With less than six months to go before the most comprehensive personal data protection regime yet kicks in, Indian companies are rushing to comply with the new provisions. The IT/ITeS and BFSI segments look to be well ahead.
Transparency can never be a bad thing. In fact, it is perhaps the only absolute that organizations should be able to promise their customers with certainty.
Unfortunately, that is not always the case. Blame it on today's massive data growth. In 2011, when IDC predicted that data volumes would grow by as much as 44 times, it may have surprised some of us. When the recent IDC Data Age 2025 whitepaper, titled 'The Evolution of Data to Life-Critical', forecast that the global datasphere would grow to 163 zettabytes (a zettabyte is roughly a trillion gigabytes), it only made businesses think about the unique user experiences and the new world of business opportunities that such data will unlock.
A lot has changed since 2011 in how companies want to use the massive volumes of consumer data generated from a multitude of sources such as social media, the internet of things, mobile devices and real-time feeds. This user-generated information is the truth of our data-driven world. There is a significant gap between the amount of data produced today that requires security and the amount of data that is actually being secured, and this gap will widen.
According to the same IDC whitepaper, by 2025 almost 90% of all data created in the global datasphere will require some level of security, but less than half of it will be secured. That is highly disconcerting.
Statistics show that many of the worst security breaches on record (around 20 of them) have taken place in the last five years, pushing governments to act.
The General Data Protection Regulation (GDPR) is one such response: a regulation enacted by the European Union (EU) that applies to organizations across the globe that handle the personal data of people in the EU. The GDPR places the onus for specific privacy requirements on the entities collecting, storing, analyzing and managing personal data. Firms subject to the GDPR will have to demonstrate their compliance with its requirements by May 25, 2018, the date from which it applies.
For a long time, GDPR received only a fleeting mention in India, usually when a security breach was being reported. That changed in 2016, when Indian regulators, namely the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI), issued frameworks to strengthen cyber security in the BFSI sector. “Banks, as owners of such data, should take appropriate steps in preserving the Confidentiality, Integrity and Availability of the same, irrespective of whether the data is stored/in transit within themselves or with customers or with the third party vendors; the confidentiality of such custodial information should not be compromised at any situation and to this end, suitable systems and processes across the data/information lifecycle need to be put in place by banks,” the RBI explicitly stated in the section of its framework subtitled ‘Ensuring Protection of customer information’.
In September 2016, SEBI also asked commodity derivatives exchanges to put in place a framework to safeguard their systems, networks and databases from cyber attacks. It also announced the appointment of a new Chief Security Officer, responsible for strengthening SEBI's regulatory policy framework in the area of cyber security.
Going a step further, in April 2017 the Insurance Regulatory and Development Authority of India (IRDAI) tightened the noose on the CEOs and CMDs of all insurance firms, giving them about a year to ensure that adequate mechanisms are in place to address information and cyber security.
The icing on the cake this year was the Supreme Court's landmark verdict recognizing the right to privacy. India is now also moving towards legislation on data protection: the central government has set up an expert committee to study the issues relating to data protection in India and make specific recommendations on the principles that should underlie a data protection bill.
These frameworks may not directly advance the GDPR preparedness of companies in India, but they certainly keep customer data protection and security on their agenda.
According to Parag Deodhar, Information Security Leader at a reputed financial services firm headquartered in the EU with subsidiaries spread across the globe, “We have been running a global project for GDPR compliance across the company and are tracking actions across subsidiaries and shared services.”
The firm has shared services centres outside the EU where data on EU customers is processed, and therefore has to comply with GDPR regardless of where that processing takes place.
“We are implementing a data privacy and protection framework with global standards such as ISO / NIST etc. Our framework has been reviewed by reputed audit firms as well as regulators. We have incorporated their recommendations in our framework as well,” said Deodhar.
In India, however, 7 out of the 10 BFSI organizations handling EU customer data or business that we reached out to did not want to comment on their GDPR preparedness. All of them, though, had heard of the regulation and understood its impact on their business. That contrasts with the 700 European companies surveyed by IDC Research on behalf of ESET, of which a quarter (25%) admitted they were not aware of GDPR and more than half (52%) were unsure of its impact on their organizations.
Research firm Gartner, in a statement issued in November 2017, predicted that less than 50% of all organizations affected will be in full compliance by the May 2018 deadline.
The services sector is the biggest contributor to India’s economy, accounting for 66.1% of GDP, and the information technology and business process management (IT-BPM) sector is a major part of it. The principal export markets for Indian IT software and services are the US, the UK and the rest of Europe, which together account for about 90% of total IT/ITeS exports. Given the criticality of IT-BPM services, “India must do all it can to protect and promote business in this sector. To a large extent, future of business will depend on how well India responds to the regulatory changes unfolding globally. India will have to assess her preparedness and make convincing changes to retain the status as a dependable processing destination,” according to a white paper titled GDPR and India, written by Aditi Chaturvedi for The Centre for Internet and Society.
Capgemini Sogeti India is a fully owned subsidiary of the Capgemini Group, the well-known French IT services and consulting organization, which reported total revenues of EUR 6,412 million this year and has customers across Europe and the USA.
According to Harshad Mengle, Director – Cyber Security at Capgemini Sogeti, “We have taken a structured approach and the framework is in place to address GDPR needs.”
“It is important to disclose how we are going to protect our customer’s data, and this in turn, will give more confidence to our EU customers. Some of the challenges include how we will alter our entire ecosystem in order to incorporate data management protection as per GDPR guidelines, how the workflow systems need to be changed, and how IT and monitoring systems need to be aligned with privacy data in order to be compliant,” said Mengle.
“A good compliance-to-privacy framework will help the C-suite build a strong technological and process control framework which can also be easily integrated with security operations management for privacy breaches,” he added.
The IT services player has already defined its data controller and data processor roles and appointed a data protection officer, who takes responsibility for ensuring compliance.
Evalueserve, a knowledge services provider with estimated annual revenues of more than USD 250 million, offers research, analytics and data management services to Fortune 500 companies in the United States and internationally. The company has both clients and employees in the EU, and their personal data will come under the purview of GDPR.
According to Evalueserve’s Chief Information Officer and Chief Information Security Officer, Sachin Jain, “We comply with the UK/EU data protection act for some of our clients, so it is not going to be a difficult change for us.”
“However, the team involved has started working on it proactively to be ready to show compliance to GDPR well ahead of the deadline,” he added.
The GDPR also levies steep penalties of up to EUR 20 million or 4% of global annual turnover, whichever is higher, for non-compliance. Like India's IT Act, the regulation does not prescribe specific controls; it requires security measures appropriate to the risk, which companies commonly read as a “reasonable” standard of data protection and privacy to be observed towards EU citizens.
Jain said that they take “reasonable” as the baseline layer of protection, the controls one has to deploy to ensure the privacy and safety of data.
The concern is natural, as the IT/ITeS sector in India reported the largest increase in data breaches in 2016. The healthcare industry came a close second, accounting for 28% of data breaches, a rise of 11% over 2015. This calls for stringent measures to protect the healthcare records of patients in India. Section 43A and Section 72 of the IT Act, together with the 2011 rules on reasonable security practices and sensitive personal data issued under it, require organizations to adopt reasonable security practices to protect sensitive information, and provide a broad framework for the collection, storage and protection of personal information in India, including health conditions, medical records and biometric records.
Other jurisdictions have already enacted sector-specific laws to protect medical information. The Health Insurance Portability and Accountability Act (HIPAA) is the primary law that establishes the US legal framework for health information privacy and gives patients substantial control over their information.
Alembic Pharmaceuticals has tied up with a leading consulting provider to identify the areas where it needs to make process and data changes to align with GDPR. According to Gopal Rangaraj, its CIO & Head-IT, “GDPR is an organic extension and is not a completely new framework. In healthcare, end-patient data safety was always a mandate. Therefore we capture patient information, including demographic data, and how we handle our customer complaints process in the context of GDPR will be interesting.”
Alembic Pharmaceuticals Ltd. is an INR 31.31 billion Indian multinational pharmaceutical company headquartered in Gujarat, India. Alembic Pharmaceuticals Europe Limited, however, is a wholly owned subsidiary of Alembic Global Holding SA and is located in Malta.
Rangaraj said that their Indian business does not handle any EU datasets, but added that adhering to the guidelines and making their practices more bulletproof is how they see the whole thing.
At Wanbury, Jitendra Mishra, its VP-IT and CIO, said that the GDPR is an extension of an earlier law, the 1995 Data Protection Directive. The pharma major is the largest manufacturer of Metformin in the world and exports to over 50 countries, 65% of them regulated markets.
“We supply 90% of our Metformin to European countries. We have employees as well as contractors across the EU, and our chief compliance officer, in cooperation with IT security as well as the board, is creating a Standard Operating Procedure (SOP) to establish how the GDPR is going to impact our business, how we secure the personal information of our customers, and how to map all these scenarios to mitigate risks by enforcing policies, technology and creating awareness in the organization.”
Across verticals, businesses in India give the impression that they are in tune with the implications of GDPR. To an extent, they expect India's forthcoming data protection law to help with GDPR requirements, by demonstrating that India's data protection regime is on par with the EU's. However, almost everyone agrees that it will need careful revision and a few amendments to align with a strong protection regulation.
They also believe it will ensure that all companies in India have reasonable practices in place, which will give confidence to EU companies with subsidiaries in India or outsourcing work to India. The data protection law looks to have come at the right time, as Indian businesses gear up for the biggest-ever overhaul of data protection regulation.