GDPR replaces the 1995 Data Protection Directive, which until now has set the minimum standards for processing data in the EU. GDPR will significantly strengthen a number of rights of individuals. In an exclusive conversation with Dataquest, Jaspreet Singh, Partner – Cyber Security, EY, talks about GDPR's effect on organizations, how vulnerable organizations are post 25th May, and how Indian organizations can prepare for the GDPR regime. Excerpts:
Q. Does GDPR affect IT ITes companies more than manufacturing or others? How does that work?
GDPR is a sector-agnostic regulation and is applicable to all organizations which process personal information to provide goods or services to EU residents/citizens within the EU. All organizations are equally impacted and they should undertake a risk-based approach to determine the risks and implement controls/frameworks to mitigate the risks identified.
Q. Are there different rules and directions depending on the size of the company?
Largely, GDPR does not differ by the size of the organization. There are certain specific requirements for small and medium enterprises; however, they do not differ a lot from those for big organizations. GDPR focuses on a risk-based approach to be followed by organizations, and therefore a small enterprise processing a high-risk category of data may be exposed to similar guidelines to which a big multi-national will be exposed.
Q. What is the role of the Data Protection Officer? How many companies have hired professionals for this position?
The Data Protection Officer is a new position mandated by GDPR for organizations which process a high risk/volume of data. The DPO shall report to the highest level of authority within the organization and there should not be any conflict in the responsibilities performed by the DPO. There are some specific responsibilities which have been defined in Article 37 to Article 39. Some of the key responsibilities are:
a) To inform and advise employees about their obligations to comply with the GDPR and other data protection laws;
b) Act as a single point of contact between the data subjects, supervisory authority and the organization;
c) Monitor and report compliance with the GDPR and other data protection laws as applicable;
d) Training employees involved in personal data processing;
e) Monitoring and tracking the implementation of the remediation steps to bridge the gaps identified in the GDPR/privacy audits and assessments.
Q. How vulnerable are organizations post-25th May?
It is a big milestone for organizations, and a lot of organizations are working towards their GDPR compliance journey; however, the majority of organizations are yet to embark on this journey and will not be ready by 25th May. Will this make organizations more vulnerable to security and privacy risks from the external world? The answer, to an extent, would be yes, as we believe that cybersecurity attacks would now be more focused on personal data and on how organizations can be held to ransom when personal data is out in the open. However, organizations shall look at what controls they have implemented and what additional controls are required to be implemented to demonstrate compliance.
Q. What if organizations are not 100% compliant by 25th May, will they be allowed some extended/relief time if they have already begun the process?
GDPR was released in April 2016, and going by that, the authorities have already given two years to organizations to become compliant, and we do not foresee an extension in the deadline. The organizations which will not be compliant by 25th May shall assess the extent of implementation and prioritise the activities to be completed before 25th May, such as notice, consent, privacy policy etc. In case the organization believes that it would not be ready by 25th May, it may reach out to supervisory authorities and share the status of the current implementation and the action plan to be compliant at the earliest.
Q. What key takeaways does GDPR provide for India?
GDPR is being seen as a balanced regulation which provides more power to data subjects and makes data controllers and processors more accountable for managing data privacy and protection within the organization. For Indian companies, it provides a great opportunity to prepare for the stringent privacy regulations that may be released in India.
Q. How can Indian organizations prepare for the GDPR regime?
There are some key steps that an organization should undertake to be compliant with GDPR:
1) Assess the applicability and gaps between the existing processes at the organization and GDPR requirements.
2) Based on the gaps identified, prepare a roadmap/implementation plan to close the gaps.
3) Undertake data discovery to identify personal data processed in functions and applications.
4) Undertake data protection impact assessments, and develop mechanisms to support data subject rights and breach management notifications.