Data protection and privacy are under the spotlight and undergoing a paradigm shift in light of the new General Data Protection Regulation (GDPR), adopted on 27 April 2016. It introduces more stringent and prescriptive data protection compliance obligations, backed by fines of up to 4% of total worldwide annual turnover or €20 million, whichever is higher. When it takes effect, the GDPR will replace the 1995 Data Protection Directive (officially Directive 95/46/EC). It becomes enforceable from 25 May 2018, after a two-year transition period.

GDPR applies to any organisation, regardless of geographic location, that controls or processes the personal data of individuals in the EU. It dictates what data can be collected, requires a lawful basis (such as freely given, informed consent) for gathering such data, imposes a duty to disclose data breaches, and gives supervisory authorities stronger powers to substantially fine organisations that fail to protect the data for which they are responsible.

GDPR introduces a rigorous and comprehensive privacy framework for businesses that operate in, target customers in, or monitor individuals in the EU. As of mid-2017, organisations have just one year left to meet the suite of new obligations imposed under the GDPR and to implement compliance programmes that protect data subjects and avoid hefty enforcement penalties.

With GDPR, individuals in the EU will gain more control over their personal data: organisations will have to provide clear and unambiguous information on how personal data is being processed, and where they rely on consent, that consent must be unambiguous (and explicit for special categories of data). Additionally, any organisation that markets or provides products or services to individuals in the EU, or monitors their behaviour, will be subject to the GDPR. As GDPR grants data subjects rights such as the right to erasure ("right to be forgotten"), the right to data portability and the right to object to processing, including profiling, organisations will have to ensure that they can honour these requests. GDPR also requires certain organisations (public authorities, and those whose core activities involve large-scale monitoring or large-scale processing of special categories of data) to appoint a data protection officer, who will be the single point of contact for the supervisory authority and will advise on, and monitor compliance with, the GDPR.

GDPR not only highlights privacy requirements in day-to-day operations, but also emphasises the need to integrate privacy by design. It advocates a risk-based approach that allows organisations to tailor their privacy protection programmes to the risks that are most material to them. Privacy by design has become an enshrined requirement, as it forces organisations to embed privacy protection into every aspect of their business rather than bolting it on as an afterthought. In line with this requirement, organisations must implement technical and organisational security measures appropriate to the risk, taking into account the state of the art, the cost of implementation, and the severity and likelihood of risks to individuals' rights and freedoms.

GDPR also stipulates that personal data may be transferred outside the EU only to countries that provide an "adequate" level of personal data protection as determined by the European Commission, or where appropriate safeguards (such as standard contractual clauses or binding corporate rules) are in place. It requires organisations to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Above all, organisations that violate the basic processing principles of the GDPR may be subject to fines of up to 4% of total worldwide annual turnover or €20 million, whichever is higher.

Implications of the new regulation

The implications of the GDPR for organisations can be summarised simply: every affected organisation needs to immediately undertake a significant re-examination of its data strategy for personal and sensitive personal data. Specific requirements in the GDPR need to be planned for, organisational and technological measures have to be implemented to address gaps, and protection policies must be further strengthened. The regulation makes it harder for EU businesses to pursue outsourcing opportunities and contains clauses that can hamper innovation in business models and user experience.

Another major implication of the GDPR is for those organisations that were not subject to the earlier EU data protection directive because they were not established in a member state. The new, level playing field introduced by the GDPR applies to all firms everywhere that control or process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour. For organisations newly brought within scope, there is a lot of catching up to do.

The regulation brings Indian service providers directly within the reach of EU supervisory authorities. Adhering to it means lost opportunities for the Indian IT/BPO industry, as it further tightens the conditions for transferring personal data outside the EU. Following the regulation also adds significantly to compliance costs for service providers, costs that are already higher when serving EU-based clients than in other markets such as the US.

According to EU policy makers, the new regulation is intended not merely to protect information but also to ensure that only legitimate, authenticated users can access it. In India, where much communication takes place over low-cost systems, end-to-end encryption provides a way to prevent misuse and ensure security, but this adds to the technology implementation cost for organisations.

The new EU security requirements are complex and demand continuous monitoring. It is in this context that companies need to realise that data security is not just an IT problem or a compliance issue, but a significant concern that the entire organisation must work together to address. The EU GDPR puts in place a regime in which the security of data is taken as a given and businesses are expected to actively work towards data protection.

