Cover Story

“In India, however, 7 out of 10 BFSI organizations (handling EU customer data/business) we reached out to did not want to comment on their GDPR preparedness”

The ABC of GDPR

The General Data Protection Regulation (GDPR) is a law, or regulation, which was adopted by the European Commission on 27 April 2016. The GDPR applies to any organization, regardless of geographic location, which controls or processes the data of an EU resident in a proscribed way. It dictates to what extent personal data may be collected, the need for explicit consent to gather such data, requirements to disclose data breaches, and stronger powers to substantially fine organizations that fail to protect the data for which they are responsible.

Applicability: Applies to entities, including third parties, that are (i) established in the EU, (ii) providing goods or services to EU residents, or (iii) monitoring the behavior of individuals in the EU.

Building: Privacy-by-design principles must be incorporated into the development of new processes and technologies.

Empowering Consumers: Organizations will have to facilitate customers’ and employees’ right to erasure (of data), right to portability, and an increased right of access.

Fines: Up to EUR 20 million or 4% of the organization’s total global revenue, whichever is greater; the regulation also gives individuals new rights to bring class actions against data controllers or processors, if represented by not-for-profit organizations, which heightens litigation risk.

Reporting: Organizations will have only 72 hours to report data breaches.

Employing People: Most organizations will need to designate a Data Protection Officer and a Data Controller.

Storage: Organizations will have to maintain records of processing activities.

Security: Organizations will need to scale security measures based on privacy risks.

Permissions: Explicit and affirmative consent will be required before processing personal data.

Source: EY’s cyber and privacy insights document

For long, the fleeting mention of GDPR in India came up only at the time of reporting a security breach. That changed in 2016, when Indian regulators, namely the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI), issued frameworks to strengthen cyber security in the BFSI sector.

“Banks, as owners of such data, should take appropriate steps in preserving the Confidentiality, Integrity and Availability of the same, irrespective of whether the data is stored/in transit within themselves or with customers or with the third party vendors; the confidentiality of such custodial information should not be compromised at any situation and to this end, suitable systems and processes across the data/information lifecycle need to be put in place by banks,” RBI explicitly highlighted in the framework, under the section subtitled ‘Ensuring Protection of customer information’.

In September 2016, SEBI also asked commodity derivatives exchanges to put in place a framework to safeguard systems, networks and databases from cyber attacks. It also announced the appointment of a new Chief Security Officer, who will be responsible for strengthening SEBI's regulatory policy framework in the area of cyber security.

Going a step further in April 2017, the Insurance Regulatory and Development Authority of India (IRDAI) tightened the noose on CEOs and CMDs of all insurance firms, giving them a period of about a year to ensure that adequate mechanisms are put in place to address issues related to information and cyber security.

The icing on the cake this year was the Supreme Court's landmark verdict on the right to privacy. Additionally, India is now moving towards legislation on data protection. The central government had set up an expert committee to study the different issues relating to data protection in India and make specific suggestions on the principles underlying a data protection bill.
CIO&LEADER | December 2017