A Ready Reckoner to GDPR

There has been a lot of buzz around General Data Protection Regulation (GDPR), a new law by the European Union (EU) around privacy of data that came into effect on May 25, 2018. It aims to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. Considering the far-reaching effects that data theft and data breach have in this digital age, the need to safeguard data has become paramount.

THE NUMBER MANIA

Statistics reveal the sheer scale of the problem. Nearly 5 million data records are lost or stolen worldwide every day, according to the Breach Level Index; that is a staggering 58 records every second. The 2017 Cost of Data Breach Study conducted by Ponemon Institute and IBM puts the average cost of each lost record at $141. With rapid and aggressive digitization and emergent technologies, the global cost of data breaches will rise to $2.1 trillion by 2019, according to Juniper Research. The Breach Level Index, a database maintained by Gemalto, reveals that of the 9,727,967,988 data records stolen or lost since 2013, only 4% of breaches were "secure breaches", where encryption was used and the stolen data was rendered useless. Incidents involving accidental loss increased significantly, from under 250 million in 2016 to nearly 2 billion the following year. Identity theft continues to be the major type of data breach: it was responsible for 682,506,529 compromised records and 1,222 incidents in 2017, the greatest number of incidents among all data breach types.

THE DIRE SERIOUSNESS

Given this situation, GDPR is expected to reshape, even revolutionize, the way organizations deal with data protection. GDPR applies not only to EU residents, who come under the purview of the new privacy law, but also to the millions of non-EU citizens who are working, studying or simply travelling through the region. This means that any Indian passing through the region will also be governed by GDPR, even while still accessing domestic services.

According to a study by Ernst & Young, only 13% of Indian companies are prepared for GDPR. GDPR applies to any organization that collects and processes personal data for its business transactions and has EU 'establishments' where personal data is processed 'in the context of the activities' of such an establishment. This includes Indian companies headquartered in India that conduct business in the EU, have sales offices or branches there, or operate e-commerce websites out of India that cater to the EU region. GDPR will therefore apply to an Indian organization even if it has no office outside India, so long as it deals with EU data either as a controller (i.e. it determines how and why data needs to be processed) or as a processor (i.e. it processes data on behalf of a controller). GDPR applies globally: companies outside the EU will have to comply with the Regulation if they process personal data of EU data subjects in connection with "offering goods or services" (payment is not required) or "monitoring" their behaviour within the EU. GDPR will not, however, apply to data that does not relate to an identified or identifiable person, or to data that has been anonymized in such a manner that the data subject is unidentifiable.

BASIC DEFINITIONS OF GDPR
  • Personal Data – any information that can directly or indirectly identify an individual (a name, an IP address, a cookie or an internal reference number, to name a few examples). It includes automated personal data and can also encompass pseudonymized data if a person can be identified from it.
  • Processing – anything that is done to or with personal data, from collection to deletion and everything in between: any activity involved in the collation, storage, dissemination, amendment or destruction of data. The concept of 'data processing' also requires that the data is held safely and securely, a concept often referred to by its own term of art, 'cyber security'.
  • Sensitive Personal Data – information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning health or sex life (all of which must be treated differently from ordinary "personal data").
  • Controller – the organization that determines the purposes and means of processing, i.e. the entity that decides why and how personal data is or will be used. If you hire a person and conclude an employment contract containing personal data such as a name and bank details, you are a Data Controller.
  • Processor – the person or organization that processes data on behalf of the controller. Processing here means obtaining, recording, adapting or holding personal data.
  • Data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. A data breach encompasses any situation where an outside entity gains access to personal user data without the express permission from the individual. Data breaches can often involve the malicious use of data against users.

The Indian information technology and IT-enabled services industry would be the most affected by the new law, since it derives almost 30% of its revenues from Europe. Indian IT companies that align themselves with the changing dynamics of personal data management through cutting-edge data analytics can ensure that they are in a robust strategic position to drive continued growth. The size of the IT industry in the top two EU member states, Germany and France, is estimated to be $155–220 billion, and the European market for Indian IT is growing rapidly. For India's $146 billion IT outsourcing industry, which is estimated to grow at 2–3% year-on-year, 10–30% of revenue is expected to come from Europe. If these IT companies wish to keep registering impressive growth, compliance with GDPR becomes imperative.

Indian IT is well equipped to take the lead in making organizations GDPR-compliant while securing more business, especially when the rest of the world is comparatively less prepared to tackle the nuances of GDPR. This would help reposition Indian companies not merely as a technology hub with deep expertise and a talented resource pool, but as leaders in providing privacy-compliant services and solutions to global entities.

GDPR need not be perceived as a threat. It is rather an opportunity and a definitive path towards a profitable future free of data misuse and data breaches. Many companies find GDPR a rude wake-up call because they failed to do their homework and fall short of appreciating it as a game changer that will reset the benchmark for future international regulations on data privacy and protection.

ALIGNING FOR GDPR

Companies will experience different levels of impact from GDPR, depending on a variety of circumstances. Businesses will have to ensure that many separate elements align with the compliance requirements. Achieving GDPR compliance is manageable with a sensible approach, and most businesses will find that their existing processes and procedures already set them firmly on the road to compliance. Only the few businesses that knowingly or unknowingly engage in data abuse will face the brunt and find themselves starting from scratch.

KEY FOCUS AREAS
  • Governance (Spread awareness within the organisation)
  • Data Footprint & Privacy (Maintain records of personal data processing activities)
  • Individual’s rights (Uphold data subject rights)
  • Subject Access Requests (Meet data transfer requirements)
  • Privacy by design/default (Manage data protection impact assessment (DPIA))
  • Consent (Create/review privacy notices and consent)
  • Data breaches (Manage privacy incidents)
  • Third Party (Establish data processor accountability)
  • Purpose for holding data (Determine the legal basis for processing personal and special categories of data in the EU)

IS INDIA INC. READY?

Indian firms servicing European customers, such as IT, ITeS and SaaS companies, or servicing customers who do business in Europe, will have to follow the guidelines on data privacy and protection laid down by GDPR. There is no quick-fix solution, but assessing and building upon your existing data processing infrastructure will lead to tangible results and ultimately help establish a responsible business practice.

  • Understand the law: know your obligations under GDPR related to collecting, processing and storing data, including the legislation's many special categories.
  • GDPR Gap Analysis – the first step is to do a Gap Analysis when you are uncertain about how much your company complies with GDPR. Gap Analysis should be conducted to get a detailed assessment which will show your organization’s current GDPR compliance position, and a remediation plan to address the gaps and risks.
  • GDPR Data Flow Audit – get an inventory of the personal data held and shared by the organization in case you are not sure what personal data you hold or where it resides. Get a data flow map of your processes.
  • Data protection impact assessment (DPIA) – get an assessment of the data protection risks associated with the new process and a remediation plan to mitigate those risks.
  • GDPR Transition – implement the GDPR compliance project by adapting the existing data protection program to the GDPR.
  • Develop a vision and strategy for compliance with the GDPR
  • Create an accountability framework for data protection compliance.
  • Identify and prioritize key remediation activity to reduce your risk profile.
  • Conduct data discovery exercises and maintain documentation in order to demonstrate visibility of the personal data processed;
  • Impart data privacy training to employees or subcontractors.
  • Review/update contracts signed with third-party vendors.
  • Ensure to have systems to enable new data subject rights of individuals, including how one would delete personal data.
  • Indian companies need to appoint a data protection officer if they are a data controller or processor.
  • Organizations need to define the circumstances for managing personal data transfers, protecting the rights of data subjects when transferring data to other parties, both external and internal.
  • Document legal basis for processing, communicating privacy notices and recording consent.
  • Establish a process around periodic GDPR compliance monitoring.
  • Develop and implement centralized incident and breach management solutions to quickly detect or prevent security incidents and address data breach notification requirements.
  • Implement appropriate organizational measures to ensure pseudonymisation and encryption of personal data; confidentiality and integrity of processing systems; restoration of availability and access to personal data after a physical or technical incident; and regular testing and evaluation of such measures.
  • Implement processes and mechanisms to uphold the rights of data subjects by responding to requests appropriately and in a timely manner.
  • Establish data processor accountability.
  • Create a data protection compliance folder on your company file system. This will form the basis of your proof of compliance.
  • Every step you take towards GDPR compliance should be documented to be used in your defense if necessary.
  • Have a breach response policy
  • Create an asset register of the serial numbers of all your computers regardless of contents; you may need to prove to the ICO that a stolen computer could not have had any personal data on it.
  • Consider which individuals should have access to the data on each device.
  • Update your website's privacy policy to include the identity of the controller, the purpose of the processing and its legal basis, the legitimate interest relied on, any recipients or categories of recipients of the personal data, the right to withdraw consent at any time, and the data retention period.
  • You may also want to get specific and mention which cookies are on your website and give users the option to opt-out.
  • Create a retention schedule for data. When the data has reached the end of its retention period destroy it in accordance with a data destruction policy (minimize the data you hold).
  • Separate the data into categories: customers, prospective customers, staff, third-party suppliers, business contracts, prospective employees.
  • Perform a data audit frequently.

BEING GDPR COMPLIANT
  • Consent: Terms of consent must be clear. Consent must be easily given and freely withdrawn at any time.
  • Breach Notification: If a security breach occurs, you have 72 hours to report the data breach to both your customers and any data controllers.
  • Data Access: Ability to serve customers with a fully detailed and free electronic copy of the data collected about them. This report must also include the various ways customer information is being used.
  • Erasure / Right to be Forgotten: Also known as the right to data deletion, once the original purpose or use of the customer data has been realized, customers have the right to request that you totally erase their personal data.
  • Data Portability: Customers must be able to obtain their data from the company and reuse that same data in different environments outside of the company.
  • Privacy by Design: This section of GDPR requires companies to design their systems with the proper security protocols in place for both controller and processor.
  • Potential Data Protection Officers: Appointment of a data protection officer (DPO) depends upon the size of the company and the level at which the company currently processes and collects data.
  • Failure to comply with GDPR can result in some pretty hefty fines. Fines can reach 20 million euros, or up to 4 percent of the offending organization's annual revenue, whichever is greater. For lesser offences, the fine is halved to 10 million euros, or up to 2 percent of the offending organization's annual revenue.

KEY ARTICLES IN GDPR
  • Scope Of The Regulation (Article 3)
  • Data Protection Principles (Article 5)
  • Transparency And Notice (Article 12)
  • Right To Erasure And Other Data Subject Rights (Articles 15-21)
  • Data Portability (Article 20)
  • Profiling (Article 22)
  • Data Protection By Design And By Default (Article 25)
  • Third Party Contracting (Article 28)
  • Records Of Processing Activities (Article 30)
  • Security Of Processing (Article 32)
  • Accountability (Security Breach Notification) (Articles 33 And 34)
  • Data Transfers (Article 44-50)
  • Supervisory Authorities And The One Stop Shop (Articles 51-66)
  • Fines And Penalties (Articles 83-84).

About Author

Kiran Radhakrishnan

Kiran Radhakrishnan is a skilled negotiator and business law specialist with more than ten years’ diversified experience in providing expert counsel and directing company policy on a broad range of issues. He is currently working with PF Matters as Legal Counsel. He can be reached at [email protected]