
GDPR

The General Data Protection Regulation (GDPR) is the new European data protection regulation that replaces the 1995 Data Protection Directive and harmonizes data protection law across the EU member states. The fact that it is a "regulation" instead of a "directive" means it is directly applicable in all EU member states without the need for national implementing legislation. This course will take you through the 12 steps of GDPR and how you can implement them at work.

Welcome

Hi! I am Datum! You and I will go through this learning module together.

Before we proceed, let's take a look at the course objectives. By the end of this module you should be able to:

Describe the 12 steps of GDPR

Implement GDPR at TCS


Lesson 2 - Understanding GDPR

Understanding GDPR

In order to understand the General Data Protection Regulation (GDPR), which applies from 25 May 2018, let's take a time machine and go to the future!

Evolution

Now that we know what GDPR is, let us see how it evolved.

Here are a few things you need to remember about GDPR.

Take a look at the map below to see how the global privacy landscape, including the GDPR, looks now.

12 steps of GDPR

Before we proceed, are you sure you are well aware of the terms related to data privacy? If not, please take the course Process : Data Privacy_WBT, course ID : 53965, on iEvolve first. For a quick reference, please read the attached Key Terms pdf file.

Key Terms.pdf


Let us now look at each of the 12 steps of GDPR.

Here we go!


Step 1. Awareness

Step 2. Information You Hold

Step 3. Communicating Privacy Information

Step 4. Individual’s Rights

Before we proceed, go through this checklist. Do your data protection processes give associates all of the following? If even one box stays unticked, you should review your processes in the GDPR context.

Right of access: to obtain confirmation of whether his/her personal data are being processed, to receive a copy of the data undergoing processing, and to be provided with supplementary information about the processing (purposes, recipients, retention period, source). The Controller may provide a secure system that grants the Data Subject direct access to his/her data.

Right to rectification: to have the Controller correct inaccuracies in the personal data held about them.

Right to erasure (right to be forgotten): to have their data erased in certain specified situations and to be informed when this has been done.

Right to restriction of processing: to require the data to be held in limbo while other challenges (for example a disputed accuracy claim or a pending objection) are resolved. If personal data are restricted, the Controller may only store the data; it may not process them further.

Right to data portability: to receive the data they supplied in a structured, commonly used and machine-readable form, and to have the Controller transmit the data directly to another controller where that is technically feasible.

Right to object: to object to certain processing activities (for example direct marketing, or processing based on legitimate interests) and not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

Right to withdraw consent: withdrawal only covers processing that relies on consent, and withdrawing is as easy as giving it. Personal data that must be obtained and processed as part of the employment relationship rest on a different legal basis (the employment contract or a legal obligation) and are not affected by a withdrawal.

Step 5. Subject Access Requests and Legal Basis

Well, it is the way you would like to access your data in the future, or the way organizations will need to provide access to the data you share with them.

GDPR brings in new timelines for handling subject access requests. In most cases you will not be able to charge for complying with a request, and you will have to respond within one month of receiving it (the course's rule of thumb: 30 days). That period can be extended by up to two further months for complex or numerous requests, but the individual must be told about the extension, and why, within the first month.

Can we refuse a subject access request? Only where the request is manifestly unfounded or excessive, for example because it repeats an earlier request. In that case the Controller may charge a reasonable fee or refuse to act, must tell the individual why, and carries the burden of demonstrating that the request is unfounded or excessive.

Step 6. Legal Basis for Processing Personal Data

As we have seen in the previous examples, consent is an important part of GDPR's accountability tenet: the Controller must be able to demonstrate that the Data Subject has consented.

We have also glimpsed an informed consent form, one of the ways in which you can take consent. What are the other ways? Let's take the upcoming quiz and find out.

Step 7. Consent

You are about to download a fitness app, and just when you go to install it, it asks whether it can access your contact list. What is this?

The correct answer is that this is a consent request that the app is asking its users to act on. The consent form will also state how it is going to use the data you are sharing. For the consent to be valid under GDPR it must be a freely given, specific, informed and unambiguous indication of the user's wishes, given by a clear affirmative action.

What else should a consent form say apart from how it is going to use the data?

1. Why it needs the data

2. Till when it needs it

3. When it will delete it


4. Who else will access the data

5. When the user can retrieve it

The correct points are:

1. Why it needs the data

2. Till when it needs it

3. When it will delete it

4. Who else will access the data

Organizations will need to demonstrate that consent has been given each and every time data is solicited. Consent taken and given needs to be verifiable, so keep a record of who consented, when, how and to what.

Your browser remembers your passwords for websites when you ask it to. Can your office network, by analogy, take your consent once and then pre-tick the consent checkboxes for you? No. Pre-ticked boxes, silence or inactivity do not count as consent; every consent needs a clear affirmative action from the individual.

Step 8. Children

Did you know that GDPR brings in special provisions for protecting the personal data of children?

Are you part of a project that provides services to children and collects their personal data to gauge market preferences? Do you collect personal data of young adults to research social media trends?

If yes, then it is time to review your consent-taking processes and make sure your privacy notice is written in language that children can understand. Where you rely on consent to offer an online service directly to a child, you will need a parent or guardian's consent (or authorisation) for children below the age of 16; member states may set a lower threshold, but not below 13. You must also make reasonable efforts to verify that the parental consent is genuine.

Step 9. Data Breaches

But in spite of all the processes you have followed, what happens if there is a personal data breach? What do you need to do?

You need to address the issue by following this four-fold path.

Whatever the internal steps, the GDPR sets the clock: the Controller must notify the supervisory authority within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to individuals, must inform the affected individuals without undue delay where the breach is likely to result in a high risk to them, and must document every breach, including those it decides not to report. A Processor must notify its Controller without undue delay after becoming aware of a breach.

A popular travel booking site was hacked last night. Personal data of 3000 users were compromised. What should the travel site do now?

Contain the incident and establish which data and how many people are affected; notify its supervisory authority within 72 hours, describing the nature of the breach, the likely consequences and the measures taken or proposed; tell the affected users without undue delay if the breach is likely to put them at high risk (for example, if passwords or payment details were exposed); and record the whole incident, including the decisions taken and the reasons for them.

Step 10. Data Protection by Design and Data Protection Impact Assessments

Let's understand data protection by design and data protection impact assessments better
through this small quiz.

Do you remember the last time you did your Pulse survey? You shared your feedback about various functions of the organization, but did the organization get to know which associate gave what feedback or rating?

It did not. The survey interface has been designed in such a way that the personal data of associates is not revealed: an instance of data protection by design.

Can you identify which of the following examples is an instance of Data Protection by Design?

The first two options are not related to Data Protection by Design. While the first option is an example of protecting personal data in general, the second is an example of consent.

Which of the following is a technique for protecting data by design?

data masking

data anonymization

data pseudonymisation

data minimization

all of the above

The answer is all of the above: each technique reduces the amount of identifiable data a system holds or exposes, which is exactly what protection at design time aims for.

Here is how your applications should be designed in the future.


Note: If the DPO cannot decide by himself, or is not sure, he can contact the Data Protection Authority for clarification. Where a Data Protection Impact Assessment shows a high residual risk that cannot be mitigated, the GDPR makes such prior consultation of the authority mandatory before processing starts.

Coming back to Data Protection Impact Assessments, we have already seen how spider webs are
used to do so.

A key tenet of the new regulatory landscape is an expectation that organisations will promote
privacy and data protection compliance from the start of any new project.

While creating new products and services, privacy risks need to be identified and managed from
the very earliest design-phase.

How can you do that?

You should do this by carrying out privacy impact assessments as a matter of routine, especially
when considering new arrangements that may involve handling sensitive data fields, or large
volumes of personal data. The following basic ground rules should help set outline parameters to
those involved in the design process.

Here are the dos and don'ts for the various tasks.

Use

Do: limit the type and volume of data collected to what is needed to complete specific tasks authorised in advance, and design systems with user preferences in mind.

Don't: collect sensitive data other than where it is exceptionally needed, ignore privacy policy or notice commitments on fair use, or assume that data collected for one purpose may be used for other purposes.

Access

Do: provide users with the access rights they need to perform their tasks.

Don't: set privileged account access by default.

Sharing

Do: control data sharing within and outside the organization.

Don't: send data outside the organization or offshore unless additional protections are in place.

Storage

Do: have effective data retention policies.

Don't: keep data indefinitely or without good reason.

Processing

Do: use aggregated, key-coded, pseudonymous or anonymous data where possible.

Don't: link identifiable user data without prior consent.

Governance

Do: establish information governance structures up to board level.

Don't: ignore the importance of managing risk across the organisation.
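The techniques named in the Step 10 quiz (masking, anonymisation, pseudonymisation, minimisation) and the Processing rule above (use key-coded or pseudonymous data where possible) are easier to apply with a concrete pipeline in front of you. The following Python is an added example written for this page; it is not part of the course and not TCS code. The survey records, the field names, the `Pseudonymiser` class and the reporting functions are all assumptions made for illustration.

```python
"""Data protection by design in code: minimisation plus key-coded pseudonymisation.

Added example for this course, not code from the original module or from TCS.
It assumes a hypothetical employee-survey pipeline: raw records carry direct
identifiers (e-mail, phone) and free text, but the reporting job only needs a
stable per-person token, the department and the score.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (not real people or real survey data).
RAW_RECORDS = [
    {"email": "a.lee@example.com", "phone": "+44 7700 900001", "dept": "Finance",
     "score": 4, "comment": "Good tooling"},
    {"email": "b.khan@example.com", "phone": "+44 7700 900002", "dept": "Finance",
     "score": 2, "comment": "Slow laptop"},
    {"email": "c.diaz@example.com", "phone": "+44 7700 900003", "dept": "Delivery",
     "score": 5, "comment": "Fine"},
    {"email": "A.Lee@example.com", "phone": "+44 7700 900001", "dept": "Finance",
     "score": 3, "comment": "Second survey"},
]

# Minimisation: the report is allowed to see only these fields.
ANALYTICS_FIELDS = ("dept", "score")


class Pseudonymiser:
    """Key-coded pseudonymisation with HMAC-SHA256.

    The key is held by the controller (for example the DPO's team), never by
    the analytics environment.  Without the key a token can neither be
    reversed nor recomputed from a guessed e-mail address, which is what makes
    this better than a plain SHA-256 of the address: an unkeyed hash of a
    small, guessable identifier space can be brute-forced with a dictionary.
    """

    def __init__(self, key: bytes = b""):
        self.key = key or secrets.token_bytes(32)

    def token(self, identifier: str) -> str:
        # Normalise so that "A.Lee@example.com " and "a.lee@example.com"
        # map to the same person.
        norm = identifier.strip().lower().encode()
        return hmac.new(self.key, norm, hashlib.sha256).hexdigest()[:16]


def unkeyed_hash(identifier: str) -> str:
    """The weak alternative, shown for contrast: anyone holding a list of
    company e-mail addresses can recompute these and re-identify rows."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()[:16]


def pseudonymise(records, pseud: Pseudonymiser):
    """Replace the direct identifier with a token and drop every field the
    analytics use does not need (phone number, free-text comment)."""
    out = []
    for rec in records:
        row = {"subject": pseud.token(rec["email"])}
        row.update({f: rec[f] for f in ANALYTICS_FIELDS})
        out.append(row)
    return out


def average_by_dept(pseudo_records):
    """Aggregated output: nothing per-person leaves this function."""
    totals, counts = Counter(), Counter()
    for r in pseudo_records:
        totals[r["dept"]] += r["score"]
        counts[r["dept"]] += 1
    return {d: totals[d] / counts[d] for d in totals}


def erase_subject(pseudo_records, pseud: Pseudonymiser, email: str):
    """Right to erasure on the pseudonymised store: only the key holder can
    recompute the token, so only the controller can locate and delete the
    subject's rows; analytics staff cannot single anyone out."""
    t = pseud.token(email)
    return [r for r in pseudo_records if r["subject"] != t]


if __name__ == "__main__":
    controller = Pseudonymiser()          # the key stays with the controller
    rows = pseudonymise(RAW_RECORDS, controller)
    print(rows)                           # token, dept, score: no e-mail, phone or comment
    print(average_by_dept(rows))          # {'Finance': 3.0, 'Delivery': 5.0}
    print(len(erase_subject(rows, controller, "a.lee@example.com")))  # 2
```

The design point is key separation: the analytics environment receives only tokens and the minimised fields, so a leak from it exposes no direct identifiers, while the controller, who holds the HMAC key, can still honour an access or erasure request by recomputing the token for the individual concerned.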

Step 11. Data Protection Officers

So, what are the governance obligations of Data Controllers and Processors?

Assign responsibility and budget for data protection compliance within the organization. Appoint a Data Protection Officer (DPO), and make sure he/she has the requisite qualifications and is regularly able to attend specialist training and obtain certifications to stay up to date.

Ensure that a full compliance program is designed, incorporating features such as Privacy Impact Assessments (PIAs, called Data Protection Impact Assessments in the GDPR), regular audits, HR policy reviews and awareness programs.

Keep a record of processing activities, for example, the type of data processed, and the purposes
for which it is used.

Report to Supervisory Authority and Data Subjects in case of an incident defined as a data
breach.

Develop or update internal breach notification procedures, including incident identification


systems and incident response plans. These procedures should be regularly tested and reviewed.

Implement appropriate technical and organizational protections to render the data unintelligible
in case of unauthorized access.

DPOs report to the Regional Country Head. They should have sufficient domain and business
knowledge, relevant qualifications, certifications and access to the top management of the local
TCS entity.

So, what should a Data Protection Officer do?


Build Comprehensive GDPR Knowledge – country wise requirements in terms of data residency
and data transfer, employee notices, employee consent, data retention, breach notification,
regulatory regime, role of DPO, and associated risks.

Inform and advise on the organization's obligations under the GDPR and under other member state data protection provisions: breach, consent, employee notice, and so on.

Provide advice on data protection impact assessment and monitor its performance.

Interact with the country/regional supervisory authority and act as the specific point of contact.

Monitor compliance with TCS privacy policies including the assignment of responsibilities,
awareness raising and training of staff involved in processing operations, and audits, if any.

Step 12. International

This is with respect to the transfer of personal data to countries outside the EU or to
international organizations, which are not one of the approved countries. The data does not
need to be physically transported to be considered as transferred. Viewing the data hosted in
another location would amount to a transfer for GDPR purposes.

Let’s hear what an expert has to say about this.

Controllers are prohibited from transferring personal data outside the EU to a third country that is not on the list of countries considered to have adequate data protection, unless an appropriate safeguard or a derogation applies. Transfers of personal data outside the EU will be allowed where the European Commission has issued an adequacy decision regarding the level of data protection provided in the location where the data is transferred. Transfers will also be allowed, as a last-resort derogation, on the basis of the Controller's compelling legitimate interests if the transfer is not repetitive, concerns only a limited number of individuals (Data Subjects), is accompanied by suitable safeguards, and the supervisory authority and the Data Subjects are informed of it.

GDPR also recognizes contractual safeguards as a valid mechanism to transfer personal data outside the EU: the Data Transfer Agreements (DTAs) the course refers to must incorporate the standard contractual clauses approved by the Commission, or the group must operate binding corporate rules approved by a supervisory authority.

Data privacy in daily business

So, as a TCSer how do you abide by GDPR? Let's find out with the below quiz.

Would you give TCS employee information to your customers or publish it on the World Wide Web?

No, you wouldn't. Doing so would be a violation of TCS' data protection policies.

As a Data Processor for your customer, you work with a few subcontractors. Should your
subcontractors follow the same level of confidentiality and data protection as a TCSer in your
team?

Yes. The subcontractor needs to abide by all the data privacy policies that TCS has agreed on
with the customer, and we need to ensure that.

Identifying roles and responsibilities

Here are some situations where you might deal with personal or even sensitive data. You are just doing your job and are not aware that you are dealing with the law. Whenever you stumble into one of those situations, ask yourself: am I dealing with personal data? Do I have the authority? Even when you are 100% sure, talk to your supervisor and/or the Data Protection Officer.

As IT: remote access to a PC, especially mirroring or shadowing a user's session without informing the user.

As Manager: copying, viewing or forwarding personal data such as a CV, internally or to TCS customers.

As Delivery Team: accessing, or granting access rights to, a user's e-mail mailbox.

As Admin: accessing, or granting access rights to, a user's home directory without informing the user beforehand.

Everybody: using any functionality, of whatever kind, that allows undetected access to a PC.

During transition: assessments based on log files and protocol records.

Lesson 7 - Activities required for compliance

Activities required for compliance

In view of the level of sanctions that may be imposed in case of breach, it would be prudent for
the Data Controllers (and the Data Processors) to audit their data flows at this stage and ensure
that they will be GDPR-compliant by the time the new rules come into effect in 2018.

The following are some of the key points that they need to look into:

Discovery of the current data (where the data is stored, data flow etc.)

Identify the gaps from Data Discovery

Roadmap for compliance to bridge the gaps from Data Discovery

Procedure for data transfer

Current procedure to track and report in case of any breach


Current data archival, retention and deletion policy

Employee training

Security Policy: Assessment of the current security framework at Offshore Development Centre
(ODC) to prevent any unauthorized access.

PIA is an analysis of how information is handled to ensure handling conforms to applicable legal,
regulatory, and policy requirements regarding privacy; to determine the risks and effects of
creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and
disposing of information in identifiable form in an electronic information system; and to examine
and evaluate protections and alternate processes for handling information to mitigate potential
privacy concerns. A privacy impact assessment is both an analysis and a formal document
detailing the process and the outcome of the analysis.

Sanctions in case of non-compliance

Failure to meet the regulations in GDPR exposes the organization to administrative fines.

There are two tiers of fines:

Minor breaches (the lower tier, for example failures in the obligations of controllers and processors such as security, records of processing or DPO appointment) will be subject to fines of up to €10,000,000 or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.

Major breaches (the upper tier, for example violations of the basic principles for processing, the conditions for consent, data subjects' rights or the rules on international transfers) will be subject to fines of up to €20,000,000 or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.


The severity of each breach depends on the context.

Impact on TCS as data controller

TCS is the Data Controller of the personal information (PI) of its data subjects in its European subsidiaries, JVs and overseas offices. It needs to put in place all the necessary protections and process changes to comply with the GDPR provisions when it comes to processing and transferring these data to locations outside the EU.

TCS will have to comply with all the Data Controller obligations mentioned earlier.

Impact on TCS as data processor

TCS acts as the Data Processor when we process the Personal data of the individuals on behalf of
a Data Controller in the various outsourcing deals concerning EU residents and citizens.

Data Controllers and Data Processors can both be held liable if there is a breach: under GDPR the Processor has its own direct obligations (security, records of processing, notifying the Controller of breaches, use of sub-processors), and where both are involved in the same processing each can be held liable for the entire damage. Data Controllers may also seek, by contract, to transfer as much of their obligations as possible onto TCS as the Data Processor, thereby increasing its liability.

As the first step we need for each account where we deal with Personal Data to focus on the
following:

Assessment of the current Data Flows

Data Discovery in the current business process or function or project


Identify the gaps from Data Discovery

Roadmap for Compliance

Execute and implement all the changes required to make the customer processes compliant with the provisions of GDPR before it comes into force in May 2018

As TCS is headquartered in a country outside the EU that is not on the list of countries with an adequacy decision, it will need to rely on appropriate safeguards (such as standard contractual clauses or binding corporate rules) or, failing those, on the derogations for demonstrating compliance with the transfer rules. TCS will need to appoint a DPO (Data Protection Officer) to devise an appropriate strategy so that both TCS and our customer engagements are ready for compliance when GDPR comes into force in May 2018.
