The European Union’s General Data Protection Regulation (GDPR) went into effect throughout Europe on May 25, 2018. Superseding a similar legal act enacted in 1995, GDPR offers EU citizens a greater amount of freedom and control over the use of their personal data and unifies data processing requirements for businesses across the European Union and, in certain cases, beyond its borders.
Ensuring compliance with the GDPR isn’t just the law — it’s good practice. Though some of the requirements may seem expensive, time-consuming or burdensome, the end result offers individuals far more flexibility and transparency regarding how their data is handled, justifying what may be seen by some as downsides.
Because of the GDPR, businesses like Ciklum across the world had to rethink and restructure many of their data collection and processing policies in order to become compliant. Though many of our existing practices already focused on privacy and security, the GDPR allowed Ciklum to take a deeper look at our data collection and processing policies and determine the best ways to ensure compliance. We’d like to share those steps with you to offer a greater understanding of our approach.
Here are 10 steps Ciklum took towards GDPR compliance:
Step 1: Increase awareness.
First and foremost, companies need to be aware of the impact the GDPR and other privacy laws have on their business.
From the top of the organization down, starting with the Executive Board and Leadership teams, Ciklum made sure that every single one of our employees understood the changes to our processes that GDPR would require.
Step 2: Know the data.
One of the GDPR’s key data protection principles is accountability. Not only are companies responsible for complying with the GDPR, they must also implement technical and organizational measures that can demonstrate compliance.
In order to deal with a complex data environment, Ciklum has made data discovery and mapping a key element in understanding how data is acquired, accessed, handled and transferred.
Step 3: Communicate privacy information.
Transparency of processing is a key element of the GDPR. In most organizations privacy policies must be reviewed and revised to achieve this goal.
Step 4: Fulfill individual rights.
To comply with the rights the GDPR grants individuals, Ciklum adjusted its procedures, processes and internal systems to ensure that users can have their personal data deleted on request and that an individual’s data is provided electronically, in a commonly used format, free of charge.
Step 5: Identify lawful basis for processing.
The GDPR requires that personal data is processed lawfully, fairly and transparently.
We have established a process for identifying and documenting data together with the lawful basis for processing each piece of data, which in certain cases is more than one. To ensure accountability, Ciklum has updated the data processing agreements for our clients and vendors and notified all parties of any changes.
Step 6: Consider consent.
User consent offers individuals choice and control over how their data is used, and the GDPR sets a high standard for how consent can be requested and whether it is an appropriate lawful basis for processing in the first place.
Ciklum reviewed our process of gathering, recording and managing individual consent. For instances where individual data may be processed, we provided users with positive opt-in and simple withdrawal options.
Step 7: Deal with data breaches.
Personal data breaches are taken very seriously under the GDPR. Within 72 hours of the discovery of a data breach, companies must carry out a thorough investigation, inform both regulators and impacted individuals of the data breach, identify what personal data was impacted and draft a comprehensive plan to contain the breach.
Ciklum is committed to data security, and we have taken great steps to prevent unauthorized access to user data. We have implemented procedures to detect, report and investigate in the event of a breach of personal data. Any data breach that poses a risk to individual rights and freedoms will be reported to our customers and the appropriate data protection authorities.
Step 8: Incorporate privacy and data protection by design.
Under the GDPR’s data protection by design and by default provision, every step of an organization’s data processing activities and business practices must incorporate data protection and privacy. Additionally, under certain circumstances, Data Protection Impact Assessments (DPIAs) must be carried out for any major project that involves the processing of private or personal data.
In our application development, architecture and design, Ciklum has always considered security and privacy an essential practice by default. To address the requirements of data privacy by design and default, Ciklum established a framework to assess situations where DPIAs are required to be conducted, and we have assigned responsibilities to appropriate parties for carrying them out.
Step 9: Designate a data protection officer.
For public authorities or bodies, or for organizations whose core activities require large-scale monitoring or processing of individuals’ data, the GDPR requires the appointment of a Data Protection Officer.
Ciklum has appointed a designated Data Protection Officer within our organization’s structure and governance. Responsibilities for data protection compliance have also been assigned to people within our organization with relevant knowledge, who have received the support and authority to carry out their roles.
Step 10: International transfers.
Being an international company, Ciklum carries out many different data transfers every day. The transfer of personal data outside of the European Union is controlled under the GDPR, no matter the transfer’s size or frequency. On that basis, the GDPR provides frameworks that enable international transfers of personal data.
To build a consistent data privacy strategy, companies should not just apply isolated measures but make regulatory compliance a part of their business. The data privacy strategy at Ciklum has been formulated by stakeholders across the whole organization: legal, IT, compliance and the data owners themselves are fully aware of the steps they need to take to keep up with the latest changes in the regulatory landscape. Further, data protection champions have been appointed throughout the organization.
The GDPR has strongly influenced the way global companies interact with their EU-based customers, but many companies have successfully tackled the challenges that accompany the adoption of new regulations. Putting the right processes in place, increasing security awareness and implementing the necessary technologies will lead to better data handling and improved standards in product design and development.