GDPR – Changing the Face of Data Protection in IT Outsourcing
“Security is not a product, but a process” – Bruce Schneier Data security and privacy rights have been a burning concern over the years now. With technology booming each day, the significance of having secured data has increased exponentially. There have been laws and policies defined globally to protect the integrity of data as far as possible. There have been initiatives like the data protection drive implemented in the late 1990s, in the European region. But since almost the last two decades, there has been a thriving rush of data-driven technologies that encourage individuals to provide their personal information to a large extent, to external systems. Keeping in mind a wider and in-depth outlook, the European Union (EU) is all set to implement a highly stringent set of global rules and regulations to protect and secure the personal data of citizens through General Data Protection Regulation (GDPR) standards. This directly implies that any organization that handles data of citizens of the European Union will have to abide strictly by the GDPR norms. About to be implemented in the latter half of May 2018, this data protection act will not only affect European markets but will be globally applicable to all those who are handling personal information of EU citizens. It will offer businesses a transparent legal structure and safeguard personal data against misuse and theft.
General Data Protection Regulation – A Glimpse of What It Is Replacing the existing EU’s data protection directive, the GDPR is a dictate by the EU to guarantee the security of citizens’ personal information, all set to roll on the 25 th of May 2018. Organizations will have to strictly follow a certain set of initiatives – technical as well as organizational to protect privacy rights. Not only that, organizations are supposed to keep data security as a prime component while implementing any procedure. In case of a data breach due to non-adherence, there would be financial penalties imposed, up to Euro 20 million or up to 4% of Global annual revenue whichever is higher. Under GDPR, organizations will have to keep security teams in charge, accountable for safeguarding all information connected to people. There are certain key ideologies that contribute to the entire structure of the GDPR standards:
• • • • • • •
Transparency: Data should be in a simplistic and easily understandable manner Purpose Restriction: Data collection should only be for specific and genuine reasons Time Restriction: Data should be permitted access as per stipulated time limits Data Minimization: Data processing should be limited and restricted as per usage Responsibility: The Sole responsibility for data security adherence is on the data controller and data processor Safekeeping: Data processing should be secured against illegal misuse, loss or theft Accurateness: Data should be available in the modern format with utmost precision
5 Key Terminologies That Need to Be Understood Prior to GDPR Implementation •
Data Controllers The data controllers oversee monitoring the private information of stakeholders, be it employee information or customer information or more. They can have data processors help them in processing the private data, within the stipulated norms of GDPR.
•
Data Processors The data processors oversee processing the personal information based on directives provided by data controllers, within the GDPR rules setup.
•
Data Subject The data subject is ideally the person whose data is being visited. There must be an official agreement before the data is processed or controlled.
•
Data Breaches There are chances of a data breach in an organization, in which case, the organization must inform the GDPR establishments within 72 hours of the occurrence of the incident.
•
Data Protection by Design Organizations need to incorporate data protection strategies right in the designing stage of data management procedures, in accordance with the stated GDPR guidelines.
6 Likely Impacts on IT Outsourcing Sector Owing to GDPR Implementation “Cyber Security is critical to protecting our nation’s infrastructure.” – George Foresman Compliance with the GDPR standards is going to be compulsory for all organizations interacting with the EU’s citizen data. But, what is more, interesting is to see what impact exactly will be created on the IT Outsourcing business – one of the most happening and advancing areas globally. IT solution and service providers will have to take up the security aspect of utmost priority to cope up with the consequences of GDPR. Organizations would already be having their own set of security policies but with this novel change, they will have to expand their horizons to fit in the requisite rules and regulations. There are 6 key areas that will need focus, directives and implementation efforts by the IT Outsourcing sector, to fulfill the finest of compliance to the GDPR standards. •
Specific Training / Hiring of Resources Having Comprehensive Understanding of GDPR Standards The GDPR move is no small one. It is a big leap in the history of data security standards and has an elaborate set of strategies to be adhered to. IT outsourcing units will have to be understand that it just cannot be read and implemented by anyone and everyone in the industry. It needs specialized skills and expertise to do so, which can be achieved by identifying specific resources to master their knowledge into it or hire experts in this arena. These experts need to have a thorough understanding and knowledge of GDPR
Articles and Recitals. Organizations need to appoint a Data Protection Officer who is conversant with the GDPR strategies and can assist in complying of business activities that handle personal information of citizens. •
Assessing and Evaluating Potential Risks at all Levels Risk management was very important even earlier. But now with these standards to comply with, evaluating risks and working out mitigation strategies will be more significant and that too, at different hierarchies within the organization. Organizations will have to work on the different routes that information travels, along with interdepartment and intra-department data flow. All stakeholders, starting from the top management will have to be involved for effective compliance to standards.
•
Gauging Current Technologies In certain organizations, there are chances of legal or protected information traversing between geographies with existing technologies. A thorough study needs to be done to understand if the data transfer between countries abides by the GDPR set of rules or not and if not, what necessary technological steps should be taken to do so.
•
Altering Contractual Clauses Between Data Controller and Processor Because of altered and further detailed clauses in the act, there are chances of many changes that would be needed in the contract between the controller and processor. To have a seamless implementation of the GDPR act, it is important to revise the contractual terms between the two.
•
Enhancing Security Measure with the Aid of GDPR Rules & Regulations Organizations do have their own set of security policies but are they full proof? This is the apt opportunity for them to enhance, update and work on a revised security regime that embeds the new directive as well as offers a comprehensive and fully secure work plan. In case of data residing outside the EU, it must be anonymized so that personal information is not revealed and the data traveling from EU to other geographies and vice versa should be thoroughly encoded.
•
Retaining Data in Data Warehouses Enterprises need to ensure that the data must be retained in storage spaces like Data Warehouses specifically for the time duration that is defined while processing the data. Once the data owner withdraws the consensus for storing data, there should be ways and means to delete/archive the information securely. We, as responsible and well-known IT partners of our customers, have a widespread clientele all over the globe, successfully implementing our bouquet of business solutions and services. We are all set to welcome the GDPR directive in our organization& in our
projects to offer the most secure experience to our clients. Watch out for further details soon, on how SPEC INDIA is ready to imbibe this revolutionary data security policy. Visit us @ https://www.spec-india.com/to request for a POC to test drive our services.