The General Data Protection Regulation (GDPR) is the new European Data Protection Regulation
that harmonizes current data protection laws across the EU member states. The fact that it is a
“regulation” instead of a “directive” means it will be directly applicable to all EU member states
without a need for national implementing legislation. This course will take you through the 12
steps of GDPR and how you can implement them at work.
Welcome
Hi! I am Datum! You and I will go through this learning module together.
Understanding GDPR
In order to understand General Data Protection Regulation (GDPR), which comes into effect from
May 2018, let’s take a time machine and go to the future!
Evolution
Now that we know what GDPR is, let us see how it evolved.
Take a look at the map below to see how the global privacy landscape, including the GDPR, looks now.
12 steps of GDPR
Before we proceed, are you sure you are well aware of the terms related to data privacy? If not,
please take the course Process : Data Privacy_WBT, course ID : 53965 on iEvolve first.
For a quick reference, please read the attached Key terms pdf file.
Here we go!
Step 1. Awareness
Before we proceed, just go through this checklist. Do your data protection processes ensure all
the following for the associates? Even if you miss ticking one, you should review your processes
in the GDPR context.
Right of access: Individuals have the right to access the data (i.e. to obtain a copy) undergoing processing. The Controller may provide a secured
system which would grant the Data Subject direct access to his/her data.
Right to be forgotten: Individuals have the right to have their data ‘erased’ in certain specified
situations and to receive proof of the erasure.
Right to restriction of processing: It allows the individual to require data to be held in limbo
whilst other challenges are resolved. If personal data are restricted, then the Controller may only
store the data. It may not further process the data.
The Controller can be required to transmit the data directly to another controller.
Individuals can request a Controller to rectify inaccuracies in personal data held about them.
Individuals can require the Controller to provide information in a structured, commonly used and machine-readable form.
Consent to only certain personal data can be withdrawn and not all. Certain personal data
should be obtained and processed as a part of the employment.
The right to object to certain processing activities and also to decisions taken by automated
processes.
Well, it is the way you would like to access data in the future, or the way organizations will need
to provide access to the data you share with them.
GDPR brings in new timelines for handling subject access requests. In most cases, you will not be
able to charge for complying with a request, and you will have how many days to respond?
30 days
As we have seen in our previous examples, consent is an important part of GDPR's
accountability tenet.
We have also glimpsed at an Informed consent form, one of the ways in which you can take
consent. What are the other ways? Let’s take the upcoming quiz and discover.
Step 7. Consent
You are about to download a fitness app, but just as you go to install it, it asks whether it can access
your contact list. What is this?
The correct answer is, this is a consent form that the app is asking its users to act on. The
consent form will also state how it is going to use the data you are sharing.
What else should a consent form say apart from how it is going to use the data?
Organizations will need to demonstrate that consent has been given each and every time data is
solicited. Consent taken and given needs to be verifiable.
While working on multiple websites, you have requested your passwords to be saved. Along the same lines,
can your office network take your consent once and then pre-tick the consent checkboxes?
No
Step 8. Children
Did you know that GDPR will bring in special provisions for protecting the personal information
of children?
Are you part of a project that provides services to children, and collects their personal data to
gauge market preferences? Do you collect personal data of young adults to research on social
media trends?
If yes, then it is time to review your consent taking processes, and make sure your data privacy
notice is written in a language that children can understand. You will need a parent or guardian’s
consent in order to process personal data belonging to children.
But in spite of all the processes you have followed, what happens if there is a personal data
breach? What do you need to do?
A popular travel booking site was hacked last night. Personal data of 3000 users were
compromised. What should the travel site do now?
Step 10. Data Protection by Design and Data Protection Impact Assessments
Let's understand data protection by design and data protection impact assessments better
through this small quiz.
Do you remember the last time you did your Pulse survey? You shared your feedback about
various functions of the organization, but did the organization get to know which associate gave
what feedback/rating?
It did not. The survey interface has been designed in such a way that personal data of associates
is not revealed.
Can you identify which of the following examples is an instance of Data Protection by Design?
First two options are not related to Data Protection by Design. While the first option is an
example of protecting personal data in general, the second option is an example of consent.
data masking
data anonymization
data pseudonymisation
data minimization
Coming back to Data Protection Impact Assessments, we have already seen how spider-web diagrams are
used to carry them out.
A key tenet of the new regulatory landscape is an expectation that organisations will promote
privacy and data protection compliance from the start of any new project.
While creating new products and services, privacy risks need to be identified and managed from
the very earliest design-phase.
You should do this by carrying out privacy impact assessments as a matter of routine, especially
when considering new arrangements that may involve handling sensitive data fields, or large
volumes of personal data. The following basic ground rules should help set outline parameters to
those involved in the design process.
Flip the cards to understand the dos and don'ts of the various tasks.
Do not collect sensitive data other than when exceptionally needed; do not ignore privacy policy or
notice commitments on fair use.
Access
Sharing
Do not send data outside the organization or offshore unless additional protections are in place.
Use
Limit the type/volume of data collected to 'as needed' to complete specific tasks authorised in
advance.
Do not assume data collected for one purpose may be used for other purposes.
Storage
Processing
Governance
So, what are the governance obligations of Data Controllers and Processors?
Assign responsibility and budget for data protection compliance within the organization.
Appoint a Data Protection Officer (DPO). Ensure he/she has the requisite qualifications and
regular opportunities to attend specialist training and obtain certifications to stay up to date.
Ensure that a full compliance program is designed incorporating features such as PIAs (Privacy
Impact Assessments), regular audits, HR policy reviews, and awareness programs.
Keep a record of processing activities, for example, the type of data processed, and the purposes
for which it is used.
Report to Supervisory Authority and Data Subjects in case of an incident defined as a data
breach.
Implement appropriate technical and organizational protections to render the data unintelligible
in case of unauthorized access.
DPOs report to the Regional Country Head. They should have sufficient domain and business
knowledge, relevant qualifications, certifications and access to the top management of the local
TCS entity.
Inform and advise on the processing obligations pursuant to the GDPR and to other
member state data protection provisions – breach, consent, employee notice, and so on.
Provide advice on data protection impact assessment and monitor its performance.
Interact with the country/regional supervisory authority and act as the specific point of contact.
Monitor compliance with TCS privacy policies including the assignment of responsibilities,
awareness raising and training of staff involved in processing operations, and audits, if any.
This is with respect to the transfer of personal data to countries outside the EU or to
international organizations, which are not one of the approved countries. The data does not
need to be physically transported to be considered as transferred. Viewing the data hosted in
another location would amount to a transfer for GDPR purposes.
Controllers are prohibited from transferring personal data outside the EU to a third country
(i.e. one not on the list of countries considered to have adequate data protection).
Transfers of personal data outside the EU will be allowed where the European Commission has
issued an adequacy decision regarding the level of data protection provided in the location
where the data is transferred. Transfers of personal data will also be allowed based on legitimate
interest if the transfer is not repetitive and concerns only a limited number of individuals (Data
Subjects).
GDPR recognizes Data Transfer Agreements (DTA) as a valid mechanism to transfer personal data
outside the EU.
So, as a TCSer how do you abide by GDPR? Let's find out with the below quiz.
Would you give TCS employee information to your customers or publish it on the World Wide
Web?
As a Data Processor for your customer, you work with a few subcontractors. Should your
subcontractors follow the same level of confidentiality and data protection as a TCSer in your
team?
Yes. The subcontractor needs to abide by all the data privacy policies that TCS has agreed on
with the customer, and we need to ensure that.
Here are some situations where you might deal with personal or even sensitive data. You are just
doing your job and may not be aware that you are dealing with the law. Whenever you stumble
into those situations, ask yourself: are you dealing with personal data? Do you have the
authority? Even when you are 100% sure, talk to your supervisor and/or the Data Protection
Officer.
As IT: Remote access to a PC, especially mirroring of a user session without informing the
user
As Manager: Copying, viewing or forwarding personal data such as a CV, internally or to TCS customers
As Delivery Team: Accessing, or installing access rights to, the e-mail mailbox of a user
As Admin: Accessing, or installing access rights to, the home directory of a user without prior
notice
Everybody: Use of any functionality, no matter what kind, that allows undetected access to
a PC
In view of the level of sanctions that may be imposed in case of breach, it would be prudent for
the Data Controllers (and the Data Processors) to audit their data flows at this stage and ensure
that they will be GDPR-compliant by the time the new rules come into effect in 2018.
The following are some of the key points that they need to look into:
Discovery of the current data (where the data is stored, data flow etc.)
Employee training
Security Policy: Assessment of the current security framework at Offshore Development Centre
(ODC) to prevent any unauthorized access.
PIA is an analysis of how information is handled to ensure handling conforms to applicable legal,
regulatory, and policy requirements regarding privacy; to determine the risks and effects of
creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and
disposing of information in identifiable form in an electronic information system; and to examine
and evaluate protections and alternate processes for handling information to mitigate potential
privacy concerns. A privacy impact assessment is both an analysis and a formal document
detailing the process and the outcome of the analysis.
Failure to meet the requirements of the GDPR exposes the organization to administrative fines.
Minor breaches will be subject to fines of up to €10,000,000 or 2% of global turnover, whichever
is higher.
Major breaches will be subject to fines of up to €20,000,000 or 4% of global turnover, whichever
is higher.
TCS is the Data Controller of the PI of its data subjects in its European subsidiaries, JVs and
overseas offices. It needs to take all the necessary protections and the process changes to
comply with the GDPR Provisions when it comes to processing and transfer of these data to
locations outside of EU.
TCS will have to comply with all the Data Controller obligations mentioned earlier.
TCS acts as the Data Processor when we process the Personal data of the individuals on behalf of
a Data Controller in the various outsourcing deals concerning EU residents and citizens.
Data Controllers and Data Processors will be jointly responsible if there is a breach, but Data
Controllers may seek to transfer as many of their obligations as possible onto TCS as the Data Processor,
thereby increasing its liability.
As a first step, for each account where we deal with Personal Data, we need to focus on the
following:
Execute and implement all the changes required to make the customer processes compliant with
the provisions of the GDPR before it comes into force in May 2018.