GDPR Impact on Indian IT — (2 of 6) Security Measures and Breach Notifications

Sreekanth Nemani
ASSERTION

--

Over the last few years, the European market for Indian IT has been growing three times faster than the US market. For many Indian IT companies, Europe accounts for anywhere between 10–30% of revenue and that share is growing 2–3% year-on-year. Wipro had 9.8% Y-o-Y revenue growth from Europe against only 2.8% Y-o-Y revenue growth in the US. The numbers are similar for other IT bellwethers like Infosys, TCS and Cognizant.

Against this backdrop enters the radical new EU regulation called the GDPR (General Data Protection Regulation), which takes effect on May 25, 2018.

What is the impact of GDPR on Indian IT?
How can Indian IT get ready for GDPR?

In a series of articles, we shall attempt to shed light on the most impactful aspects of GDPR for Indian IT.

This article is the second in the series on ‘GDPR Impact on Indian IT’ and outlines the impact of the ‘Security Measures and Breach Notification’ clauses in the regulation.

Data Breaches on the Rise

We have witnessed a major data breach every couple of months in 2017. In September 2017, the Equifax breach exposed sensitive personal data of 143 million people; in July, Verizon reported the personal data of 14 million customers being exposed; Uber and Imgur followed in November, Deep Root Analytics in June, OneLogin in May, Chipotle in April… the list is never ending.

Considering the size and frequency of exposures and how vulnerable enterprises have been, stronger data protection measures are being mandated by governments. Quite a few of the data breaches this year (like Deep Root Analytics) were not even sophisticated attacks — the unencrypted, unprotected files were freely available on the cloud for people to access for weeks!

Data Security Measures

GDPR imposes stricter obligations on data processors and controllers and offers detailed guidance on appropriate security standards. GDPR puts the obligation on the data controllers (in this context, European enterprises) to work with and engage only those data processors (in this context, Indian IT firms) that implement the necessary technical and organizational measures needed to protect data and to report breaches. GDPR Article 32 describes a full set of measures that a data processor is obligated to undertake.

Under previous data protection laws, the interpretation of what was technically necessary was left to the commission; GDPR is more explicit about the measures that are required (such as pseudonymisation and encryption of personal data, and the resilience of processing systems and services).

The impact on Indian IT is direct. A huge amount of work is required to bring data security practices within Indian IT up to international standards. Additionally, IT firms need to demonstrate their security standards with the necessary certifications in order to convince existing and potential customers to engage with them commercially. All of this requires investment in tools, automation and skill sets for Indian IT firms.

Breach Notifications

GDPR’s definition of ‘data breach’ is the broadest one yet. Previously, data breach laws were triggered only if the exposed information could lead to fraud or identity theft; under GDPR, any breach of personal data triggers the breach notification obligations.

Additionally, data controllers, through their Data Protection Officers (DPOs), are mandated to report a data breach to the regulators within 72 hours. While this obligation applies to data controllers, it has indirect implications for data processors: processors will need to inform controllers within a set time period, and processes need to be established so that controllers can meet the breach notification deadline.

If you are an Indian IT firm doing business with Europe, expect your customers (data controllers) to demand guarantees from you (data processors) in the form of enforceable SLAs for the reporting of data breaches.

--

Sreekanth Nemani
ASSERTION

Security & compliance automation expert. Principal Analyst & Product Mgmt Dr. at Assertion. Ex-Avaya & VoIP. Many patents, research papers and published articles.