15 security leaders reveal what they are doing to comply with European General Data Protection Regulations...
May 25, 2018. It was like any other summer day. Except that for thousands of senior IT and security leaders globally—whose organizations do business in Europe or have anything to do with any personal data of European citizens—it marked a day that would change their lives forever.
The day came and went. We have no way of knowing how prepared the organizations are, except, of course, those that have announced their programs publicly.
GE, for example, has developed a GDPR framework to facilitate its implementation. Bosch has clearly outlined its data protection policy since the GDPR came into effect. So have Philips and a few others.
Most of the European companies would surely have done something to ensure that their customer data is protected as flawlessly as possible. A single breach can make you pay 4% of your annual global revenue.
The regulations apply to any company that handles personal data of European citizens.
In India, GDPR is big news for two reasons. One, there’s a whole industry here built on providing technology and business services to companies everywhere, Europe being the second largest market after the US. Two, these are the guys (the IT companies) that are helping European companies become compliant. So it is an opportunity and a challenge at the same time.
It must be mentioned here that GDPR does not apply to the UK—the European country that India does most business with; but the UK has its own data protection rules, almost as stringent as GDPR.
So, how are Indian companies doing as far as complying with GDPR goes? We decided to ask the security leaders themselves.
And guess what—we asked them on 25th of May, the day GDPR was kicking in.
“GDPR has certainly upped our level of controls and made us deep-dive into where sensitive and personal data lies. It is helping us understand where the data is flowing. GDPR is bringing a proper method in place because cyber security, privacy and all such concerns are increasing by the hour. Being from the security industry, we want people to be comfortable using products and services and ensure that their data and security is being taken care of. So GDPR is a very welcome move and is positively impacting our business,” says Anuj Tiwari, CISO, HCL Technologies.
The answers were not too surprising. Most companies that had to comply have started in right earnest; there’s no other way. But as with any new initiative, people described action—what they are doing—rather than what they have achieved.
As expected, IT/BPO companies are ahead of the curve.
“Since we were already certified in ISO 27001, SOX and SSAE 18, it was easy to implement all the GDPR controls. Also, as we are a HIPAA company, HIPAA and DPA controls were also configured along with the 27001 controls. So we were already compliant with the UK Data Protection Act,” says Rajiv Nandwani, Director & VP, Global InfoSecurity, Innodata. GDPR compliance was, hence, a bit easier.
While IT/BPO companies treat GDPR as a high priority, some of the other companies are learning that they have to comply as well. Take Dewan Housing Finance, a housing finance company in India. Why are they worried about GDPR?
“Since we are dealing with NRI customers,” says Vinod Negi, Senior Chief Manager – Information Security & Risk, “we have to be compliant”.
“We have been speaking to our legal team and figuring out how it can be enforced, and also contacting third-party vendors who will also be under the ambit of GDPR,” he adds.
In India, however, 7 out of 10 BFSI organizations (handling EU customer data/business) we reached out to did not want to comment on their GDPR preparedness. However, all of them had heard of the regulation and its impact on their business. In contrast, a quarter (25%) of the 700 European companies surveyed by IDC Research on behalf of ESET admitted they were not aware of GDPR, and more than half (52%) of them were unsure of its impact on their organizations.
Research firm Gartner, in a statement issued in November 2017, predicted that less than 50% of all organizations impacted would fully comply by the May 25, 2018 deadline.
The IT/ITeS sector is the biggest contributor to India’s economy. The services sector contributes 66.1% of GDP, and within it the information technology – business process management (IT-BPM) sector is a major component; the main markets for IT software and services exports are the US, the UK and Europe, accounting for about 90% of total IT/ITeS exports. Given the criticality of IT-BPM services, “India must do all it can to protect and promote business in this sector. To a large extent, future of business will depend on how well India responds to the changing regulatory changes unfolding globally. India will have to assess her preparedness and make convincing changes to retain the status as a dependable processing destination,” according to a white paper titled GDPR and India, written by Aditi Chaturvedi for The Centre for Internet and Society.
For Indian companies that have to comply with GDPR, it may come as a blessing. India itself is in the process of enacting a stringent data protection law. A committee was formed by the Government of India to work this out; it has already released its discussion paper listing the important issues and has received public inputs. A draft policy should follow.
With the Supreme Court of India’s landmark verdict on the right to privacy, it is a matter of time before India moves to the new data protection regime. Those who have complied with GDPR should find it much easier to comply with those requirements.
Read our ITNEXT June 2018 Issue