Using a 'Privacy by Design' Approach to GDPR Compliance
Dr. Reddy's Lab's CISO Subhajit Deb Describes Key Compliance Steps
To prepare for compliance with the European Union's General Data Protection Regulation, which will be enforced beginning in May 2018, organizations must adopt a "privacy by design" approach, says Subhajit Deb, CISO at Dr. Reddy's Laboratories, an India-headquartered pharmaceutical company that does business in 11 countries.
"So anything new which gets created into the organization - any new system, any new technology, any new vendor onboarding - must go through a review [to check] if there are any risks and if there are, they are called out right at the design phase so that when it comes as a finished product it has all the mechanisms built in by default to comply with GDPR," Deb says in an interview with Information Security Media Group.
Organizations also need to conduct a data protection impact assessment to prepare for GDPR compliance, Deb says. "Traditionally, organizations would do a risk assessment, which covers all kinds of risk, but this is a very focused assessment to understand privacy implications arising out of storage of personal data," he says (see: Addressing GDPR Compliance Challenges).
Educating the board and senior management on GDPR is also essential, he stresses. "The task is enormous, and it is very important that the board signs off and takes the responsibility to sponsor the GDPR implementation across the organization," Deb says.
"Another important thing for the organization is to understand what kind of data is being collected, where it resides and who has got access to it."
In this interview, Deb discusses:
- GDPR's "right to be forgotten" clause;
- What to look for in a data protection officer;
- Areas in GDPR that need more clarity.
Deb is CISO at Dr. Reddy's Laboratories. Previously, he was CISO at Max Life Insurance. He has also managed global information security at Bank of America and Sumitomo Mitsui Banking Corp. Deb has more than 16 years of experience in leading and managing global information security, business continuity, risk management and data privacy programs.