We have often seen how businesses are impacted by revolutionary shifts in technology and in the economic, regulatory and political environment. GDPR is one such shift in EU regulation, and it is bound to change how customer data is managed across the entire life cycle of a business. Both as individual professionals and as an organization, we must understand GDPR and its implications, and acquire the skills, processes and policies that ensure our solutions comply with its tenets of “TRUST” and “PRIVACY”.
India, too, is working to roll out its own data protection law; a white paper was released in December 2017 to that end. It will be worth the effort to build reusable frameworks that address privacy by design. Let me introduce GDPR and its likely impact on our products and business.
Introduction to GDPR
Europe has long been particular about protecting the personal data of individuals in the EU as consumers of businesses. The European Parliament adopted the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) in April 2016, and it has applied since May 25, 2018. Unlike the earlier Data Protection Directive (95/46/EC), the new regulation gives individuals in the EU “CONTROL” of their personal and sensitive data across all the services they use, wherever in the world those services are provided from.
Does it really apply to us if our products and solutions are sold in non-European markets? Yes. The cost of non-compliance with GDPR is far above the cost of compliance. Potential costs include:
- Administrative fines from regulators (up to 20 million euros or 4 per cent of the entity’s worldwide annual turnover, whichever is higher)
- Negative impact on the organization’s brand and its products
- Potential dismissal of C-level leaders over non-compliance
- Legal battles (time and effort) with regulators or with EU data subjects over breaches of privacy
These costs make it mandatory for us to understand what GDPR really constitutes. In simple terms, this post frames GDPR in terms of four stakeholders and eight principles.
GDPR – Stakeholders
a. Data Subject (DS): a living individual in the EU whose personal and sensitive data is being processed. This is the data that needs protection to maintain the individual’s privacy.
b. Data Controller (DC): the primary entity offering products and services to data subjects; under GDPR it is the party that determines the purposes and means of the processing.
c. Data Processor (DP): a secondary entity that processes personal data on behalf of, and on the documented instructions of, the Data Controller, enabling it to offer its services.
d. Data Protection Authority (DPA): the supervisory authority in each member state that monitors and enforces compliance with GDPR by controllers and processors, and to which breaches are reported. Unlike the earlier regime, there is no general obligation to register processing with the authority. The Data Protection Officer (DPO) referred to later is a different role: a person inside the controller or processor who oversees compliance and is the contact point for the DPA.
Let us understand what constitutes Personal Data and Sensitive data of the Data Subject (user).
Personal Data: any data point that identifies a living person directly or indirectly (e.g. email address, name, photograph, postal address, IP address, device identifiers, location data).
Sensitive Data: GDPR calls this “special category” data (Article 9) and restricts its processing more tightly: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and sex life or sexual orientation. Items such as gender, marital status, family details and bank account details are not special categories, but they are still personal data, and financial data in particular warrants the same level of protection because of the harm a breach can cause.
Now let us look at the eight principles that every product or solution must comply with when dealing with the above data. GDPR itself states its principles in Article 5 (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability). The eight-principle layout used below follows the older UK Data Protection Act 1998 framing, which maps closely onto those articles.
GDPR – Eight Principles
P1: FAIR and LAWFUL
| Data Subject (DS) | Data Controller (DC) | Data Processor (DP) |
|---|---|---|
| Has complete ownership of his/her personal and sensitive data. | Takes complete ownership of fair and lawful use of the data collected. | Must adhere to all principles while processing the data of the EU resident, and only on the controller’s instructions. |
| Has the rights of access, rectification, restriction and erasure (“right to be forgotten”). | Interacts with the data subject for consent and notifications. | Must keep the data accurate (up to date) with support from the DC. |
Personal and sensitive data must be collected, updated, used and deleted (destroyed) fairly and lawfully. Every processing operation needs a lawful basis under Article 6 for personal data, and special-category data additionally needs one of the Article 9 conditions (Schedules 2 and 3 of the UK Data Protection Act 1998 were the equivalent provisions; GDPR itself has no schedules). Ensuring this is the responsibility of both the DC and the DP.
P2: PURPOSE LIMITATION
A well-defined purpose must exist for which the data is collected and processed. The purpose must be made known to the data subject and, where consent is the lawful basis, consent obtained. Data may not be processed for a new, incompatible purpose unless the data subject is notified and consent is obtained again.
P3: ADEQUATE, RELEVANT AND NOT EXCESSIVE
Data collected must be adequate and relevant for the core purpose, and must not be excessive for the purpose for which it is collected and processed (data minimisation).
P4: ACCURATE
It is the responsibility of all stakeholders to keep the information accurate, which means periodic review and update of the records stored, and correction on request from the data subject.
P5: RETENTION
In addition to complying with GDPR, the DC and DP may be required by other regulators to RETAIN data for a specified duration. The data subject has the “RIGHT TO BE FORGOTTEN” (right to erasure), and the DC and DP must honour it once the service has been terminated and any statutory retention period has expired. For example, if a regulator mandates retention for three or eight years from the last transaction, erasure becomes due when that period ends; until then the data should be kept only for the retention purpose and used for nothing else. Erasure means complete removal from every form of storage, including backups, replicas and copies held by processors.
P6: RIGHTS OF THE DATA SUBJECT
This principle focuses on the “Rights of the User” (data subject): access, rectification, erasure, restriction of processing, portability and objection. Privacy becomes a fundamental right of the user, and through this principle users can expect the DP and DC to comply with the other seven principles. Violations can be reported to the DPO and to the supervisory authority.
Opinions recorded about a user also become that user’s personal data. The DC and DP may collect and process such information, but the context in which it was recorded and processed must be stated and stored alongside it.
P7: SECURITY
Data must be collected, accessed and stored securely. Authentication, authorization and encryption of data both at rest and in transit are essential. Access control lists (ACLs), allow/deny listing, classification of data and alignment of access to purpose are addressed here, as is the ability to detect and report breaches.
P8: PORTABILITY AND INTERNATIONAL TRANSFER
Data must be portable across service providers so that it is easy for the user to move between services. Services consumed by individuals in the EU must comply with GDPR whether they are deployed inside or outside the EU, and transfers of personal data outside the EU need a recognised safeguard.
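As an added example (my own illustration, not code from Mahindra Comviva or from the regulation), here is how the purpose-limitation, consent and retention rules above can be enforced inside a service, in Python. Consent is kept as an append-only ledger of grant/withdraw events, so the same structure answers “may we process this for purpose X today?” and provides the audit trail of who consented to what and when; an erasure request is weighed against a statutory retention period counted from the last transaction. The purposes, the three-year retention period, the record layout, the dates and the function names are all assumptions chosen for the example.

```python
# Added illustration (not Mahindra Comviva code) of purpose limitation,
# append-only consent records and retention-aware erasure. The purposes,
# retention period, record layout and function names are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One ledger entry: the subject granted (True) or withdrew (False)
    consent for a named purpose on a given day. Events are appended, never
    edited, so the ledger doubles as the audit trail of consent."""
    purpose: str
    on: date
    granted: bool


@dataclass
class SubjectRecord:
    subject_id: str
    events: List[ConsentEvent] = field(default_factory=list)
    last_transaction: Optional[date] = None


def grant(rec: SubjectRecord, purpose: str, on: date) -> None:
    rec.events.append(ConsentEvent(purpose, on, True))


def withdraw(rec: SubjectRecord, purpose: str, on: date) -> None:
    rec.events.append(ConsentEvent(purpose, on, False))


def may_process(rec: SubjectRecord, purpose: str, on: date) -> bool:
    """Purpose limitation: allowed only if the latest event for exactly this
    purpose, as of day `on`, is a grant. A purpose with no event at all is
    refused until consent has been collected and recorded."""
    latest: Optional[ConsentEvent] = None
    for ev in rec.events:
        if ev.purpose == purpose and ev.on <= on:
            if latest is None or ev.on >= latest.on:  # later entry wins on ties
                latest = ev
    return latest is not None and latest.granted


def on_erasure_request(rec: SubjectRecord, requested_on: date,
                       statutory_retention: timedelta) -> Tuple[str, date]:
    """Right to erasure versus a statutory retention duty. If the retention
    period counted from the last transaction has elapsed, erase now; otherwise
    restrict the record to the retention purpose and schedule erasure for the
    day the hold expires."""
    anchor = rec.last_transaction or requested_on
    hold_until = anchor + statutory_retention
    if requested_on >= hold_until:
        return ("erase", requested_on)
    return ("restrict", hold_until)


def demo() -> dict:
    """Constructed walk-through returning plain values for checking."""
    rec = SubjectRecord("subj-001", last_transaction=date(2018, 1, 15))
    grant(rec, "billing", date(2017, 6, 1))
    grant(rec, "marketing", date(2017, 6, 1))
    withdraw(rec, "marketing", date(2018, 3, 1))
    three_years = timedelta(days=3 * 365)          # assumed statutory period
    early = on_erasure_request(rec, date(2018, 6, 1), three_years)
    late = on_erasure_request(rec, date(2021, 2, 1), three_years)
    return {
        "billing_now": may_process(rec, "billing", date(2018, 6, 1)),
        "marketing_now": may_process(rec, "marketing", date(2018, 6, 1)),
        "marketing_before_withdrawal": may_process(rec, "marketing", date(2018, 2, 1)),
        "profiling_never_consented": may_process(rec, "profiling", date(2018, 6, 1)),
        "erasure_during_hold": (early[0], early[1].isoformat()),
        "erasure_after_hold": (late[0], late[1].isoformat()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points matter in practice: the check is per purpose, so a new purpose (here “profiling”) is refused until consent for exactly that purpose is recorded, which is what P2 demands; and a “restrict” decision must actually be enforced by the data-access layer, so that during the hold the record is readable only by the retention purpose and not by billing, marketing or analytics.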
With the basics of GDPR, let us look at what it means for Mahindra Comviva and its products.
Mahindra Comviva as an organization plays the role of “Data Processor” in the B2B model, since we provide our products and solutions to customers (telecom operators, banks) who are in turn the “Data Controllers”.
Where Mahindra Comviva provides a solution or service to end customers directly (B2C model), we also act as “Data Controller” in addition to “Data Processor”, and a more stringent level of compliance is expected.
Where employees of Mahindra Comviva are EU data subjects, internal HR and IT systems must comply with GDPR as well.
GDPR has widened the territorial scope: it applies to the processing of personal data of individuals in the EU whenever goods or services are offered to them or their behaviour is monitored, regardless of where the DP or DC is established. As an organization we therefore need to comply with GDPR as soon as we serve a single EU data subject, whether our deployment is in the EU or not and whether our role is DP or DC.
What is impacted most in our products is the way we collect and store user information.
1. A mobile number uniquely identifies a user and is therefore personal data. Consent, or another lawful basis such as performance of the customer’s contract, must exist for the way we store and use the customer’s “Mobile Number”, and the user must be told the purpose for which it is used. A CONSENT gateway with consent policies configurable by the DC/DP, driven by the Data Protection Officer (DPO)’s requirements, would help here.
2. Data must be pseudonymised through an “Anonymization Layer” so that even a breach does not expose references to actual data subjects. The same layer ensures that any third-party system that receives our EDR/CDR data cannot use it for purposes other than those originally intended. Note that GDPR treats reversible substitution of identifiers (pseudonymisation, Article 4(5)) as still being personal data, because whoever holds the key or mapping can re-identify the subject; only irreversible aggregation or removal of identifiers takes data out of scope.
3. With “Privacy” and “Trust” becoming the norm in government and regulatory policy across the globe, it is essential for us to look at both in detail.
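As an added example, not the company’s own anonymization layer, the following Python shows why such a layer must use a keyed function rather than a plain hash: a plain hash of a mobile number can be reversed by enumerating the numbering plan, while an HMAC under a secret key keeps the same subscriber linkable across records for analytics without being reversible by anyone who lacks the key. The CDR layout, the Indian-style numbering prefix, the sample records and the demo key are all constructed assumptions.

```python
# Added illustration (not Mahindra Comviva's anonymization layer) of keyed
# pseudonymisation of MSISDNs in CDR/EDR records. The record layout, the
# numbering-plan prefix, the sample records and the demo key are assumptions.
import hashlib
import hmac
from typing import List, Optional, Tuple

# Demo key only. In production the key is held in a KMS/HSM used by the
# pseudonymisation service and never stored beside the pseudonymised records.
DEMO_KEY = b"demo-key-do-not-use-in-production"

# Constructed sample CDRs: (calling MSISDN, called MSISDN, duration in seconds).
SAMPLE_CDRS: List[Tuple[str, str, int]] = [
    ("919876543210", "919812345678", 42),
    ("919876543210", "447700900123", 7),
    ("919812345678", "919876543210", 300),
]


def unkeyed_pseudonym(msisdn: str) -> str:
    """The tempting but weak approach: a plain hash of the number."""
    return hashlib.sha256(msisdn.encode()).hexdigest()[:16]


def keyed_pseudonym(msisdn: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Deterministic, so the same subscriber
    still links across records, but not computable without the key.
    Truncated to 64 bits for readability; keep the full digest if the token
    space must stay collision-free at very large scale."""
    return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise_cdrs(cdrs, key: bytes):
    """Replace both party identifiers and keep the non-identifying fields."""
    return [(keyed_pseudonym(a, key), keyed_pseudonym(b, key), dur)
            for a, b, dur in cdrs]


def reverse_by_enumeration(token: str, prefix: str = "9198765432",
                           tail_digits: int = 2) -> Optional[str]:
    """What a party without the key can do against a plain hash: enumerate
    the numbering plan and hash every candidate. The search here covers a
    100-number block so the demo is instant; a full 10-digit national range
    is about 10^10 hashes, which commodity hardware finishes in minutes, so
    an unkeyed hash is weak pseudonymisation, not anonymisation. Against an
    HMAC token the same search finds nothing."""
    for tail in range(10 ** tail_digits):
        candidate = f"{prefix}{tail:0{tail_digits}d}"
        if unkeyed_pseudonym(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    victim = "919876543210"
    print("unkeyed reversed to:", reverse_by_enumeration(unkeyed_pseudonym(victim)))
    print("keyed reversed to:  ", reverse_by_enumeration(keyed_pseudonym(victim, DEMO_KEY)))
    for rec in pseudonymise_cdrs(SAMPLE_CDRS, DEMO_KEY):
        print(rec)
```

Hand the third party only the output of pseudonymise_cdrs and never the key, and it can still count calls per subscriber or build call graphs without learning who anyone is. Rotating the key per day or per export breaks linkage between batches, which is the right default when the recipient does not need cross-batch correlation. Because the key holder can always recompute the mapping, this is pseudonymisation in GDPR terms and the records remain personal data; only aggregated figures with no per-subscriber rows are out of scope.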
DESIGN FOR TRUST
Consumers gravitate to “TRUSTED” brands of products, platforms and services. With sensitive data, the need to design for “TRUST” has become apparent. Data minimisation ensures we collect only the data that is needed and nothing beyond.
Secure APIs must be used for collecting data, and only “adequate” information should be collected from end customers.
1. Data Storage: storing only essential personal and sensitive data, in encrypted form, with keys managed separately from the data.
2. Data Access: defining a clear ACL (Access Control List) stating what level of data may be accessed by whom. Restrict the components of the solution that access the data and grant only the “ESSENTIAL” permissions for the MINIMAL access needed to accomplish the core purpose.
3. Data Audit: keeping an audit trail of every access, update and deletion of a record.
4. Data Breach: notifying the supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33), and the affected data subjects without undue delay where the breach is likely to result in a high risk to them (Article 34), while taking both corrective and preventive measures.
PRIVACY BY DESIGN
With the need for “PRIVACY”, product architecture and design must be reviewed and altered to support “PRIVACY” as an inherent attribute or as an NFR (non-functional requirement) to ensure GDPR compliance. This also includes the processes, policies and technology adoption that support it across the life cycle of user data.
A playbook is a strategic, threaded process made up of consistent, repeatable tactics grounded in solid data and information: a single document for everyone involved to learn from, refer to, pull from, engage with and repeat.
A playbook for GDPR adoption is as below:
2. The organization’s website must also comply with the policy and state, from a privacy perspective, how cookies are used and what data they collect.
3. Identify and create the role of “Data Protection Officer” (DPO), so that there is a dedicated owner for privacy both within the organization and as SME for product data.
4. The DPO drives the “Data Privacy Charter” and defines and rolls out “Policies” and “Guidelines” for internal stakeholders to comply with. The DPO also conducts periodic reviews and governance of privacy compliance.
5. Data Audit: prepare an inventory of all data relating to the “Customer” (data subject) and classify each field as mandatory or optional for the business. Apply encryption and pseudonymisation to mandatory fields, and drop optional fields that do not serve the core purpose of the service offered to the customer.
6. Data Flow Audit: audit how data is collected, processed, retained and deleted in our products. Secure APIs must be used for collection and retrieval, with encryption in transit.
7. Engineering Focus: engineering teams need to CONSCIOUSLY examine which data the product actually requires to function. Feature richness will depend on the availability of customer data, and customers must be told what is collected and why.
Personally, I believe this is one of the most essential policies in the digital world, one that paves the way for the safety and privacy of living individuals in compliance with the laws of identity. GDPR is an opportunity more than a threat for organizations and businesses to establish the “TRUST” of their brands through “TRANSPARENCY” in the way they handle customer data. It is also time for new skills for both engineering and operations teams to design the elements of trust and privacy into solutions and their operational practices on the ground.
Better late than never; let us begin our journey to make our solutions GDPR compliant.