Life After GDPR: 10 steps Ciklum Took to Become Compliant

by Dmytro Zelman, Head of Information Security and Privacy, Ciklum

The European Union’s General Data Protection Regulation (GDPR) went into effect throughout Europe on May 25, 2018. Superseding a similar regulation enacted in 1995, GDPR offers EU citizens a greater amount of freedom and control over the use of their personal electronic data and unifies data collection requirements for businesses.

GDPR is based on seven key principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability
Dmytro Zelman, Head of Information Security and Privacy, Ciklum
Dmytro Zelman, Head of Information Security and Privacy, Ciklum

Ensuring compliance with GDPR isn’t just the law — it’s good practice. Though some of the requirements may seem expensive, time-consuming or burdensome, the end result offers users far more flexibility and transparency regarding how their data is handled.

Because of GDPR, businesses like Ciklum across the world were forced to rethink and restructure many of their data collection policies in order to become compliant. Though many of our existing practices already focused on privacy and security, GDPR allowed Ciklum to take a deeper look at our data collection policies and determine the best ways to become GDPR compliant. We’d like to share those seps with you to offer a greater understanding of our approach to GDPR compliance.

Here are 10 steps Ciklum took to become compliant with GDPR:

Step 1: Increase awareness.

First and foremost, companies need to be aware of the impact GDPR has on their business.

From the top of the organization down, starting with the Executive Board and Leadership teams, Ciklum made sure that every single one of our employees understood the changes to our processes that GDPR would require. Ciklum used a risk-based approach to address any area identified as having potential issues with compliance.

Step 2: Know the data.

One of GDPR’s key data protection principles is accountability. Not only are companies responsible for complying with GDPR, but they must also carry out technical and organizational measures that can demonstrate compliance.

To establish effective and demonstrable data policies and procedures, Ciklum has made data discovery and mapping a key element in understanding how data is acquired, accessed, transferred and stored.

Step 3: Communicate privacy information.

Privacy policies must be reviewed and revised in accordance with GDPR.

Ciklum’s updated Privacy Policy clearly explains how information is gathered, the lawful basis for its use and how long data can remain in our system. We use clear, plain text information regarding data subject rights to ensure users have an accurate and easy-to-understand picture of their privacy rights and understand how we’re collecting and utilizing their data.

Step 4: Fulfill individual rights.

One of GDPR’s key elements entitles users to several individual rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure (also known as the right to be forgotten)
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

To be compliant with these rights, Ciklum adjusted its procedures, processes and internal systems to ensure users can delete personal data on request and to provide user data electronically in a commonly used format free of charge.

Step 5: Identify lawful basis for processing.

GDPR laws require that personal data is processed lawfully, fairly and transparently.

We’ve enacted the process of identifying and documenting data on a lawful basis. To ensure accountability, Ciklum has updated the Privacy Policies and data processing agreements for our clients and vendors and notified all parties of any changes.

Step 6: Consider consent.

User consent offers individuals choice and control over how their data is used, and the GDPR sets a high standard for how consent can be requested.

Ciklum reviewed our process of gathering, recording and managing individual consent. For instances where individual data may be processed, we provided users with positive opt-in and simple withdrawal options.

Step 7: Deal with data breaches.

Personal data breaches are taken very seriously under the GDPR. Within 72 hours of the discovery of a data breach, companies must carry out a thorough organization, inform both regulators and impacted individuals of the data breach, identify what personal data was impacted and draft a comprehensive plan to contain the breach.

Ciklum is committed to data security, and we have taken great steps to prevent unauthorized access to user data. We have implemented procedures to detect, report and investigate in the event of a breach of personal data. Any data breach that poses a risk to individual rights and freedoms will be reported to our customers and the appropriate data protection authorities.

Step 8: Incorporate data privacy by design and data protection.

Under the data protection by design and default provision of GDPR, every step of an organization’s data processing activities and business practices must incorporate data protection and privacy. Additionally, under certain circumstances, processes known as Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) are required to be carried out for any major project that requires the processing of private or personal data.

In our application development, architecture and design, Ciklum has always considered security and privacy an essential practice by default. To address the requirements of data privacy by design and default, Ciklum established a framework to assess situations where PIAs and DPIAs are required to be conducted, and we have assigned responsibilities to appropriate parties for carrying them out.

Step 9: Designate a data protection officer.

For public authorities or bodies, or for organizations whose core activities require large-scale monitoring or processing of individual data the GDPR requires the appointment of a Data Protection Officer (DPO).

Under this requirement, Ciklum has appointed a designated Data Protection Officer under our organization’s structure and governance. Responsibilities for data protection compliance have also been assigned to people within our organization with relevant knowledge, and have received support and authority to carry out their rules.

Step 10: International

The transfer of personal data outside of the European Union is restricted under the GDPR, no matter the transfer’s size or frequency. International transfer of personal data risks losing the protections offered by the GDPR.

Because Ciklum is a global organization that conducts cross-border transfers, we’ve taken care to determine a lead data protection supervisory authority to prevent international data transmission.