GDPR, Quick insight on the impact on APAC business entities!

By Rajesh Dangi, February 09, 2018

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation that strengthens and unifies data protection for all EU citizens and residents by giving them choice and control over how their personal data is used, processed and stored, whether it is the data controller (an organization that collects data from EU residents), the processor (an organization that processes data on behalf of a data controller, e.g. a cloud service provider) or the data subject (the person) that is based in the EU. It also applies to organizations based outside the European Union if they collect or process personal data of EU residents. The regulation was adopted by the European Parliament, the Council of the European Union and the European Commission on 27 April 2016. After a two-year transition period it becomes enforceable in May 2018.

GDPR's definition of "personal data": "Any information related to a natural person or 'Data Subject', that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address."

Any breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts. Further, these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement. Refer

In simple words, the GDPR will empower an EU resident to have the ultimate say in how his or her data is used, processed and stored by business entities that directly or indirectly have access to his or her personally identifiable information (PII), even after the association or relationship with the controller and/or processor ends. The data subject's (synonym used for user) control over his or her PII data has the following key attributes or controls (there are many more, detailed in the original act):

Right of Access - Data subjects must get access to their personal data and to information about how that personal data is being processed. A data controller has to provide, upon request, an overview of the categories of data that are being processed as well as a copy of the actual data.

Right of Erasure (right to be forgotten) - The data subject has the right to request erasure of personal data related to them.

Right of Portability (data movement or porting) - The data subject may request that their personal data be transferred from one electronic processing system into another, and the data controller must not prevent them from doing so. Data that has been sufficiently anonymised or masked is excluded, yet data that has only been de-identified but can still be linked back to the individual by supplying the relevant identifier is still considered PII and is within the scope of the GDPR. In short, personal data cannot be transferred to countries outside the EEA, or to systems within it, unless they guarantee the same level of data protection.

Protection by Design and by Default principle - requires that data protection is designed into the development of business processes, and into the applications for products and services, with the highest level of privacy settings as the default, and that the controller takes technical and procedural measures to make sure that processing, storage and retrieval remain compliant with the GDPR throughout the whole transaction lifecycle.

Direct Marketing and Profiling - Today most social media, ecommerce and even large enterprises maintain customer profiling for risk scores, eligibility criteria and target marketing datasets. The regulation already allows data subjects to opt out of direct marketing, and it requires transparency where there are automated decisions such as declining transactions based on risk scores, so processors will soon lose out on many such marketing opportunities and initiatives.

Lastly, Records of Processing - all records of data processing activities must be maintained, including the purposes of the processing, the context of the transaction or categories involved, and the envisaged time limits or duration of such activities. This entails auditability of all such records by the data controller and/or processor.

The Expectation

Once the data subject sends you a request called a DSAR, i.e. a Data Subject Access Request, you as a data processor or service provider should do the following:

  • Stipulate exactly what criteria constitute personal data and then identify it
  • State exactly what and where that data is and what it is used for (this is massive if the data is spread over multiple applications, locations and media / storage / archives)
  • Determine what can and should be deleted (and ensure you have the ability to do so!)
  • Extract or erase the data as requested and supply the data, or proof of erasure, to the data subject
  • Prove that you have done everything to ensure the data is secure
  • Take explicit consent from the data subject if he wants you to keep the data even after his business relationship ceases to exist (very unlikely!)
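The rights listed earlier (access: categories plus a copy of the data; erasure with proof; pseudonymised data still being in scope while anonymised data is not) and the DSAR steps above describe one workflow. The following Python script is an added illustration of that workflow, not code from the original post or from any product: the three system names, the field classification map, the pseudonym lookup table and all records in it are constructed sample data. It locates every record about a subject across the systems, including a billing row that carries only a customer token that the lookup table can link back to the subject, produces the access export, then erases the records and returns a proof-of-erasure record that holds only a hash of what was removed, never the data itself.

```python
"""DSAR handling across several systems: locate, export, erase, prove.

Added illustration for the post above. All system names, field
classifications and records are constructed sample data.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

# Classification of each system's fields. "anonymised" fields are out of
# scope. "pseudonymised" fields (a token) are still personal data because
# TOKEN_LOOKUP can link the token back to a subject.
FIELD_CLASS = {
    "crm": {"name": "identity", "email": "contact", "phone": "contact"},
    "billing": {"iban": "financial", "customer_token": "pseudonymised"},
    "analytics": {"age_band": "anonymised", "region": "anonymised"},
}

# Constructed sample records held by three hypothetical systems.
SAMPLE_SYSTEMS = {
    "crm": [
        {"subject_id": "S1", "name": "Ada Example", "email": "ada@example.test", "phone": "+00 000"},
        {"subject_id": "S2", "name": "Bob Sample", "email": "bob@example.test", "phone": "+00 001"},
    ],
    "billing": [
        {"subject_id": None, "iban": "XX00 TEST 0001", "customer_token": "tok-9f1"},
    ],
    "analytics": [
        {"subject_id": None, "age_band": "30-39", "region": "APAC"},  # no link back
    ],
}
# Constructed pseudonym lookup table: the token stays linkable, so it is in scope.
SAMPLE_TOKEN_LOOKUP = {"tok-9f1": "S1"}


def fresh_state():
    """Deep copies of the sample data so each DSAR run starts from the same state."""
    return copy.deepcopy(SAMPLE_SYSTEMS), copy.deepcopy(SAMPLE_TOKEN_LOOKUP)


def locate_personal_data(subject_id, systems, token_lookup):
    """Return {system: [record, ...]} for every record about the subject,
    including pseudonymised rows re-linked through the token lookup table.
    Rows that carry only anonymised fields never match and stay out of scope."""
    found = {}
    for system, rows in systems.items():
        for row in rows:
            token = row.get("customer_token")
            if row.get("subject_id") == subject_id or token_lookup.get(token) == subject_id:
                found.setdefault(system, []).append(row)
    return found


def access_export(subject_id, systems, token_lookup):
    """Right of Access: per system, the categories of data processed plus a copy."""
    located = locate_personal_data(subject_id, systems, token_lookup)
    export = {}
    for system, rows in located.items():
        categories = {FIELD_CLASS[system][f] for row in rows for f in row if f in FIELD_CLASS[system]}
        export[system] = {"categories": sorted(categories), "records": rows}
    return export


def erase(subject_id, systems, token_lookup, now=None):
    """Right of Erasure: remove the subject's records from every system and from
    the pseudonym lookup, and return a proof-of-erasure record. The proof keeps
    only a SHA-256 digest of the erased records, so it contains no PII itself."""
    located = locate_personal_data(subject_id, systems, token_lookup)
    digest = hashlib.sha256(json.dumps(located, sort_keys=True).encode()).hexdigest()
    for system, rows in located.items():
        systems[system] = [r for r in systems[system] if r not in rows]
    for token in [t for t, sid in token_lookup.items() if sid == subject_id]:
        del token_lookup[token]
    erased_at = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "subject_id": subject_id,
        "erased_at": erased_at,
        "systems": sorted(located),
        "records_erased": sum(len(rows) for rows in located.values()),
        "evidence_sha256": digest,
    }


if __name__ == "__main__":
    systems, lookup = fresh_state()
    print(json.dumps(access_export("S1", systems, lookup), indent=2))
    print(json.dumps(erase("S1", systems, lookup), indent=2))
    print("remaining for S1:", locate_personal_data("S1", systems, lookup))
```

The design point is the lookup-table step: without it the billing row would be missed because it carries no subject_id, which is exactly the de-identified-but-linkable case the post flags as still being PII. The analytics row is never touched because nothing on it links to a subject.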

Remember, if your business is accredited to certifications such as ISO 27001, and you are diligent in ISMS reviews and focus on preventive measures, GDPR compliance is likely to be a lot easier and will reduce the burden of internal change management without too much of a hurdle.

The Challenges

The biggest challenge envisaged is the implementation itself, since GDPR requires comprehensive and complex changes to processes, systems and the extended ecosystem without jeopardising current contractual obligations and service levels, especially for companies that provide support to multiple EU businesses yet reside outside the EEA. These organizations must re-engineer and/or re-design their systems, resources and methods towards compliance.

Another aspect is the lack of understanding of "what it takes to comply" and of expertise on "what needs to change" within the organization and across the extended value chain of sub-contractors, vendors and service providers. Educating and training the entire value chain is a humongous effort and cost, and has to be done in the shortest possible time.

Even enforcement of the GDPR will be equally complex and requires alignment between the DPAs and the European Commission; the possibility of different interpretations of the regulation might still lead to different levels of privacy.

The business impact will be severe for APAC entities that offer goods or services to data subjects (individuals) in the EU, or that monitor their buying patterns, usage behaviour etc. via outsourcing contracts, commercial ecommerce websites or applications; these may find themselves directly subject to the regulation, along with a wide array of IT service providers that support European retailers, large corporations etc. from India.

In a nutshell, the regulation is not flexible. For example, when it comes to transferring data outside the EU, the regulation provides less scope for businesses to assess risk and take decisions. The regulation intends to bring all service providers directly under its purview and is very detailed about their responsibilities and accountability, with rigid terms and harsh penalties. Adhering to the regulation leads to opportunity loss for the Indian IT/BPO industry as it further raises the threshold for data transfer outside the EU.

For APAC businesses / service providers, what should you (as a business) be doing now?

  • Run your GDPR initiative as a "GDPR Transformation programme" (since it might span multiple projects) that might result in an evolved operating model. Adopt a stakeholder-centric approach within your project framework. Don't let it be only a "technology" project; it involves people and processes much more than technology. Recruit or train an individual who can serve as your Data Protection Officer, or identify an external resource who can serve as an expert to complement that role in effect.
  • Conduct a readiness review and build an action plan for the shortcomings by creating checklists, new policies or updates to those in force, internal processes and a governance structure put in place specially for security incident reporting and management; prioritize privacy impact assessments and risk evaluations. Identify the organization's potential risks of noncompliance in all assessed areas (in ISO 27001 terms we call it a risk register).
  • Prepare for compliance and find an EU representative, if applicable. Following the regulation will significantly add to the compliance costs for service providers. These costs are already higher when serving EU-based clients as compared to other markets, so management must ensure adequate budgets and contingency funds are secured, budgeted and disbursed in a timely manner.
  • Review the data protection compliance language / legal verbiage in contracts that will be in effect in May 2018 and later. Negotiate alterations to current contracts to assess risks and limit the exposure thereof as much as possible. Review product and marketing plans for the European market for possible compliance issues.
  • Validate whether there is a cyber insurance policy that will cover the sanction in case of an information security breach or data theft, strengthen information security protection at all levels of the IT infrastructure and upskill the IT team.
  • Data backups kept on tapes and at offsite locations will need a revamp, along with applications, which must support the "Right of Erasure" by granular design; data must be cleaned and confirmation provided as soon as the data subject sends a request for data erasure after termination of the business relationship with the principal and its subsidiaries. This will create a flux of effort (in the likes of Y2K) to dig out the archives and remove PII references to the data subject from all digital records and backups / archives. Many of the latest technologies offer indexing and data transformation capabilities on legacy data, thus making an enterprise IT tech refresh inevitable.
  • IT policies that allow BYOD and "work from home" for employees might be impacted, since the exposure to data theft or unintended data loss (even if devices are lost with data on them) will be a substantial risk, as the EU GDPR holds companies responsible for keeping their data secure and can impose sanctions. Where such situations are unavoidable, implement DLP (read, Data Loss Prevention) solutions to protect endpoints, web proxies and email gateways.
  • Stay informed on changes and amendments to applicability and on addendums that might extend the scope and coverage of the regulation further when implementation glitches make policy makers rethink additional controls and penalties thereof.

IT Specific Recommendations

  • Map users to their data along the entire information management lifecycle, and create a baseline via a DPIA (Data Protection Impact Assessment) conducted by third-party auditors / agencies with GDPR expertise.
  • Data Strategy - Review your enterprise ISMS policy and data strategy again from the GDPR perspective to help:
    • Enable freeze, encapsulation / anonymization, redaction and erasure, if not isolation, of data assets, and granular control of data
    • Secure and encrypt data in transmission, while you may already have all precautions in place for data at rest (read, encrypted storage and archival).
    • Remember that data thefts are difficult to trace both during and after the incident. Reward the reporting of incidents to inculcate transparency.
  • Educate and enable your entire ISMS and IT team towards:
    • Identification, classification, security (read, encryption), analysis and action on all information assets and resources.
    • Governance of incidents, false positives, technology aids, audit requirements, compliance (read, breach detection, response and reporting) and transparency.
    • Privacy should never be traded off for innovation; all use cases must support "Privacy & Innovation" hand in hand.
  • Assessment of applications, databases, infrastructure components, DLP tools and policies, access and identity management systems, and backup, restoration and replication tools (that support granular data encryption, retrieval, erasure and freeze capabilities) for all internal and extended IT systems (external IT systems will involve vendor or SaaS services integrated via API, typically hosted on an external private cloud) that have a bearing on the data assets of the data subjects.

In conclusion, with GDPR the stakes are high and so are the risks, which emphasizes the need for businesses, organizations and governments to adopt comprehensive data protection practices at all levels. A risk-based approach to data privacy, data protection by design and the latest technology solutions can significantly reduce the potential for non-compliance violations or, worse yet, a breach. APAC business entities must be smart about implementing cost-effective and efficient ways of addressing the level of risk across their IT environment in the shortest possible time. There is no room for error!