Scenarios And Challenges In Personal Data Protection

By Ajay Kumar, Group Head IT, Polyplex

Polyplex is one of the largest producers of thin polyester film, manufacturing Biaxially Oriented Polyester (BOPET) Film for packaging, electrical and other industrial applications. The company has manufacturing facilities in India, Thailand and Turkey.

The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in twenty years. It came into force in May 2018. The new regulation gives data subjects significant new rights over the collection, processing and transfer of their personal data by data controllers and processors in the course of processing activities related to the offering of goods and services to such data subjects in the EU.

Companies dealing with EU residents have taken many steps to ensure compliance with the new requirements. Many organizations have updated their data privacy policies, in addition to other measures around data flow and processing within internal processes.

Other countries are also following with stricter data privacy regulations, in view of a personal data breach at a popular global social networking site. The Personal Data Protection Bill in India also includes a provision for imprisonment in case of a breach related to personal data. The bill is still at the draft stage, but it gives a clear indication of the global trend in personal data protection laws.


We’ll analyze two incidents and review their implications in light of the emerging global regulations.

Incident One

It was a courtesy call by a marketing executive of a hosting company we had engaged for some hosted application services – this time it was from an unknown number and not his known contact number. It turned out that he had joined a different company recently and was exploring the possibility of business with the new company. When the hosting company approached us, he was representing the company and was designated the single point of contact from the company. We exchanged business cards and he had my direct contact number. I shared my contact with the hosting company with specific instructions that it should not be shared further among the teams and that only one person should contact me for any technical or commercial issue. The company had the necessary protection in place in its CRM system and had the official mobile surrendered when the person left the company, but it was not aware that the person had a backup of the mobile address book and restored it on his new mobile and connection.

The name, contact number and position of a customer contact are personal data. It has been common practice among marketing teams to maintain these data in spreadsheets, phone address books, a PIM such as Outlook or simply in business card holders. What happens when a marketing person leaves the organization? Are these data adequately protected? If this event occurs with a customer contact residing in the EU, many implications follow. There is a data breach on account of customer contact information falling into the hands of another company and being used for a purpose it was never meant for.

Any customer contact information obtained in the ordinary course of business can be used for normal business communication by the same entity it was shared with. The contact information should be protected and limited to the persons who are authorized to communicate with the customer contact. There should be a non-disclosure agreement with the employees who have access to the information.

Incident Two

The representatives of a hospital chain are camping in the office complex. They are offering health plans with some corporate discounts to all employees of the company. An employee receives a call from one of the representatives of the hospital, who enquires whether he has checked the plans. He mentions a specific plan that might be useful for the employee in view of some recent health issues.

The employee is pleased at the plan conditions but also surprised at how the representative could identify such a specific plan for his prevailing conditions. It turned out that the hospital representative worked on the basis of inputs received from one considerate HR member on specific health conditions of the employee.

HR systems store a lot of personal data, such as date of birth, past employment data, health reports collected as part of the joining process and biometric data for the purpose of attendance systems. It is also common for HR and administration departments to facilitate corporate deals for the employees.

While providing such facilities, it is common to assess coverage for better deals, and this may need evaluation of employee data. Anonymized data may be justified for working out bulk deals, but specific information that leads to identification of the health condition of a specific person is a data breach, unless there is express consent for such sharing of information with third-party service providers.

So what are the common lines of action that need attention in the emerging scenarios of data protection laws?

• Data Protection Procedures and Policies are not limited to electronic data processing. They cover personal data of data subjects – it may be in any form, electronic or paper.

• CRM and HR systems are common examples of databases containing massive amounts of personal data. The entire processes around these systems should be assessed in view of the new law and compliance.

• The employees’ off-boarding process carries serious potential for a data breach. Review carefully whether information ownership and access are properly terminated. Also ensure that the necessary contract conditions exist that forbid retention and use of personal data acquired in the course of employment. The conditions should extend these restrictions beyond the cessation of employment.

• Mobile devices, whether official or personal, used in business communication, and free apps are a big potential threat of data breach - review what is on the devices and ensure it does not contradict any data security policy.
