Indian IT industry has a high stake in the outsourced business from US and EU, UK markets. A good part of this outsourced business involves processing of “Personal Data” of data subjects of the respective country. As regards US, India has many processors who process health data and are accustomed to complying with HIPAA and HITECH Act. India has its own ITA 2000/8 which also imposes protection of both personal data and sensitive personal data. Now the EU has upped the stake in privacy protection by pushing the GDPR (General Data Protection Regulation) that replaces the Data Protection Act which has been in place for the last two decades. UK is now under transition where it is out of EU but is yet to adopt the regulatory mechanisms in its own name. However, UK is also expected to adopt GDPR in toto.
The Challenge for Indian data processors is that GDPR regulation requires them to appoint a “Representative” in any one of the EU countries if they have a stake in the processing of data related to EU residents. This makes them directly exposed to the risks on non -compliance in addition to the clauses that may be found in the Business Associate Contract where the data processor agrees to an indemnity clause with the data controller to compensate him for any losses caused to him on account of any data breach.
What is important for Indian Companies to realize is that the penalties payable under the GDPR by the data controller may be humongous since the GDPR speaks of upto 20 million Euros or 4% of the world wide turnover which ever is higher. If the Indian companies blindly agree to complying with the GDPR along with an open indemnity clause, they will be signing their death warrants.
The Boards of Indian Companies exposed to GDPR risk should therefore disclose in their financial statements what precautions they are taking to protect the interest of the share holders. The first thing that a share holder would like to know is whether the Company has an exposure to GDPR and if so whether an impact assessment has been made. If so, the share holders would like to know if the Company has obtained Cyber insurance against losses arising out of any data breach and whether the quantum of such insurance is adequate. If not, the Company needs to justify to its share holders why they think they are insulated from this risk.
Additionally, it is necessary for the Indian Companies to
a) Identify if they are exposed to GDPR risk and if so where and how the GDPR data exists in their data environment, who have access to them and how are they secured.
b) A risk assessment should be undertaken to identify the risks of data breach
c) Policies and procedures should be put in place to ensure compliance
d) Accountability for the compliance requirement should be documented through an appropriate technical and other measures.
e) A proper testing and audit environment should be available to check from time to time if the compliance measures are holding and any corrections are required.
The deadline for implementation of GDPR is 25th May 2018. However, if any EU Company is processing data with an Indian Company, then it would be interested in freezing their compliance documentation much before May 2018 since if the Indian Company is unable to meet the stringent standards, the EU company needs to find an alternate supplier and build the technical bridges that are required for the transfer of business. It would therefore be reasonable for such companies to start their negotiations today if they have not already started.
At the same time, it is also prudent for the Indian companies to introspect their systems and procedures and be ready to face any questions that the EU client may raise. It should be able to face an audit from the customers if the stakes are high.
GDPR Audit will therefore be required to be undertaken by Indian Companies who have any relationship with an EU Company with the likelyhood of undertaking data processing involving EU data.
GDPR requires “Privacy By Design” which may mean that the EU Client may require some process changes in data processing which may impact the cost of processing and also involve some time for implementation. If the data processor has himself sub contracted any of its processes, there is a need to ensure that the compliance requirements are also implemented at the sub contractor’s level which is another huge responsibility. In most cases the data processors may have to take up the currently sub contracted work in house. This will again change the cost profile of the service.
In most cases of sub contracting it will be inevitable to introduce “Deidentification” or “Pseudonomisation” of data with attendant technical issues. This would be yet another reason for cost escalations and data breaches due to failure of technical controls.
In view of these implications beyond the technical aspects of preserving the Confidentiality, Integrity and Availability, the Information Security professionals of Indian Companies need to immediately start internal discussions with the top management for rolling out the process of GDPR compliance.
The very first step in GDPR compliance is the designation of a senior person as the “Data Protection Officer” who may have to take up the next step of creating “Awareness” firstly among the top management so that further implementation steps can be undertaken.
I would urge all Indian Companies to start a review to see if they cross these two steps before actual implementation challenges can be identified for further action.
During the next month or so, most of the large IT Companies will have their shareholder’s meetings and financial audits by the audit firms. I urge shareholders to raise questions in the AGM about the action taken by the Company for meeting the GDPR non compliance risk and for all CA firms involved in financial auditing to ensure that suitable qualifications are made to the disclosures as may be required on account of the GDPR risk not having been identified and adequately covered.
Naavi