General Data Protection Regulation - An Effort to Protect Personal Data in the Age of Digital Disruption

Jaspreet Singh, Partner - Cyber Security, EY

Privacy is an area of concern of the past, the present and the future. The digital explosion and the spread of connected technology will have a potential impact on privacy, and thus protection of personal data is being prioritised. Data protection and privacy are gradually gaining the spotlight and are undergoing a paradigm shift, especially in light of the new General Data Protection Regulation (GDPR). When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) from 1995. It becomes enforceable from 25 May 2018 after a two-year transition period.

The GDPR applies to any organization, regardless of geographic location, that controls or processes the personal data of a European Union (EU) resident. It dictates what data can be collected, the need for explicit consent to gather such data, broadened data subject rights, obligatory breach notification, lawful processing and stronger powers to substantially fine organizations that fail to protect the data for which they are responsible.

As per a survey report by IAPP and EY on privacy governance, only 40% of organizations across the globe believe that they will be ready for GDPR by 25 May 2018, and the remaining 60% have a long way to go before being compliant. The survey further points out that, with GDPR, investments in privacy programs and skills have increased substantially over the previous year and are expected to increase further.

Other countries, including India, are also working towards developing their own privacy frameworks, which would either complement GDPR or make it more stringent, in the end putting the power in the hands of the data subjects and making them more responsible for their privacy.

Key GDPR requirements and considerations

The GDPR introduces a rigorous and comprehensive privacy framework for businesses that operate in, target customers in, or monitor individuals in the EU. Organizations now have less than one year left to meet the suite of new obligations imposed under the GDPR, to implement compliance programs to protect data subjects, and to avoid hefty enforcement penalties.

Organizations will need to understand and document what data is acquired, maintained and processed, and the purpose and legal basis for it. With GDPR, EU residents will gain more control of their personal data, as organizations will have to provide clear and unambiguous information on how their data is being processed and will have to obtain explicit consent from the residents to process it. As GDPR empowers the data subject with privileges such as the right to be forgotten, the right to portability, the right to object to profiling, etc., organizations will have to ensure that they have mechanisms in place to comply with these new requirements. GDPR also emphasizes the need to appoint a data protection officer, who will be the single point of contact for the supervisory authority and will be required to advise upon, and maintain compliance with, the GDPR.

Privacy by Design has become an enshrined requirement, as it will force organizations to embed privacy protection into every aspect of their business rather than bolting it on as an afterthought. It advocates a risk-based approach that allows organizations to tailor their privacy protection programs based on the risks that are most material to the organization. In line with this requirement, organizations will be required to conduct privacy impact assessments and implement security measures that balance the newest technology with the cost of implementation and reflect the severity and likelihood of risks to an individual's rights and freedoms.

GDPR also underlines that cross-border transfers of data shall be allowed only to countries that provide an adequate level of personal data protection. It mandates organizations to report a data breach within 72 hours of the incident. Above all, organizations that violate the basic processing principles of the GDPR may be subject to fines totalling as much as 4% of the organization's total global annual revenue or 20 million euro, whichever is greater.

Implications of the new regulation and the way ahead

The implications of the GDPR for organizations can be summarized simply: every affected organization needs to immediately undertake a significant re-examination of its organizational data strategy related to personal and special categories of data. Specific requirements in the GDPR need to be planned for, organizational and technological approaches have to be implemented to resolve problems, and protection policies are to be further strengthened. Adopting recognised standards such as ISO 27001, COBIT, etc. may help in achieving greater transparency over data, and including periodic reviews in such activities may further support compliance going forward. Additionally, existing IT governance frameworks need to be adjusted to encompass all key GDPR requirements.

Another major implication of the GDPR is for those organizations that were not subject to the earlier EU data protection directive by virtue of not being based in one of the member states. The new, level playing field introduced by the GDPR applies to all firms everywhere if they control or process personal data on EU residents. The proposed regulation brings Indian service providers directly under the jurisdiction of EU commissioners. Adhering to the regulation leads to opportunity loss for the Indian IT/BPO industry as it further lowers the threshold for data transfer outside the EU. Following the regulations significantly adds to the compliance costs for the service providers. These costs are higher when serving EU-based clients as compared to other markets such as the US.

The new EU security requirements are complex and demand constant vigilance. It is in this context that companies need to realise that data privacy is not just an IT problem or a compliance issue, but a significant concern that the entire organisation (DPO, CIO/CISO and business teams) must work together to manage effectively.