GDPR covers all heads

The European Union’s much-hyped privacy law, the General Data Protection Regulation (GDPR), will take effect on May 25, 2018. If data is the new oil, personal information is the new currency of the digital world, argues Cawder Ravikumar Andrews, Senior Consultant and Lead (Enterprise Risk Management) at a top IT firm and also a certified GRCP, PMP and TOGAF professional, in a Q&A with Mini Tejaswi of Financial Chronicle.

What are the key highlights of the European Union’s much-hyped privacy regulation, the General Data Protection Regulation (GDPR), which will take effect on May 25, 2018?

It’s a very over-arching question, with some 40 days to go for the regulation to come into play. The crux of it is that this regulation will ensure subjects more control over their data. It will clearly define what personal data is and it will articulate the principles and rights of data subjects. The law will emphasise the need for having a Data Protection Officer (DPO), carrying out Data Protection Impact Assessments (DPIA), the concept of Privacy by Design (PBD), rules around breach notification, the cost (which is steep) of non-compliance and the evaluation of risk inherent in the processing and preparing the necessary mitigation plans. This may seem onerous, but it actually reduces the costs of compliance, leads to substantial benefits and significantly enhances the ease of doing business.

Who all will come under the ambit of this regulation?

Any company, notwithstanding its location, that processes, stores or transmits personal data belonging to EU residents comes under the ambit of the regulation.

What rights are data subjects ensured under this new regulation?

This regulation offers data subjects a bouquet of rights, going by the mnemonic PREPARIO – Right to Portability, Right to Rectification, Right to Erasure, Right to fair Profiling, Right to Access, Right to Restrict Processing, Right to be Informed and Right to Object.

What does GDPR mean for Indian enterprises and clinical trial outfits?

The implications are huge. The entire data life cycle needs to be reviewed in the context of GDPR, examining the need for a DPO, carrying out DPIA and risk assessments to ensure compliance. The key is to demonstrate and evidence the intent to comply. Dealing with data privacy regulations is not new; many organizations already comply with regulations like the Data Protection Act (DPA) of the UK, HIPAA of the USA, the PIPEDA of Canada, etc. Indian companies can explore their existing framework, like COBIT or ISO 27001, to quickly align with GDPR requirements. GDPR compliance will give a competitive advantage to enterprises. To draw a parallel, Basel used to be a compliance issue for banks, but today it gives them a competitive advantage. Therefore, contextually, better data privacy policies result in higher trust from customers, investors, rating agencies, analysts and market regulators.

Are Indian companies ready with GDPR compliance, or are they lagging behind? What are the steps organisations should follow in the compliance process?

I would expect most organisations are at some stage of compliance. Else, focus on the basics, viz., creating awareness internally, documenting and auditing personal data, reviewing and upgrading existing privacy notices, ensuring rights and principles are covered, reviewing request handling, establishing a lawful basis for processing, consent management, reviewing child data, having the right procedures for breaches, carrying out DPIA and DPD wherever necessary and appointing a DPO if necessary.

GDPR proposes to make personal data as a fundamental right to citizens of EU. Will this encourage India to have a solid regulation for data privacy and protection?

India already has certain provisions either explicit or implicit under the IT Act. A committee headed by Justice BN Srikrishna was set up to study various issues relating to data protection in the country and I was fortunate to participate at their open house held in Bangalore. However, we are yet to have a foolproof regulation for data protection and privacy.

How critical are regulations like GDPR in a data dominant world?

Privacy issues are of profound importance. Though regulations by themselves are not complete, we need to educate and create awareness, especially in the Indian context.