Categories
Technology

Comparing GDPR & ISO 27001

This post was first published on my corporate blog
https://www.yash.com/blog/differences-between-gdpr-and-other-data-protection/

The EU adopted a newly harmonized data protection law called the General Data Protection Regulation (GDPR) during May 2016. As of May 25, 2018, the GDPR will be a directly applicable law in all member states within the EU and the European Economic Area (EEA). While the GDPR does not introduce many substantially new concepts, it increases the compliance requirements of data controllers and personal data processors. The GDPR encourages the use of certification schemes like ISO 27001 to serve the purpose of demonstrating that the organization is actively managing its data security in line with international best practice.

What’s the difference between GDPR and the Data Protection Act?

There are considerable differences between the Data Protection Act and the GDPR. The GDPR is explicitly risk based, the risk being to the fundamental rights of a person with regard to the processing of personal data, and data controllers and processors must manage that risk. In contrast, the Data Protection Act only implies management of risk. The core difference between the Data Protection Act and the GDPR is that the Data Protection Act applies only to the UK, while the GDPR applies to the whole of the EU and, crucially, also to any global company which holds data on EU citizens. The Data Protection Act is enforced by the Information Commissioner’s Office (ICO), while GDPR compliance will be monitored by a Supervisory Authority in the UK, with each European country having its own Supervisory Authority.

Non-compliance with the Data Protection Act can result in fines of up to £500,000 or 1% of annual turnover. Under the GDPR, the potential penalties for non-compliance are much more severe, with fines of up to €20 million or 4% of the business’s annual global turnover. Under the GDPR, a Data Protection Officer is mandatory for any business or organization with more than 250 employees, whereas under the current Data Protection Act there is no need for any business to have a dedicated Data Protection Officer. Under the GDPR, any data breach must be reported to the Supervisory Authority within 72 hours of the incident, while under the Data Protection Act businesses are under no obligation to report data breaches, though they are encouraged to do so.

Protection Impact Assessments (PIAs) are not a legal requirement under the Data Protection Act, but under the GDPR PIAs will be mandatory and must be carried out when there is a high risk to the freedom of the individual. Under the current Data Protection Act, data collection does not necessarily require an opt-in.

The need for consent underpins GDPR. Individuals must opt-in whenever data is collected and there must be clear privacy notices. Those notices must be concise and transparent and consent must be able to be withdrawn at any time.

| Data Protection Act | GDPR |
| --- | --- |
| Applies only to the UK | Applies to the whole of the EU and, crucially, also to any global company which holds data on EU citizens |
| Non-compliance can result in fines of up to £500,000 or 1% of annual turnover | Non-compliance is much more severe, with fines of up to €20 million or 4% of annual global turnover |
| A dedicated Data Protection Officer is not mandatory | A Data Protection Officer is mandatory for any business or organization with more than 250 employees |
| No obligation to report data breaches, though they are encouraged to do so | Any data breach must be reported to the Supervisory Authority within 72 hours of the incident |
| Enforced by the Information Commissioner’s Office (ICO) | Monitored by a Supervisory Authority in the UK, with each European country having its own supervisory authority |
| Protection Impact Assessments (PIAs) are not a legal requirement | PIAs will be mandatory and must be carried out when there is a high risk to the freedom of the individual |

How are EU GDPR, ISO 27001 and 27018 related?

ISO 27001 is a framework that in essence requires a risk based approach to the management of critical and sensitive data and information and their associated supporting assets. The GDPR is about managing the risk to the fundamental rights that a natural person has regarding personal data. Both are risk oriented and require the identification of risk, and the planning and implementation of the controls needed to reduce it to an acceptable level. ISO 27001 includes encryption of personal data and, as part of business continuity planning, the ability to restore and recover information and data in a timely manner.

According to the GDPR, personal data is critical information that all organizations need to protect. However, there are some EU GDPR requirements that are not directly covered in ISO 27001, such as supporting the rights of personal data subjects: the right to be informed, the right to have their data deleted, and data portability. If an organization stores or processes personal data in the cloud, it can also use ISO 27018 to cover many GDPR requirements. Therefore, if the implementation of ISO 27001 identifies personal data as an information security asset, and those that store or process personal data in the cloud follow the ISO 27018 recommendations, most of the GDPR requirements will be covered.

The ISO 27000 series of standards provides the means to ensure this protection. There are many points where the ISO 27001 and ISO 27018 standards can help achieve compliance with this regulation. Listed below are a few of the most relevant ones:

  • Because of the high fines defined in the GDPR and their major financial impact on organizations, it will be natural that the risk found during risk assessment regarding personal data is too high to leave untreated. On the other side, one of the new requirements of the GDPR is the implementation of Data Protection Impact Assessments, where companies will first have to analyze the risks to privacy, the same as is required by ISO 27001. While implementing ISO 27001, personal data must be classified as high criticality.
  • When implementing ISO 27001, it is mandatory to have a list of relevant legislative, statutory, regulatory, and contractual requirements. If the organization needs to be compliant with the GDPR, this regulation will have to be part of that list.
  • Breach notification – Companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. The implementation of ISO 27001 will ensure a consistent and effective approach to the management of information security incidents, including communication on security events. According to the GDPR, data subjects will also have to be notified, but only if the breach poses a high risk to data subjects’ rights and freedoms. The implementation of incident management, which results in the detection and reporting of personal data incidents, will be an improvement for any organization wishing to conform to the GDPR.
  • Asset management – ISO 27001 leads to the inclusion of personal data as information security assets, and allows organizations to understand what personal data is involved, where it is stored, for how long, its origin, and who has access, all of which are requirements of the GDPR too.
  • The adoption of Privacy by Design, a GDPR requirement, becomes mandatory in the development of products and systems. ISO 27001 ensures that information security is an integral part of information systems across the entire lifecycle.

In a nutshell, the GDPR mostly deals with personal data collection, while ISO 27001 helps ensure that this collection of confidential data is secure. Also, the GDPR expands on the Data Protection Act: it is focused on looking after the privacy and rights of the individual, and is based on the premise that consumers and data subjects should know what data is held about them, how it is held, and other core information that the Data Protection Act did not demand.


Everything your need to know about GDPR

This post was first published on my corporate blog
https://www.yash.com/blog/everything-you-need-to-know-about-gdpr/

With the help of advanced business analytics and AI, companies are putting the power of data to its best use. But what is this data? It comprises the personal details of citizens of the European Union (EU). Therefore, it is imperative to act according to a set standard of consumer rights in order to protect the data from being misused.

The Data Protection Act, the standard the EU is currently working with, was formed in 1998. The world of business intelligence has advanced beyond expectations since then. In the modern world, consumer data can be exploited in unimaginable ways, so a more comprehensive regulation that protects consumer data from exploitation in the current world scenario is a must. Hence the formulation of the all-new General Data Protection Regulation (GDPR).

What is GDPR?

In simple words, the GDPR, which is slated to come into effect on 25 May 2018, is a regulation designed to protect the personal data of citizens of the European Union from possible misuse by corporations. Non-compliance with the strict regulations of the GDPR may result in hefty fines for businesses.

The GDPR will supersede the previous Data Protection Act and, with refined and stricter regulations, the EU hopes to safeguard customer privacy in the upcoming digital economy.

The provisions of the GDPR are consistent across the 28 European Union member states, so there is only one standard that businesses are required to meet. Although the guidelines are strict and the standard expected of companies operating in the EU is very high, adhering to the GDPR will ensure the smooth running of a business for enterprises.

Not only will the GDPR act as a stringent master in controlling customer privacy and data, it will also make the business atmosphere simpler for EU companies. The GDPR is expected to offer a simpler legal environment for businesses to operate in by making the law on data security identical throughout the single market.

Who does GDPR affect, and how?

The GDPR is aimed at making businesses more accountable for protecting and monitoring customer data. This data includes:

  • Customer identity including IP address, location, RFID tags, and cookies.
  • Genetic and general health data
  • Biometric Data
  • Ethnic/ Racial data
  • Political belief
  • Sexual Preferences

The GDPR essentially applies to every company that accesses, stores, or processes any kind of personal data of any EU citizen. It does not matter whether the business is present within EU states or not; the company still has to comply with the GDPR if it uses EU citizens’ data in any way. For any company with more than 250 employees the GDPR is mandatory, but even if the company operates with fewer than 250 employees and uses the data of EU citizens, it must comply with the GDPR.

The Six principles of GDPR You Must Know About

Emphasizing the aim of driving GDPR compliance, the six principles summarize the main responsibilities of organizations in managing the personal data of consumers. These six principles are:

1. Fair practice, Lawfulness, and Transparency

The first principle of the GDPR says that personal data of any kind must be processed fairly, lawfully and transparently. In order to follow the GDPR lawfully, companies must meet the data acquisition and processing criteria laid out in the guidelines.

2. Legitimate Purpose Limitation

The principle clearly states that personal data can be collected for explicit, legitimate, and specified purposes only. Although the scope in the GDPR is widened for certain categories, the principle essentially means “do what you say and say what you mean”.

3. Data Minimization

According to Article 5(1)(c) of the regulation, the personal data collected must be adequate, relevant, and limited to only the information necessary in relation to the purposes for which it is processed. The principle explicitly means that nothing more than the bare minimum of required data should be retained for processing.

4. Accuracy of Personal Data

The principle states that the accuracy of data must be maintained. Care must be taken to safeguard personal data from theft and leaks. Also, rectification of inaccurate personal data must be done without delay.

5. Limitation on Storage of Data

The principle limits the storage of unwanted data. Data that is no longer required must be securely removed. There are a few exceptions to this principle, such as data collected for scientific purposes and in the public interest.

6. Confidentiality and Integrity

This principle follows from protecting the fundamental right to data security. The integrity and confidentiality of data must always be maintained. Controlling the number of people who can access the data is a good way of achieving this.

Rights of Data Subjects under GDPR

Data subjects are essentially the people whose data is being captured. When data subjects want to exercise their rights, the processors have to be answerable to them within the scope of those rights. There are 8 fundamental rights for data subjects, listed below:

1. The right to be informed

The GDPR asks the processors or data collectors to dutifully and clearly inform the subjects about the storage of their data and their rights over the data procured.

2. The right of access

Data subjects have the right to know how the data concerning them is being processed.

3. The right to rectification

Where personal data is incorrect or false, it is the responsibility of the data collectors to correct it with immediate effect.

4. The right to erasure

Data subjects have the right to ask to be forgotten, i.e. to have their personal data erased.

5. The right to restrict the processing

There may be circumstances where the data subject cannot have the data erased or forgotten but can restrict its processing to a certain extent. For example, in defense or legal claims cases, this right can be exercised.

6. The right to data portability

Data subjects enjoy the right to transfer their data from one online platform to another.

7. The right to object to processing

As stated in the clauses of the GDPR, the controllers (data collectors) must process the data lawfully and with full transparency. However, where the lawful basis is not absolute, data subjects have the right to object.

8. Rights in relation to automated decision making and profiling

Data subjects can exercise their rights in certain cases with respect to the profiling of their information.

The Obligation of Data Controllers

Under the GDPR, as soon as an enterprise gains access to the personal data of consumers, it becomes obligated to use it responsibly and follow all the principles and guidelines stated in the regulation. For a data processor or controller, the following obligations are of great significance:

  1. Proper implementation of appropriate technical and organizational measures to ensure and demonstrate that the data controller complies with the principles of the GDPR. Internal data policies such as audits of processing activities, reviews of HR policies, and staff training may be included in this.
  2. Maintaining relevant documentation regarding processing activities.
  3. Wherever required, appointing a qualified officer to monitor data protection.
  4. Implementing adequate measures that satisfy the principles of data protection at the time the process itself is designed.
  5. Carrying out data protection impact assessments wherever required.

RPA PoCs – Are you doing it wrong?

Proof of what exactly?

For any technology adoption, a proof of concept is the usual approach to evaluating the usefulness and effectiveness of the technology. However, RPA is a different animal altogether. The usual proof of concept does not work because it is not even clear what is being proven.

The unknowns in any RPA roll-out

  • How easy is the RPA tool to use?
  • Does it work with the applications that need to be automated? RPA tools are very finicky, and sometimes even the simplest-looking automation needs are hard to accomplish.
  • What are its performance and accuracy?
  • Is it enterprise grade? What is the approach to technology best practices around documentation, version control, peer reviews, testing, release and configuration management, security, auditing, etc.?
  • Will it work in the environment it needs to be deployed in?
  • Will it scale?
  • Will it seamlessly fit into the company’s processes: release, change management, deployment, support? What changes are needed to those processes?
  • Are the company’s processes standardized enough to start the RPA journey?
  • How will the employees feel about the automation of their tasks?

Of all these questions, a typical RPA PoC only answers the first, an irrelevant question that usually gets an incorrect answer as well. At the end of these PoCs, the bot created is nothing more than demoware, which is quickly forgotten.

A better RPA test

A good test for RPA is to pick a real process which has just enough technological and organizational complexity to provide a good test bed, but not so much as to kill the project before it even gets started.

  • A process involving a complex mix of technology. Don’t go easy here. If the process is a candidate for RPA, then RPA should be able to work with all of the technical stack. It is better to get a realistic picture of the limitations of the RPA tool now.
  • The process should involve multiple business units, to check the organizational dynamics.
  • The process should have a fair number of business rules and data quality issues.
  • Take a process that is performance sensitive, either high volume or large effort, but which is not critical. You should be able to take the bot live without much risk.

During the entire development, deployment and production phase, make copious notes of what went right and what did not meet expectations. At least a month after going live, hold a retrospective and try to answer the questions laid out in the first part of this article.

When you have all the answers, you can decide the outcome of the PoC and the next steps.


Delivering the RPA Hype

Look at any sales or marketing pitch around Robotic Process Automation and you will see these statements repeated in some form or other.

  • 50-80% reduction in cost.
  • It is easy to get started. No special skills needed; even the process executive can ‘train’ the bot.
  • By extension, this is not coding and does not need formal processes or change management.
  • RPA can automate (almost) any manual process.

TCS RPA

TCS’s Santhanam brushes aside the fears of robots taking over jobs, dubbing them an “exaggeration.” It is merely the next level after the past few decades of digitisation.

I agree with him. Read more at https://qz.com/1000424/tcs-is-quietly-transforming-itself-to-take-on-indias-emerging-it-scene/


RPA – The golden duct tape

At my last company, while optimizing business processes, I had a ringside view of robotic process automation (RPA) in action. We used to work closely with the RPA team to identify process steps that were good RPA candidates and help build a business case for the automation.

In my current role, I have jumped into the ring and am now delivering RPA solutions to our customers. I have started this blog to document and share my experiences around robotic process automation.

I am both excited by the promise of what RPA can do, and let down by the infancy and immaturity of both the vendors and the practitioners. In the upcoming posts, I will highlight the key issues and suggest possible solutions for deriving the benefits RPA has to offer.

Before I get to the dark underbelly of RPA, let me first present the rosy front.

Robotic Process Automation – The IT duct tape

RPA is like a versatile duct tape that can stick together applications which need to exchange data but have so far needed a human to do it. Just as duct tape is a temporary fix that can last a long time with proper maintenance, RPA solutions can be tactical solutions that are quick and cheap to implement, while the strategic IT initiative might take time or might never get prioritized.

RPA tools aid in the extraction, manipulation, validation and exchange of data. They work with the current IT landscape without needing to change the underlying systems. At their simplest, they can mimic a user by controlling the keyboard and mouse. However, most RPA vendors offer many more advanced ways of automating application interaction.

The promise of Robotic Process Automation

RPA tools can deliver great value by automating the long tail of automation needs. This results in the following benefits.