Co-Author: Pranay Prakash
The Chain Reaction
The GDPR, adopted in April 2016, has opened a Pandora’s Box for organizations that are struggling to become General Data Protection Regulation compliant by the deadline of May 25, 2018. On the other hand, nations across the globe reacted positively to news of the General Data Protection Regulation, re-evaluating their existing policies and tweaking laws to address the flagrant exploitation of personal information. Data privacy and personal data protection according to General Data Protection Regulation norms are, undoubtedly, the need of the hour.
The UK was actively involved in formulating the EU GDPR compliance norms. Post Brexit, the country is expected to have a law similar to the General Data Protection Regulation for protecting the personal data of its citizens. In the interim, the UK has agreed to GDPR compliance, though it will also release an updated version of its Data Protection Act in the medium to long run.
Mexico ratified a General Law to protect personal data in the possession of Obliged Subjects. The General Law sets out the basis, principles, and procedures that guarantee individuals the right to protect their personal data. ‘Obliged Subjects’ include entities that benefit from public funds, such as political parties and trusts, in addition to federal, state, and municipal authorities.
In the not-so-distant past, the land of the kangaroos, taking cognizance of the importance of protecting personal data, amended its existing Privacy Act, 1988. The Australian parliament passed the Privacy Amendment (Notifiable Data Breaches) Act, 2017 (NDB scheme), on February 13, 2017. All entities covered by the Australian Privacy Principles (APPs) will have clear obligations to report eligible data breaches from February 22, 2018.
Not trailing far behind, on February 7, 2017, Russia enacted a law introducing amendments to the Russian Code on Administrative Offences, which increase the fines imposed for violations of Russian data protection laws and differentiate among the types of offence.
Considering the stringent data privacy laws across the world, global enterprises are in a state of flux about getting GDPR compliance right. The data protection laws have fundamentally changed how data controllers and data processors handle personal data. Instead of being an ‘add on’ or afterthought within business operations, mechanisms to protect personal data will now have to be incorporated into the very fabric of data processing systems, meaning that entities will need to revisit how they deploy technology in their organizations for GDPR compliance. Moreover, sanctions in case of a data breach are exorbitantly high, the rights of data subjects have expanded, the classification of sensitive data is more comprehensive, consent management must be implemented, and limits on practices such as profiling have added to the woes of organizations.
While a majority of enterprises have initiated programs to address the GDPR compliance guidelines, there is a lot of ambiguity among privacy professionals and internal compliance teams about how to prioritize the implementation roadmap. A few of the key challenges faced by enterprises are:
- Undecided approach to address controls on legacy systems
- How to address historical data collected over years, especially organizations in the B2C segment
- Alignment of business and IT roadmap to address GDPR controls w.r.t. cybersecurity requirements
- Retailers and diverse retail businesses facing challenges in addressing the explicit consent management requirements
- While organizations have carried out questionnaire-based discovery, discovery at the depth needed to address the requirements of Article 30 is still in the early stages of implementation
- Global enterprises are struggling to understand how they can adapt their business model to the GDPR world while still retaining the benefits of scale and spread
- Enterprises have realized that GDPR is not merely a business privacy law: it has a significant impact on IT and cybersecurity. Privacy officers are still struggling to maintain the right balance – a policy definition alone is not helping organizations achieve compliance with the General Data Protection Regulation
- A risk-based approach to privacy is still in the early stages of adoption
We believe that in the digital era, privacy, security, and personalization are the most significant issues facing corporations and individuals alike. Enabling compliance is not just about managing regulatory requirements; it can also be a source of competitive advantage. It echoes the phrase – “Right to do Business – The Right Way.” These regulations aim to protect citizens’ data privacy and guard against data breaches in an increasingly data-driven world.
Data Privacy – The Journey Ahead
For organizations large and small, for the rest of the world and for us, this was a wake-up call. Beyond what the regulation itself asks, we believe these regulations are meant to sensitize enterprises to the lawful usage of personal information and to strengthen the rights of data subjects. This should be embedded as a principal guiding light for all personal data processed within an enterprise, irrespective of geography, laws, and regulations.
Organizations wanting to be ahead of the curve should not approach these changing regulations as a quick fix. Instead, they should plan for broader amendments across the board – as this is just the beginning.
Discuss privacy and GDPR with us
HCL’s comprehensive privacy framework and technology solutions help organizations prepare for the overhaul of the rules and regulations. Our services assist customers by:
- Conducting Data Privacy Impact Assessment (DPIA) with respect to GDPR requirements and furnishing relevant information for developing a compliance plan and approach
- Helping customers with eDiscovery and Data Flow Mapping to assess the impact of personal data regulations, including GDPR
- Identifying gaps post DPIA, in conjunction with the client’s legal and privacy compliance group
- Assisting with the implementation of technology measures to address compliance
HCL helps its clients undertake a seamless end-to-end compliance journey through our unique approach, which begins with ‘advisory’ and moves on to ‘implementation.’ This positions HCL as a preferred partner for organizations aiming to achieve regulatory compliance for GDPR data protection.