On 25th of May, 2018, the global IT Industry entered a new age of regulations and compliance with EU GDPR which is being touted to have a huge impact on the market and individual businesses. This virtually changes the playing field, with a need to rethink how enterprises treat their data as arguably intense 4 percent penalties and a damaging blow to the brand image is the last thing any business needs.
As per Wikipedia, the General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Superseding the Data Protection Directive, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of data subjects inside the European Union. Business processes that handle personal data must be built with privacy by design and by default, meaning that personal data must be stored using pseudonymization or full anonymity and use the highest-possible privacy settings by default, ensuring that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data’s owner. The business must allow this permission to be withdrawn at any time.
A processor of personal data must clearly disclose what data is being collected and how is it stored, why it is being processed, how long it is being retained, and if it is being shared with any third parties. Users have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.
Looking into the history of GDPR, it was adopted on the 14th of April 2016, and after a two-year transition period becomes enforceable on 25 May 2018. Because GDPR is a regulation and not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable. The regulation applies if the data controller, processor, or the data subject is based in the EU. Under certain circumstances, the regulation also applies to organizations based outside the EU if they collect or process personal data of individuals located inside the EU.
IMPACT ON INDIA
Although India has its own regulations governing data privacy and security, the focus now is fully on individual organizations’ ability to embrace GDPR without reservation. This is understandable given the cost impact of noncompliance by companies. In fact, one can safely assume that with this financial year onwards organizations will have a dedicated budget for regulatory compliance and data security. Organizations in India need to place compliance and data security as a priority considering the cost for violating these privacy laws is about to get very expensive. GDPR can cost up to 20 million Euros or 4% of annual turnover, whichever is higher, for intentional or negligent violations. With those kinds of stakes, investing in compliance now is the only right move for a sustainable business model. Pragmatic compliance does not need to be an expensive exercise too. Expenses are relatively low if implemented with a common sense approach. Understanding the parameters of the applicable legislation is key to getting it right. India has evolved to become a technology hub equipped with deep expertise and GDPR could be an opportunity for Indian companies to stand out as leaders in providing privacy compliant services and solutions. WinMagic’s latest survey of nearly 500 IT Decision Makers (March 2018) found that a significant number of businesses were lacking in systems needed to meet the data management requirements of GDPR, continuous encryption of personally identifiable information across cloud and on-premises servers, and data breach monitoring.
You can read up to 3 premium stories before you subscribe to Magzter GOLD
Log in, if you are already a subscriber
Get unlimited access to thousands of curated premium stories, newspapers and 5,000+ magazines
READ THE ENTIRE ISSUE