The abbreviation GDPR aka (General Data Protection Regulation) has become no less than an acute forensic for the tech industry. Ever since the European Union (EU) has lit the beacon of ‘Data Protection’ to empower and secure its natives, GDPR has made affirmative and rational headlines. General Data Protection Regulation (GDPR) is all set to come into effect on 25 May 2018. Amidst this buzz, the GDPR has perhaps turned heads of Indian enterprises confiding them to apprehend the term. Today, data-protection in India is non-negligibly and is acting as a new regime. The main concern here is that how prepared are Indian enterprises to hum the melody.
Hence, Let’s Understand What Exactly GDPR Can Churn for India?
Apparently, ‘DATA’ has become the core of every business as it helps businesses differentiate themselves and thus represents a competitive edge. Previously, there were no such regulations to control the data being accessed for marketing purposes and somehow in the end, breach of data across businesses and States were making quite the headline.
Aggrandizing GDPR further, we looped two named veterans from the industry and their take on this new “Data Protection regulation” – or Christine it as ‘GDPR’. Rana Gupta, Vice President – APAC Sales, Identity and Data Protection, Gemalto elaborated, “As regulations catch up, Data Privacy has fast evolved to become a matter of survival for companies. Companies (Boards) that continue to ignore this, risk becoming non-existent almost overnight in the wake of any data breaches. Post the enforcement of Mandatory Breach Notification in Australia earlier this year, Australian organizations reported 63 breaches in the first 6 weeks. Every breach incident has the potential for long-term reputational damage to the impacted organization.”
The fast-approaching GDPR enforcement date has already resulted in the undertaking of massive changes to consumer data collection and processing practices, especially in consumer-led markets. As a result, we will continue to see tightening of the regulatory environment with respect to data privacy and enforcement of penalties on firms as well as fiduciary officers in the wake of data breaches resulting out of inadequately protection measures,noted Gupta.
Companies need to realize a breach is inevitable and key stakeholders, their customers, expect them to take reasonable measures to prevent breaches in the first place, and when that fails, to respond quickly and appropriately. GDPR mandates this practice for companies that operate in EU or company doing business with EU citizens. Questions remain, however, around implementation, interpretation and administration of the data protection practices – and these will need to be ironed out as the GDPR becomes enforceable. In order to be compliant, a business must begin introducing the correct security protocols in their journey to reaching GDPR compliance, including encryption, two-factor authentication and key management strategies to avoid severe legal, financial and reputational consequences, added Gupta.
Therefore, the new GDPR regulations were made rigid with fines of up to four percent of a company’s annual global revenue. The other strict rules include those pertaining to data breach reporting, the appointment of mandatory Data Protection Officer, and citizens’ right to be forgotten in the digital sphere among others.
What this means for business is that the companies operating in the EU or even outside have to significantly adjust their businesses if they hold or process or transact with data of EU nationals. This involves rewriting contracts with customers as well as service providers.
Plying From EU to India
The Indian IT firm and IT-enabled is most likely to be affected more due to this. As India has embarked on a journey of digital transformation, many things have been changed. Especially highlighting, the Union Budget for 2017 that outlines an ambitious goal of achieving 25 billion digital transactions in 2017-18 — which means the Government will need to ensure security and regulatory compliance of the unprecedented number of websites and web applications offering digital transaction services. Therefore, with the GST coming into effect recently, all businesses will now have to maintain electronic invoices in the cloud. India could draw on an over-arching data protection regime by building on GDPR. However, data protection cannot be in the government realm alone. Businesses in India can also take awareness and bring in strong data protection measures similar to GDPR, which will only enable their growth in the long run.
Small firms may find appointing data protection officers too cumbersome and the compliance costs are as high as one can imagine. The fines, if imposed, could completely wipe out some such firms. But it’s not just the small firms that are facing the heat.
The researchers and reports by Genpact further claimed that only one-third of Indian companies are prepared for the change.
According to ET, the European Commission officials who were on three-city tour of India told ET that the concept of GDPR is being taken too harsh. Ralf Sauer, Deputy Head of the unit for International Data Flows and Protection, Directorate General for Justice and Consumers, European Commission, had told ET, “So (companies should) calm down the anxiety a little bit. It’s not like a new world will appear from day one. “We have tried to create something which balances data protection with other interests, and which is fairly flexible.”
While stating on the new GDPR enforcement, George Chang, VP, APAC, Forcepoint, cited, “As the capacity to collect, store and analyze data for commercial purposes continue to grow exponentially, GDPR seeks to strengthen and unify personal data privacy and protection – putting people in control of their data and ensuring that businesses treat this data in a fair, transparent and secure manner. It’s no surprise that this seismic shift in the way we approach data security has caused a ripple effect across the globe, with many countries following suit and modernizing their own privacy and data protection laws.
India’s Data Protection Law when it comes into effect, is sure to have a major impact on business operations. Organizations in India need to place compliance and data security as a priority considering the cost for violating these privacy laws is about to get very expensive. GDPR can cost up to 20 million Euros or 4% of annual turnover, whichever is higher, for intentional or negligent violations. With those kinds of stakes, investing in compliance now is the only right move for a sustainable business model. Pragmatic compliance does not need to be an expensive exercise too. Expenses are relatively low if implemented with a common sense approach. Understanding the parameters of the applicable legislation is key to getting it right, said Chang.
While many may be worried about the implications of a new regulatory era, in reality it will create trust and provide good practices that will benefit both the individuals and the business. These laws collectively present a positive business opportunity, when approached in the right way. Compliance can drive operational efficiencies, cost-savings and even fuel innovation. With strong data protection strategies in place, customers will place greater confidence in businesses, and businesses will minimize the all too common reputational and financial fall-out of a breach, added Chang.
While, the companies are in a spot right now, there are few more areas to be put under consideration, i.e., the electronic consent architecture in India, which is a global first, but this needs to be inferred further. The scenario would be something like; Indian citizens should be able to claim penalties, if businesses failed to obtain clear consent to use their personal data. Also, there is the question of what constitutes as personal and sensitive data. Freely available data like a person’s name and email ID could be classified as personal data, while information about a person’s net worth or investment decisions, should be treated as sensitive data, which requires stronger governance and compliance measures. Digital marketers should be able to leverage technology to classify data categories based on such rules.
They also need to understand the rules for the flexibility of customer data – what can be shared or not shared; with or without their consent; with the competition or industry at large. The Indian enterprises dealing with customer data also need to store, organize and provide access control to customer data in their possession in accordance to global norms. This will preempt any data protection governance and compliance norms that may be implemented by the Government, which is likely to happen soon.