
Life After GDPR: 10 steps Ciklum Took to Become Compliant

by Dmytro Zelman, Head of Information Security and Privacy, Ciklum

The European Union’s General Data Protection Regulation (GDPR) went into effect throughout Europe on May 25, 2018. Superseding a similar regulation enacted in 1995, GDPR offers EU citizens a greater amount of freedom and control over the use of their personal electronic data and unifies data collection requirements for businesses.

GDPR is based on seven key principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Ensuring compliance with GDPR isn’t just the law — it’s good practice. Though some of the requirements may seem expensive, time-consuming or burdensome, the end result offers users far more flexibility and transparency regarding how their data is handled.

Because of GDPR, businesses like Ciklum across the world were forced to rethink and restructure many of their data collection policies in order to become compliant. Though many of our existing practices already focused on privacy and security, GDPR allowed Ciklum to take a deeper look at our data collection policies and determine the best ways to become GDPR compliant. We’d like to share those steps with you to offer a greater understanding of our approach to GDPR compliance.

Here are 10 steps Ciklum took to become compliant with GDPR:

Step 1: Increase awareness.

First and foremost, companies need to be aware of the impact GDPR has on their business.

From the top of the organization down, starting with the Executive Board and Leadership teams, Ciklum made sure that every single one of our employees understood the changes to our processes that GDPR would require. Ciklum used a risk-based approach to address any area identified as having potential issues with compliance.

Step 2: Know the data.

One of GDPR’s key data protection principles is accountability. Not only are companies responsible for complying with GDPR, but they must also carry out technical and organizational measures that can demonstrate compliance.

To establish effective and demonstrable data policies and procedures, Ciklum has made data discovery and mapping a key element in understanding how data is acquired, accessed, transferred and stored.

Step 3: Communicate privacy information.

Privacy policies must be reviewed and revised in accordance with GDPR.

Ciklum’s updated Privacy Policy clearly explains how information is gathered, the lawful basis for its use and how long data can remain in our system. We use clear, plain text information regarding data subject rights to ensure users have an accurate and easy-to-understand picture of their privacy rights and understand how we’re collecting and utilizing their data.

Step 4: Fulfill individual rights.

One of GDPR’s key elements entitles users to several individual rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure (also known as the right to be forgotten)
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

To be compliant with these rights, Ciklum adjusted its procedures, processes and internal systems to ensure users can delete personal data on request and to provide user data electronically in a commonly used format free of charge.

Step 5: Identify lawful basis for processing.

GDPR requires that personal data is processed lawfully, fairly and transparently.

We’ve put in place a process for identifying and documenting the lawful basis for the data we process. To ensure accountability, Ciklum has updated the Privacy Policies and data processing agreements for our clients and vendors and notified all parties of any changes.

Step 6: Consider consent.

User consent offers individuals choice and control over how their data is used, and the GDPR sets a high standard for how consent can be requested.

Ciklum reviewed our process of gathering, recording and managing individual consent. For instances where individual data may be processed, we provided users with positive opt-in and simple withdrawal options.

Step 7: Deal with data breaches.

Personal data breaches are taken very seriously under the GDPR. Within 72 hours of the discovery of a data breach, companies must carry out a thorough investigation, inform both regulators and impacted individuals of the data breach, identify what personal data was impacted and draft a comprehensive plan to contain the breach.

Ciklum is committed to data security, and we have taken great steps to prevent unauthorized access to user data. We have implemented procedures to detect, report and investigate in the event of a breach of personal data. Any data breach that poses a risk to individual rights and freedoms will be reported to our customers and the appropriate data protection authorities.

Step 8: Incorporate data privacy by design and data protection.

Under the data protection by design and default provision of GDPR, every step of an organization’s data processing activities and business practices must incorporate data protection and privacy. Additionally, under certain circumstances, processes known as Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) must be carried out for any major project that requires the processing of private or personal data.

In our application development, architecture and design, Ciklum has always considered security and privacy an essential practice by default. To address the requirements of data privacy by design and default, Ciklum established a framework to assess situations where PIAs and DPIAs are required to be conducted, and we have assigned responsibilities to appropriate parties for carrying them out.

Step 9: Designate a data protection officer.

For public authorities or bodies, or for organizations whose core activities require large-scale monitoring or processing of individual data, the GDPR requires the appointment of a Data Protection Officer (DPO).

Under this requirement, Ciklum has appointed a designated Data Protection Officer within our organization’s structure and governance. Responsibilities for data protection compliance have also been assigned to people within our organization with relevant knowledge, who have received the support and authority to carry out their roles.

Step 10: International data transfers.

The transfer of personal data outside of the European Union is restricted under the GDPR, no matter the transfer’s size or frequency. International transfer of personal data risks losing the protections offered by the GDPR.

Because Ciklum is a global organization that conducts cross-border transfers, we’ve taken care to determine a lead data protection supervisory authority to prevent international data transmission.