IS INDIA INC. READY FOR GDPR COMPLIANCE?

General Data Protection Regulation (GDPR) has brought about an unprecedented change in the European data protection laws after more than 20 years. It strengthens the data rights of EU residents and harmonizes data protection laws across all member states, thus designating individual choice as a priority over everything else.

GDPR was enacted two years ago while its enforcement across all 28 EU countries came into effect at midnight on 25 May 2018.The new act is going to strengthen the data rights of EU residents and harmonize data protection laws across all member states, making it identical.

“The GDPR will replace the 1995 Data Protection Directive and is aimed at protecting EU citizens’ personal data in the new digital world. It is a significant, wide-ranging piece of legislation which will, no doubt, have a major effect on the world of cyber security and data protection. GDPR in spirit applies to nearly every organization based in India dealing with the personal data of subjects residing in the EU, regardless of the company’s location,” explainsVijay Mhaskar, Chief Operating Officer, Quick Heal Technologies.

More than anything else, GDPR will make it easier and cheaper for companies to comply with data protection rules. It will also increase the potential fines organisations face for misusing data, and make it easier for people to discover what information organisations have in them. The EU believes this will collectively save companies €2.3 billion a year. GDPR will govern how organizations within and outside the EU will collect, manage, process, and protect personal data while respecting individual choice.

“As we stand amidst the fourth industrial revolution, maintaining the integrity of personal data has become as imperative to national security as protecting a country’s cyber borders. Organizations are under increased scrutiny, with everybody from lawmakers and investors to employees and consumers examining the relationship between what’s good for business and what’s good for individuals. Regulations like GDPR will begin a dialogue about what nations and multilateral stakeholders can do to streamline a system of checks and balances on a digital planet,” cites Anant Maheshwari, President, Microsoft India.

Says Chester Wisniewski, Senior Security Advisor, Sophos, "Maintaining privacy is a complicated process and most people don't even know where to start. Certainly businesses can take a few lessons from GDPR. GDPR is teaching us to collect less information from our customers, unless we really need it. Even if you don't need to comply with GDPR, this is simply a good practice. Your business saves money by having less data to protect and your customers gain the privacy that many desire in the process. Humans will do what is easiest, so it is our job to make privacy as easy as possible."

“25th May – a day where Data will no longer be the same,” reiterates Ramesh Mamgain, Area Vice President, Commvault India & SAARC Region. “If you think it only affects your production data, it's much more complex than that. Managing your secondary data is probably the more difficult challenge for many companies. Organizations need to acknowledge that GDPR compliance is no longer simply an IT or technology issue. This is a chance to improve the efficiency of data governance. A holistic ‘People, Process and Technology’ mantra is still the way to achieve amidst the chaos of complying with increasing Data privacy laws around the globe.”

Comments Aniketh Jain, CEO  & Co-Founder, Solutions Infini, "GDPR, General Data Protection Regulation is a great step taken by the European Union. With the massive amount of data sharing taking place around us, it’s important now more than ever that a consumer’s data is protected and used only with their permit. The law is well defined and it’s a major change for most of the organizations and it’s good to see that it has been accepted well. The law also has strict penalties which makes sure that companies comply."

Says George Chang, VP, APAC, Forcepoint, “As the capacity to collect, store and analyze data for commercial purposes continue to grow exponentially, GDPR seeks to strengthen and unify personal data privacy and protection - putting people in control of their data and ensuring that businesses treat this data in a fair, transparent and secure manner. It’s no surprise that this seismic shift in the way we approach data security has caused a ripple effect across the globe, with many countries following suit and modernizing their own privacy and data protection laws.”

Supratim Chakraborty, Associate Partner, Khaitan & Co. observes that in the GDPR era, most business houses are frantically trying to put their house in order to be compliant with the data privacy and data protection related requirements of GDPR. “What is most interesting to note is that GDPR has forced business entities to sit up and take a serious look at the data that they have been amassing. Even the smallest of start-ups struggled to decipher how much data they have collected, where they have been stored and how they were processed. Therefore, I would say it is a good wake-up call which should be emulated by all businesses. The principles of GDPR are beneficial and could be adopted by all business houses whether there is an EU interface or not. Also, this may be helpful because our domestic law on this subject, which is in the making, may largely adopt the principles of GDPR. Therefore, organizations which are equipped with the principles of GDPR would be future-ready for the new Indian legislation.” 

As regulations catch up, Data Privacy has fast evolved to become a matter of survival for companies. According to Rana Gupta, Vice President – APAC Sales, Identity and Data Protection, Gemalto,companies (Boards) that continue to ignore this risk will become non-existent almost overnight in the wake of any data breaches. “The fast-approaching GDPR enforcement date has already resulted in the undertaking of massive changes to consumer data collection and processing practices, especially in consumer-led markets. As a result, we will continue to see tightening of the regulatory environment with respect to data privacy and enforcement of penalties on firms as well as fiduciary officers in the wake of data breaches resulting out of inadequately protection measures.”

The proactive approach for data privacy and cyber security can result in new business opportunities, along with the trust of a company’s stakeholders. Instead of searching for quick fixes to comply with GDPR, companies should focus upon long term sustainable improvements. 

Says Erik Andreson, practice leader of Cyber Security services - F-Secure, “Markets must work closely with the legal and IT departments over handling the personal data of customers they need for their strategic business objectives.The regulation simply makes it the organization’s duty to assess and decide what types of measures shall be implemented to comply with the GDPR, and to ensure that all precautions are undertaken to minimize the risk of data breaches by detecting breach attempts.”

However a recent survey of IT professionals (ESG research) has revealed that only 11% of organizations are completely prepared for the GDPR, a third of organizations say they are mostly prepared, and 44% are enroute to implementing the processes they would like to have in place to meet GDPR requirements.

Sanjay Gupta, Managing Director, South Asia, Middle East, NICE puts forward his observation. “For many organizations, the initial transition to GDPR compliance is likely to be a lengthy and challenging process. As the digital revolution marches on, it brings about numerous technological advances that is the thrill of the fourth Industrial revolution. However, there is one dimension called compliance and regulation that needs to be addressed and requires re- evaluation based on the continued reassessment of the risks.A broad, powerful, and automated approach to security is required to achieve this.”

Surendra Singh, senior country director, India, Forcepoint also observes that the GDPR does not provide a prescriptive path to compliance. He says, “It is not just a CISO or a CIO issue. It is recommended that a leadership team is formed that involves CIO, CISO, legal and HR to have a shared understanding of the regulation’s requirements and alignment on how it would affect their company.”

He further continues, “In the end, every company will have their own version of GDPR compliance; it is important to have common understanding across the company, better communication between leadership team, quick anticipation and implementation of right technologies to protect against data incidents.” 

Todd Wright, Global Lead GDPR Solutions – SAS opines that many people in the EU are already exercising their GDPR rights in the form of either opting out or in some cases already lodging complaints. “According to a recent SAS survey, organizations should consider these challenges - The ability to understand where all personal data might reside, acquiring the proper skills within the organization to manage the GDPR, dealing with consent management, and ensuring that the use of profiling done on individuals is free of biases,” he says. 

Todd also says that GDPR should be treated more than just an IT issue. “It is very much a legal and compliance driven regulation and organizations should staff up now with those individuals that can not only interrupt such regulations but work with the IT department to lead what efforts they need to take on a tactical level to ensure compliance.”

Microsoft began work on GDPR as soon as it was adopted by the European Union, and was compliant before the deadline. “We have had over 300 of our full time engineers dedicated towards GDPR compliance and adopted over 30 controls based on GDPR,” says Keshav Dhakad, Director and Assistant General Counsel – Corporate, External and Legal Affairs (CELA), Microsoft India. “Through significant investments in our products and services, we have helped customers comply with GDPR within Azure, Office 365, Windows, EMS, SQL Database and Dynamics 365. Our cloud products are designed with industry-leading privacy policies and security measures to safeguard customer data in the cloud, including the categories of personal data identified by the GDPR. Additionally, we have provided the best data governance, security, and privacy tools in the market to our customers to help simplify the compliance process and have also supported many large global companies in GDPR compliance.”

To provide intelligent response to new GDPR requirement, Guardtime has developed its solution for GDPR compliance, named as Volta which utilizes KSI blockchain technology. It provides mechanism for companies to demonstrate Privacy by design, Privacy by default and lawful processing, required for GDPR with the added benefits of trust, transparency, integrity and provenance that are inherent to a blockchain solution.

Inspira along-with Guardtime works with the client to ensure that all GDPR events associated with PII across the organization (i.e. consent, access, modification, copy etc.) are tracked in VOLTA and anchored in the KSI blockchain. By leveraging industrial scale and low-latency transaction registration process of KSI, VOLTA runs in near real time, offering an automated immutable GDPR compliance service. Guardtime’s KSI blockchain provides the proof, provenance and trust required to satisfy compliance and audit requirements of GDPR and third parties such as regulators, auditors and the PII affected individuals.

GDPR Governance Service from Crayon is a comprehensive GDPR management and risk mitigation solution. Aligning to the required policies & process frameworks for GDPR can save organisations from potential risks. Says Rajesh Thadhani, Director Crayon Software Experts P. Ltd, “Failure to prepare for the regulation could have serious consequences, not only to your bottom line, but also to your customer relationships and brand image.”

GDPR & India

GDPR presents a good opportunity for India to drive thought leadership in the global market. Organizations can build expertise and capabilities, create new lines of advisory and consulting businesses, develop a market differentiator and be a source of competitiveness. With millions of people going online for the first time, protecting their vulnerabilities cannot be compromised. The Supreme Court of India has already demonstrated its commitment to its citizens when it declared privacy a fundamental right last year, and now with the passage of GDPR, the onus is now upon corporatesto play its part.

GDPR is sure to have a major impact on business operations. Organizations in India need to place compliance and data security as a priority, considering the cost for violating privacy laws is about to get very expensive. GDPR can cost businesses up to 20 million Euros or 4% of annual turnover, whichever is higher, for intentional or negligent violations. With these kind of stakes, investing in compliance now is the only right move for a sustainable business model. 

While many may be worried about the implications of a new regulatory era, in reality it will create trust and provide good practices that will benefit both the individuals and the business. These laws collectively present a positive business opportunity, when approached in the right way. Compliance can drive operational efficiencies, cost-savings and even fuel innovation. With strong data protection strategies in place, customers will place greater confidence in businesses, and businesses will minimize the all too common reputational and financial fall-out of a breach.

Hence, Indian Businesses need to implement more robust data protection measures to prevent and manage data breaches. Businesses should adopt a robust data protection policy which outlines the procedure and designates responsibilities for ensuring complete privacy of consumer information. This should include strong password policy, investment in the right IT security solutions, Data Loss Prevention (DLP) and Encryption, regular data backups, employee awareness programs, and a comprehensive action plan to counteract data breach incidents. This focus on data protection will help them in nurturing greater trust with their European clients and expanding their market footprint within the region. 

“Indian businesses are battling severe issues of data protection and cyber security that have larger business implications on productivity and customer confidence,” says Shree Parthasarathy, Partner, Deloitte India. “GDPR is a welcome step towards addressing privacy issues, as it now brings data protection at the forefront. Embracing GDPR with a strategic roadmap should be the immediate priority for Indian CXOs that would include creating awareness, training as well as constitution of a dedicated data protection framework. GDPR can be a competitive advantage for India, if enterprises understand its relevance and further bring in a risk-based iterative mechanism to their business strategy that is trustworthy secure, and agile in the digital world.”

“The GDPR applies to companies in Europe (specifically those in the EU / EEA), so it will affect an Indian company which has a European office, or is marketing to European customers,” says Arun Balasubramanian, Managing Director, Qlik India. “In terms of readiness, companies have had a long time to prepare for GDPR, but as the GDPR bar is quite high, many may be struggling to be ready. The biggest challenge in meeting the requirements is understanding not only what personal data companies have in their multiple systems, but also understanding the relationships of that data as well as who has access to it. This includes monitoring the consent and tracking of who opted in or out in for campaigns, newsletters, or petitions. GDPR is considered by many to be the highest global standard, and many countries have and will continue to strengthen their privacy laws in the near future.”  

“As the world is getting more and more digital with proliferation of mobile phones and usage of the internet, it is very important for governing bodies to ensure that their people’s data and privacy are safeguarded. Digital economy can only flourish when you connect people, process, data and things in an ethical, meaningful and secure way,” says Srinivas Rao, Co-Founder & CEO, Aujas.“We feel that GDPR is a step towards that. The toughest aspect of the GDPR is its guidelines to adhere to the security policies by organization handling EU data in and outside of the state. In order to be compliant, businesses must begin by introducing the correct security protocols in their journey to reaching GDPR compliance, including encryption, two-factor authentication and key management strategies to avoid severe legal, financial and reputational consequences. India has evolved to become a technology hub equipped with deep expertise and GDPR could be an opportunity for Indian companies to stand out as leaders in providing privacy compliant services and solutions.”

The implementation of the GDPR law in Europe has thus stimulated Indian companies to fortify their databases, leading to an upswing in the search for cyber security and privacy professionals. This has also resulted in an upsurge of job postings for cyber security roles. According to data from the job site, Indeed,cyber security job postings have risen up by 150% between January 2017 and March 2018, along with a corresponding increase of 129% in job searches for the same in the same period. Between January 2017 and March 2018, there has also been a spike in the number of job postings for Data Protection roles, which have seen an increase of 143%, while the number of job searches for the same have risen by 188%.

Agrees Basawaraj Vastrad (Technical Director of BD Soft, Country Partner of Bitdefender), "Indian companies are likely to face increased compliance costs or risk huge penalties if they fail. They should review their policies, procedures and existing privacy programmes. Developing a solid understanding of what the GDPR entails means to fully review your data, understand where it’s located and how it’s structured, how it flows and, most importantly, what it contains."

However, despite cyber security jobs having zero percent unemployment, there is a huge dearth of skilled professionals, who can understand the complexities of today’s interconnected world. Also, with cyber security breaches and intricacies having touched all industries and sectors, it is vital for all organisations to increase their security systems and processes.

And so…
As GDPR comes into effect  it will significantly strengthen a number of rights - Individuals will find themselves with more power to demand companies reveal or delete the personal data they hold; regulators will be able to work in concert across the EU for the first time, rather than having to launch separate actions in each jurisdiction; and their enforcement actions will have real teeth, with the maximum fine now reaching the higher of €20 million or 4 percent of the company’s global turnover. 

Certainly businesses can take a few lessons from GDPR. GDPR is teaching businesses to collect less information from its customers, unless they really need it. Even if some businesses don't need to comply with GDPR, this is simply a good practice. Business saves money by having less data to protect and customers gain the privacy that many desire in the process.

Samrita Baruah
samrita@varindia.com