Solution Brief

Looking Beyond
GDPR
Compliance

  • Assess the business impact
  • Be prepared
  • Accelerate business growth
Download PDF

Why Should You Worry or Care?

General Data Protection Regulation, or more commonly known as GDPR, is a new law that’s established in the EU and will be in effect from May 2018. The regulation is essentially designed to harmonize data privacy laws across Europe to protect and empower all EU citizens’ (and residents’) data privacy and to reshape the way organizations across the region approach data privacy.

Although GDPR may appear to be an immediate challenge for businesses, there’s potential opportunity for a new level of business growth. And those who adopt early, which is now, can leverage the benefits.

GDPR is based on following two core values:

  • Recognition of protection of personal data that belongs to an individual and control on processing of individual’s data as a fundamental right
  • For business organizations, certainty on business process related to personal data processing

Unlike Data Protection Directive (DPD), GDPR is a legal framework where businesses that don’t comply are subject to penalties of up to 4% of annual turnover.

What’s the Impact?

The GDPR definition of “personal data” is not just limited to a name, postal address, telephone number, passport number, etc. Instead, it covers any information that can be used to uniquely identify an individual; this could include online identities, website cookies, and IP address as well.

Any organization processing personal data of individuals living in the EU, or an organization that monitors the behavior of individuals living in the EU.

An organization established in the EU regardless of whether data processing is taking place within EU or not.

Any outside established organization that processes personal data from the EU, including business offering services and goods to the EU.

How Does This Affect Existing Data?

It’s not compulsory to discard all of your existing approvals and obtain fresh consent from individuals to be compliant with GDPR. However, it’s absolutely necessary to conduct a review on your current consent management process; if the process is in compliance, you can consider existing consent as valid and continue to process the data.

Privacy Principles and Customer Rights

Principles

Lawfulness of the processing and transparency

Organizations should ensure there’s legitimate grounds for collecting and using personal data. Getting active consent from a customer is the widely used approach, but GDPR requires consent to be clear, specific, granular, unbilled from other policies, and given freely. In addition, the organization should able to demonstrate when and how the customer provided consent.

Think about employing a tool that supports the full scale of consent lifecycle management.

Accuracy

Organizations should take measures to ensure personal data is accurate. If it finds that the data is inaccurate, the organization should act immediately to rectify or erase such data.

Think about introducing a user-friendly, customer selfcare portal so users can update their personal data when required.

Data protection officer

Organizations process large amounts of personal data and are expected to appoint a Data Protection Officer (DPO), who will act as the single point of contact for individuals and supervisory bodies for any data protection related issues. The DPO can also advise the organization on data protection measures and policies.

The DPO can be a staff member or contracted, and a group of companies can have one DPO that oversees requirements across the group.

Data protection impact assessment

GDPR recommends organizations to carry out a data protection impact assessment (DPIA) depending on the nature of data processing, especially when adopting new technologies.

Purpose limitation

The purpose of data processing must be limited to the original purpose to which the customer has provided consent.

As you are not allowed to use the collected personal data for any other purpose, once the intended purpose is completed, consider erasing this data or make them anonymous or pseudonymous.

Cross-border data transfers

When transferring personal data to a country or organization that’s not listed as an entity with the required level of data security, the organization should ensure the third-party receiver has fulfilled the required safeguard measures or require explicit consent from the individual.

Data minimization

Only personal data that’s required for the processing purpose can be collected and stored.

Review your business process and identify the required set of personal data for processing.

Customer Rights

The right to be informed

Each individual should be clearly informed by the organization about the adequate level of information with regard to processing; this includes name and contact details of the organization, purpose of data processing, legal basis for processing, and intended time period the individual’s data will be maintained. All processing activities should be transparent to the individual.

Think about providing simple, clear, and attractively designed privacy notices to explain how the organization will process personal data.

The right to restrictions

It’s possible for an individual to request an organization to restrict the processing of his/her personal data. In such cases, the organization may continue to store the data, but the purpose for which the data can be processed will be strictly limited.

The right to access and rectification

The organization should facilitate individuals to access its personal data processes to ascertain what personal data has been processed, for what purpose, etc. If data is inaccurate, the individuals can seek rectification.

Think about introducing a user-friendly, customer selfcare portal so users can verify what data is stored by the organization.

The right to object

It’s possible for an individual to request an organization to restrict the processing of his/her personal data. In such cases, the organization may continue to store the data, but the purpose for which the data can be processed will be strictly limited.

Think about introducing a full-scale consent management tool so your customers can track, review recorded consent, and revoke approvals if necessary.

The right to be erased

An individual has the right to request the organization to erase their personal data with immediate effect.

Data portability

An individual has the right to ensure his/her personal data is stored in a structured, commonly used, and machine-readable format. When technically feasible, an individual can request to directly transfer his/her personal data from one organization to another.

Think about introducing a tool that enables an individual to download their own data in standard formats and can facilitate the transfer of customer data from one system to another based on open standards.

7 Steps To Be Fully GDPR Compliant

1

Build awareness around GDPR

Awareness is a key step in your GDPR compliance journey. It’s not a one-time task or not one that a single company within a group can execute. It’s a continuous process, hence organizations must ensure deep and proper understanding and contribution from every employee. You need to build in-house expertise on all aspects of GDPR, which include definitions, scope, territorial applicability, objectives, main privacy principles, consumer rights, and processes required to liaise with supervisory bodies.

2

Understand whether your business is affected

Following a thorough understanding of all aspects of GDPR, you would need to ascertain whether your business is affected. A business may be impacted depending on the nature of the business, such as offering services or goods to the EU, or processing or storing data recovered from another business in EU.

3

Review the impact on your current data

GDPR does not require an organization to erase existing personal data; however, you need to properly evaluate whether the data collection has been carried out with proper consent and if you’re in a position to demonstrate proof of consent for the processing purposes.

4

Review your systems and processes

At this stage, you need to mainly focus on business operations related to personal data processing, but should not limit yourself to just that. Areas, such as data processing/storing infrastructures, network infrastructures and staff members who access personal data would need to be evaluated as well. You need to specifically check whether a data processing impact assessment (DPIA) must be carried out.

5

Implement necessary safeguards

At this stage, based on the detailed plan derived from Step 4, you need to implement required safeguards. Adjusting your business process, upgrading software, network and storage systems, introducing internal staff training and proper auditing/monitoring systems are some of important aspects you would need to consider.

6

Appoint EU representatives and/or a DPO (if applicable)

If your business is not established, but offer service/goods to the EU, you need to appoint representatives within the EU in order to address GDPR related matters. You might also want to evaluate whether you need to appoint a DPO to handle such matters.

7

Revise your documents and policies

Implementation of those safeguard measures internally is not sufficient. You need to revise your public material as well, such as websites, social channels, terms and conditions, and privacy policies in accordance with GDPR requirements. Individuals and supervisory bodies too should be able to access and evaluate this material.

The WSO2 Advantage

WSO2 offers the key technology enablers required for digital transformation. We are trusted by globally recognized brands across many industries, including eBay, Experian, Verifone, BNY Mellon, West Interactive, Motorola, Transport for London, and StubHub.

We have the expertise to be your trusted technology partner not just to make sure you leap over the GDPR hurdle, but to also ensure your organization leverages the wider benefits of this regulation. We can offer you a digital transformation solution that capitalizes on GDPR to accelerate your business growth.

WSO2 Identity and Access Management (IAM) solution is designed to support digital transformation initiatives by connecting and managing multiple identities. WSO2 IAM and secure API Management help to address new requirements of GDPR, such as customer data privacy, a self care portal to enable customer rights defined in the GDPR and full scale consent lifecycle management. The WSO2 IAM solution also supports secure identity provisioning across systems in a GDPR compliant manner.

Interested in learning more about the WSO2 IAM solution? Contact Us and let us know your requirements.