Is India Inc. ready for GDPR compliance?


The General Data Protection Regulation (GDPR) has brought about an unprecedented change in the European data protection laws after more than 20 years. It strengthens the data rights of EU residents and harmonizes data protection laws across all member states, thus designating individual choice as a priority over everything else.

GDPR was enacted two years ago while its enforcement across all 28 EU countries came into effect at midnight on 25 May 2018.

“The GDPR will replace the 1995 Data Protection Directive and is aimed at protecting EU citizens’ personal data in the new digital world. It is a significant, wide-ranging piece of legislation which will, no doubt, have a major effect on the world of cyber security and data protection. GDPR in spirit applies to nearly every organization based in India dealing with the personal data of subjects residing in the EU, regardless of the company’s location,” says Vijay Mhaskar, Chief Operating Officer, Quick Heal Technologies.

More than anything else, GDPR will make it easier and cheaper for companies to comply with data protection rules. The act is going to strengthen the data rights of EU residents and harmonize data protection laws across all member states, making them identical. It will also increase the potential fines organisations face for misusing data, and make it easier for people to discover what information organisations have on them. The EU believes this will collectively save companies €2.3 billion a year. GDPR will govern how organizations within and outside the EU will collect, manage, process, and protect personal data while respecting individual choice.

“As we stand amidst the fourth industrial revolution, maintaining the integrity of personal data has become as imperative to national security as protecting a country’s cyber borders. Organizations are under increased scrutiny, with everybody from lawmakers and investors to employees and consumers examining the relationship between what’s good for business and what’s good for individuals. Regulations like GDPR will begin a dialogue about what nations and multilateral stakeholders can do to streamline a system of checks and balances on a digital planet,” says Anant Maheshwari, President, Microsoft India.

“25th May – a day where Data will no longer be the same. If you think it only affects your production data, it’s much more complex than that. Managing your secondary data is probably the more difficult challenge for many companies. Organizations need to acknowledge that GDPR compliance is no longer simply an IT or technology issue. This is a chance to improve the efficiency of data governance. A holistic ‘People, Process and Technology’ mantra is still the way to achieve Zen amidst the chaos of complying with increasing Data privacy laws around the globe,” says Ramesh Mamgain, Area Vice President, Commvault India & SAARC Region.

“The proactive approach for data privacy and cyber security can result in new business opportunities, along with the trust of your stakeholders. Instead of searching for quick fixes to comply with GDPR, companies should focus upon long term sustainable improvements. Markets must work closely with the legal and IT departments over handling the personal data of customers they need for their strategic business objectives. The regulation simply makes it the organization’s duty to assess and decide what types of measures shall be implemented to comply with the GDPR, and to ensure that all precautions are undertaken to minimize the risk of data breaches by detecting breach attempts,” says Erik Andreson, practice leader of Cyber Security services – F-Secure.

Comments Aniketh Jain, CEO & Co-Founder, Solutions Infini, “GDPR, General Data Protection Regulation is a great step taken by the European Union. With the massive amount of data sharing taking place around us, it’s important now more than ever that a consumer’s data is protected and used only with their permit. The law is well defined and it’s a major change for most of the organizations and it’s good to see that it has been accepted well. The law also has strict penalties which makes sure that companies comply.”

In an official statement released by Sophos, Chester Wisniewski, Principal Research Scientist, Sophos, says, “With the EU General Data Protection Regulation (GDPR) coming into force, we wanted to assure you that we are confident in our preparations and adherence to this new legislation. Maintaining privacy is a complicated process and most people don’t even know where to start. When trying to define what privacy should be, the EU GDPR law drones on for 261 pages, not exactly a guide for practice over principles. So what can we do as individuals and organisations?”

“In the GDPR era, most business houses are frantically trying to put their house in order to be compliant with the data privacy and data protection related requirements of GDPR. What is most interesting to note is that the GDPR has forced business entities to sit up and take a serious look at the data that they have been amassing. Even the smallest of start-ups struggled to decipher how much data they have collected, where they have been stored and how they were processed. Therefore, I would say it is a good wake-up call which should be emulated by all businesses. The principles of GDPR are beneficial and could be adopted by all business houses whether there is an EU interface or not. Also, this may be helpful because our domestic law on this subject, which is in the making, may largely adopt the principles of GDPR. Therefore, organizations which are equipped with the principles of GDPR would be future-ready for the new Indian legislation,” says Supratim Chakraborty, Associate Partner, Khaitan & Co.

“As regulations catch up, Data Privacy has fast evolved to become a matter of survival for companies. Companies (Boards) that continue to ignore this, risk becoming non-existent almost overnight in the wake of any data breaches. The fast-approaching GDPR enforcement date has already resulted in the undertaking of massive changes to consumer data collection and processing practices, especially in consumer-led markets. As a result, we will continue to see tightening of the regulatory environment with respect to data privacy and enforcement of penalties on firms as well as fiduciary officers in the wake of data breaches resulting out of inadequate protection measures,” says Rana Gupta, Vice President – APAC Sales, Identity and Data Protection, Gemalto.

Says George Chang, VP, APAC, Forcepoint, “As the capacity to collect, store and analyze data for commercial purposes continues to grow exponentially, GDPR seeks to strengthen and unify personal data privacy and protection – putting people in control of their data and ensuring that businesses treat this data in a fair, transparent and secure manner. It’s no surprise that this seismic shift in the way we approach data security has caused a ripple effect across the globe, with many countries following suit and modernizing their own privacy and data protection laws.”

Certainly businesses can take a few lessons from GDPR. GDPR is teaching companies to collect less information from customers, unless they really need it. Businesses save money by having less data to protect and their customers gain the privacy that many desire in the process.


GDPR & India

GDPR presents a good opportunity for India to drive thought leadership in the global market. Organizations can build expertise and capabilities, create new lines of advisory and consulting businesses, develop a market differentiator and be a source of competitiveness. With millions of people going online for the first time, protecting their vulnerabilities cannot be compromised. The Supreme Court of India has already demonstrated its commitment to its citizens when it declared privacy a fundamental right last year, and with the passage of GDPR, the onus is now upon corporates to play their part.

India’s Data Protection Law, when it comes into effect, is sure to have a major impact on business operations. Organizations in India need to make compliance and data security a priority, considering that violating these privacy laws is about to get very expensive. GDPR fines can reach up to 20 million Euros or 4% of annual turnover, whichever is higher, for intentional or negligent violations. With those kinds of stakes, investing in compliance now is the only right move for a sustainable business model.

While many may be worried about the implications of a new regulatory era, in reality it will create trust and provide good practices that will benefit both the individuals and the business. These laws collectively present a positive business opportunity, when approached in the right way. Compliance can drive operational efficiencies, cost-savings and even fuel innovation. With strong data protection strategies in place, customers will place greater confidence in businesses, and businesses will minimize the all too common reputational and financial fall-out of a breach.

Hence, Indian businesses need to implement more robust data protection measures to prevent and manage data breaches. Businesses should adopt a robust data protection policy which outlines the procedure and designates responsibilities for ensuring complete privacy of consumer information. This should include a strong password policy, investment in the right IT security solutions, Data Loss Prevention (DLP) and encryption, regular data backups, employee awareness programs, and a comprehensive action plan to counteract data breach incidents. This focus on data protection will help them in nurturing greater trust with their European clients and expanding their market footprint within the region.

“Indian businesses are battling severe issues of data protection and cyber security that have larger business implications on productivity and customer confidence,” says Shree Parthasarathy, Partner, Deloitte India. “Embracing GDPR with a strategic roadmap should be the immediate priority for Indian CXOs that would include creating awareness, training as well as constitution of a dedicated data protection framework. GDPR can be a competitive advantage for India, if enterprises understand its relevance and further bring in a risk-based iterative mechanism to their business strategy that is trustworthy, secure, and agile in the digital world.”

“The GDPR applies to companies in Europe (specifically those in the EU / EEA), so it will affect an Indian company which has a European office, or is marketing to European customers. In terms of readiness, companies have had a long time to prepare for GDPR, but as the GDPR bar is quite high, many may be struggling to be ready. The biggest challenge in meeting the requirements is understanding not only what personal data companies have in their multiple systems, but also understanding the relationships of that data as well as who has access to it. GDPR is considered by many to be the highest global standard, and many countries have and will continue to strengthen their privacy laws in the near future,” says Arun Balasubramanian, Managing Director, Qlik India.

“As the world is getting more and more digital with proliferation of mobile phones and usage of the internet, it is very important for governing bodies to ensure that their people’s data and privacy are safeguarded. Digital economy can only flourish when you connect people, process, data and things in an ethical, meaningful and secure way,” says Srinivas Rao, Co-Founder & CEO, Aujas. “We feel that GDPR is a step towards that. The toughest aspect of the GDPR is its guidelines to adhere to the security policies by organization handling EU data in and outside of the state. In order to be compliant, businesses must begin by introducing the correct security protocols in their journey to reaching GDPR compliance, including encryption, two-factor authentication and key management strategies to avoid severe legal, financial and reputational consequences. India has evolved to become a technology hub equipped with deep expertise and GDPR could be an opportunity for Indian companies to stand out as leaders in providing privacy compliant services and solutions.”

According to data from the job site Indeed, job postings for cyber security roles rose by 150% between January 2017 and March 2018, with a corresponding increase of 129% in job searches for those roles over the same period. Between January 2017 and March 2018, job postings for Data Protection roles also rose by 143%, while job searches for those roles rose by 188%.

The implementation of the GDPR law in Europe has thus stimulated Indian companies to fortify their databases, leading to an upswing in the search for cyber security and privacy professionals.
However, despite cyber security jobs having zero percent unemployment, there is a huge dearth of skilled professionals who can understand the complexities of today’s interconnected world. Cyber security breaches and intricacies have touched all industries and sectors. Hence, it is vital for all organisations to strengthen their security systems and processes.

And so…
As GDPR comes into effect, it will significantly strengthen a number of rights: individuals will find themselves with more power to demand that companies reveal or delete the personal data they hold; regulators will be able to work in concert across the EU for the first time, rather than having to launch separate actions in each jurisdiction; and their enforcement actions will have real teeth, with the maximum fine now reaching the higher of €20 million or 4 percent of the company’s global turnover.