With the evolution of GDPR, one of the major industries that needs huge structural changes is the hospitality sector. This is because of the massive amount of personal information, including children's information, that it holds as a result of its business model.
One needs to understand that GDPR is not only a data or privacy issue but a business issue; hence restructuring of all processing activities is required to avoid non-compliance.
For example: one processing activity of any business is business development. It is typically carried out either by email or by voice calling. Both of these activities are in breach of the law unless restructured within the GDPR framework. For this, one needs to cleanse one's data to make sure there is the right legal basis (consent or legitimate interest) for all data sets. Where consent is difficult to obtain, an appropriate LIA (Legitimate Interest Assessment) needs to be conducted before processing (i.e. before using that database). More importantly, consents or communications should clearly state data subject rights and should be within the GDPR framework.
Once you have a legitimate database, it becomes a treasure, and securing that database requires stringent organizational and IT controls. Business owners must know the implications of a data breach, which can easily happen under the IT control regime they currently follow.
You can see from this example that structural changes are required in business processing, and IT controls are only a small part of that.
One needs to work on the principle of data minimization (Article 5 of GDPR), wherein you may need to prove the requirement for every piece of PI you hold about an individual. As per the law, you should not collect any PI or SPII that is not required in your process. Do note that HSBC's back office stopped taking gender information as they were unable to prove the requirement for gender information in their process.
In this way, all processing activities require a great overhaul to be compliant with GDPR, which is becoming the standard norm across the globe. The 16th July 2018 TRAI guidelines also emphasize the data of individuals and suggest similar norms to those in the EU GDPR.
India is also expecting its privacy law any time now, and such a major overhaul in business activities will take time, so it is important for large businesses to relook at how they are operating; it is better to start the change now.
Do contact us if you wish to have a GDPR compliance solution for your business and help your organization Stay One Step Ahead!