What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation to strengthen and unify the data protection of all EU citizens / residents by giving the choice and control of use of their personal data usage, processing and storage by the data controller (an organization that collects data from EU residents) or processor (an organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU. It also applied to organizations based outside the European Union if they collect or process personal data of EU residents. This regulation was adopted by European Parliament, the council of European union and European Commission on 27 April 2016. After two year transition period this becomes enforceable effective May 2018.
"Any information related to a natural person or 'Data Subject', that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address" definition of "personal data" by GDPR.
Any breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. Further these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement. Refer
In Simple words, GDPR regulation will empower EU resident to have ultimate say in how his data will be used, processed and stored by business entities that directly or indirectly have access to his/her personally identifiable information(PII) data even after his/her the association or relationship ends with the controller and/or processor. The control of the PII data of data subject ( synonym used for user ) has following key attributes or controls...( there are much more, detailed in original act )
Right of Access - Data subjects must get access to their personal data and information about how these personal data are being processed. A Data Controller has to provide, upon request, an overview of the categories of data that are being processed as well as a copy of the actual data.
Right of Erasure ( right to be forgotten) - The data subject has the right to request erasure of personal data related to them
Right of Portability ( Data movement or porting) - The data subject shall make an request to transfer their personal data from one electronic processing system to and into another by data controller without preventing them to do so. Their data that has been sufficiently anonymised or masked is excluded, yet data that have only been de-identified but remains possible to link to the individual by providing the relevant identifier, is still considered PII data and will be in the scope of the GDPR regulation. In short, The personal data cannot be transferred to countries outside EEA or systems within unless they guarantee the same level of data protection.
Protection by Design and by Default principle - requires that data protection is designed into the development of business processes, applications for their products and services with high level of privacy settings as default and that technical and procedural measures should be taken care by the controller in order to make sure that the processing, storage and retrieval throughout the whole transaction lifecycle, remains compliant with the GDPR regulation.
Direct Marketing and Profiling - In today's scenarios most of the social media, ecommerce and even large enterprises maintain customer profiling for risk score / eligibility criteria and target marketing datasets, The regulation already allows data subjects to opt out of direct marketing, and it requires transparency if there are automated decisions such as declining transactions based on risk scores thus processors will soon lose out on multiple such marketing opportunities / initiatives
Lastly, Records of processing, all records of data processing activities must be maintained, that include purposes of the processing, context of the transaction or categories involved and envisaged time limits or duration of such activities, these entail auditability of all such records by the data controller and/or processor.
Once the data subject send you the request called DSAR, i.e. Data Subject Access Requests, You as a data processor or service provider thereof should do following..
Remember, if you are a business is accredited to certifications such as ISO 27001, and are diligent in the ISMS Reviews and focus on preventive measures it's likely GDPR Compliance will be lot easier and reduces the burden of internal change management without too much of a hurdle.
The biggest challenge that are envisaged is the implementation itself, since GDPR requires comprehensive and complex changes to their processes, systems and extended eco system without jeopardising the current contractual obligation and service levels, especially the companies that are providing support to multiple EU businesses yet reside outside the EEA. These organizations must re-engineer and/or re-design their systems, resources and methods towards compliance.
Another aspect is lack of understanding on "What is takes to comply" and expertise "What needs to change" within and extended value chain of sub-contractors, vendors and service providers. The education and training of entire value chain is a humongous effort and cost and has to be done in shortest possible time.
Even to enforcement of these GDPR regulation will also be equally complex and requires awareness between DPAs and European commission and possible fear of different interpretation of the regulation might still lead to different levels of privacy.
The business impact will be severe for APAC entities who are offering of goods or services to data subjects (individuals) in the EU or even the monitoring of their buying patterns, usage behaviour etc via outsourcing contracts, commercial ecommerce websites or applications may find themselves directly subject to the Regulation, along with a wide array of IT service providers who support European retailers, large corporations etc from India.
In nutshell, The regulation is not flexible. For example, when it comes to transferring data outside the EU, the regulation provides less scope for businesses to assess risk and take decisions. The regulation intents to bring all service providers directly under its purview and very detailed about their responsibilities / accountability, with rigid terms and harsh penalties. Adhering to the regulation leads to opportunity loss for the Indian IT/BPO industry as it further increases the threshold for data transfer outside EU.
For APAC Businesses / service providers, what do you ( as a business) should be doing now?
IT Specific Recommendations
In Conclusion, with GDPR, stakes are high and so are the risks emphasizing the need for businesses, organizations and governments to adopt comprehensive data protection practices at all levels is a divine truth. A risk-based approach to data privacy-data protection by design-latest technology solutions can significantly reduce the potential of non-compliance violations, or worse yet, a breach. APAC business entities must be smart about implementing cost-effective and efficient ways of addressing the level of risk across their IT environment at the shortest possible time, There is no room for error!