By: Sivarama Krishnan, Leader, Cyber Security, PwC India
The size of the IT industry in the top two EU member states—that is, Germany and France—is estimated to be around 155–220 billion USD.1 For the Indian IT industry to continue to do business in Europe, it needs to comply with the GDPR. In the event of non-compliance on the part of Indian companies, the GDPR imposes a penalty of 20 million EUR or 4% of a company’s global turnover.
Immediate next steps for Indian companies
Indian companies need to carefully look at the requirements for GDPR compliance. They need to:
- Develop/update privacy policies, procedures and compliance programmes.
- Conduct data privacy training for all employees.
- Conduct data discovery exercises and maintain documentation in order to demonstrate visibility of the personally identifiable information (PII) processed.
- Document the legal basis for processing, communicate privacy notices and record consent (where applicable).
- Establish processes to:
  - Manage data subject requests.
  - Enable data breach notification.
  - Perform data protection impact assessments (DPIAs) for high-risk processing activities.
- Embed privacy by design requirements into existing/new processes, solutions and technologies processing PII.
- Update vendor governance programmes to include security and privacy due diligence, review/update contracts with GDPR obligations and establish a process around periodic compliance monitoring.
In addition to the above, organisations should focus on updating existing/deploying new technologies to help address key areas and challenges. Some of the leading practices include:
- Investing in systems to carry out data discovery exercises to determine what/how/where PII (specifically unstructured data—i.e. PII stored on local workstations, emails, file servers, etc.) is handled within the organisation.
- Evaluating tools to address challenges around data subject requests, data retention and disposal, cross-border data transfers, consent management, etc.
- Implementing adequate identity and access management (IdAM) solutions, extending coverage of encryption solutions, reviewing and updating configurations of data loss prevention (DLP), security information and event management (SIEM), etc.
- Deploying/updating centralised incident and breach management solutions to quickly detect/prevent security incidents and address data breach notification requirements.
- Implementing anonymisation and pseudonymisation techniques in applications to better control data processing activities.
To conclude, the regulation and its enforcement may appear to be daunting to many organisations. There is also a cultural change in the way organisations are starting to handle personal data and provide services to their customers. Current developments and changes being proposed in our privacy landscape, coupled with strong technical capabilities, provide great opportunities for Indian companies to align their services and data handling processes to global standards and become market differentiators in the arena of data privacy and protection.