With less than a year to go until the General Data Protection Regulation (GDPR) comes into effect, now is the time for Indian businesses to prepare for compliance or face potentially crippling fines. Lack of understanding, coupled with unawareness of its implications, makes GDPR the latest threat to business. It is crucial for businesses to understand GDPR, embrace the regulation and find the hidden opportunity for compliance now.
Fundamentally, GDPR requires businesses that deal with the European Union (EU) to comply with the laws laid down to ensure security of data. GDPR will come into effect on 25 May, 2018. It requires responsibility and accountability for every business that processes the personal data of individuals in the European Union (EU).
In a bid to reduce the ambiguity surrounding the true applicable meaning of personal data, GDPR has taken a step further by categorically highlighting the definition as “Personal Data is any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
With the legalities addressed, GDPR will primarily be concerned with the introduction of new privacy and security regulations on how businesses collect, store and use the personal information of their customers and employees located in the EU. These measures are aimed at minimising the risk of breaches and upholding the protection of personal data, in particular across automated gathering and filing systems.
The regulation demands micro-level involvement, and the cost of non-compliance is high: fines of up to €20 million (over Rs 1.5 billion), or four per cent of global annual revenue, whichever is greater, will be levied. Businesses can therefore no longer afford to consider GDPR an afterthought.
There is some awareness locally, but there’s still a long way to go until Indian companies can confidently say they are ready. In fact, according to a recent study by the Ponemon Institute and Citrix, 85 percent of Indian businesses consider the GDPR a risk to their IT security infrastructure; however, over half (57 percent) haven’t started preparing and don’t have budget allocated for GDPR compliance. (This is as per a global study sponsored by Citrix, The Need for a New IT Security Architecture, conducted by Ponemon Institute, which surveyed 4,268 IT and IT security practitioners in Australia/New Zealand, Brazil, Canada, China, Germany, France, India, Japan, Korea, Mexico, Netherlands, United Arab Emirates, United Kingdom and the United States.)
Technology is transforming at an accelerated rate and has resulted in voluminous data being generated and transacted across boundaries. Indian businesses need to consider the GDPR regulations and how equipped they are to deal with the audit process. Technology solutions that allow a holistic view of the network, data, apps and access can help a business become compliant and prepare for the required audit process.
What’s in store for India?
Besides the existing regulations, GDPR will entail an added burden of compliance for Indian businesses. Since ‘personal data’ is processed across continents, organisations dealing with data of EU citizens will be held accountable for its treatment. For cross-border transfer, Indian businesses will need to either sign Model Clauses between the different entities, or sign the Binding Corporate Rules, or use other acceptable methods under the GDPR. Furthermore, with India being one of the faster technologically growing economies, GDPR’s relevance and compliance become a matter of deliberation owing to the interests of the businesses and the existing policy structure.
However, the regulation isn’t entirely restrictive in nature. It presents Indian businesses the opportunity to collaborate with some of the biggest global customers and support their journey to become GDPR compliant. With this as the backdrop, India has been pursuing an ‘adequate status’ for sharing information, accessing data and tagging communication. As a result, discussions continue on the truest definition of ‘personal data’, making the tangibles involved and the willingness to comply harder to achieve.
According to global digital security firm Gemalto’s ‘Breach Level Index’, more than 36.6 million data records were compromised in India in 2016. Considering the pertinent threat that looms over India’s data reserve, companies are compelled to report data breaches within 72 hours of the event under the revised regulation.
Start now, define and implement a centralised IT framework
To address the challenges of international regulations without impeding productivity, a centralised approach would be good. This will give you the ability to better secure your data, know where it is at all times, gain a more holistic view of your data and network, and manage access to this critical information. Centralising can also make audit reporting simpler and faster:
- Whenever possible, centralise apps and data in the data centre or cloud so sensitive enterprise data is not stored on devices,
- When sensitive data must be distributed, mobilised or used offline, ensure it is protected in a secure place,
- Control access to resources with context-aware policies based on user, device, location, application and data sensitivity,
- Provide visibility and management capabilities that unite your IT infrastructure to deliver application and data-specific security.
At its core, the GDPR is about trust. The silver lining of this regulation is the trust and equity it helps build. GDPR is about companies handling the personal data of their customers, partners and employees with care and respect. It is an opportunity to reinforce relationships with these stakeholders by securing all data, and working with the community to support, implement and manage positive GDPR compliance programs.
In tandem with this premise, GDPR is and will be a game-changer in terms of disruptive data compliance regulations. It is up to Indian businesses to realise its importance, look at the opportunity GDPR presents and accordingly re-shape their strategy such that it opens floodgates for expansion and does not constrict their growth trajectory.
(The writer is Area Vice President and Country Head, Indian subcontinent, Citrix Systems)
Updated Date: Nov 21, 2017 13:07 PM