The rise of General Data Protection Regulation (GDPR): Is your business prepared? May 2018
Contents
1 Introduction to privacy
2 Introduction to privacy by design
3 Drivers of privacy by design adoption
4 Implementing privacy by design
5 Adoption of privacy by design
6 The way forward
Foreword

As digital disruption continues to challenge privacy norms across the world, cloud, social media and mobile technology advancement is fundamentally altering the personal and professional lives of people across the globe. The constantly changing threat landscape driven by the connected world is forcing law enforcement agencies to enhance the privacy legislation regime regularly. Today, this is one of the biggest challenges encountered by many organizations as they grapple with the introduction of newer legislations and frameworks around data privacy.

The concerns around data privacy impact both consumers and enterprises alike. While consumers are concerned about the misuse of personal and sensitive information, organizations are worried about having a dampening impact on their reputation, brand value, consumer trust as well as revenues.

With the GDPR coming into force from 25 May 2018, organizations will need to evaluate where they stand in their data privacy journey as the onus of accountability shifts from regulators to organizations. Privacy by design is a key concept of the GDPR. Privacy by design means thinking about data privacy and its implications when you’re developing products, features, and even marketing campaigns based on personal data. fi implement appropriate technical and organizational measures to ensure that, by default, only personal data which are fi fi appropriate technical and organizational measures to ensure that privacy and the protection of data is no longer an after-thought and is embedded in the early stages of any project and then throughout its lifecycle.

In our view, many organizations are welcoming this opportunity as a serious initiative to drive data privacy beyond just mere compliance. In light of recent events on data privacy, this is an enterprise wide initiative that will help companies across the globe to be secure and stay secure.
With best wishes,
Jaspreet Singh Partner, Cybersecurity, EY
Sibjyoti Basu Partner & National Business Development Leader, EY India
Introduction to privacy

In a world where more than half the population is online, everything is becoming digitized. Customers today are sharing and receiving information on various portals for entertainment, banking, healthcare, and utility purposes, continuously adding to a large pool of data.
Digital around the world 2018 [1]
• Total population: 7.593 billion (55% urbanization)
• Internet users: 4.021 billion (53% penetration)
• Active social media users: 3.196 billion (42% penetration)
• Unique mobile users: 5.135 billion (68% penetration)
• e-Commerce market for consumer goods: US$ 1.474 trillion (+16% YoY)

Data created in the world is growing rapidly
• 2013: 4.4 ZB
• 2020: 44 ZB
• 2025: 180 ZB
fi fi data to create value and insights.
On 14 April 2016, the Regulation and the Directive were adopted by the European Parliament. The new rules are applicable for two years.
maintaining privacy. With a view on the data priorities of organizations and to safeguard rights of customers and imbibe a sense of accountability in the way personal data is shared and used by organizations.
Emergence of GDPR

On 15 December 2015, following three years of drafting and negotiations, the European Parliament and Council of the European Union reached an informal agreement on the EU General Data Protection Regulation (GDPR). The aims of the GDPR are to reinforce data protection rights of individuals, fl reduce the administrative burden. The GDPR replaces the 1995 General Data Protection Directive and applies directly to each of the 28 EU Member States.
• 2012: fi of the new General Data Protection Regulation was published
• 2014: On 12 March 2014, the European Parliament voted overwhelmingly in favour of new data protection laws
• 2015: On 15 December 2015, the EU Commission, Parliament and Council of Ministers reached an agreement on the GDPR
• 2016: fi Journal of the European Union
• 2 year implementation phase
• 2018: Regulation starts to apply
[1] We are Social 2018 Stats, https://wearesocial.com/blog/2018/01/global-digital-report-2018; World Economic Forum, https://www.weforum.org/agenda/2018/01/data-is-not-the-new-oil/
What is the GDPR?

The EU data protection reform was adopted by the European Parliament and the European Council on April 27, 2016. The European Data Protection Regulation will be applicable as of May 25, 2018 and replace the Data Protection Directive (95/46/EC). The GDPR is an omnibus regulation by which the EU intends to strengthen and unify data protection within the European Union.
The GDPR applies to any organization, regardless of geographic location, that controls or processes the data of an EU resident. It
fi fail to protect the data for which they are responsible.

Why is the GDPR receiving increasing attention?

The EU GDPR introduces a number of new rights for data subjects and several obligations which will directly impact data controllers and data processors, non-compliance with which will lead to tough penalties as high as €20,000,000 or 4% of annual global revenues.

Scope of GDPR

GDPR focuses on the processing of data by automated means but fi system. GDPR applies in three circumstances:
• Establishment and processing of personal information in the Union
• The monitoring of the behaviour of data subjects as far as their behaviour takes place within the Union.
• Organization offering of goods or services, irrespective of
subjects in the Union.
GDPR applies globally and companies outside the EU will have to comply with the Regulation if they process EU persons’ personal data.
[Figure: decision flowchart for GDPR applicability. Questions shown: Does the company have a presence in EU? Is the company’s customer an EU citizen? Does the processing relate to offering goods or services in the EU? Does the processing relate to monitoring the behavior of persons in EU? Outcomes shown: GDPR applies; GDPR does not apply.]
Key changes proposed by the GDPR

• Hefty penalties: Breach of the GDPR will result in substantial fi turnover, whichever is greater
• Expanded scope: Applies to all data controllers and processors established in the EU and organizations that target EU citizens
• Mandatory appointment of Data Protection Officers (DPOs): DPOs must be appointed if an organization conducts large scale systematic monitoring or processing of large amounts of sensitive personal data
• Obligatory breach notification: Notify supervisory authority unless the breach is unlikely to be a risk to individuals. If there is a high risk to individuals, they must also be informed
• Data controllers must report personal data breaches to their supervisory authority and in some cases, affected individuals, in each case following fi
• Data processors must report personal data breaches to data controllers
• Data controllers must maintain an internal risk register
• Non-compliance can lead to an administrative fine

[Figure: Data breach notification process. Stages shown: Breach; Awareness of breach; Investigate breach; Notify Supervisory Authority (if likelihood of risk to individuals), without undue delay (no later than 72 hours); Notify data subject (if likely to result in risk to individuals), without undue delay.]

What is a data breach?
Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed

72 hours is the timeline within which breach fi authority

Reference: https://gdpr-info.eu/

• Stringent consent requirements: In addition to basic data protection principles, consent is subject to further conditions under the new Regulation
Where relying on consent as the basis for lawful processing, it must be additionally ensured that:
agreements or declarations
• Provision of services is not made contingent on consent where it is not necessary for the service to be supplied
• Data subjects are informed of the right to withdraw consent at any time (through simple methods)
• Separate consent is obtained for distinct processing operations
information
• Risk based Privacy Impact Assessments: Organizations must undertake Privacy Impact Assessments when conducting risky or large scale processing of personal data
• Broadened data subject rights: Organizations should have processes to manage the below given new rights:
• The right to be forgotten: The right to ask data controllers to erase all personal data without undue delay in certain circumstances

[Figure: Data subject rights. Labels shown: Right to information; Right to access; Right to rectification; Right to portability; Right to erasure; Restriction of processing; Object to processing; Right to notice.]

• Adequate protection for cross-border transfers: guarantee on data protection is provided— such as standard contractual clauses or binding corporate rules (BCRs)
• Obligations on processors: regulated entity
• Privacy by design and default: Data protection safeguards must be built into products and services from the earliest stage of development. Privacy settings must be set at a high level by default. Data protection by default notion includes data minimization principles
• Accountability and data governance: Organization must prove they are accountable by:
• Establishing a culture of monitoring, reviewing and assessing data processing procedures
• Building in safeguards to data processing activities
• Documenting data processing policies, procedures and operations that must be made available to the data protection supervisory
Principle of “Accountability”

• Controllers are responsible for the compliance of their processing operations with data protection rules
• Controllers should have documentation ready and be able, at any time, to demonstrate compliance with data protection provisions to data subjects, to the general public and to supervisory authorities

Adopt policies and implement appropriate measures to ensure personal data is secured throughout the entire data lifecycle

Personal Data Lifecycle Management: Appropriate collection of data; Relevant use of data; Managed disclosure; Appropriate retention and disposal; Review privacy

• Ensuring the accuracy of personal data fi that the personal data held by them is accurate and can be corrected if errors occur
• Limiting the storage of personal data: Organizations will need to ensure that they retain personal data only for as long as necessary to achieve the purposes for which the data was collected
• Ensuring security, integrity and confidentiality of personal data. The organization must take steps to keep personal data secure through technical and organizational security measures

Incentives beyond GDPR compliance

The organizations which have started their compliance journey have been successful in differentiating themselves from their competition by proactively developing trust with their customers on handling their sensitive data. These stronger customer relationships present opportunities for organizations to retain or increase their revenues from customers dealing with personal data from EU. Further, compliance with GDPR presents compliance as well as business incentives.
• On the compliance front, GDPR transformation program is helping organizations avoid distraction and business disruption arising fi recovery from breaches and potential lawsuits. Also, compliance with GDPR will lead to effective management of increasing pressure from the regulators
• Similarly on the business front, privacy has become one of the key drivers to enhance brand reputation and to ensure privacy and trust while the added value of new digital propositions are realized. These initiatives help organizations to meet stakeholders’ privacy as ethical responsibility towards clients
• Create a new business line in the form of GDPR-as-a-service or DPO-as-a-service
Key safeguards to be adopted by organizations

The GDPR has underlined multiple changes, however there are certain key safeguards that organizations can take to ensure that they start their compliance journey for GDPR.
Gap assessment to identify current state
Implement privacy by design and default
fi of processing activities
Data protection Impact Assessments (DPIA)
fi availability and resilience of processing services
Introduction to privacy by design

The personal data collected requires a governance plan as there are risks of exposure, unauthorized access, and hacks. Hence, to address these ever-growing data and privacy risks, the idea of privacy by design was developed in the 90s. It is now being embraced by regulatory authorities to safeguard user privacy.
Privacy by design has seven principles which should be applied in order to maintain privacy (Figure 1).

Definition
Privacy by design (PbD) is a concept which enables organizations to have privacy embedded in the design and architecture of information systems, business processes and networked infrastructure.

Figure 1: Foundation Principles
• Proactive not reactive, preventative not remedial: Anticipate and prevent privacy invasive events before they happen. The aim is to prevent them from occurring
• Privacy by default: IT system or business processes
• Embed privacy into design: Privacy measures embedded in the IT systems and business processes and not as an add-on
• Full functionality — positive sum, not zero sum: fi
• End-to-end security — full lifecycle protection: All data should be securely retained as needed and destroyed when no longer needed
• Visibility and transparency — keep it open: Assure all stakeholders that business processes or technology involved, are operating according to the fi
• Respect for user privacy — keep it user centric: Keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options
Drivers of privacy by design adoption

Implementation of privacy by design is primarily driven by two factors, the stringent privacy regulations coming into force and rising data breaches and associated costs.
Regulatory requirements:
Privacy by design in the past was not mandated by any law, rather it was seen as an approach to ensure compliance. However, in 2016, European Union General Data Protection Regulation adopted the approach and gave a deadline for implementation by 25 May 2018. Article 25 of the regulation covers data protection by design and by default. It prescribes the following:
• Privacy by design: Companies must put technical and organizational measures such as pseudonymisation in place – to minimize personal data processing.
• Privacy by default: Companies must implement appropriate technical and organizational measures for ensuring that, by default, only personal data which is necessary for each fi fi
fi greater. The regulation will impact organizations across the globe that do business within the fi
Companies which were till now only mandated to protect personal data, now need to embed privacy across the life cycle of data. There will be legal implications for wrongful data collection, fi is one of the biggest drivers for companies to implement privacy by design.

Messaging service provider changed minimum age of users to comply with GDPR
In April 2018, a global messaging service provider raised minimum age for users from 13 to 16 across the EU. The GDPR has a processing data of children below 16 years of age to get consent from the holder of parental responsibility. In line with this policy, the messaging service provider has also suspended its policy change wherein it could share phone numbers and other information with social media sites for effective target advertisements.
Technology company refunded for wrongful in-app purchase
fi refund a large amount for kids’ in-app purchases to its customers in a settlement with the Federal Trade Commission (FTC). In the complaints made by users, the technology company was charged with violating the FTC Act by not telling users that entering a password to approve an initial in-app purchase would allow 15 minutes of additional purchases without further authorization needed. As a part of the agreement, company was also asked
purchase.
What is personal data as per GDPR?
‘Personal data’ means any information relating to an fi as the following:
• Name
• Location data
fi fi physiological, genetic, mental, economic, cultural or social identity
Rising data breaches and associated costs:
There has been a disturbing trend of rising personal data breaches (breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data). The key reason is organizations do not have instead on proactive policies. With the growing number of breaches, customers are concerned about protecting their privacy and identities more than ever before. 68% of the customers do not trust brands to handle their personal information appropriately, such as name, email, location or marital status. In 2017, a total of 1,765 breach incidents occurred of which fi two major type of breaches. According to Ponemon Institute’s million. There are also post data breach costs which include help desk activities, inbound communications, special investigative identity protection services and regulatory interventions. fi reputational damage that may lead to abnormal turnover or churn rates as well as a diminished rate of new customer
69% would boycott a company known to
55% of respondents would avoid giving data to a company they know had been selling or misusing it before.
Consumer credit reporting agency lost 147.7 million users’ personal data
In 2017, a global consumer credit reporting agency witnessed bureau’s website software. The hack granted attackers access fi names, dates of birth, Social Security numbers, and other personal information of 147.7 million US consumers. With the stolen identity details, attackers can apply for lines of credit in the victims’ names. The company faced widespread criticism and the share prices dipped 34% within eight days after the breach disclosure.

Health app compromised 150 million users’ data resulting in decline in share value
In 2018, data from about 150 million users of a health app was compromised sending the value of shares of the company down 3% in after-hours trade. The stolen data included account user names, email addresses and scrambled passwords for the app. However, Social Security numbers, driver license numbers and payment card data were not compromised.

Social media giant lost credibility and share value due to data sharing scandal
In 2018, a global social media giant came under the scanner for a data breach wherein the personal data of 87 million users around fi fl them. Post the incident, the company’s reputation fell dramatically share value within 10 days of news of the scandal.

Multinational technology company paid US$17 million due to a privacy breach
fi their consent or knowledge. The case involved the technology company bypassing the privacy settings in a well-known web browser to use cookies for targeted advertisement.
Implementing privacy by design

A major change caused by implementing privacy by design is that companies would need to consider privacy at the very start of product development. Privacy has to be an integral part of the company strategy and needs to run through processes via policies and procedures.
Regulatory requirements:
EY has developed a privacy program model (Figure 3) which focuses on program, operations and the monitoring of privacy in an organization.
To start with, both privacy by design and privacy by default of new products and services to have enough basic knowledge on privacy. The guidance should be in simple language for everyone to understand and training sessions should be held. functions to insert and monitor privacy. Clear policies, guidelines and work instructions related to data protection should be developed and a privacy specialist should be available to assist in
Operations: Data privacy programs rely heavily upon the implementation of strong policies and processes to enforce and respond to incidents in a timely manner.
While implementing privacy by design, the following should be considered:
• Conduct Data Privacy Impact Assessment (DPIA) to enable organizations to analyze how a particular project or system will affect the privacy of the personal data involved. It is similar to a risk assessment for privacy.
Program: Devise strategy wherein roles and responsibilities of fi accountability is established with governance processes and data owners are made to understand their responsibility for classifying and protecting sensitive information.
fl strategy. It focuses on minimizing the amount of personal data that is collected, processed, stored and disseminated; hiding fi how their personal data is used.
Monitoring: Teams and tools supporting data privacy and protection programs should be integrated to allow for correlation organization. Effectively linking to security programs and implementing privacy by design will allow for early detection of privacy breaches and non-compliance issues.
[Figure 3: EY’s Privacy Program. Labels recoverable from the figure:
• Privacy life cycle: 1 Appropriate collection of data; 2 Relevant use of data; 3 Managed disclosure; 4 Appropriate retention and disposal; 5 Review of privacy expectations
• Other labels: Governance; Supporting governance roles; Operations; Sustenance; Privacy strategy/charter; Privacy policy; Regulatory reporting; Executive reporting; Training and awareness; Managing public perception; Managed lines of defence; IT and information security; Legal and compliance; Communications and crisis management; CPO/Privacy Office; Risk and compliance; Audit; Data owners; Data processors; Data collectors; Privacy by design; Risk management; Incident management; Vendor due diligence; Consumer request/complaints; Data classification; Personal data inventory management; Cross border data management; Data flow management; Privacy audit; Regulatory expectations; Internal expectations]
Source: EY Privacy by Design – GDPR, May 2017
EY’s data privacy transformation approach integrates all data privacy-related services into a single offering. It focuses on five major pillars as given below:
• Program: It focuses on aligning the current framework with policies and procedures, privacy policy, reporting and training and awareness of employees and key stakeholders.
• Supporting governance roles: The framework focuses on establishing a governance framework with roles and governance and overall compliance.
• Privacy lifecycle: The framework will concentrate on the end fl disclosure, transmission, retention and disposal) and will fl
• Privacy by design: As privacy by design is one of the key elements of GDPR which focuses on embedding GDPR into the DNA of an organization, the EY framework will ensure that all processes/functions having personal data incorporate privacy by design and default.
• Monitoring: To run a successful privacy program, it is pivotal fi metrics for periodic monitoring and continual improvement.
The model is self-evolving and agile to accommodate the unforeseen changes and adapt accordingly to the organization’s needs.
Adoption of privacy by design

A combined push from regulators and customers to have a stringent check on personally identifiable data storage and usage has led to companies acting on privacy by design certified platforms and apps. The initiatives are also being supported by governments to promote implementation of PbD by companies.
Initiatives by industry

Healthcare
• Secured mobile health apps: European Data Protection Supervisor (EDPS) announced the launch of a contest to design mobile health (m-health) applications implementing Privacy by Design and by Default principles.
• Patient data anonymization: A Hospital in Barcelona collaborated in the CLARUS project for a privacy-by-design approach to protecting healthcare-sensitive information using Encryption and Anonymization.

Technology
• Development of software privacy ecosystem: An Indian Tech Company partnered with GDPR solutions provider fi
• PbD compliant mobile advertising service: fi and advertising service utilizing customer base of global network operators to create a secure, anonymised, Privacy by Design database of carrier derived data.

Government
• E-Government initiative utilizing PbD: Australian Government implementing Privacy by Design in Govpass, digital fi fi and other information.
• Blockchain based identity management: An Indian State government’s information technology arm is developing a proof of concept on using blockchain technology for identity management utilizing Privacy by Design.

Media
• PbD compliant social media analytics portal:
The way forward

Till now privacy was more of an afterthought rather than an effort to embed it into the project or application lifecycle but in future this will change. Going forward privacy is going to be a key area of action for government and companies, as the unlawful use of personal data could not only hamper the users but also governments and companies across the globe. of large organizations will have a privacy management program fully integrated into the business, up from 10% in 2017. By 2019, half of the world’s larger companies that process personal data will perform privacy impact assessments; fi process.

Privacy by design will bring in a change in mindset and lead to the responsible use of an individual’s data. This will result in increased trust of users with the organizations, their applications and systems delivering positive-sum outcomes. In the future, implementing privacy by design can both demonstrate compliance and create a competitive advantage for companies.
Contact us EY GDPR/Privacy Team: Jaspreet Singh Partner - Cyber Security, EY India Email: Jaspreet.Singh@in.ey.com Sibjyoti Basu Partner & National Business Development Leader, EY India Email: Sibjyoti.Basu@in.ey.com Lalit Kalra Senior Manager – Cyber Security, EY India Email: Lalit.Kalra@in.ey.com
EY Knowledge (EYK) Team: Gaurav Sharma Assistant Director, EYK Email: Gaurav.Sharma1@in.ey.com Ankita Singh Assistant Manager, EYK Email: Ankita.Singh1@in.ey.com Shweta Verma Assistant Manager, EYK Email: Shweta.Verma@in.ey.com
In a future where data is everywhere, who will keep it out of the wrong hands? To find out, participate in the EY GDPR readiness survey today by visiting ey.com/in and be a part of the GDPR preparedness journey.
Ernst & Young LLP
About ASSOCHAM
EY | Assurance | Tax | Transactions | Advisory
The Associated Chambers of Commerce and Industry of India (ASSOCHAM), India’s premier apex chamber covers a membership of over 4 lakh companies and professionals across the country. ASSOCHAM is one of the oldest Chambers of Commerce which started in 1920. ASSOCHAM is known as the “knowledge chamber” for its ability to gather and disseminate knowledge. Its vision is to empower industry with knowledge so that they become strong and powerful global competitors with world class management, technology and quality standards.
About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
ASSOCHAM is also a “pillar of democracy” as it reflects diverse views and sometimes opposing ideas in industry group. This important facet puts us ahead of countries like China and will strengthen our foundations of a democratic debate and better solution for the future. ASSOCHAM is also the “voice of industry” – it reflects the “pain” of industry as well as its “success” to the government. The chamber is a “change agent” that helps to create the environment for positive and constructive policy changes and solutions by the government for the progress of India.
Ernst & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit www.ey.com/in. Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata - 700016
As an apex industry body, ASSOCHAM represents the interests of industry and trade, interfaces with Government on policy issues and interacts with counterpart international organizations to promote bilateral economic issues. ASSOCHAM is represented on all national and local bodies and is, thus, able to pro-actively convey industry viewpoints, as also communicate and debate issues relating to public-private partnerships for economic development. The road is long. It has many hills and valleys – yet the vision before us of a new resurgent India is strong and powerful. The light of knowledge and banishment of ignorance and poverty beckons us calling each member of the chamber to serve the nation and make a difference.
© 2018 Ernst & Young LLP. Published in India. All Rights Reserved. EYIN1805-003 ED None This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor. JS