Since May 2018 when EU GDPR came into force, privacy and protection of personal data and information has become a critical compliance requirement for organizations.
It is important to note here that privacy laws are applicable to all organizations, whether private, public or government and whether business or others.
Any organization that handles personal data needs to ensure their data privacy practices are in consonance with and in full compliance to the data privacy regulations.
The above statement leads to some direct and interesting corollaries.
Corollary 1 - Data privacy must be a matter of grave concern for every living person in the world.
It is important to note here that privacy laws are applicable to all organizations, whether private, public or government and whether business or others.
Any organization that handles personal data needs to ensure their data privacy practices are in consonance with and in full compliance to the data privacy regulations.
The above statement leads to some direct and interesting corollaries.
Corollary 1 - Data privacy must be a matter of grave concern for every living person in the world.
- Data privacy laws consider natural living persons as data subjects.
- Speaking differently, you are a data subject and so is every one else.
- You are a data subject much before you are the owner or employee of an organization and in that capacity expected to protect the organization's interest..
- Violation of data privacy laws by organizations impinge directly upon your civil rights as a data subject.
- You are the rightful owner of your personal data and should have complete say on anything related to it except for matters pertaining to national security, public safety and law enforcement.
- The "Digital Parasites" in the digital economy like Facebook, et al if not tethered would continue to devour your personal data to mint money.
- The digital economy will continue to grow and become bigger with newer "Digital Parasites" coming into existence as time unfolds.
- Hence data privacy must be a matter of grave concern for every living person in the world.
- Any organization will have employees at the very least.
- By definition, every employee is a data subject (in GDPR) or a data principal (in the proposed Indian Data Protection Act).
- Hence data privacy regulations are applicable to each and every organization.
- Any employee will come across personal information of some of the other employees or other persons outside that organization in some or the other manner in the course of fulfilling work responsibilities.
- By definition, when an employee is handling personal information as part of work responsibilities, the organization, effectively speaking, acts either in the capacity of a data controller (or data fiduciary) or a data processor.
- Hence every employee must ensure individual-level compliance with data privacy regulations.
- Every bit of personal data that is handled by an organization needs to adhere to the data privacy principles:
- Lawfulness, Fairness and Transparency
- Purpose Limitation
- Data Minimization
- Storage Limitation
- Accuracy
- Confidentiality and Integrity
- The above data privacy principles have to be individually and independently applied to each and every bit of personal data handled by an organization.
- Hence even one bit of personal data must be viewed as one too many.
Corollary 5 - Every organization must appoint a DPO (data protection officer) with direct reporting into the Board of Directors to drive enterprise-level compliance.
- Since even one bit of personal data is one too many, every organization must ensure enterprise-level compliance.
- Any organization that wants to live to see tomorrow must secure and protect every bit of personal data it comes across.
- Violations by an organization can lead to abrupt cessation of its operations or even a quick end to it's very existence like what happened in the Cambridge Analytica case.
- For ensuring business continuity on data privacy front and to avoid going the Cambridge Analytica way, organizations must appoint an executive-level officer to drive enterprise-level compliance and advise the Board of Directors on data privacy matters.
- The executive-level officer can report into the Chairman/CEO also but should certainly have direct reporting into the Board of Directors too.
- Hence every organization must appoint a DPO (data protection officer) with direct reporting into the Board of Directors to drive enterprise-level compliance.
- Given that data privacy is a given now, organizations must take care of the above corollaries that provide the broad guiding principles to appreciate the usefulness of data privacy regulations as well as key enablers to ensure compliance.
- The executive-level management must be genuinely committed to ensuring the privacy and protection of personal data and information handled by the organization.
- The tendency to find short-cuts in implementing data privacy practices in the name of cost to compliance should be strictly avoided.
- Comprehensive records of PII (personally identifiable information) processing activities must be maintained diligently to avoid any possibility of litigation risks to the organization.