Thursday, January 11, 2018

Making GDPR a priority for the year 2018

“You can resist an invading army; you cannot resist an idea whose time has come,” Victor Hugo once said wisely.

Today, in India, that idea is privacy. To date, privacy has not put up much of a fight; that will change in 2018. After a couple of years of getting fringe interest, privacy has, quite quickly, hit a tipping point.
The advent of the EU’s General Data Protection Regulation (GDPR) only adds to that movement. So, how is GDPR going to impact Indian organisations, and what should you, the IT leaders, be doing to ensure that your organisation complies with GDPR regulations?
The EU General Data Protection Regulation (GDPR) becomes enforceable by law in May of 2018. It will require global organizations that hold the personal data of European Union residents to adhere to new requirements around control, processing and protection.
GDPR will have a far-reaching impact on the digital economy
The GDPR probably won’t affect a large swathe of small and medium Indian businesses. But given the penalties (more on this later), that’s not a chance your business wants to take. Also, it is expected that many countries will follow the EU in terms of updating their regulations to match this new standard for data protection.
If not already, it is time to know if your company has or processes any data of a European company or a European citizen. Remember, the citizen doesn’t have to be residing in a country that’s part of the EU—just that she is a citizen. (Which countries are part of the EU?)
Given that the GDPR comes into force in May of 2018, Indian companies that haven’t started preparing have only about two quarters to do so.
Preparing for GDPR is critical
Delaying preparation for GDPR isn’t the best approach. Procrastinating isn’t going to make the GDPR go away!
Like any law, the worst case only applies if your company has suffered a data breach, is challenged by a European company or citizen, and cannot prove it has complied with the GDPR.
Any personal data breach impacting a European Union resident will need to be reported within 72 hours. Companies that do not comply will face fines of up to 20 million Euros or 4 percent of global turnover, whichever is higher. Infringements of a more technical nature call for penalties that amount to 2% of annual global revenue, or €10 million. Those who have not budgeted for the long-term implications of the GDPR will struggle.
Complying with GDPR’s Conditions
Our own research shows that complying with erasure (the right of EU nationals to be scrubbed clean from your servers and the servers of your partners) is what concerns businesses the most (51%).
That said, there is a host of conditions that need to be met; how difficult they are to comply with comes down to the maturity of your company’s data practices.
Here’s a slightly long, yet easy-to-read, list of changes that the GDPR has brought about.
What Needs to Change?
Plenty. The way your company asks for consent and collects data, how that data is stored and processed, the way your data supply chain is constructed, who your company shares data with, the number of technology partners your company uses for data back-up and archiving, the cloud services it chooses—all of this, and more, needs to change.
The majority of businesses will be stunned by the regulation’s impact on their operations, as it creates security challenges that cannot be solved solely with technology.
Smart companies will see this not just through the compliance lens but as a feature of their security policy. Fundamentally, the GDPR changes the way we look at data security.
Data is important because it belongs to people or is important to people, hence the focus on privacy. GDPR will put humans back at the centre of the security debate. And that is another idea whose time has come.