C&L October 2017_LR (5)


Feature
THE DATA PROTECTION LINGO

Data Subject: The individual (natural entity) whose data is being used by the data controller and data processors. The data protection regulations are meant for protecting his/her rights.
Personal Data: Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person.
Data Controller: The entity that determines the purposes, conditions and means of the processing of personal data.
Data Processor: The entity that processes data on behalf of the Data Controller by the definition of the EU GDPR, but also ‘independently’ by the definition in the private member bill introduced in the Indian Parliament.
Consent: The explicit permission given by the data subject to the controller to use his/her data for a purpose other than what it was collected for. Usually, it can be withdrawn at any time.
Data Erasure or Right to be Forgotten: The right of the data subject to have his/her personal data erased by requesting the data controller/processor/third parties associated with them.
Data Portability: Obligations on data controllers to provide the data subject with a copy of his or her data in a commonly used, machine-readable format that can be transferred to another controller with ease.
Data Protection Authority: Regulators for ensuring data and privacy protection; the body may even be involved in making recommendations to amend the data protection legislation.
Data Protection Officer: The executive within a data controller or processor accountable for ensuring data privacy and compliance with the data protection regulations.
Privacy by Design: A principle that calls for the inclusion of data protection from the onset of the design of systems, rather than as a later addition.
Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Right to be Forgotten: Also known as Data Erasure, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.
Right to Access: The right of the data subject to have access to and information about his/her personal data.

6 CIO&LEADER | October 2017
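As an added illustration of the pseudonymisation definition above (example code, not from the article or from any regulation it cites): direct identifiers are replaced by a keyed pseudonym, while the key and the pseudonym-to-identity map, the ‘additional information’ of the definition, live in a separate vault so that the analytic dataset on its own cannot be tied back to a person. The `PseudonymVault` class, the sample records and the `example.com` addresses are constructed for this example; the erase step shows how the same separation supports the Right to be Forgotten.

```python
import hmac
import hashlib
import secrets
from typing import Dict, List, Optional

# Constructed sample records: hypothetical customers, not real people.
RECORDS = [
    {"name": "Asha Verma", "email": "asha@example.com", "city": "Pune", "spend": 1200},
    {"name": "Rohit Sen", "email": "rohit@example.com", "city": "Delhi", "spend": 400},
]


class PseudonymVault:
    """Holds the 'additional information': a secret key and the pseudonym -> identity
    map. In a real deployment this lives in a separate, access-controlled store,
    never alongside the pseudonymised dataset."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)
        self.identities: Dict[str, Dict[str, str]] = {}

    def pseudonym_for(self, email: str) -> str:
        # Keyed HMAC rather than a plain hash: without the key, nobody can rebuild the
        # mapping by hashing guessed e-mail addresses and comparing the results.
        digest = hmac.new(self.key, email.strip().lower().encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

    def register(self, record: Dict) -> str:
        pseudonym = self.pseudonym_for(record["email"])
        self.identities[pseudonym] = {"name": record["name"], "email": record["email"]}
        return pseudonym

    def re_identify(self, pseudonym: str) -> Optional[Dict[str, str]]:
        # Only a holder of the vault can attribute a record to a data subject.
        return self.identities.get(pseudonym)

    def erase(self, email: str) -> bool:
        # Right to be forgotten: dropping the link leaves the analytic row anonymous.
        return self.identities.pop(self.pseudonym_for(email), None) is not None


def pseudonymise(records: List[Dict], vault: PseudonymVault) -> List[Dict]:
    """Return rows safe to hand to an analytics team: name and e-mail are replaced by
    the pseudonym, non-identifying attributes are kept as they are."""
    rows = []
    for record in records:
        subject = vault.register(record)
        rows.append({"subject": subject, "city": record["city"], "spend": record["spend"]})
    return rows
```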

Feature
...Continued from Page 5

and historical research based on data collected and processed. The European Union Regulation of 2016 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data may provide useful guidance in this regard. The State must ensure that,” said Justice Kaul in his judgment.

With such an unambiguous, unequivocal and forceful recommendation by the highest court of the country, the efforts towards formulating a data protection law are only expected to accelerate. As such, the government had already initiated some first steps in that direction. In July, the Ministry of Electronics and Information Technology (MeitY) constituted a committee of experts under the chairmanship of Justice B N Srikrishna, former Judge of the Supreme Court, to identify key data protection issues and recommend methods for addressing them. Its brief also includes the creation of a draft data protection bill. Members of the committee include Dr Gulshan Rai, National Cyber Security Coordinator; Prof Rajat Moona, Director, IIT, Raipur and a noted cyber security expert; and Ajay Bhushan, CEO of the Unique Identification Authority of India, among others.

Interestingly, a private member bill called Data (Privacy and Protection) has been introduced by Biju Janata Dal MP Baijayant Panda in Parliament. The draft bill is based on the major issues addressed by the European GDPR.

Implications for enterprises

The EU GDPR defines a data ‘controller’ as ‘the natural or legal person, public authority, agency or other body’ which, alone or jointly with others, determines the purposes and means of the processing of personal data. Similarly, it defines a processor as an entity that processes data on behalf of the controller. The non-state actors referred to by the judges are typically commercial companies that use an individual’s data for their business purposes.

Most commercial agencies, especially those engaged in large-scale B2C business, would fall under the EU GDPR definition of data controllers, and certain categories of businesses would typically be classified as data processors. While the EU definition describes a processor as someone who processes personal data ‘on behalf of the controller’, it need not necessarily be defined that way. For example, the private member bill introduced by BJD MP Panda defines a processor as someone ‘who processes data independently or on behalf of a data controller’. In short, most businesses would fall under one or both of the definitions and will have to comply with the new set of regulations. A limited exposure to the EU GDPR—such as by companies who do business there or who provide IT or BPO services to European companies—has already resulted in many companies scrambling to comply. A full-fledged Indian data protection regime will result in several compliance requirements. Once that happens, it is a no-brainer that CISOs and CIOs will have to drive this new set of compliance requirements.

Here is a look at some of the obligations that may come your company’s way. While you may have some of them in place already if your sectoral regulations require it, most would be new for most companies. While not all of them may require you to ‘show’ something (like appointing a Data Protection Officer) immediately, you nevertheless need to ensure that the obligations are met. An Indian draft data protection bill is yet to be ready and is a specific brief for the committee appointed by the Government under the chairmanship of Justice Srikrishna. So, most of the possible requirements presented here are taken from the European GDPR’s principles, if not its exact regulatory requirements. In the discussion, we will refer to data controllers/processors as businesses or enterprises, though the requirements may apply to other types of entities as well.

Possible Issues/Requirements

Purpose of processing: The controller or processor has to clearly state the purpose of collecting/processing data. That is because using the data for anything other than the original purpose for which it was collected requires the explicit consent of the individual concerned, also referred to as the data subject. The onus of ensuring that will be on the enterprises.

Consent of the individual: One of the requirements of the European GDPR is that “where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” It further mandates that the request for consent cannot be in fine print, as is the case today. It should be very clear and in plain language. Further, companies should make it easy for the individual to withdraw consent at any time. Whether consent is taken through paper-based documents or electronic means, business organizations have to put systems in place to make this possible. ‘Making it easy for the individual’ has to be defined, and that definition may change from time to time.

Right of access by the data subject: One of the possible requirements for companies dealing with individual data would be to provide data subjects with access to their own data as well as additional information such as the period for which the data would be stored, who will be provided access to that data, and whether it would be transferred beyond the boundaries of the country…the list may keep changing.

