GDPR compliance: Failure to comply will be costly
DATA CONTROL
To preserve subjects’ privacy, organizations must:
* Only process data for authorized purposes
* Ensure data accuracy and integrity
* Minimize the exposure of subject identities, and
* Implement data security measures.
DATA SECURITY
Data security goes hand-in-hand with data control. GDPR puts security at the service of privacy. To preserve subjects’ privacy, organizations must implement:
* Safeguards to keep data for additional processing
* Data protection measures, by default
* Security as a contractual requirement, based on risk assessment, and encryption
RIGHT TO ERASURE
Subject data cannot be kept indefinitely. GDPR requires organizations to completely erase data from all repositories when:
* Data subjects revoke their consent
* A partner organization requests data deletion, or
* A service or agreement comes to an end
It is worth noting, however, that subjects do not enjoy a carte blanche right for their data to be erased. If there are legal reasons — specified in the regulation — an organization can retain and process a subject’s data. Exceptions are few, however.
RISK MITIGATION AND DUE DILIGENCE
Organizations must assess the risks to privacy and security, and demonstrate that they’re mitigating them. This requires they:
* Conduct a full risk assessment
* Implement measures to ensure and demonstrate compliance
* Proactively help third-party customers and partners to comply, and
* Prove full data control
BREACH NOTIFICATION
When a security breach threatens the rights and privacy of a data subject or subjects, organizations must:
* Notify authorities within 72 hours
* Describe the consequences of the breach, and
* Communicate the breach directly to all affected subjects
6 STEPS TO GDPR COMPLIANCE
To prepare for GDPR, organizations can use this six step process:
1. Understand the law
Know your obligations under GDPR as it relates to collecting, processing, and storing data, including the legislation’s many special categories.
2. Create a road map
Perform data discovery and document everything — research, findings, decisions, actions and the risks to data.
3. Know which data is regulated
First, determine if data falls under a GDPR special category. Then, classify who has access to different types of data, who shares the data, and what applications process that data.
4. Begin with critical data and procedures
Assess the risks to all private data, and review policies and procedures. Apply security measures to production data containing core assets, and then extend those measures to back-ups and other repositories.
5. Assess and document other risks
Investigate any other risks to data not included in previous assessments.
6. Revise and repeat
Repeat steps four to six, and adjust findings where necessary.
For Chief Security Officers, GDPR and the Philippine Data Privacy Act impose an upgrade on the organization’s security capabilities to both meet the regulation’s requirements and improve overall security vis-a-vis data confidentiality and privacy. If companies in Cebu need assistance, we have a team in place to assist – contact Schumacher@eitsc.com