C&L_December 2017 (1)

More documents

Recommendations

Info

Cover Story tination,” - according to a white paper titled GDPR and India, written by Aditi Chaturvedi for The Centre for Internet and Society. Capgemini Sogeti India, a fully-owned subsidiary of the Capgemini Group, with total revenues of EURO 6,412 million this year, is a well-known French IT Services and Consulting Organization and has customer across Europe and USA. According to Harshad Mengle, Director – Cyber Security at Capgemini Sogeti, we have taken a structured approach and the framework is in place to address GDPR needs.” “It is important to disclose how we are going to protect our customer’s data, and this in turn, will give more confidence to our EU customers. Some of the challenges include how we will alter our entire ecosystem in order to incorporate data management protection as per GDPR guidelines, how the “We have been running a global project for GDPR compliance across the company and are tracking actions across subsidiaries and shared services. Being an EU headquartered company, we need to comply with all the requirements of GDPR.” Parag Deodhar Information Security Leader at a reputed financial services firm workflow systems need to be changed, and how IT and monitoring systems need to be aligned with privacy data in order to be compliant,” said Mengle. “A good compliance- to- privacy framework will help C-suite build strong technological and process control framework which can be also easily integrated with security operation management for privacy breaches,” he added. The IT Services player has already employed a data controller, data processor, and a data protection officer who will take up responsibility of ensuring compliance. Evalueserve Inc, a knowledge services provider, with estimated annual revenues of more than USD 250 million offers research, analytics, and data management services to Fortune 500 companies in the United States and internationally. The company has both clients and employees working from EU and their personally identifiable data will come under the purview of GDPR. According to Evalueserve’s Chief Information Officer and Chief Information Security Officer, Sachin Jain, we comply with UK/EU data protection act for some of our clients – so it is not going to be a difficult change for us. “However, the team involved has started working on it proactively to be ready to show compliance to GDPR well ahead of the deadline,” he added. The GDPR also levies steep penalties of up to EUR 20 million or 4 % of global annual turnover, whichever is higher, for non-compliance. The language in the guideline uses the word “reasonable” to indicate the level of data protection and privacy that companies should observe towards EU citizens. Immediate next steps to tackle GDPR 1. Demanding new privacy rights and obligations Educate key stakeholders, including the board of directors Risk-assess (including legal applicability) whether the GDPR applies to your organization 2. Establish cross-function and cross-business governance structure for assessment of the GDPR’s applicability to business operations, evaluation of readiness and management of your overall GDPR remediation efforts 3. Conduct a privacy impact assessment, with a strong focus on high-risk data flows of business processes 4. Conduct a GDPR gap assessment, with a particular focus on governance, policies, technology, external dependencies (e.g., vendors), existing data flows ("high-risk") and processing operations 5. Design and execute a prioritized implementation plan to address gaps based upon risk tolerance, risk priority, resourcing and investment Source: EY report titled ‘GDPR: demanding new privacy rights and obligations’ 12 CIO&LEADER | December 2017
Cover Story “We comply with UK/ EU data protection act for some of our clients so it is not going to be a difficult change for us. However, the team involved started working on it proactively to be ready to show compliance to GDPR well ahead of the deadline.” Sachin Jain CIO & CISO at Evalueserve Jain said that they take “reasonable” as the baseline protection layer or controls one has to deploy to ensure privacy and safety of data. The concern is natural as the IT/ITes sector in India has reported the largest increase in data breaches in 2016. The healthcare industry, comes a close second, accounting for 28% of data breaches, rising 11% last year compared to 2015. This calls for stringent measures to protect healthcare records of patients in India. The section 43(a) and section 72 of the IT Act mandates organizations to take reasonable provisions to protect sensitive information and provides a broad framework for the collection, storage and protection of personal information in India – including health conditions, medical records and biometric records. Other jurisdictions have already enacted sector-specific laws to protect medical information. The Health Insurance Portability and Accountability Act (HIPAA) is the primary law that establishes the US legal framework for health information privacy and gives patients substantial control over their information. At Alembic Pharmaceuticals, the company has tied with a leading consulting provider to identify areas where it needs to make process and data changes which would be in alignment with GDPR regulations. According to Gopal Rangaraj, its CIO & Head-IT, GDPR is an organic extension and is not a completely new framework. In healthcare, end-patient data safety was always a mandate. Therefore, we capture patient information including demographic data, and how we handle customer complaints handling process in the context of GDPR will be interesting. Alembic Pharmaceuticals Ltd. is an INR 31.31 billion Indian multinational pharmaceutical company headquartered in Gujarat, India. Alembic Pharmaceuticals Europe Limited, however, is the 100 % subsidiary of the Alembic Global Holding SA, and is located in Malta, Europe. Rangaraj said that their Indian business does not handle any EU datasets – but didn't fail to add that adhering to the guidelines and making them more bulletproof is how they see the whole thing. At Wanbury, Jitendra Mishra, its VP-IT and CIO said that the GDPR is an extension of an earlier law 1995 data protection directive. The pharma major is the largest manufacturer of Metformin in the world and exports to over 50 countries – 65% of which comprises of regulated markets. “We supply 90% of our Metformin to European countries. We have employees as well as contractors across EU –and our chief compliance officer in cooperation with IT security as well as the board – is creating a Standard Operating Procedure (SOP) to ensure how the GDPR is going to impact our business, how we secure personal information of our customers, and how to map all these scenarios to mitigate risks by enforcing policies, technology and creating awareness in the organization.” Across verticals, businesses in India give an impression that they are in tune with the implications of GDPR. To an extent, they see their data privacy law offering assistance when it comes to tackling GDPR requirements as to how it will help in demonstrating that India is on par with the EU in terms of data protection law. However, almost everyone agrees that it needs careful revision to incorporate few amendments to align with strong protection regulation. Additionally, they believe that it will also ensure all companies in India have reasonable practices in place. This will give confidence to EU companies with subsidiaries in India or outsourcing work to India. It looks like the data privacy law has come at the right time when some Indian businesses are gearing up for biggest ever overhaul of data protection regulation December 2017 | CIO&LEADER 13
Page 1: Insight: Wither Supercomputing? Pg
Page 4 and 5: Insight: Opinion Feature Volume 06
Page 6 and 7: INTERVIEW "Hybrid cloud serves as a
Page 8 and 9: Interview Nitin Mishra, Netmagic co
Page 10 and 11: GDPR: The Countdown to New Regime W
Page 12 and 13: Cover Story “In India, however, 7
Page 16 and 17: Cover Story+ Towards an Indian Data
Page 18 and 19: Cover Story+ Whitepaper on Data Pro
Page 20: Cover Story+ Should there be strict
Page 23 and 24: Insight Measuring the Speed of Spee
Page 25 and 26: Insight AAutomation and intelligenc
Page 27 and 28: Insight AAs many as 96% of senior e
Page 29 and 30: Insight Worldwide IT Services Reven
Page 31 and 32: Insight mechanical systems. When da
Page 33 and 34: Insight D Don’t Fear AI Machine l
Page 35 and 36: Insight AAccording to 2018 Gartner
Page 37 and 38: Opinion WWe live in a time where te
Page 39 and 40: Opinion TTesla has already changed
Page 41 and 42: Feature IIn 1978, Transformational
Page 43: 100 Finance decision-makers of Indi

C&amp;L_December 2017 (1)

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?

C&L_December 2017 (1)