunity rather than compliance burden: Indian IT companies serving the EU market,
their second largest after the US, are required to comply with the GDPR. However, rather than
seeing this as an additional compliance burden, Indian companies should see it as a massive
business opportunity knocking at their doors.

Steps On How To Prepare For GDPR:

1. Raise awareness. 
2. Document everything. 
3. Review current privacy notices.
4. Check your rights for individuals.
5. Review & update request procedures. 
6. Refresh existing consents.
7. Protect the data of children. 
8. Detect, report & investigate breach of personal data.
9. Adopt an approach to privacy & data protection.
10. Designate a Data Protection Officer (DPO).
