How can Indian organisations prepare for the GDPR regime?
By: Sivarama Krishnan, Leader, Cyber Security, PwC India
On 27 April 2016, the EU General Data Protection Regulation (GDPR) was adopted, and on 25 May 2018 it will come into full effect, marking a milestone in data protection law across the EU. The nucleus of the GDPR is to strengthen and unify data protection for individuals within the EU and to govern the export of personal data outside the European Union (EU), which means it protects personally identifiable information (PII) of EU citizens, of whatever kind, against misuse.
The development will not only change the business landscape in the EU but also influence global markets and multinationals. Organisations had two years to understand, comprehend and implement the regulation in spirit and, as a consequence, demonstrate compliance. But with the May go-live date coming closer, it is important for organisations to assess their readiness for the new regime in order to avoid heavy penalties or fines.
The Indian industry landscape and impact of the GDPR
Europe is a substantial marketplace for the ITeS, BPO and pharmaceutical industries in India. The size of the IT industry in the top two EU member states (i.e. Germany and France) is estimated to be around 155–220 billion USD. Thus, for the Indian IT industry to continue doing business in Europe, it needs to comply with the GDPR.
The GDPR imposes a penalty of 20 million EUR or 4% of global turnover, whichever is higher, in cases of non-compliance.
The regulation requires a programmatic approach to data protection, and a defensible compliance programme will be required to prove that you are acting appropriately. As part of these efforts, organisations need to answer the following questions:
- What is our data footprint in the EU (e.g. data about employees, consumers and clients)?
- Are we prepared to provide evidence of GDPR compliance to EU or US privacy regulators who may request it?
- Do we have visibility of and control over what personal data we collect? How do we use it? With whom do we share it?
- Do we have a privacy-by-design programme, with privacy impact assessments (PIAs), documentation and escalation paths?
- Do we have a tested breach-response plan that meets GDPR’s 72-hour notification requirement?
- Have we defined a roadmap for GDPR compliance?
- Have we identified a Data Protection Officer (DPO) as required by the GDPR?
- Have we adopted a cross-border data transfer strategy?
Organisations need to look at the following aspects as part of their compliance efforts:
- Develop a vision and strategy for compliance with the GDPR.
- Assess gaps between your current compliance programme and the requirements of the GDPR, and analyse risks.
- Create an accountability framework for data protection compliance.
- Develop the operational structures needed to facilitate compliance.
- Document processing activities and data flows.
- Review lawful processing bases and third-party contracts.
- Create processes for privacy by design and privacy impact and risk assessments.
- Identify and prioritise key remediation activity to reduce your risk profile.
Areas which need focus under the GDPR are:
- Data processing
- Notice and consent
- Data subject rights
- Lawful basis of processing
- Cross-border data transfer
- Third-party and vendor management
- Transparency of information and communication
- Data security, storage, breach, breach notification
- Training and awareness
- Weak data protection law in India: India’s outsourcing industry, which is estimated to be worth over 150 billion USD, contributes nearly 9.3% of the GDP. The EU has been one of the biggest markets for the Indian outsourcing sector and India’s relatively weak data protection laws make us less competitive than other outsourcing markets in this space.
- Cross-border restrictions: Largely inflexible, the GDPR reduces the extent to which businesses can assess risks and make decisions when it comes to transferring data outside the EU. Indian companies would need to implement sufficient safeguards, as required under the GDPR, in order to transfer personal data outside the EU, thereby further increasing compliance costs.
- Greater risk of penalties and litigation: Article 3 (Territorial scope) of the GDPR makes it clear that the regulation applies regardless of whether or not the processing takes place in the EU. For Indian companies this means either no EU business if they do not comply with the GDPR, or increased compliance costs for those who do, together with the risk of huge penalties should they fail.
- Business opportunity rather than compliance burden: Indian IT companies serving the EU market, their second largest after the US, would be required to comply with the GDPR. However, rather than seeing this as an additional burden in terms of compliance, Indian companies should see it as a massive business opportunity knocking at their doors.
- Opportunity to stand out: Over the years, India has become a technology hub equipped with deep expertise and a talented resource pool. The GDPR could be an opportunity for Indian companies to stand out as leaders in providing privacy compliant services and solutions.
- Developments in India’s privacy landscape: The ‘adequacy requirements’ under the GDPR allow the European Commission to consider whether the legal framework prevalent in the country to which the personal data is sought to be transferred affords adequate protection to data subjects in respect of privacy and protection of their data. In the wake of recent developments and the Supreme Court verdict, a data protection framework has been proposed by the Srikrishna Committee. It will be interesting to see how the forthcoming legislation shapes up and whether it will satisfy the criteria laid down under the GDPR.
How should Indian companies prepare for the GDPR?
Indian companies need to carefully look at the requirements for GDPR compliance. They need to:
- Review policies, procedures and existing privacy programmes;
- Conduct data discovery exercises and maintain documentation in order to demonstrate visibility of the personal data processed;
- Impart data privacy training to employees or subcontractors;
- Implement processes to perform data protection impact assessments (DPIAs), manage data subject requests, privacy by design, etc.;
- Review/update contracts signed with third-party vendors.
In addition to the above, organisations should focus on changing the technologies they use and should consider:
- Pseudonymisation and encryption required while processing personal data;
- Reviewing and updating configurations of data loss prevention (DLP), Security Information and Event Management (SIEM) and other technical solutions;
- Equipping the security ecosystem with effective identity and access management (IdAM) solutions;
- Reviewing data retention schedules, cross-border data transfers, privacy notices, consent, etc.;
- Logging, monitoring and incident management solutions.
Investing in systems to carry out data discovery exercises to determine what/how/where PII (specifically unstructured data, i.e. PII stored on local workstations, emails, file servers, etc.) is handled within the organisation will help Indian companies enter the GDPR regime smoothly.
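As an added example (not code from the article or from PwC), the following Python sketches two of the technology items above: a discovery scan for PII in unstructured text, and pseudonymisation in the GDPR sense, where the tokenised data can only be re-identified with a key and lookup table held separately. The sample export, the two patterns and the key are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample of "unstructured" content (e.g. a support-ticket export);
# not real data.
SAMPLE_EXPORT = """\
Ticket 1041: customer anna.muller@example.de asks for a copy of her data.
Ticket 1042: call back j.dupont@example.fr on +33 1 23 45 67 89 re invoice.
Ticket 1043: internal note, no customer contact.
"""

# Two illustrative PII patterns; a production discovery tool carries many more.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d){6,}"),
}

def discover_pii(text):
    """Inventory step: return (line_no, pii_type, value) for every match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PII_PATTERNS.items():
            for value in pattern.findall(line):
                findings.append((line_no, kind, value))
    return findings

class Pseudonymiser:
    """Swap PII for keyed tokens. The key and the lookup table are the
    'additional information' that must be kept separately from the output,
    so the pseudonymised text alone cannot be attributed to a person."""

    def __init__(self, key):
        self._key = key        # hold in a KMS/HSM, never beside the data
        self.lookup = {}       # token -> original value, stored apart

    def token(self, value):
        # HMAC rather than a plain hash: without the key, nobody can rebuild
        # tokens from guessed e-mail addresses or phone numbers.
        digest = hmac.new(self._key, value.lower().encode(), hashlib.sha256)
        tok = "PII-" + digest.hexdigest()[:12]
        self.lookup[tok] = value
        return tok

    def pseudonymise(self, text):
        for pattern in PII_PATTERNS.values():
            text = pattern.sub(lambda m: self.token(m.group(0)), text)
        return text
```

The same key yields the same token for a given value, so pseudonymised records from different systems can still be joined for processing without exposing the identifier.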