A benchmark to assess readiness for GDPR and other privacy regulations

10 September 2018 Authored by Consultancy.in

As the world of business takes stock of GDPR and its implications on day-to-day operations, global professional services firm EY has published a detailed guide about what the act essentially demands. The firm’s analysis revolves around the concept of ‘privacy by design and default.’

The General Data Protection Regulation came into force in May this year, prior to which firms with primarily digital operations were scrambling to restructure their data management processes to comply with the act. The act was designed to prevent the careless management of personal and financial data by companies.

Although GDPR was created primarily for European businesses, the repercussions of the stringent regulatory framework are expected to be felt across the globe. This can be attributed to the fact that data breaches themselves often have international repercussions, irrespective of where they occur.

An example of this is the protracted cyber attack on Deloitte last year. Among the data compromised over a six-month period was that of 52% of the companies listed on the Indian stock exchange, sparking major public outcry in India.

So international firms with operations in India – and Indian firms with operations abroad – will have to reassess their data management practices, and Big Four accounting and advisory firm EY has come up with a handy guide to help firms with the same. The guide offers an in-depth understanding of the privacy by design and privacy by default provisions in the GDPR.

The former, privacy by design, is a precautionary and preventative measure, wherein the implications of a product on privacy are considered during the design process itself. In essence, data privacy restrictions must be applied to various phases, from product & feature development to marketing.

Privacy by default, on the other hand, is an even more comprehensive measure, wherein the entire structure of operations is altered to ensure that only the data that is absolutely essential to core operations is collected, thereby acting as an automatic filter and reducing the possibility of a data breach.

In order to develop such a comprehensive defense mechanism, EY recommends a set of measures that can be implemented within internal organisational processes. To begin with, the firm recommends an assessment of current operations to identify potential gaps in data management systems.

Thereafter, firms must obtain an overview of the PII records in their firm, which can subsequently facilitate the implementation of privacy by design and default. Once implemented, it is crucial that these measures are maintained in the long term.

Key principles to this end include the maintenance of strict confidentiality, internal organisational integrity, and the “availability and resilience of processing services.” Lastly, the firm advocates the development of data protection impact assessments, in order to ensure continual improvements in privacy measures.

“In our view, many organisations are welcoming this opportunity as a serious initiative to drive data privacy beyond just mere compliance. In light of recent events on data privacy, this is an enterprise-wide initiative that will help companies across the globe to be secure and stay secure,” said EY Partners Jaspreet Singh and Sibyoti Basu in the report.