How to prepare for GDPR Compliance

What is GDPR?

General Data Protection Regulation (GDPR) requires businesses to protect the personal data of European Union (EU) countries’ citizens. Organizations that collect and/or process data from the EU region must comply with the regulation by May 25, 2018.

What data are we talking about?

GDPR is here to protect the privacy of Personally Identifiable Information (PII) such as:

• Name and address of a user
• Web information like location, IP address, cookie data
• Biometrics
• Political opinions
• Device IDs like IDFA, AAID

Who is affected?

All organizations that store or process personal information about EU citizens (no matter where on the globe they are). In fact, this is valid even if they do not have a business presence within the EU must comply with GDPR.

What if an organization is not GDPR compliant?

If any organization is not GDPR compliant by May 25, 2018, then the regulation attracts a penalty of up to €20 million or 4% of your global annual turnover, whichever is higher.

How do you prepare for GDPR?

The following checklist can help you comply with GDPR:

• Identify if your customer’s product deals with EU data.
  NOTE: The common approach that most businesses are taking across industries is to proactively reach out to their entire user base and ask for their users’ explicit consent. That is a much easier and the most recommended thing to do. But, if for some reason this is detrimental to your business directly or indirectly, identify your available data.
• If EU data is involved, identify the parameters involved. For example device IDs, email IDs, IP address.
• Assess whether the data is really required for business. If the data is not required, immediately delete all such data and update your product to stop receiving such information.
• If any data is essential, find a way to replace the data. For example, replace essential PII data with unique tokens or encrypt the data such that the token or encryption that no one can reverse to identify the person.
• If you have been storing any PII data, update the data retrospectively.
• Ensure GDPR compliance of all the entities involved in your business workflow.
• In case of data breach, notify your data regulators within 72 hours of the breach.
• Have a provision in your product to facilitate easy capturing of user preferences. This lets the user decide if they want to know the information your product captures, how is it used, and if they want your product to delete or restrict the processing of their information.

What has Talentica done for GDPR compliance?

We understand that our customers are from both B2B and B2C scenarios. It is important for us to create tools or techniques for our customers to achieve GDPR compliance. We have been working to ensure all our customers are GDPR compliant.

Production-deployed customers:

For customers whose products are already in production, we perform the following:

• Record Consent: Before storing any personal user data, we seek the user’s consent via consent forms and APIs.
• Compliance Audit: We identify whether any users are in the EU region and whether they have provided consent for data sharing.
• Consent Record Logs: We store an audit trail of when, where and how the consent was given. The logs include the link, text and a screenshot of the consent form.
• Data Pseudonymization: We associate unique pseudo tokens for key personal identifiers like email, name and contact information so that there is no direct association with any personal information.
• Data Encryption: As an alternative to data psedonymization, we encrypt all the personal information. Moreover, encryption also helps in unfortunate situations like data breach or hacks and we cannot use that to re-identify a person.
• Data Export: Our customers’ users can request an export of all data related to them. We notify customers about such requests and extract the required information securely.
• Data Deletion: If any of our customer’s users ask for their data be forgotten, we purge the related data. We also disassociate any data pseudonymization for that user.
  NOTE: GDPR Law states that you should finish processing such requests within 45 days.
• Third–party Compliance: We ensure our customers’ third-party integrations providers are GDPR compliant and they send us their user’s consent forms. If not, we urge them to comply with GDPR. If nothing works, we disassociate ourselves from such providers.

Infrastructure management:

For customers whose infrastructure we maintain, we perform the following:

• Network Isolation: We isolate the infrastructure for EU users on the basis of the GDPR guidelines and setup the servers in EU region itself.

Conclusion

GDPR is unavoidable for anyone working with data about EU citizens. Taking care of this personal data is a responsibility that we share with our customers. A lot of the tools described here are also good practices that we should all be following irrespective of GDPR. By taking good measures, we can all ensure that our customer’s data privacy is fool-proof.

References

• FAQs – https://www.eugdpr.org/gdpr-faqs.html
• PIIs – https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
• IAB GDPR advisory – https://iabtechlab.com/wp-content/uploads/2018/02/OpenRTB_Advisory_GDPR_2018-02.pdf