Every year, there are millions of online thefts globally. Individuals from all spheres of life complain about data theft and stolen identities, and it is significantly hard for governments to combat the problem.
Early this year, Facebook reported an online breach that affected millions of accounts, including its founder's. Facebook is just one of several companies affected every year. To combat this situation, the European Union refined and amended its General Data Protection Regulation to protect its citizens.
This regulation is in place to ensure that internet users know what personal data web and mobile applications use, and where, when and how they use it. It imposes strict compliance conditions on companies doing business in the EU, including companies located in the EU or with clients there, and a stiff penalty on defaulters.
While the GDPR was created to protect EU citizens, Article 3 extends its territorial scope beyond the EU's borders, so it applies to companies anywhere in the world that deal with any EU member state.
Definition: How Is the GDPR Defined?
The General Data Protection Regulation (GDPR) is a European Union (EU) framework that mandates and directs how entities must protect individuals' data privacy and security.
The GDPR is a Regulation, which means it does not require ratification or enabling legislation from each member state to take effect. This would not be the case if the GDPR were a Directive.
Although this is inconsistent with the history of earlier data protection rules, it is not expected to undermine the GDPR's primary purpose: the protection, privacy and security of individuals' personal data.
It gives EU citizens increased ownership and control over their personal information: how it is managed and processed, and what customer data a business or entity stores or deletes.
The GDPR came into effect in May 2018. It gave people the power to demand protection and privacy for their personal data. Web and mobile applications are required to seek people's consent before using or storing their personal data, or passing it on to any third-party application.
Such personal information includes names, email addresses, physical and mailing addresses, gender, credit card information, location data, IP addresses, browser history and cookie tracking. Users give this information voluntarily, often without any idea of its purpose or its long-term use.
Organizational Requirements defined by the GDPR
There are requirements all organizations must meet as defined by the GDPR. The GDPR cannot be stated and explained in full here, but for general knowledge, below are the requirements organizations must comply with:
The customers are in control. Therefore, an organization cannot access, correct, delete or transfer an individual's personal data without prior consent. The consent an individual provides enables a business to verify an address or list of addresses through a processor or system, including Amazon Web Services (AWS).
Therefore, without consent, no entity can access a user's data. The only exception is when the instruction given is contrary to the GDPR's own provisions.
Controller and Processor
The processor of a business or entity provides services and operations that use individuals' personal data. The information acquired, including email addresses, is always verified by the organization's applications, usually over a secure connection in AWS.
Under the GDPR, a complete verification requires delivery of the personal data to the users over that secure connection. Once that is done, the process automatically ends.
Organizations are subject to audits, and the GDPR gives users the right to request an audit of facilities and offices. Therefore, whether data are stored offline or not, an individual can request an audit unless the organization complies with a recognized set of standards or principles in addition to the GDPR mandates.
Facilities carry out routine security checks to ensure that their processors and systems are not vulnerable or accessible to attackers. If the system, the processor or individuals' data are compromised, the entity must notify the affected users and the GDPR regulators immediately.
There is a 72-hour window within which a detailed report on the response to, management, assessment and evaluation of the incident must be submitted.
Record Log List
There is a processing Record Log List. These log lists are kept for record purposes only and serve as a means of dispute resolution. The log list creates an audit trail that identifies the date, the list name and list of addresses, the processing location and the total number of records processed. Each user can access and download the log list.
Data Protection Officer
The Data Protection Officer (DPO) is a senior member of the management team, and the role is required by the GDPR. The DPO is responsible for training and monitoring employees in accordance with the GDPR's stipulations.
The DPO supervises all activities relating to the Information Security program, which covers data privacy and security.
To discuss further an organization’s policy, contact the DPO through the appropriate channel of communication.
GDPR Effect on India
India, with a population of 1.3 billion, was expected to reach 500 million internet users. It is also the country with the largest outsourcing market in the world, supplying outsourced talent, resources and services to America, the European Union, Asia, Australia and elsewhere.
Its largest client is America; the second largest market is the EU. With India's staggering number of internet users, added to those in the EU and America, the outsourcing industry contributes significantly to the country's GDP growth.
Although the figure is mouth-watering considering the potential revenue that may be generated, it also comes with a cost. That cost spans data mining, data leaks, security breaches, illegal sale of people's information, unwarranted tracking, illegal access to web cameras and more.
The cost may look or sound minimal, but in the long run it is devastating. For instance, there was a 7.9% increase in data breaches from 2017 to 2018. IBM estimates that a data breach costs an Indian company Rs. 11.9 crore ($1.7 million), with the average per capita cost reaching Rs. 4,552.
The report confirmed that criminal or malicious attacks cause 42% of data breaches, while 30% are due to system glitches and 28% to human error. Malicious attacks significantly increased the per capita cost in India, to Rs. 5,106.
The IBM study also found that online theft is a global problem. The study, which covered more than 500 companies worldwide, shows that the costs of such theft include:
- Stolen records
- Opportunity loss
- Administrative action
- Legal action
- Customer defections
- Reputation management
Online data theft is typically discovered approximately 188 days after the breach. The IBM study shows that the mean time for Indian companies to discover online theft jumped from 170 days in 2016 to 188 days in 2018, while it takes them around 78 days to rectify the problem.
It is no surprise, then, that over 22,000 Indian websites, including 114 government portals, have suffered a data breach.
SWOT of GDPR on India's Companies
SWOT is an acronym for the Strengths, Weaknesses, Opportunities and Threats (Challenges) of the GDPR. Each of these is analyzed below.
The strengths, or positive impact, of the Regulation include:
- The review and implementation of data policies and privacy programs by Indian companies with their employees, staff, third-party vendors, users and contractors. By complying with the regulation, companies are learning what 'consent' means and how to respect people's privacy.
- Fewer data breaches and less online theft. There has been a significant decrease in the percentage of data breaches since the GDPR was implemented. The compliance cost keeps companies alert to reducing human error to the barest minimum.
- Training and awareness campaigns for employees, contractors and subcontractors on privacy issues, data protection compliance and the accountability framework.
The weaknesses associated with the Regulation are:
- The inadequacy of skilled talent who understand the concept of notice and consent as defined by the regulation.
- Inadequate privacy budgets and the need to increase spending on privacy issues, which forces companies to cut budgets from other important parts of the business.
- Understanding the compliance policy is still a struggle for some Indian companies affected by the GDPR.
Below are the opportunities associated with the GDPR.
- The opportunity for Indian companies to be trailblazers in privacy-compliant services and solutions. India is known as a technology hub with deep expertise and a large talent pool; combining these creates an opportunity to lead in data privacy and protection.
- With their expertise and knowledge of technology, Indian companies can campaign for an effective data protection law. For instance, the proposal for a data protection framework by the Srikrishna Committee should be developed further.
This proposal can set criteria similar to the GDPR's but with lower compliance costs for Indian companies. The purpose common to all such proposals is the protection and transfer of personal data.
- Beyond the compliance burden, the GDPR creates business opportunities, especially for one of its biggest outsourcing markets, India.
The challenges or threats facing Indian companies are as follows:
- India has a weak data protection law and a huge outsourcing industry. The industry is estimated at more than 150 billion USD, approximately 9.3% of GDP, and the EU is one of its biggest markets. The challenge the GDPR poses can be summed up as losing competitiveness through weak laws.
- Restriction of cross-border data transfers. Through the GDPR, the EU limits businesses' own risk assessment and decision making regarding data transfers outside the EU.
This safeguard is in place to protect EU citizens' personal data once it leaves the EU. Although it is a significant improvement in protection, it increases the compliance cost for Indian companies.
- On top of the increase in compliance costs, non-compliance can bring penalties and litigation against Indian companies. For instance, the penalty structure imposed by the GDPR is 20 million EUR or 4% of global turnover, whichever is higher.
Indian companies faced with this challenge may end up shutting down rather than complying.
The basic principle underpinning the GDPR is the principle of consent and privacy, one of the paramount rights of all individuals. Although the GDPR exists to protect the citizens of the EU, its Article 3 on territorial scope makes it a global phenomenon.
Indian companies may fizzle out if they fail to comply with the wording of the regulation. The ideal way to remain in business is to see the GDPR as a business opportunity rather than a burden.
Seeing it as a benefit is the right push needed for the amendment of India's data protection law. The end goal is not to sustain businesses at people's expense or to infringe people's rights, but to protect the individuals who trust companies to keep their information safe.