Sizing Up the Impact of GDPR in India
Infosys's Privacy Chief Srinivas Poosarla Offers Compliance Insights
The European Union's General Data Protection Regulation, or GDPR, which will be enforced starting next May, imposes steep penalties for organizations that handle Europeans' data and fail to meet its requirements.
"It's this potential financial impact that is making organizations relook at the rigor of data privacy controls deployed and leave no stone unturned," says Srinivas Poosarla, vice president and head, global privacy and data protection at Infosys. "We see this being discussed in various forums, conferences related to data privacy, data security, law and IT."
In this interview (see edited transcript below), Poosarla discusses:
- GDPR requirements that may be challenging to implement;
- How the requirements will affect Indian organizations;
- How GDPR will lead to prompt breach notifications.
At Infosys, Poosarla plays an active role in privacy initiatives both in India and internationally. He is a designated expert in the data privacy working group of the International Organization for Standardization committee and is convener for the Bureau of Indian Standards' National Core Group constituted to draft a data privacy standard for India. He is also a member of the Asia Advisory Board of the International Association of Privacy Professionals.
(The views expressed by Poosarla are his own and do not necessarily reflect those of the organization where he works.)
India's Preparedness for GDPR
SUPARNA GOSWAMI: What's the impact of GDPR on Indian organizations, particularly on the Information Technology companies? Any thoughts on their preparedness?
SRINIVAS POOSARLA: With GDPR, organizations will be required to make changes to the way they process personal data and deploy stricter data privacy controls, some of which are not easy to carry out. There is some uncertainty on how GDPR will be enforceable on organizations that do not have any presence in the EU.
The requirements of GDPR are widespread and touch all major facets of an organization, including people, process and technology. While the approach and steps for an organization to achieve compliance with GDPR will depend on factors such as the size, number of operational locations, nature of data processing, extent of decentralization of data processing, current privacy maturity and organization structure, typical steps would be:
- Create a data privacy officer reporting to top management. Provide that office with resources, empower it and make it accountable for ensuring data privacy compliance;
- Since data processing and privacy in organizations cut across various internal functions such as sales and marketing, CIO, HR, CISO, among others, establishing a cross-functional program management office may help in coordinated efforts;
- Identify and establish, if not already available, personal data inventory and processes;
- Involve various stakeholders, such as customers, vendors, employees and any third parties, and determine GDPR requirements applicable to the organization - both as a data controller and data processor. And conduct a gap analysis against the requirements;
- Implement necessary changes to close the gaps, using tools and technology to the extent practicable, and while taking into consideration the organization's risk appetite;
- Introduce privacy principles into the design of personal data-related processes, solutions and products;
- Ensure that there are mechanisms to fulfil various data subject rights;
- Get independent audits conducted to verify compliance.
Privacy & Compliance
GOSWAMI: How do practitioners handle privacy and compliance issues as part of the regulation?
POOSARLA: The whole industry has taken GDPR seriously. And given the potential financial impact for noncompliance, it will surely be a board agenda item for most organizations with physical or market presence in the EU. We see this being discussed in various forums, conferences related to data privacy, data security, law and IT. The data protection officer's role is being created by organizations, where not present. Insurance is also one of the measures organizations may take, but it is surely not a substitute for a rigorous data privacy program; it can, at best, complement.
With [less than a year] to go [before enforcement begins], there is a lot to be done, particularly for those organizations which have so far not focused on data privacy compliance. Moreover, unlike security, where we have standards such as ISO 27001, which, when achieved, give a sense of comfort to the CISO and the board, in the case of GDPR the absence of a code of conduct or standards as of now makes it difficult to determine how much rigor and depth of implementation of practices is required to be compliant with GDPR.
Doing more will put pressure on cost; doing less may increase the risk of breaches. Either way, it is about financial impact, and hence, the key is for organizations to determine their exposure to privacy risks depending on the nature of data processing involved and accordingly develop a plan of action on GDPR.
Data Protection Officer
GOSWAMI: GDPR recommends having a data protection officer. How does it apply to the Indian environment?
POOSARLA: Today we see many organizations in India not having a dedicated DPO function, in the absence of a regulatory requirement, and they would have left it to the chief risk officer [CRO], general counsel, or CISO to handle any data protection related matters. The IT (Sec. 43A) Rules 2011 mandate appointment of a grievance officer, but the purpose was more to handle any discrepancies and grievances of data subjects. With GDPR, even organizations in India will have to create a DP function if they either undertake large-scale processing of sensitive personal data [of Europeans] or do systematic monitoring of individuals located in the EU.
Two major challenges in achieving this are the skills shortage and DPO positioning in the organization. There is a visible skill shortage, especially since data privacy is not a specialization offered yet in universities, and India never had a job market for such professionals.
DPO positioning will require cultural change within the organization, since GDPR mandates independence of the function and reporting to the top management, which is difficult to achieve if the DPO is part of one of the existing functions such as CRO or CISO.
GOSWAMI: How will GDPR's emphasis on reporting breaches influence Indian organizations?
POOSARLA: The breach notification [provision in GDPR] has two primary objectives. The first part is about the requirement to have the organization inform the regulatory body about a security or data breach, and the second part is about providing mandatory and prompt information to affected individuals.
In India, while there are a few regulations, such as CERT-In's rules and RBI's cybersecurity framework, that address [notification of regulators], there are no [regulations] on the latter part - which is extremely important and intended to help individuals contain or prevent damage when their data is leaked.