EU GDPR bearing on Indian Outsourcing Industry – Part II

      Comments Off on EU GDPR bearing on Indian Outsourcing Industry – Part II

This is a continuation of our multi part blog – EU GDPR. The first part briefly explained the criticality and updates on this stringent privacy regulation. Link: https://blogs.dsci.in/eu-gdpr-part-i/ This part defines the implementation and compliance issues being witnessed and tackled by the industry.

Implementation and compliance

The GDPR has significantly upped the ante when it comes to liabilities and penalties. There are various guidelines notified and mandated by GDPR which has direct liabilities onto the organizations (of any kind processing the personal data of EU residents). Some of them worth mentioning are data breach notifications, identifying lead supervisory authorities, conducting Privacy Impact Analysis (PIA) as desired by supervisory authorities, notifying and explaining the individuals on how to exercise their rights, etc.

In order to comply with these, organizations have started not only reviewing the paper work such as their policies, privacy programs, processes involving PI, contracts with vendors as well service providers, etc. but have also started focusing on various technical measures and defined rules/configurations of tools/technologies required to implement what is written in documents. Following are some of the aspects organizations are focusing on, changing the landscape of technologies being used for implementing privacy & security programs in their respective organizations, in order to comply with GDPR.

  • Level of pseudonymisation and encryption required while processing personal data
  • Extent of changes required in the configuration of DLP, SIEM and other technical solutions being deployed
  • Refinement or updation of contracts, access grant, managed services, collaboration rules, etc. for the purpose of ensuring privacy
  • Review of data retention schedules, cross-border data transfers, privacy notices, consent, etc. on timely basis
  • Equip the security ecosystems with effective IDAM, IAM, Log monitoring and incident management solutions, and identify the required changes
  • Cloud operations managers, specifically, to determine what PI they are currently storing, where it lives, how it flows within the organization and how it is secured

The above list is indicative of various technologies and processes defined at various levels in an organization, while processing the personal data. There are many other technologies, as well, used for various other purposes in an overall information lifecycle in an organization. In order to comply with GDPR requirements organizations are in the process of reviewing all the defined processes and technologies deployed by it at various levels.

Enforcement and penalties

The regulation basically has two levels of fines that can be imposed:

  • The first level is generally related to any non-compliance by a data controller or processor. The maximum fine for this is upto Euros 10 million or 2% of annual global turnover of the organization in the preceding financial year, whichever is greater.
  • The second level is generally related to any breaches that affect the rights and freedoms of data subjects. The maximum fine for this is upto 20 million euros or 4% of global turnover of the organization in the preceding financial year, whichever is greater.

In order to enforce and regulate, every EU Member state is required to have one or more public independent authority – ‘Supervisory Authority’. The role of the supervisory authority is to monitor, guide and ensure the adequate implementation of the GDPR in the geography under their scope. Supervisory authority would also be required to undertake awareness activities, ensure privacy during trans-border data flows, address complaints, investigate data breaches, levy fines/sanctions and all such activities required for regulation implementation and enforcement.

Currently, all further guidelines and clarifications on various topics discussed under GDPR are being published by Working Party (WP29). From May 2018 when the GDPR comes into effect, WP29 will become the European Data Protection Board (EPDB). All supervisory authorities would then be overseen by EPDB and the primary role of the EPDB would be that of an EU-level privacy warden. It is also expected to provide a ‘consistency mechanism’ for supervisory authorities to cooperate with each other and ensure the consistency in the implementation of the GDPR across all member states.

Conclusion

The world is gripped with GDPR and its impact. Different entities and bodies are coming out with guidelines, FAQs and explanatory documents on interpretation of the GDPR and how it needs to be implemented. Some of these are by the WP29 and by supervisory authorities in different EU countries while some are being brought out by other countries outside of the EU who would be impacted as well. In India too, when government is exploring techniques to showcase India as a safe destination for data transfers, industry too is working its own charter to understand, implement and nurture business in EU by complying with their regulation. Though, authorities in India are in continuous talks with EU counterparts to devise methods and adequate approach for helping organizations to conduct safe and secure business while keeping privacy intact, but, the abreast knowledge in the domain would definitely help organizations to deliver business to EU organizations that complies with GDPR. It’s high time now when Indian organizations should not only start comprehending GDPR requirements and formulating the implementation road ahead, but also emerge as front runners, thought leaders and share best practices with the world.