November 2018 | CIOReview

The companies dealing with EU residents have undertaken many steps to ensure compliance with new requirements

...a marketing person leaves the organization? Are these data adequately protected? If this event occurs with a customer contact residing in the EU, many implications follow. There is a data breach on account of customer contact information falling into the hands of another company and being used for a purpose it was never meant for. Any customer contact information obtained in the ordinary course of business can be used for normal business communication by the same entity it was shared with. The contact information should be protected and limited to the persons who are authorized to communicate with the customer contact. There should be a non-disclosure agreement with the employees who have access to the information.

Incident Two

The representatives of a hospital chain are camping in the office complex. They are offering health plans with corporate discounts to all employees of the company. An employee receives a call from one of the representatives of the hospital, who enquires whether he has checked the plans. He mentions a specific plan that might be useful for the employee in view of some recent health issues. The employee is pleased with the plan conditions but also surprised at how the representative could identify such a specific plan for his prevailing conditions. It turned out that the hospital representative worked on the basis of inputs received from one considerate HR member on the specific health conditions of the employee.

HR systems store a lot of personal data, including date of birth, past employment data, health reports collected as part of the joining process, and biometric data used for attendance systems. It is also common for HR and administration departments to facilitate corporate deals for the employees. While providing such facilities, it is common to assess coverage for better deals, and this may need evaluation of employee data. Anonymized data may be justified for working out bulk deals, but specific information that leads to identification of the health condition of a specific person is a data breach, unless there is express consent for such sharing of information with third-party service providers.

So what is the common line of actions that needs attention in emerging scenarios of data protection laws?

· Data protection procedures and policies are not limited to electronic data processing. They cover personal data of data subjects in any form, electronic or paper.

· CRM and HR systems are common examples of databases containing a massive repository of personal data. The entire processes around these systems should be assessed in view of the new law and compliance.

· The employees' off-boarding process has serious potential for data breach. Review carefully whether information ownership and access are properly terminated. Also ensure that the necessary contract conditions exist that forbid retention and use of personal data acquired in the course of employment. The conditions should cover extension of these restrictions after cessation of employment.

· Mobile devices, whether official or personal, used in business communication, together with free apps, are a big potential threat of data breach. Review what is there on the devices and make sure it does not contradict any data security policy.