GDPR: Commentary from technology leaders
General Data Protection Regulation (GDPR) comes into effect from today, May 25, 2018. Although it may not apply to many organisations in India, India Inc can take a cue from and apply the provisions to further improve data security, customer privacy and also show proactiveness from a regulatory perspective. India’s data protection law will also soon come into effect and GDPR also has to be seen in the same light. Below are comments and recommendations from a variety of Industry voices.
George Chang, VP, APAC, Forcepoint on the GDPR enforcement.
“As the capacity to collect, store and analyze data for commercial purposes continue to grow exponentially, GDPR seeks to strengthen and unify personal data privacy and protection – putting people in control of their data and ensuring that businesses treat this data in a fair, transparent and secure manner. It’s no surprise that this seismic shift in the way we approach data security has caused a ripple effect across the globe, with many countries following suit and modernizing their own privacy and data protection laws.
India’s Data Protection Law when it comes into effect, is sure to have a major impact on business operations. Organizations in India need to place compliance and data security as a priority considering the cost for violating these privacy laws is about to get very expensive. GDPR can cost up to 20 million Euros or 4% of annual turnover, whichever is higher, for intentional or negligent violations. With those kinds of stakes, investing in compliance now is the only right move for a sustainable business model. Pragmatic compliance does not need to be an expensive exercise too. Expenses are relatively low if implemented with a common sense approach. Understanding the parameters of the applicable legislation is key to getting it right.
While many may be worried about the implications of a new regulatory era, in reality it will create trust and provide good practices that will benefit both the individuals and the business. These laws collectively present a positive business opportunity, when approached in the right way. Compliance can drive operational efficiencies, cost-savings and even fuel innovation. With strong data protection strategies in place, customers will place greater confidence in businesses, and businesses will minimize the all too common reputational and financial fall-out of a breach.”
Anant Maheshwari, President, Microsoft India
GDPR is the biggest change in European data protection laws in more than 20 years, bringing this area of law into the digital age. It designates individual choice as a priority over everything else. It stands on the pillars of mutual trust and respect, both of which are core to running any sustainable, ethical organization. It will govern how organizations within and outside the EU will collect, manage, process, and protect personal data while respecting individual choice.
To me, this is a golden opportunity for India to drive thought leadership in the global market. We can build expertise and capabilities, create new lines of advisory and consulting businesses, develop a market differentiator and be a source of competitiveness. One merely has to look around to witness how fast India is making strides in its journey towards cloud migration. With millions going online for the first time, protecting their vulnerabilities cannot be compromised in our long march forward. The Supreme Court of India demonstrated its commitment to its citizens when it declared privacy a fundamental right last year, and now the onus is upon us as an industry to play our part.
Supratim Chakraborty, Associate Partner, Khaitan & Co.
“With the GDPR deadline of 25 May 2018 knocking at the door, we are going through an interesting phase. It is a phase of panic, last minute preparations, double checking of steps taken and, for some, a continuing attitude of denial. Most business houses are frantically trying to put their house in order to be compliant with the data privacy and data protection related requirements of GDPR. What is most interesting to note is that the GDPR has forced business entities to sit up and take a serious look at the data that they have been amassing. Even the smallest of start-ups struggled to decipher how much data they have collected, where they have been stored and how they were processed. Therefore, I would say it is a good wake-up call which should be emulated by all businesses. The principles of GDPR are beneficial and could be adopted by all business houses whether there is an EU interface or not. Also, this may be helpful because our domestic law on this subject, which is in the making, may largely adopt the principles of GDPR. Therefore, organizations which are equipped with the principles of GDPR would be future-ready for the new Indian legislation.
Whilst business houses are rushing towards accomplishment of their data privacy and protection related goals pertaining to GDPR, one should remember that 25 May 2018 is merely the starting day of the journey. The GDPR journey would be a continuous one and would have to constantly evolve. The activities laid down in GDPR can never be static. It would require continuous working by organizations. Therefore, it is best not to have a quick fix type of attitude towards GDPR compliance. It is not only about what one writes in the policies and notices but also what they actually follow and practice whilst collecting and processing data. These are interesting times and the ones who plan properly, stay dedicated to the implementation of their plan and also continuously evolve their strategy to adhere to the gold standards of GDPR would come out the winner. GDPR compliance should not only be looked at as an effort and money draining exercise but also as a business advantage which can be a differentiator in the market. An entity compliant with GDPR requirements would definitely command more confidence from customers as compared to those who do not.”
Srinivas Rao, Co-Founder & CEO, Aujas
“As the world is getting more and more digital with proliferation of mobile phones and usage of the internet, it is very important for governing bodies to ensure that their people’s data and privacy are safeguarded. Digital economy can only flourish when you connect people, process, data and things in an ethical, meaningful and secure way. We feel that GDPR is a step towards that. The toughest aspect of the GDPR is its guidelines to adhere to the security policies by organization handling EU data in and outside of the state. In order to be compliant, businesses must begin by introducing the correct security protocols in their journey to reaching GDPR compliance, including encryption, two-factor authentication and key management strategies to avoid severe legal, financial and reputational consequences. India has evolved to become a technology hub equipped with deep expertise and GDPR could be an opportunity for Indian companies to stand out as leaders in providing privacy compliant services and solutions.”
Laurence Pitt- Security Strategy Director, Juniper Networks
As GDPR (General Data Protection Regulation) comes into play in the European Union on May 25th, enterprises with EU operations are facing a new reality of legal provisions. The way they handle EU customer data and uphold privacy will require a brand new approach, and this will undoubtedly impact their strategy and operations. GDPR governs the use of Personally Identifiable Information (PII) of an EU citizen, so even if a company has a single EU customer, it will need to develop an action plan. Global tech companies have already taken the necessary precautions and several others are also in the midst of determining how they handle, store and erase customer data. In India, the more than 40 million SMEs would also need to act upon this. To some, it may seem like a distraction from their core business, but they cannot overlook GDPR as its impact will be huge. As the Indian ITES industry earns a sizeable chunk of its revenue from Europe, several contracts with customers and service providers will have to be rewritten.
What enterprises need to do:
Hire a Data Protection Officer (DPO) – A data compliance specialist who will oversee the GDPR process and guidelines. The regulation says every company with more than 250 employees needs to hire a DPO, but even companies with less than 250 employees should do so.
Conduct a full data audit – Verify data that the company already owns across its entire lifecycle to see what is encrypted, how safe it is and where it is stored. If steps to secure the data are needed, formulate a plan for that.
Monitor data access – View real-time reports about who accesses what data and from where and through which mediums. Defining accessibility for employees and third-parties can play a vital role for data protection.
Create incident response plans – Determine what happens when a data security alert is raised. GDPR regulations state that any data breach must be reported within 72 hours, and this should be adhered to.
Securing customer data should be a key priority for companies today, and not just the data of EU citizens. GDPR should set the ball rolling on further improvements that companies must adopt voluntarily for ALL citizens universally. In fact, India can take this as the right time to devise its own cybersecurity legislations for the protection of its citizens. It is time to not view GDPR as an operational risk – but as a benefit instead. Companies that proactively value customer data can become pioneers and get a massive boost to their reputation by protecting privacy when it is more important than ever.
Rana Gupta, Vice President – APAC Sales, Identity and Data Protection, Gemalto
As regulations catch up, Data Privacy has fast evolved to become a matter of survival for companies. Companies (Boards) that continue to ignore this, risk becoming non-existent almost overnight in the wake of any data breaches. Post the enforcement of Mandatory Breach Notification in Australia earlier this year, Australian organizations reported 63 breaches in the first 6 weeks. Every breach incident has the potential of long term reputational damage to the impacted organization.
The fast-approaching GDPR enforcement date has already resulted in the undertaking of massive changes to consumer data collection and processing practices, especially in consumer-led markets. As a result, we will continue to see tightening of the regulatory environment with respect to data privacy and enforcement of penalties on firms as well as fiduciary officers in the wake of data breaches resulting out of inadequately protection measures.
Companies need to realize a breach is inevitable and key stakeholders, their customers, expect them to take reasonable measures to prevent breaches in the first place, and when that fails, to respond quickly and appropriately. GDPR mandates this practice for companies that operate in EU or company doing business with EU citizens. Questions remain, however, around implementation, interpretation and administration of the data protection practices – and these will need to be ironed out as the GDPR becomes enforceable. In order to be compliant, a business must begin introducing the correct security protocols in their journey to reaching GDPR compliance, including encryption, two-factor authentication and key management strategies to avoid severe legal, financial and reputational consequences.
Sanjay Gupta, Managing Director, South Asia, Middle East, NICE
Due to the rapid change in technology, the General Data Protection Regulation (GDPR) places the burden of “continuous risk assessment” on the collecting organizations – data controllers and requires that any outside organization processing data – data processor – be GDPR compliant. A recent survey of IT professionals (ESG research) has revealed that only 11% of organizations are completely prepared for the GDPR, a third of organizations say they are mostly prepared, and 44% are enroute to implementing the processes they would like to have in place to meet GDPR requirements.
For many organizations, the initial transition to GDPR compliance is likely to be a lengthy and challenging process. To combat the challenges, we advocate a collaborative technology vision with a dedicated GDPR solution to simplify processes relating to the rights for the data subject. We try our best to offer seamless security solutions combined with high awareness and actionable threat awareness to the most demanding enterprise environments and have earned the most independent certification for security effectiveness and performance in the industry. These solutions, close gaps left by legacy point products and provide the broad, powerful, and automated end-to-end protection requirement across physical, virtual and cloud environments.
As the digital revolution marches on, it brings about numerous technological advances that is the thrill of the fourth Industrial revolution. However, there is one dimension called compliance and regulation that needs to be addressed and requires re- evaluation based on the continued reassessment of the risks. A broad, powerful, and automated approach to security is required to achieve this.
Prashant John, Co-Founder and CMO at Kwench Global Technologies and Bhabani Panda, CISO, Kwench Global Technologies
The EU-GDPR represents a paradigm shift in the way data can be collected and treated by organizations. The Economist in the May of 2017, proclaimed on its cover that data is the world’s most valuable resource. GDPR plans to ensure that the ones generating that valuable resource also are in control of it and not the technology and service companies that seem to infiltrate into every aspect of one’s life. Data is power and concentration of that power in the hands of a few organizations is not in the larger interest of the world. Inverting that power distribution is the way to ensure that everyone wins in the brave new digital world.
The regulations thus give much more power to the consumer to control how her data is used by companies. At this point in time, it only applies directly to those companies that are established in the EU or offer goods and services to citizens in the EU. But then since the world is flat, like it or not, it also applies indirectly to pretty much all companies in India that aim to operate outside our borders.
So does the GDPR pose a threat to Indian companies or is it a boon?
As with everything else the answer is “it depends.” If you are a company that is lax in data security and thinks spamming people using data from bulk databases is the way to grow business, then GDPR can be a huge existential threat with fines up to 4% of annual global revenue or 20 million Euros. On the other hand, if you are an organization looking to move up the Data Maturity Model and be a trustworthy brand that consumers trust, then GDPR compliance can be an opportunity to stand apart from the crowd.
For Indian businesses the biggest challenges will be in getting the organization mindset to shift from the current Consent Model to a Rights Model. In the discussion document “Beyond Consent: A New Paradigm for Data Protection” Rahul Matthan outlines the fundamental difference thus – In the Consent Model, once the consumer’s consent to collect data is obtained, the controller is free to use the data for the specified purpose and is not liable for the consequences – thereby putting the onus on the consumer to know what she is providing her consent to. The Rights model flips this around and gives the consumer total control over her data. The collector must then ensure that the way they collect and use the data does not violate this fundamental right.
Organizations steeped in decades of operating under the consent model, sometimes with lax oversight and privacy controls are going to find the task of percolating the mindset change down to the last customer-facing employee a tough challenge.