Written by Barry Cook, Privacy & Group Data Protection Officer, VFS Global
Our journey towards making visa processing more agile and efficient is very much about the ongoing digital transformation that is impacting all industries. This positive development, among other things, cannot be realistically achieved without relying on the collection and processing of data to create knowledge, competencies, and capabilities. This collection and processing require a governance oversight to ensure that it’s not used to the detriment of the individual. To this end, we have seen an upsurge in data protection legislation in the last few years.
In fact, properly regulated and controlled data protection practices do not have to jeopardise the digitisation of our industry; on the contrary, they enhance it by maintaining trust and credibility with customers, partners, employees, shareholders and other stakeholders. In short, good data protection practices have a positive effect on the bottom line.
The EU GDPR, General Data Protection Regulation, is an EU regulation (2016/679), designed to harmonise personal data protection laws across the EU member countries, it entered into force on May 25, 2018. It addresses issues of transparency around personal data usage by companies and gives more control to the individual over their personal data. This far-reaching regulation marks a new stage in the development of data privacy practices in Europe.
Eighteen months on, I have narrowed on three selected takeaways from the EU GDPR that I deem most relevant to our practices in the UAE and Saudi Arabia.
1. Automate: Automation via dedicated privacy software is the key to EU GDPR compliance in large organizations like VFS Global as it enables an organisation to easily know where personal data is located in complex systems. It also helps to fulfil the requirement to keep a record of processing activities. This enhances data security by knowing where all your important personal data is located, and this ensures a rapid response in the event of a data privacy incident or a data access request.
2. Properly handle personal data: The EU GDPR obligations for protecting personal data are directly applicable to services like ours. The GDPR requires that companies explain how they handle personal data via their privacy notice using “clear and plain language”. It is important to see if a company has posted a privacy notice or policy which should include a simple explanation of how they collect and use data in compliance with applicable laws. We have to make sure that our 1,400 websites are compliant—taking care of simple things like cookies, the small files placed on the computer from the browser session. In certain countries, we have to seek permission to put those files on an individual’s device. Also if we are using any analytics, like Google Analytics, we have to make the individual aware that we are doing so, and allow them to not accept it.
3. Be proactive: Services must analyse how the EU GDPR affects their business processes and take proactive steps in achieving compliance. To this end VFS Global adopts the concept of privacy by design and default. What that means is wherever we have a business or technical process, we look at the outcomes of that process and make the default one—the one that preserves the privacy of the individual.
With high penalties in place, there is a huge financial risk for companies in case of non-compliance. There are also real risks to reputation or brand image. Therefore, we must take the EU GDPR obligations very seriously, and external validation through standardisation bodies helps organisations ensure that they are on the right track to comply with the EU GDPR.
Equally important is the fact that customers are concerned about where and how their personal data is being captured when using services. Most regulations, including the GDPR, are designed to ensure that personal data that can be linked to an individual are not shared without the permission or knowledge of the individual. We also know that most consumer concerns center around their private information, such as personal pictures and other details.
New regulations, like the GDPR, are a big step towards better-protected data. However, this is still the beginning of the journey. As a company that handles large volumes of applicant information (for visas and citizen services), one of VFS Global’s biggest focus areas is to have an uncompromising approach to maintaining information security at every level of the process. In fact, VFS Global is one of the few companies globally that was already able to comply with the requirements of the GDPR when it came into effect in May 2018.
To enable use to be GDPR compliant, we have a 13-point data privacy and protection framework that has over 130 measurable metrics that enables us to monitor data protection across the organisation. This level of monitoring naturally requires an investment in skills and technology to implement and manage such a framework. I Due to a strong senior management commitment and a corporate culture of compliance since inception, that we are today one of the few companies (in any sector) that are easily able to adapt to new data protection legislations that may be introduced in any of the 147 countries we operate in.