Indian firms grappling to comply with upcoming GDPR

Data Privacy

As the European Union (EU) gets ready to implement the much-awaited General Data Protection Regulation (GDPR) to harmonise data privacy laws for its citizens from May 25, most Indian organisations are still struggling to comply with the stringent regulation. Containing 99 articles and 173 recitals, GDPR has key requirements that directly impact the way organisations implement IT security, thus addressing the key security tenets of confidentiality, integrity and availability of data.

According to the latest forensic data analytics survey by Ernst & Young (EY), only 13 per cent of Indian firms have a plan to comply with GDPR by May 25. As India is not present in the list of countries approved for data portability and transfer, GDPR poses an extra challenge for domestic firms that operate in the EU. “It is imperative for Indian firms to plan and continue their journey towards compliance even after May 25, to ensure continuity of business within the EU and avoid hefty penalties because of non-compliance,” said Jaspreet Singh, Partner – Cyber Security, EY.

For Ramesh Vantipalli, Director Systems Engineering, End User Computing, VMware India, the challenge for Indian organisations facing GDPR is ubiquitous data, which will only increase exponentially in future.

“For Indian companies with operations in the EU, data security measures will now have to work alongside legal and compliance teams to ensure maximum adherence to GDPR. Fortunately, the transition will take place over some time and not overnight, giving Indian companies enough time to get their GDPR strategy in place,” said Vantipalli.

With data privacy concerns on the rise and stringent regulatory requirements like GDPR coming into force, organisations have no choice but to redefine the way they approach data management.

“Organisations should realise that GDPR is about more than just data; it’s necessitating a new playbook for businesses to engage with people,” stressed Akshay Aggarwal, Director, Solution Specialist, Oracle India. Non-compliance with GDPR can result in heavy fines and increased regulatory actions. “Organisations that collect personal data must be able to prove that they consistently and reliably comply with GDPR privacy and security principles. We’re actively working with several Indian businesses in this regard,” he said.

A new study from IBM reveals that nearly 60 per cent of organisations surveyed are embracing the GDPR globally as an opportunity to improve privacy, security, data management or as a catalyst for new business models, rather than simply a compliance issue or impediment.

GDPR is a fairly complex piece of legislation with far-reaching impact not just within the EU but across the world.

“Indian companies operating in the EU will have to change the way they capture, process and use data of EU nationals. It is a complicated process involving in-depth understanding of privacy laws and policies,” said Prajit Nair, Director Sales – End User Computing, VMware India. Technology alone cannot help organisations understand and transition to GDPR, but it will be a crucial enabler. “Indian companies must put in place a comprehensive strategy involving legal, compliance and IT departments to ensure complete adherence to the GDPR laws, as well as a proactive plan to address breaches and leaks,” he said.

Rana Gupta, Vice President – APAC Sales, Identity and Data Protection, Gemalto, commented, “The fast-approaching GDPR enforcement date has already resulted in the undertaking of massive changes to consumer data collection and processing practices, especially in consumer-led markets. As a result, we will continue to see tightening of the regulatory environment with respect to data privacy and enforcement of penalties on firms as well as fiduciary officers in the wake of data breaches resulting out of inadequate protection measures. Companies need to realise a breach is inevitable and key stakeholders, their customers, expect them to take reasonable measures to prevent breaches in the first place, and when that fails, to respond quickly and appropriately. GDPR mandates this practice for companies that operate in the EU or companies doing business with EU citizens. Questions remain, however, around implementation, interpretation and administration of the data protection practices – and these will need to be ironed out as the GDPR becomes enforceable. In order to be compliant, a business must begin introducing the correct security protocols in their journey to reaching GDPR compliance, including encryption, two-factor authentication and key management strategies to avoid severe legal, financial and reputational consequences.”

In fact, the post-GDPR world will see a much closer integration of the law and technology as organisations work out their data protection strategies.

According to George Chang, Vice President – APAC, Forcepoint, India’s Data Protection Law, when it comes into effect, will surely have a major impact on business operations. “Organisations in India need to place compliance and data security as a priority considering the cost for violating these privacy laws is about to get very expensive. GDPR can cost up to 20 million Euros or four per cent of annual turnover, whichever is higher, for intentional or negligent violations. With those kinds of stakes, investing in compliance now is the only right move for a sustainable business model,” Chang informed.

According to Richard Hogg, Global GDPR and Governance Offerings Evangelist, IBM, GDPR applies to all the personal data of any employee or customer who is in Europe. “Whether they are citizens or temporary residents and live there, or are just passing through an EU airport for 30 minutes. During this time, potentially GDPR applies to their personal data. GDPR really does have extra-territorial scope. Additionally, it can apply to anyone’s personal data, if you are actively marketing or profiling them from Europe, wherever they are in the world,” informed Hogg.

As the clock ticks down to the deadline to comply with the new GDPR regulations, Indian firms need to enact strict data protection regulations. “With strong data protection strategies in place, customers will place greater confidence in businesses, and businesses will minimise the financial fall-out of a breach,” added Chang.