Hrishikesh Sivanandhan,
VP & BU Head - Consulting Services
On May 25, 2018, the European Union will formally begin enforcing the EU General Data Protection Regulation (EU GDPR), widely considered by experts to be the most comprehensive data protection law ever defined. The landmark regulation supersedes the Data Protection Directive and gives EU citizens more control over their personal information. Hrishikesh Sivanandhan, VP & BU Head - Consulting Services at Paladion Networks, explains what it means for Indian businesses.
The GDPR is aimed at enforcing strict policy measures to protect the personal data of EU citizens. Personal data, defined as “any information that can be used directly or indirectly to identify an individual” and which “must be protected”, is categorised into three major parts: general information, organisational information, and special categories of data.
The GDPR outlines a common regulatory framework pertaining to data security, under which all organisations collecting, storing, transmitting, or processing personal data of EU citizens are held accountable for the security of personal information that they handle. This accountability is applicable regardless of where the organisation is actually based, as long as it handles personal data pertaining to EU citizens. This means Indian businesses handling personal information of individuals hailing from Europe are also governed by this new data protection law.
The GDPR provides for strict action against non-compliance and data infringement. Any material or non-material damage caused by a GDPR infringement entitles the affected individual (called the data subject) to compensation from the non-compliant entity. In addition, administrative fines can be imposed on the data processor or controller by the GDPR supervisory authority under two categories:
The level of these administrative fines depends on various factors. The nature, gravity, and duration of the infringement are all considered, as is whether the infringement was intentional or negligent. Actions taken by the controller or processor in question to mitigate the impact of the breach on data subjects are also taken into account. Other factors considered when determining administrative fines are the degree of responsibility assumed by the data controller or processor in implementing technical and organisational measures, any previous record of data infringements, and adherence to approved certification mechanisms or codes of conduct.
The key aspects for Indian organisations to be mindful of, to take stock of their GDPR readiness and to identify major gaps that need to be plugged, are:
Another thing that Indian organisations need to pay attention to here is identifying their role in the data hierarchy, and the corresponding responsibilities. The GDPR classifies data handlers under the following two categories:
Data processors must also sign confidentiality agreements with personnel who work with the personal data of EU citizens, and must delete or return all personal data to the controller at the end of service. Ensuring the security, confidentiality, integrity, availability, access control, and resilience of the personal data handled also falls within the ambit of data processor responsibilities.
In addition to their individual responsibilities, controllers and processors share certain common responsibilities under the GDPR. They are required to maintain records of data processing, comply with the code of conduct or with an approved certification mechanism, and to implement appropriate technical and organisational measures to ensure security of personal data. Both controllers and processors are also required to undertake regular risk assessments, testing, and monitoring in order to identify existing or prospective vulnerabilities in their systems, as well as to review and upgrade the technical and procedural safeguards from time to time. Data handlers also need to implement SOPs for identifying potential data breaches.
Getting business operations compliant with the new data protection law requires significant investment of time and restructuring of existing processes and systems. This is where MDR service providers such as Paladion step into the picture. With a four-phase approach, Paladion can help businesses in fast-tracking the compliance efforts, in addition to ensuring regular monitoring and maintenance for continued compliance.
The GDPR is a revolutionary step towards ensuring adequate security and protection for personal data, but meeting its compliance requirements will be difficult for organisations. With many organisations struggling to implement adequate measures, market studies estimate that the EU could end up collecting up to $6 billion in fines and penalties in the first year alone. With Paladion’s high-speed approach, Indian organisations can ensure that they are able to avoid the ignominy of making the non-compliance list by meeting each of the stringent requirements of the articles of the regulation.
This article was originally published by Deccan Chronicle. It can be viewed at https://www.deccanchronicle.com.