GDPR: What it means for Indian businesses
May 17, 2018


By: Sivarama Krishnan, Leader, Cyber Security, PwC India

 

The size of the IT industry in the top two EU member states—that is, Germany and France—is estimated to be around 155–220 billion USD [1]. For the Indian IT industry to continue to do business in Europe, it needs to comply with the GDPR. In the event of non-compliance on the part of Indian companies, the GDPR imposes a penalty of 20 million EUR or 4% of a company’s global turnover.

 

Read more about what organisations need to do in order to comply with the GDPR here.

 

Immediate next steps for Indian companies
Indian companies need to carefully look at the requirements for GDPR compliance. They need to:

  • Develop/update privacy policies, procedures and compliance programmes.
  • Conduct data privacy trainings for all employees.
  • Conduct data discovery exercises and maintain documentation in order to demonstrate visibility of the personally identifiable information (PII) processed.
  • Document legal basis for processing, communicating privacy notices and recording consent (where applicable).
  • Establish processes to:
      1. Manage data subject requests.
      2. Enable data breach notification.
      3. Perform data protection impact assessments (DPIAs) for high-risk processing activities.
      4. Embed privacy by design requirements into existing/new processes, solutions and technologies processing PII.
  • Update vendor governance programmes to include security and privacy due diligence, review/update contracts with GDPR obligations and establish a process around periodic compliance monitoring.

In addition to the above, organisations should focus on updating existing/deploying new technologies to help address key areas and challenges. Some of the leading practices include:

 

  • Investing in systems to carry out data discovery exercises to determine what/how/where PII (specifically unstructured data—i.e. PII stored on local workstations, emails, file servers, etc.) is handled within the organisation.
  • Evaluating tools to address challenges around data subject requests, data retention and disposal, cross-border data transfers, consent management, etc.
  • Implementing adequate identity and access management (IdAM) solutions, extending coverage of encryption solutions, reviewing and updating configurations of data loss prevention (DLP), security information and event management (SIEM), etc.
  • Deploying/updating centralised incident and breach management solutions to quickly detect/prevent security incidents and address data breach notification requirements.
  • Implementing anonymisation and pseudonymisation techniques in applications to better control data processing activities.

To conclude, the regulation and its enforcement may appear to be daunting to many organisations. There is also a cultural change in the way organisations are starting to handle personal data and provide services to their customers. Current developments and changes being proposed in our privacy landscape, coupled with strong technical capabilities, provide great opportunities for Indian companies to align their services and data handling processes to global standards and become market differentiators in the arena of data privacy and protection.

 

Footnotes

1. http://www.cioandleader.com/article/2017/05/02/india-gets-ready-eu%E2%80%99s-new-data-regime

 



dionpwc

Comment

Just wanted to add one point for the benefit of the blog audience - GDPR is critical, not just for Indian businesses doing business in Europe but also for Indian businesses offering their services as third-party vendors to European companies. Indian vendors stand to lose business with European companies if they are not GDPR compliant, as it would mean that European companies are liable for their actions.
