How did we make Wibmo GDPR ready in 6 months?


A brief about GDPR

GDPR is the world’s most strictly enforced set of data protection rules, enhancing how people can access information about themselves and limiting what organizations can do with personal data. GDPR’s full text is a cumbersome beast with 99 individual articles.

The regulation in the EU, which replaced the previous 1995 data protection directive, serves as a framework for laws across the continent. After more than four years of debate and negotiations, the GDPR’s final form was adopted by both the European Parliament and the European Council in April 2016. At the end of that month, the underlying regulation and directives were published.

GDPR went into effect on May 25, 2018. Countries in Europe were given the ability to make minor changes to better suit their own needs. This adaptability resulted in the creation of the Data Protection Act (2018) in the United Kingdom, which replaced the previous Data Protection Act of 1998.

Driver for GDPR

Wibmo currently has a large presence in India, Asia, the Middle East, and Africa, and we aspire to enter the European market with our flagship service offerings such as Authentication solutions and Fraud Risk Management solutions. We foresee that, with the increasing dependency on technology and digital products, we can offer seamless services to the European market. Moreover, with the expansion of the European Union, the EU market seems more lucrative for capturing a large clientele base under a common regulatory framework and common processes.

Journey to GDPR readiness

We performed initial due diligence with regard to the GDPR articles and realized that Wibmo falls under the category of “Data Processor”, as the majority of the Personally Identifiable Information (PII) we handle is not captured by us directly. This PII is shared with us by our customers/banks (the controllers) to whom we provide services. We then defined “Security and Privacy by Design” principles and implemented them across the organization. To make everyone aware of these principles, we also provided mandatory training to all our employees on this subject through the “OneTrust” training tool.

We performed a check for the applicability of the GDPR Articles and prepared a Statement of Applicability (SOA) listing the set of GDPR Articles applicable to Wibmo. As the next logical step, we engaged a Big4 consulting firm to perform a gap assessment vis-à-vis the processor control requirements. The gap assessment covered the following domains:

1. Governance and Operating Model

2. Legal and Regulatory

3. Data Privacy Policy

4. Data Management

5. Privacy by Design

6. Security for Privacy

7. Third-Party Management

8. Data Subject Access and Requests

9. Consent Management

10. Training and Awareness

11. Breach and Incident Management

12. Business Unit Processing Activity (BUPA)

13. Data Privacy Impact Assessment (DPIA)

The identified gaps were categorized into the areas of People, Process, and Technology. We then created several policies and processes with the help of the global privacy team to comply with the GDPR articles; to name a few, the Cyber Security and Privacy Incident Process and the Data Subject Request Handling process. We also defined the Business Unit Processing Activity (BUPA) and Data Privacy Impact Assessment (DPIA) for the applicable business processes. To address some of the technology-specific gaps, we enhanced our systems following a robust Change Management process. We organized several awareness sessions and training on Privacy and Security control requirements to ensure that the entire company stands in unison with regard to GDPR expectations. We are very pleased to share that the identified gaps have been successfully remediated. The remediation evidence was shared with our consulting partners for independent verification and subsequent closure confirmation. In addition, we have established a dedicated team for the enforcement, implementation, and ongoing support of GDPR compliance.

Finally, we received the much-anticipated and long-awaited recognition that “Wibmo is a GDPR-ready organization”. This compliance will help our business team attract customers based in the EU region, which will make us globally the number one authentication service provider.

Lastly, we would like to extend a big thanks to all our customers, employees, and vendors for their seamless support on this journey.

Author:

Pravin Kumar, CISO

Wibmo A PayU/Naspers FinTech Company
