C&L_December 2017 (1)

26.12.2017

Cover Story

“In India, however, 7 out of 10 BFSI organizations (handling EU customer data/business) we reached out to did not want to comment on their GDPR preparedness”

The ABC of GDPR

The General Data Protection Regulation (GDPR) is a regulation adopted by the European Commission on 27 April 2016. The GDPR applies to any organization, regardless of geographic location, which controls or processes the data of an EU resident in a proscribed way. It dictates to what extent personal data may be collected, the need for explicit consent to gather such data, requirements to disclose breaches of data and stronger powers to substantially fine organizations that fail to protect the data for which they are responsible.

Applicability: Applies to entities, including third parties, that are (i) established in the EU, (ii) providing goods or services to EU residents or (iii) monitoring the behavior of individuals in the EU.
Building: Privacy-by-design principles must be incorporated into the development of new processes and technologies.
Empowering Consumers: Organizations will have to facilitate customers’ and employees’ right to erasure (of data), right to portability, and an increased right of access.
Fines: Up to EUR 20 million or 4% of the organization’s total global revenue, whichever is greater; also provides individuals new rights to bring class actions against data controllers or processors, if represented by not-for-profit organizations, which heightens litigation risk.
Reporting: Organizations will have only 72 hours to report data breaches.
Employing People: Most organizations will need to designate a Data Protection Officer and a Data Controller.
Storage: Organizations will have to maintain records of processing activities.
Security: Organizations will need to scale security measures based on privacy risks.
Permissions: Explicit and affirmative consent will be required before processing personal data.

Source: EY’s cyber and privacy insights document
For long, the fleeting mention of GDPR in India came up only at the time of reporting a security breach. That changed in 2016, when Indian regulators, namely the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI), issued frameworks to strengthen cyber security in the BFSI sector.

“Banks, as owners of such data, should take appropriate steps in preserving the Confidentiality, Integrity and Availability of the same, irrespective of whether the data is stored/in transit within themselves or with customers or with the third party vendors; the confidentiality of such custodial information should not be compromised at any situation and to this end, suitable systems and processes across the data/information lifecycle need to be put in place by banks,” RBI explicitly highlighted in the framework under the section subtitled ‘Ensuring Protection of customer information’.

In September 2016, SEBI also asked commodity derivatives exchanges to put in place a framework to safeguard systems, networks and databases from cyber attacks. It also announced the appointment of a new Chief Security Officer who will be responsible for strengthening SEBI's regulatory policy framework in the area of cyber security. Going a step further in April 2017, the Insurance Regulatory and Development Authority of India (IRDAI) tightened the noose on CEOs and CMDs of all insurance firms, giving them a period of about a year to ensure that adequate mechanisms are put in place to address the issues related to information and cyber security.

The icing on the cake this year was the Supreme Court's landmark verdict on the right to privacy. Additionally, India is now moving towards legislation on data protection. The central government had set up an expert committee to study the different issues relating to data protection in India and make specific suggestions on principles underlying a data protection bill.

10 CIO&LEADER | December 2017

These frameworks may not significantly impact the GDPR preparedness of companies in India. However, they will certainly keep up their customer data and security vigil.

According to Parag Deodhar, Information Security Leader at a reputed financial services firm headquartered in the EU with subsidiaries spread across the globe, “We have been running a global project for GDPR compliance across the company and are tracking actions across subsidiaries and shared services.” The global financial services firm has shared services centres outside the EU where data for the EU is processed, and therefore has to comply with GDPR. “We are implementing a data privacy and protection framework with global standards such as ISO / NIST etc. Our framework has been reviewed by reputed audit firms as well as regulators. We have incorporated their recommendations in our framework as well,” said Deodhar.

In India, however, 7 out of 10 BFSI organizations (handling EU customer data/business) we reached out to did not want to comment on their GDPR preparedness. However, all of them had heard of the regulation and its impact on their business. By contrast, a quarter (25%) of the 700 European companies surveyed by IDC Research on behalf of ESET admitted they were not aware of GDPR, and more than half (52%) of them were unsure of its impact on their organizations. Research firm Gartner, in a statement issued in November 2017, said it believes that less than 50% of all organizations impacted will fully comply by the compliance deadline.

“We have taken a structured approach and a framework is in place to address GDPR needs.”
Harshad Mengle, Director – Cyber Security, Capgemini Sogeti India

“We supply 90% of our Metformin to European countries. We have employees as well as contractors across the EU, and our Chief Compliance Officer, in cooperation with IT security as well as the board, is creating a Standard Operating Procedure (SOP) to ensure how it is going to impact our business.”
Jitendra Mishra, VP – CIO, Wanbury

The IT/ITeS sector is the biggest contributor to India’s economy, with a 66.1% contribution of the services sector to GDP; the information technology – business process management (IT-BPM) sector serves as a major market. The major markets for IT software and services exports are the U.S., the U.K. and Europe, accounting for about 90% of total IT/ITeS exports. Given the criticality of IT-BPM services, “India must do all it can to protect and promote business in this sector. To a large extent, the future of business will depend on how well India responds to the regulatory changes unfolding globally. India will have to assess her preparedness and make convincing changes to retain the status as a dependable processing des-

December 2017 | CIO&LEADER 11
