May 25 2018 ( updated at 18:15 IST): The General Data Protection Regulation (GDPR) (EU) 2016/679 --biggest overhaul of data privacy laws in over 20 years, is operational starting today.
It is a regulation in European Union law on data protection and privacy for all individuals within the EU and the European Economic Area. But it also addresses the export of personal data outside the EU and EEA. So it affects the rest of the world -- including Indian companies having any business in the EEU, as well as lay Indians who receive regular mailings, newsletters, and other information from European companies or global information providers.
You may have notices many of your regular business emailers, have sent you an alert of a change in their privacy policy to meet GDPR requirements. Some require to restate your interest in continuing to receive the service. Others say they will continue -- unless you proactively ask for a suspension. Some (like IT infrastructure provider Siemon, make a promise: "We do not - and will not - sell your data to third parties."
Most are coy about making such a flatout promise.
The focus is on the biggies like Facebook and Google whose business model has depended heavily on harnessing user data. Facebook, caught with its pants down after l'affaire Cambridg Amalytica, has been doing a mea culpa in the US and EU and has tried to share its heghtened awareness of proivacy with its millions of users. Google has not felt the need to sound apologetic. But in a worst case scenario, users could impact its lucrative advertisement business by refusing to allow sharing of their personal data. As a resul, some of the adfs would no longer be personalized to their interests and because of reduced clicks cut end up reducing advertiser spending..
GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. A processor of personal data must clearly disclose what data is being collected and how, why it is being processed, how long it is being retained, and if it is being shared with any third-parties. Users have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances.
It was adopted on 14 April 2016, and after a two-year transition period, becomes enforceable today, 25 May 2018. Because t GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.
Under the General Data Protection Regulation (GDPR), the organisations must have transparent justification for processing personal data. The rules threaten fines of as much as 4 per cent of company revenues for violations, although attorneys and European Union officials have cautioned there will be a grace period. Internet companies that track users online, whether for shopping, banking or other reasons, are set to face significant scrutiny. The new rules require that they have specific justification, such as consent, for using personal information.
GDPR comprises of 99 Articles governing the public policies designed to protect personal data. Only a handful actually relate to IT data protection and cyber-security.
We share some industry viewpoints:
Anant Maheshwari, President, Microsoft India: A tectonic shift in the global privacy paradigm, the data protection law will herald a new era in consumer trust.
As we stand amidst the fourth industrial revolution, maintaining the integrity of personal data has become as imperative to national security as protecting a country’s cyber borders. Organizations are under increased scrutiny, with everybody from lawmakers and investors to employees and consumers examining the relationship between what’s good for business and what’s good for individuals. Regulations like GDPR will begin a dialogue about what nations and multilateral stakeholders can to do to streamline a system of checks and balances on a digital planet.
VMWare: Preparing for the GDPR can appear daunting at first. Business process analysis, data mapping, and gap analysis are just the start. Legal guidance will become part of the “new normal” in IT as data privacy laws become both more stringent and more standardized across the world. Taking an approach across the data lifecycle gives IT the opportunity to do three things; align with the way the business looks at data protection, identify security gaps along the data lifecycle, and help to protect people’s personal information from their devices to the data centre.
Supratim Chakraborty, Associate Partner, Khaitan & Co: Most business houses are frantically trying to put their house in order to be compliant with the data privacy and data protection related requirements of GDPR. What is most interesting to note is that the GDPR has forced business entities to sit up and take a serious look at the data that they have been amassing. Even the smallest of start-ups struggled to decipher how much data they have collected, where they have been stored and how they were processed. Therefore, I would say it is a good wake-up call which should be emulated by all businesses. The principles of GDPR are beneficial and could be adopted by all business houses whether there is an EU interface or not. Also, this may be helpful because our domestic law on this subject, which is in the making, may largely adopt the principles of GDPR. Therefore, organizations which are equipped with the principles of GDPR would be future-ready for the new Indian legislation.
George Chang, VP, APAC, Forcepoint: As the capacity to collect, store and analyze data for commercial purposes continue to growexponentially, GDPR seeks to strengthen and unify personal data privacy and protection - putting people in control of their data and ensuring that businesses treat this data in a fair, transparent and secure manner. It’s no surprise that this seismic shift in the way we approach data security has caused a ripple effect across the globe, with many countries following suit and modernizing their own privacy and data protection laws. India’s Data Protection Law when it comes into effect, is sure to have a major impact on business operations. Organizations in India need to place compliance and data security as a priority considering the cost for violating these privacy laws is about to get very expensive. GDPR can cost up to 20 million Euros or 4% of annual turnover, whichever is higher, for intentional or negligent violations. With those kinds of stakes, investing in compliance now is the only right move for a sustainable business model. Pragmatic compliance does not need to be an expensive exercise too. Expenses are relatively low if implemented with a common sense approach. Understanding the parameters of the applicable legislation is key to getting it right. While many may be worried about the implications of a new regulatory era, in reality it will create trust and provide good practices that will benefit both the individuals and the business.
Rana Gupta, Vice President – APAC Sales, Identity and Data Protection, Gemalto: As regulations catch up, Data Privacy has fast evolved to become a matter of survival for companies. Companies (Boards) that continue to ignore this, risk becoming non-existent almost overnight in the wake of any data breaches. .. Questions remain, however, around implementation, interpretation and administration of the data protection practices – and these will need to be ironed out as the GDPR becomes enforceable. In order to be compliant, a business must begin introducing the correct security protocols in their journey to reaching GDPR compliance, including encryption, two-factor authentication and key management strategies to avoid severe legal, financial and reputational consequences.
Laurence Pitt, Security Strategy Director, Juniper Networks: Global tech companies have already taken the necessary precautions and several others are also in the midst of determining how they handle, store and erase customer data. In India, the more than 40 million SMEs would also need to act upon this. To some, it may seem like a distraction from their core business, but they cannot overlook GDPR as its impact will be huge. As the Indian ITES industry earns a sizeable chunk of its revenue from Europe, several contracts with customers and service providers will have to be rewritten. Securing customer data should be a key priority for companies today, and not just the data of EU citizens. GDPR should set the ball rolling on further improvements that companies must adopt voluntarily for ALL citizens universally. In fact, India can take this as the right time to devise its own cybersecurity legislations for the protection of its citizens. It is time to not view GDPR as an operational risk – but as a benefit instead. Companies that proactively value customer data can become pioneers and get a massive boost to their reputation by protecting privacy when it is more important than ever.
Ramesh Mamgain, Area Vice President, India & SAARC Region, Commvault: 25th May – a day where Data will no longer be the same. Today, GDPR comes into effect. If you think it only affects your production data, it's much more complex than that. Managing your secondary data is probably the more difficult challenge for many companies. Organizations need to acknowledge that GDPR compliance is no longer simply an IT or technology issue. This is a chance to improve the efficiency of data governance. A holistic ‘People, Process and Technology’ mantra is still the way to achieve Zen amidst the chaos of complying with increasing Data privacy laws around the globe.
Aniketh Jain, CEO & Co-Founder, Solutions Infini: GDPR, is a great step taken by the European Union. With the massive amount of data sharing taking place around us, it’s important now more than ever that a consumer’s data is protected and used only with their permit. The law is well defined and it’s a major change for most of the organizations and it’s good to see that it has been accepted well. The law also has strict penalties which makes sure that companies comply
Sashi Kumar, Managing Director, Indeed India: Globally, the increasing number of cyber crimes has made it imperative for companies to keep pace in hiring the right talent to combat them. Therefore, companies across the world are gearing up to ensure compliance to GDPR and ePrivacy requirements. While the larger technology giants are more or less equipped to comply, it is the mid-size and smaller firms that are seeking professionals to help them cope with the requirements the new laws entail.