GDPR Impact on Indian IT — (5 of 6) Demonstrable Compliance

Sreekanth Nemani
ASSERTION

--

Over the last few years, the European market for Indian IT has been growing at three times the rate of the US market. Many Indian IT companies derive between 10% and 30% of their revenue from Europe, and that share is growing at 2–3% year-on-year. For example, in 2017 Wipro reported 9.8% year-on-year revenue growth from Europe against only 2.8% from the US. The numbers are similar for other IT bellwethers such as Infosys, TCS and Cognizant.

This is why we need to pay attention to the EU's radical new General Data Protection Regulation (GDPR), which applies from May 25, 2018.

What is the impact of GDPR on Indian IT?

How can Indian IT get ready for GDPR?

In a series of articles we shall attempt to shed light on the most impactful aspects of GDPR for Indian IT.

This article is the fifth in the series on ‘GDPR Impact on Indian IT’ and outlines the impact of the ‘Accountability Principle’ clauses in the regulation and their manifestation as ‘Demonstrable Compliance’ for enterprises.

Importance of Demonstrable Compliance and Action

In 2016 the Information Commissioner’s Office (ICO) of the United Kingdom imposed a fine of £400,000 (about $511,000) on the TalkTalk Telecom Group for failing to do enough to protect user data. Attackers had used SQL injection against web pages inherited from Tiscali, an Italian firm TalkTalk acquired in 2009, exposing the personal information of 157,000 customers.

The fact that TalkTalk was itself the victim of a hack did not shield it from the ICO's penalty. The ICO found that TalkTalk had failed to put proper defences in place, and set the fine at 80% of the maximum allowed because the lapse was deemed unintentional rather than deliberate.

This case shows that an enterprise must have security that is both sufficient and demonstrable. Regulators treat intentional and unintentional lapses alike as failures, and hold enterprises accountable for a lack of due diligence.

The accountability clauses imply that enterprises must do more for data protection, and must also be seen to be doing more. In practice this means tracking, logging and recording every transaction and action involving personal data, being able to retrieve those records when required, naming the people and positions accountable for them, and staying on top of every known security vulnerability.
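The two defences the TalkTalk case and the accountability paragraph above call for, as an added example that is not code from this article or from any of the companies named: a customer lookup that concatenates user input into the SQL text (the class of flaw behind the TalkTalk breach) beside the parameterised form that defeats the injection, and an access log written alongside every personal-data lookup so that who looked up whom, when and why can be shown to a customer or regulator on request. The customer table, the records in it, and the actor and purpose strings are all constructed for illustration.

```python
"""Vulnerable vs. parameterised lookup, plus an access log for personal-data reads."""
import sqlite3
from datetime import datetime, timezone

# Constructed sample records (illustrative only; not data from the TalkTalk case).
CUSTOMERS = [
    (1, "alice@example.com", "Alice", "1 High St"),
    (2, "bob@example.com", "Bob", "2 Low Rd"),
    (3, "carol@example.com", "Carol", "3 Mid Ave"),
]


def make_db():
    """In-memory SQLite database holding a customer table and an access log."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT, name TEXT, address TEXT)"
    )
    conn.execute(
        "CREATE TABLE access_log "
        "(ts TEXT, actor TEXT, purpose TEXT, lookup_key TEXT, rows_returned INTEGER)"
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """String concatenation: the caller's input becomes part of the SQL statement."""
    sql = "SELECT id, email, name, address FROM customer WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email, actor, purpose):
    """Bound parameter: the input is treated as data, never parsed as SQL.

    Every call is recorded in access_log, so the read of personal data is
    attributable to a named actor and a stated purpose.
    """
    rows = conn.execute(
        "SELECT id, email, name, address FROM customer WHERE email = ?", (email,)
    ).fetchall()
    conn.execute(
        "INSERT INTO access_log VALUES (?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), actor, purpose, email, len(rows)),
    )
    conn.commit()
    return rows


def accesses_for(conn, email):
    """Who looked up a given data subject, when, why and how many rows they saw."""
    return conn.execute(
        "SELECT ts, actor, purpose, rows_returned FROM access_log "
        "WHERE lookup_key = ? ORDER BY ts",
        (email,),
    ).fetchall()


# Classic tautology payload: closes the quoted literal and appends an always-true clause,
# turning the WHERE clause into  email = 'x' OR '1'='1'  in the concatenated query.
PAYLOAD = "x' OR '1'='1"


def demo():
    conn = make_db()
    dumped = lookup_vulnerable(conn, PAYLOAD)                      # every customer row
    blocked = lookup_parameterised(conn, PAYLOAD, "support-agent-7", "ticket 4711")
    legit = lookup_parameterised(conn, "alice@example.com", "support-agent-7", "ticket 4711")
    return {
        "vulnerable_rows": len(dumped),                            # 3: whole table leaked
        "hardened_rows": len(blocked),                             # 0: payload is just a string
        "legit_rows": len(legit),                                  # 1: normal lookup still works
        "alice_access_count": len(accesses_for(conn, "alice@example.com")),  # 1 logged read
    }


if __name__ == "__main__":
    print(demo())
```

The log row is written in the same connection as the read, so a lookup cannot succeed without leaving a record; in a production system the log would go to append-only storage the application account cannot modify, and the actor would come from the authenticated session rather than a string passed in by the caller.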

Indian IT — a need for built-in accountability

How does the need for demonstrable compliance affect Indian IT?

Demonstrability will need to be embedded at every level of the process. So a data controller (the enterprise that decides why and how customer data is processed) in the EU that outsources work to a data processor (an enterprise that processes that data on the controller's behalf) in India will need to demonstrate compliance at both ends.

This would mean ensuring proper contracts are in place, evaluating and auditing the security systems at the data processor on a periodic or continuous basis, and ensuring the transfer itself is lawful: either the processor's country offers demonstrably equivalent protection, or appropriate contractual safeguards cover the data.

On the data processor side, this means establishing stringent data protection systems and processes whose effectiveness can be demonstrated both to customers in the EU and to the regulators. Mechanisms to stay ahead of the curve on security vulnerabilities, and systems to continuously monitor and report on the security framework around the clock, need to be put in place.

An efficient and demonstrable data security framework is also a competitive advantage for a data processor, even though it entails some upfront cost to improve the systems.

--

Sreekanth Nemani
ASSERTION

Security & compliance automation expert. Principal Analyst & Product Mgmt Dr. at Assertion. ex-Avaya & VoIP. many patents. research papers. published articles.