THE JOURNEY TO GDPR COMPLIANCE

WHITE PAPER

Written by

Prakhar Agrawal, Practice Director – Data Privacy

Mohit Manchanda, Head of Consulting and F&A, UK/Europe

September 7, 2018


With GDPR now in full effect, European residents are finally in a more privacy-friendly world. Organisations invested weeks and months getting to their interim privacy maturity states in the time leading up to the May 25th deadline. They largely prioritised efforts around areas such as data processing inventory, privacy notices, consents, DPO appointment, contract addendums, rights request workflows, and basic training and awareness.

However, the work is far from over. Businesses must lay out a clear plan to progress from their current privacy level to the desired compliance level, a task requiring immediate attention. They must also plan to implement forward-looking solutions allowing for sustained compliance as new data and processing activities come into the regulated perimeter. These trends are pushing businesses towards solving problems across three key areas:

CURRENT AND FUTURE FOCUS AREAS

Privacy Assessment Framework

Demonstrating ongoing compliance

Organisations have invested significant effort to show their commitment to comply with the principles of transparency, accuracy and data minimisation required by the regulation. With accountability as the new principle, regulators have made it clear that organisations (data controllers) need to demonstrate compliance on an ongoing basis. Myriad challenges complicate this task:

• Organisations do not have a robust privacy assessment framework that they can use to assess and monitor privacy risks and controls on an ongoing basis

• Current risk assessments do not provide adequate coverage of GDPR or data privacy

• Organisations do not have a GDPR-specific risk and controls matrix, and there are no proven libraries they can leverage out of the box

• Privacy risks vary with business functions

Third-Party Risk Management

Assessing the data privacy and security preparedness of third-party data processors

Data breaches are now common. The increasingly complex supply chain of today’s technologically advanced business landscape and evolving cyber threats only increase the chance of an organisation being subjected to a third-party related breach. Many studies of recent breaches suggest that as many as 50% of breaches can be directly or indirectly attributed to supply chains.

The GDPR, FCA and other regulatory norms make the repercussions of these breaches massive. However, many organisations have taken a myopic approach to data privacy and security, focusing largely on the perimeter and ignoring or deferring their supply chain.

As organisations now look to enhance and optimise their third-party risk management processes, they face several challenges:

• There is no single authoritative repository of all third parties and their related details, including the services they provide and the data they process

• Various departments hold and maintain their own records of suppliers in largely unstructured forms such as spreadsheets

• Current processes for conducting third-party risk assessments are manual and time-consuming, resulting in a low proportion of risk-assessed third parties

• Assessment questionnaires are subjective, so the quality of the data gathered in responses is poor

• Manual risk scoring methods mean that the insights generated from assessments are basic, at best

• There is limited knowledge of the risks posed by the organisations in the third party’s own supply chain

Manual processes alone will not enable organisations to accurately assess their third-party risk. Technology will be critical in augmenting overall risk assessment and reporting processes.

Sustainable Compliance

Forward-looking processes and solutions

Organisations’ compliance efforts thus far have largely been tactical. They were aimed at getting over the line and minimising adverse privacy impact. Unsurprisingly, many of these measures were manual and hence less sustainable. Take, for example, areas such as data and processing inventory, DPIA and the rights of data subjects. Organisations carried out structured data audits to understand how personal data is held and processed, resulting in spreadsheet-based data and processing inventories. Likewise, data protection impact assessment (DPIA) questionnaires were manually circulated to various internal business functions for one-time risk assessments of their processing activities. Customer requests around portability and erasure are tracked manually or via a ticketing system with no workflow capability. Other areas have seen similar tactical fixes mainly aimed at achieving partial compliance in the short term. Such measures prompt many challenges in the long run:

• Spreadsheets only provide a point-in-time snapshot and must be maintained as new data and processing operations come into the regulated perimeter

• Unstructured data has been largely deferred until now; discovering and inventorying such data manually is unimaginable

• Manual processes for rights request management aren’t scalable for spikes and surges in request volumes given the tight fulfilment timelines

• Manually fulfilling complex requests such as data erasures may not work, especially as unstructured data comes into the mix

• Access provisioning and permissions will require sophistication to account for staff movements

Achieving sustainable compliance requires people, processes and technology working together. Digitising spreadsheets minimises errors, automating critical activities creates efficiencies, and robust underlying processes support business logic while an effective governance structure provides strategic direction.

Conclusion

GDPR is profoundly reshaping the way data is managed by organisations, challenging their current system landscapes, internal processes, data management practices and governance structures. It is not surprising that current measures for complying with this regulation aren’t yet sustainable. Organisations still require sizable and well-deliberated investments in terms of augmenting people, process and technology. GDPR compliance is a journey, and a solid compliance roadmap will ensure compliance and good data practices in the longer run.

GLOBAL HEADQUARTERS
280 Park Avenue, 38th Floor
New York, New York 10017
T +1 212.277.7100 F +1 212.771.7111

United States • United Kingdom • Czech Republic • Romania • Bulgaria • India • Philippines • Colombia • South Africa

EXL (NASDAQ: EXLS) is a leading operations management and analytics company that designs and enables agile, customer-centric operating models to help clients improve their revenue growth and profitability. Our delivery model provides market-leading business outcomes using EXL’s proprietary Business EXLerator Framework®, cutting-edge analytics, digital transformation and domain expertise. At EXL, we look deeper to help companies improve global operations, enhance data-driven insights, increase customer satisfaction, and manage risk and compliance. EXL serves the insurance, healthcare, banking and financial services, utilities, travel, transportation and logistics industries. Headquartered in New York, New York, EXL has more than 28,000 professionals in locations throughout the United States, Europe, Asia (primarily India and Philippines), South America, Australia and South Africa.

© 2018 ExlService Holdings, Inc. All Rights Reserved. For more information, see www.exlservice.com/legal-disclaimer