As we are going to see a new regime of compliance from 25th of May, 2018 with GDPR, it is going to have a huge impact on the market and individual companies. The manner, they were treating data will completely be changed as no one will ever image to be penalized of 4% of their annual turnover in case of any data breach and exposer – even by accident.
As per Wikipedia, the General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Superseding the Data Protection Directive, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of data subjects inside the European Union. Business processes that handle personal data must be built with privacy by design and by default, meaning that personal data must be stored using pseudonymization or full anonymization, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data’s owner. The business must allow this permission to be withdrawn at any time.
A processor of personal data must clearly disclose what data is being collected and how, why it is being processed, how long it is being retained, and if it is being shared with any third-parties. Users have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.
It was adopted on 14 April 2016, and after a two-year transition period, becomes enforceable on 25 May 2018. Because the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.
The regulation applies if the data controller, or processor, or the data subject is based in the EU. Under certain circumstances, the regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU.
Impact on India
Although India has its own regulations governing data privacy and security, the focus now is fully on individual organizations’ ability to embrace GDPR without reservation. This is understandable given the cost impact of noncompliance by companies; in fact, one can safely assume that with this financial year onwards organizations will have a dedicated budget for regulatory compliance and data security.
Organizations in India need to place compliance and data security as a priority considering the cost for violating these privacy laws is about to get very expensive. GDPR can cost up to 20 million Euros or 4% of annual turnover, whichever is higher, for intentional or negligent violations. With those kinds of stakes, investing in compliance now is the only right move for a sustainable business model. Pragmatic compliance does not need to be an expensive exercise too. Expenses are relatively low if implemented with a common-sense approach. Understanding the parameters of the applicable legislation is key to getting it right.
WinMagic’s latest survey of nearly 500 IT Decision Makers (March 2018) found that a significant number of businesses were lacking in systems needed to meet the data management requirements of GDPR, continuous encryption of personally identifiable information across cloud and on-premises servers, and data breach monitoring.
Srinivas Rao, Co-Founder & CEO, Aujas, says, “As the world is getting more and more digital with proliferation of mobile phones and usage of the internet, it is very important for governing bodies to ensure that their people’s data and privacy are safeguarded. Digital economy can only flourish when you connect people, process, data and things in an ethical, meaningful and secure way. We feel that GDPR is a step towards that. The toughest aspect of the GDPR is its guidelines to adhere to the security policies by organization handling EU data in and outside of the state. In order to be compliant, businesses must begin by introducing the correct security protocols in their journey to reaching GDPR compliance, including encryption, two-factor authentication and key management strategies to avoid severe legal, financial and reputational consequences. India has evolved to become a technology hub equipped with deep expertise and GDPR could be an opportunity for Indian companies to stand out as leaders in providing privacy compliant services and solutions.”
Arun Balasubramanian, MD, Qlik India said: “The GDPR applies to companies in Europe (specifically those in the EU / EEA), so it will affect an Indian company which has a European office, or is marketing to European customers. In terms of readiness, companies have had a long time to prepare for GDPR, but as the GDPR bar is quite high, many may be struggling to be ready come 25th May 2018. The biggest challenge in meeting the requirements is understanding not only what personal data companies have in their multiple systems, but also understanding the relationships of that data as well as who has access to it. This includes monitoring the consent and tracking of who opted in or out in for campaigns, newsletters, or petitions. GDPR is considered by many to be the highest global standard, and many countries have and will continue to strengthen their privacy laws in the near future.”
Despite the impending deadline, most APAC businesses which serve the EU market or have significant transactions that capture PII are still not fully prepared. According to the third biennial EY Global Forensic Data Analytics Survey by Ernst & Young (EY), only 12 per cent of firms in APAC have a GDPR compliance plan in place.
“While GDPR affects private and public sector organizations handling PII, certain key industries will have heightened exposure as a result of the volumes of PII data they handle as well as the nature of their business,” said Rajesh Maurya, Regional Vice President, India & SAARC, Fortinet. “These include e-commerce-based organizations operating internationally, as well as companies that serve significant numbers of tourists, visitors, or expatriates from the EU.”
So, organizations preparing for GDPR must focus on reconfiguring their business processes and IT architectures, as well as reducing exposure of PII data.
Fortinet advises enterprises in APAC to take the following steps to accelerate GDPR compliance:
- Engage a third-party firm to assess data protection practices and exposure to GDPR rules.
- Conduct a comprehensive data audit to understand data source, collection and processing. It should include documenting where GDPR-impacted data is stored, how it is communicated between systems within the domain, and any external clouds or third-party data custodians.
- Determine how long it takes for data-breach detection and mitigation and what is required to improve these processes to meet GDPR requirements. This element of the action plan should also include a detailed security assessment.
George Chang, VP, APAC, Forcepoint, said: “As the capacity to collect, store and analyze data for commercial purposes continue to grow exponentially, GDPR seeks to strengthen and unify personal data privacy and protection – putting people in control of their data and ensuring that businesses treat this data in a fair, transparent and secure manner. It’s no surprise that this seismic shift in the way we approach data security has caused a ripple effect across the globe, with many countries following suit and modernizing their own privacy and data protection laws.”
He added, “While many may be worried about the implications of a new regulatory era, it will create trust and provide good practices that will benefit both the individuals and the business. These laws collectively present a positive business opportunity, when approached in the right way. Compliance can drive operational efficiencies, cost-savings and even fuel innovation. With strong data protection strategies in place, customers will place greater confidence in businesses, and businesses will minimize the all too common reputational and financial fall-out of a breach.”
Anant Maheshwari, President, Microsoft India, said, “GDPR is the biggest change in European data protection laws in more than 20 years, bringing this area of law into the digital age. It designates individual choice as a priority over everything else. It stands on the pillars of mutual trust and respect, both of which are core to running any sustainable, ethical organization. It will govern how organizations within and outside the EU will collect, manage, process, and protect personal data while respecting individual choice.”
He added: “To me, this is a golden opportunity for India to drive thought leadership in the global market. We can build expertise and capabilities, create new lines of advisory and consulting businesses, develop a market differentiator and be a source of competitiveness. One merely has to look around to witness how fast India is making strides in its journey towards cloud migration. With millions going online for the first time, protecting their vulnerabilities cannot be compromised in our long march forward. The Supreme Court of India demonstrated its commitment to its citizens when it declared privacy a fundamental right last year, and now the onus is upon us as an industry to play our part.”
Rahul Kumar, Country Manager – WinMagic India, said, “Companies in Europe are already setting aside an average of $1.4 million as part of their GDPR readiness effort. The scene is no different in the US, where companies are spending $1 – $10 million towards GDPR readiness. It is also possible that as organizations’ data pool continues to grow, evolve and move, they will start institutionalizing programs on data privacy, security and user experience.”
He added, “GDPR may spawn other regional blocs to bring out their own version of data protection regime. Although many countries maintain their own data privacy and security regulation, a blurred line separates the rights of the individual and organization. GDPR has removed this ambiguity in data management. Of course, there is murmur in certain quarters that data protection should not be driven by the fear of contravention, but by the need for accessibility and user experience. However, striking the right balance is a challenge to both businesses and regulators. In any case, GDPR remains a benchmark for future data privacy regulations because it is creating an ecosystem of compliance. At its core, GDPR is not about individual or corporate rights; it is about gaining and maintaining consumer trust. Companies that understand the opportunities of using data—within the regulatory framework—for business development and innovation will benefit significantly with their customers and suppliers.”
GDPR is teaching us to collect less information from our customers, unless we really need it. Even if you don’t need to comply with GDPR, this is simply a good practice. Your business saves money by having less data to protect and your customers gain the privacy that many desire in the process. Want users to use secure passwords? Provide them with password management tools and training, especially if users can use the same tool at home to benefit their families. Humans will do what is easiest, so it is our job to make privacy as easy as possible.
Individuals need to take control of their privacy the best they can. It isn’t impossible and often it isn’t even hard, you simply have to keep your eyes open and not surrender sensitive information to organisations that don’t need it. Carefully consider how much information you are asked to surrender compared to what you are being provided in return. Your identity is valuable and you shouldn’t give it up for trivial services. Sadly once your information is stolen it can be impossible to put the genie back in the bottle, don’t give out your details to those who don’t need it. I have a secret birthday I don’t share with sites that ask… It’s my real one.” said Chester Wisniewski, Principal Research Scientist, Sophos
“Indian businesses are battling severe issues of data protection and cyber security that have larger business implications on productivity and customer confidence. GDPR is a welcome step towards addressing privacy issues, as it now brings data protection at the forefront. Embracing GDPR with a strategic roadmap should be the immediate priority for Indian CXOs, that would include creating awareness, training as well as constitution of a dedicated data protection framework. GDPR can be a competitive advantage for India, if enterprises understand its relevance and further bring in a risk-based iterative mechanism to their business strategy that is trustworthy secure, and agile in the digital world.”
As per NASSCOM Indian companies have been complying with European data security directives since 1995, and GDPR is a graduated version of this existing framework. As a sector we are committed to maintaining the highest standards of business practices, and we will be fast learners in the GDPR landscape.
Over the past year or so, in the run up to the implementation deadline, NASSCOM and DSCI have been running various outreach programs for their members across major cities in India. The aim of these sessions has been to prepare and raise the awareness of the industry, especially SMEs and start-ups.
In March 2018, NASSCOM organized three workshops in Delhi, Bangalore, and Mumbai with the Directorate-General for Justice and Consumers (DG JUST) of the European Commission. Experts from Brussels held these seminars for NASSCOM members to hear directly from the architects of this regulation. They could freely ask them any queries or doubts that they had regarding the GDPR laws. NASSCOM has also launched a GDPR Helpdesk for member companies to have their questions resolved.
There are areas where GDPR provides relief and consistency, however, it also comes with very stringent penalties on non-compliance. Most large companies are very well prepared due to economies of scale, however, the impact on SMEs and start-ups are a cause for concern they may struggle with several areas that render it costly for processors.
These include appointing a data protection officer in organizations, the concept of privacy by design (encryption) and by default (processing the minimum amount of data), new privacy rights for individuals like the Right to Erasure and Right to Data Portability, and new consent rules which require consent for different activities from different stakeholders, including employees and customers. Once this learning curve is scaled, we do see an opportunity to offer services for GDPR compliance and complaint process capabilities.
“At the end of the day, complying with GDPR may well turn out to be the right thing to do to protect the privacy and interests of all stakeholder communities linked to an organization,” concluded Rajesh Maurya. “As onerous as GDPR might seem, it could mark a big step towards restoring public confidence in the ability of businesses to deliver social benefits while simultaneously curbing social risks.”
Fortinet lists the top three industries impacted by GDPR:
- Retail − Retail businesses most likely to curate GDPR-relevant PII data include cross-border e-commerce operations, multi-venue retail chains, hospitality, travel, and F&B businesses. Brick-and-mortar businesses serving EU customers can also find themselves liable to GDPR PII protections. Paying with a credit or debit card, providing shipping address information and participating in a customer loyalty program all fall under the protection of GDPR.
- Healthcare − GDPR extends its coverage to non-EU organizations storing or processing the medical information of EU persons. GDPR enacts particularly stringent protection and processes for handling particular types of PII medical information. In general, an organization may collect and process personal medical information only if it is necessary for patient treatment and diagnosis, and with the explicit consent of the patient. GDPR also mentions genetic data as an area of particular concern.
- Financial Services – Financial organizations often maintain huge stockpiles of PII data on account holders. They also consume and generate vast quantities of highly personal marketing data to support selling financial services and assessing credit worthiness of commercial and individual customers.