ControlCase

IT Certifications, Continuous Compliance and Cybersecurity Services Provider

You are here: Home / Blog / It’s All Private!!!! – No Means No…

It can be observed in the Privacy Acts worldwide, that they are not just created for regulating the use of data by organizations but with a very strong intention of customer empowerment. Strong focus can be observed in regard to customer rights over control and management of their own personal / private data in these regulations.
In my view, two of the strongest tools in the arsenal are:
– Consent
– Right to be Forgotten
In this part of the “It’s All Private” series we will talk about best practices organizations can follow for these two requirements.

Consent

  • Be it HITRUST, GDPR, CCPA or any of the other regulations, it mandates that personal data from the customers cannot be stored by the organization without written consent from customer / consumer.
  • Organizations can achieve this in many different methods:
    • Countries where there is a legal requirement for hard copies, the organizations can have download links for forms which the customers can read, sign and then share with the organizations as their consent.
    • The other most accepted and implemented method is have a disclaimer page covering all the necessary terms for consent regarding the storage of data or website cookies and a accept checkbox which once clicked will act as formal consent from the user.
  • It is recommended that the terms should include the exact PII data parameters which will be captured and stored. It should also include guidance about how the data is going to be protected and have brief outline of controls which will ensure that the data is maintained with integrity intact and without loss of unauthorized access or theft.
  • The organization also needs to provide assurance that the data will not be shared with any other entities without an explicit consent from the customers for the same.
  • The Organization should internally have a well-documented and implemented plan to ensure the safety and security of the PII data which will be at rest within the organizational environment.
  • Data retention policy and guidelines based regulatory, legal and other law of the land requirements should be documented and implemented as well.

Right to be Forgotten

  • Customers giving a consent does not necessarily mean that the organizations have a blanket right to maintain the data with them forever.
  • Customers retain the right to exercise their “Right to be Forgotten”, which is simple words is that the customers want any and all of their references of PII data with the organization to be deleted.
  • Article 17 of GDPR is “Right to be Forgotten” and is probably one of the most talked of articles among the entire GDPR regulation.
  • Organizations need to ensure that they have a link on the website, or an email-id listed for any customer to apply and exercise their “Right to Forget”.
  • Every organization must have the following to respond to any such request:
    • Automated or manual response to the customers acknowledging the receipt of the request and informing the expected timeline in which the erasure will happen.
    • Have a documented policy and procedure on identifying and obtaining all the data linked to a specific individual from active storage as well as back-up storage.
    • Have a documented policy and procedure for secure deletion of this PII data, so that it cannot be recovered post deletion.
    • Post-deletion communication procedures with customers informing them about the successful deletion of their data.

Having mentioned the above best practices, would like to highlight, that depending on applicable regulations based on jurisdictions there are some exceptions and exemptions to the both “Consent” and “Right to be Forgotten” requirements. However this requires a detailed analysis of the type of business, type of data collected, region of business etc. for which I would suggest organizations to take help of Data Privacy SMEs from firms like ControlCase to guide and help in the right manner.
But other than that, remember if the Customer Says “No” means “No”.

Ashish Kirtikar
ControlCase
General Manager - Europe & UK

Related Blog

HIPAA, CCPA, and GDPR: Privacy or Information Security?
Modern enterprise security teams must address many different types of requirements as they create their cyber defenses. These requirements can be internally generated, customer requested, legally defined, mandated by a court, or driven by an incident. They typically involve adding new protections such as cyber security platforms or increasing assurance such as through penetration testing.
CCPA vs. GDPR
¡Todo es Privado! ....No Significa No….
The push towards digitization across the globe means that various industries like retail, healthcare, F&B etc. have moved a significant amount of their business / services to online mode. This requires consumers to share their personal or sensitive data (e.g. Card Numbers, SSN Numbers, Health Records, Identification data etc.) on these online channels.
Désormais tout est privé .... Non signifie Non ...
The push towards digitization across the globe means that various industries like retail, healthcare, F&B etc. have moved a significant amount of their business / services to online mode. This requires consumers to share their personal or sensitive data (e.g. Card Numbers, SSN Numbers, Health Records, Identification data etc.) on these online channels.
Désormais tout est privé - Le barème prêt
La poussée vers la digitalisation à travers le monde signifie que diverses industries telles que la vente au détail, la santé, la restauration, etc. ont migré une part importante de leurs activités / services vers le mode en ligne. Cela oblige les consommateurs à partager leurs données personnelles ou sensibles (par exemple, numéros de carte, numéros SSN, dossiers médicaux, données d'identification, etc.) sur ces canaux en ligne.
It’s All Private!!!! - The Ready Reckoner
The push towards digitization across the globe means that various industries like retail, healthcare, F&B etc. have moved a significant amount of their business / services to online mode. This requires consumers to share their personal or sensitive data (e.g. Card Numbers, SSN Numbers, Health Records, Identification data etc.) on these online channels.

About Us

ControlCase is a global provider of certification, cybersecurity, and continuous compliance services. ControlCase is committed to empowering organizations to develop and deploy strategic information security and compliance programs that are simplified, cost-effective, and comprehensive in both on-premise and cloud environments.
ControlCase offers certifications and a broad spectrum of cyber security services that meet the needs of companies required to certify to PCI DSS, HITRUST, SOC2, CMMC, ISO 27001, PCI PIN, PCI P2PE, PCI TSP, PCI SSF, CSA STAR, HIPAA, GDPR, SWIFT, and FedRAMP.

Contact Us

Thank you for reading this blog. If you are interested knowing how we can help you in your data privacy initiatives within your organizations, feel free to contact us using below form.



  • Captcha Image