With GDPR now enforced and similar Indian data protection regulation on the way, CIOs need to make a tectonic shift in how they take care of their organizational data, adopting a culture of security and a proactive approach, with a holistic design aimed at minimizing risk.
From the perspective of a business and its CIO, what exactly does GDPR compliance entail?
The General Data Protection Regulation (GDPR) is a revolutionary change as far as data protection is concerned. To my mind this is the de facto gold standard globally and is one of the most advanced and strictest data protection regulations. It has twofold objectives: one is accountability, where organizations are required to be more accountable by complying with GDPR, and the second is enforcement, ensuring that the member states rigorously enforce GDPR, such that any non-compliance with GDPR will cost the business a penalty of up to €20 million or 4% of annual turnover. This is surely a heavy cost to pay, besides the impact on the stock value, loss of customer trust and erosion of brand value. Hence, the key focus of a CIO is to ensure compliance.
Now, to address what GDPR compliance entails: as per the European Union General Data Protection Regulation, GDPR is a regulation that applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. This definition encompasses personal data including name, identification number, location data or online identifier, reflecting changes in technology and the way organizations collect information about people. GDPR applies not only to organizations located within the European Union but also to organizations outside the European Union that offer goods or services to, or monitor the behavior of, EU data subjects.
How is GDPR implemented and enforced? What are the facets of information exchange that fall under the GDPR umbrella?
Implementing GDPR requires a cultural change. It will require businesses to transform the GDPR legal requirements into compliant and sustainable organizational and operational behavior. The implementation should focus on the GDPR principles of lawfulness, accuracy, fairness and transparency, integrity/confidentiality, purpose limitation and storage limitation.
Successful implementation of GDPR is based on factors such as organizational readiness and active engagement of stakeholders, readying a team to address GDPR compliance, educating the stakeholders across business functions, maintaining the relevant personal data registries, procedural adherence and implementation of procedures aligned with GDPR guidelines, and maintaining consistency and accountability in the long run.
GDPR provides individuals eight rights: the right to be informed, the right of access, the right to erasure, the right to rectification, the right to restrict processing, the right to data portability, the right to object, and rights related to automated decision making. Detection of data breaches (if any) and immediate notification of the same within the defined period of 72 hours is one key aspect of the regulation. Appointing a skilled and seasoned Data Protection Officer (DPO), either full time or otherwise, can be key to implementation. In any case, CIO and CDO collaboration is very important to achieving the compliance objectives.
How can CIOs and CISOs ensure good security practices to keep information safe at the organizational level?
CIOs and CISOs need to collaborate to draw up policies and procedures for protecting data and minimizing risk. Prevention is better than cure, goes the adage; hence it is important to have a risk matrix, perimeter protection and threat prevention (through sandboxing), robust access management procedures, password management (2-step verification), effective vulnerability management, timely patch management, endpoint security, data loss prevention, threat scanners etc. It is important to enhance the skills of people through effective training so that they can proactively address the challenges. Knowing all key data managed by the business, including the personal information of customers, along with its source, type, storage, retrieval, organization and protection, is key to successful compliance.
Deployment of tools such as SIEM, device encryption and anti-virus can address compliance. To protect infrastructure, firewalls, WAFs etc. can be deployed. Threat modeling, forensics (malware) and threat intelligence tools can be leveraged to avoid breaches. Lastly, enterprise data leakage protection, data discovery, data encryption, application control(s), and predictive and behavior analytics can play a key role in keeping the data protected.
How do you see GDPR and similar regulations shaping the information landscape going forward?
We need an IDPR (Indian Data Protection Regulation) for India similar to the GDPR in the European Union. Now, as you are aware, we have had several issues of data leakage from several social media sites in India. It is estimated that over half a million Indian Facebook users may have been affected in a recent data breach; this has truly compromised the privacy of the affected Indian citizens. Therefore, data protection is key. However, it could have an impact on a country’s economy, affecting the trading of services and products, especially in a digital economy: overly stringent protection or insufficient protection can both have an adverse effect on businesses, customer confidence and the economy. Secondly, a data protection regulation requires every business to comply with stringent guidelines by deploying processes, procedures and tools to ensure the privacy of citizens in that country.
What is the role of IT/ITES service providers in ensuring compliance for their customer organizations?
Indian IT and ITeS companies operate in Europe; together they enjoy revenue of approximately $200 billion in the region. It is necessary for all of them to stay compliant. As shared earlier, non-compliance with GDPR shall attract a penalty of €20 million or 4% of global turnover, whichever is higher. Hence, they are required to ensure one hundred percent compliance with GDPR, and thereby protect revenues, business growth and, above all, customer trust and confidence.
What is your advice to Indian CIOs and CISOs in terms of ensuring their enterprise information security in the GDPR era?
Indian CIOs and CISOs should treat data with much more care. It will require a tectonic shift. A proactive approach is desired, especially towards data gathering, data management, data access, data storage, data retrieval and overall data protection. It requires a cultural change, as mentioned earlier, combined with stringent internal policies aligned with the enforced regulation(s). An eagle eye is required to ensure the privacy protection of customers, more so in the digital world. Lastly, they ought to make people accountable, enforce stringent access controls, deploy risk mitigation tools, review customers’ personal privacy rights more deeply, craft the data collection policies carefully, foresee the unforeseeable data breaches and plan accordingly, and, most importantly, adopt a proactive privacy-by-design approach.