Cover Story

tination,” according to a white paper titled GDPR and India, written by Aditi Chaturvedi for The Centre for Internet and Society.

Capgemini Sogeti India, a fully-owned subsidiary of the Capgemini Group, with total revenues of EURO 6,412 million this year, is a well-known French IT Services and Consulting Organization and has customers across Europe and the USA.
According to Harshad Mengle, Director – Cyber Security at Capgemini Sogeti, “we have taken a structured approach and the framework is in place to address GDPR needs.”

“It is important to disclose how we are going to protect our customer’s data, and this in turn, will give more confidence to our EU customers. Some of the challenges include how we will alter our entire ecosystem in order to incorporate data management protection as per GDPR guidelines, how the workflow systems need to be changed, and how IT and monitoring systems need to be aligned with privacy data in order to be compliant,” said Mengle.

“A good compliance-to-privacy framework will help the C-suite build a strong technological and process control framework which can also be easily integrated with security operation management for privacy breaches,” he added.

The IT Services player has already employed a data controller, data processor, and a data protection officer who will take up the responsibility of ensuring compliance.

“We have been running a global project for GDPR compliance across the company and are tracking actions across subsidiaries and shared services. Being an EU headquartered company, we need to comply with all the requirements of GDPR.”
– Parag Deodhar, Information Security Leader at a reputed financial services firm
Evalueserve Inc, a knowledge services provider with estimated annual revenues of more than USD 250 million, offers research, analytics, and data management services to Fortune 500 companies in the United States and internationally. The company has both clients and employees working from the EU, and their personally identifiable data will come under the purview of GDPR.

According to Evalueserve’s Chief Information Officer and Chief Information Security Officer, Sachin Jain, “we comply with the UK/EU data protection act for some of our clients – so it is not going to be a difficult change for us.”

“However, the team involved has started working on it proactively to be ready to show compliance to GDPR well ahead of the deadline,” he added.

The GDPR also levies steep penalties of up to EUR 20 million or 4% of global annual turnover, whichever is higher, for non-compliance. The language in the guideline uses the word “reasonable” to indicate the level of data protection and privacy that companies should observe towards EU citizens.
Immediate next steps to tackle GDPR

1. Educate key stakeholders, including the board of directors; risk-assess (including legal applicability) whether the GDPR applies to your organization
2. Establish a cross-function and cross-business governance structure for assessment of the GDPR’s applicability to business operations, evaluation of readiness and management of your overall GDPR remediation efforts
3. Conduct a privacy impact assessment, with a strong focus on high-risk data flows of business processes
4. Conduct a GDPR gap assessment, with a particular focus on governance, policies, technology, external dependencies (e.g., vendors), existing data flows (“high-risk”) and processing operations
5. Design and execute a prioritized implementation plan to address gaps based upon risk tolerance, risk priority, resourcing and investment

Source: EY report titled ‘GDPR: demanding new privacy rights and obligations’
12 CIO&LEADER | December 2017