With the enforcement of the GDPR in terms of online data collection, many companies have started raising the bar for collecting personal data of users and obtain their consent for data usage.
Companies like Google, Facebook, Microsoft, among others, are updating terms, rewriting contracts, and rolling out new personal data tools in preparation for a shift in the legal landscape of online data collection.
The Wall Street Journal reports that CIOs and CISOs should give attention to the following six areas.
# Increased record-keeping
# Data protection impact assessments (DPIAs)
# Privacy by design
# Data portability and erasure
# Security for privacy
# Third-party risk management
CIOs at Indian enterprises need to place compliance and data security as a top priority considering the cost for violating these privacy laws. Violation of GDPR can cost up to 20 million Euros or 4 percent of annual turnover, whichever is higher, for intentional or negligent violations.
“With those kinds of stakes, investing in compliance now is the only right move for a sustainable business model. Pragmatic compliance does not need to be an expensive exercise too. Expenses are relatively low if implemented with a common sense approach,” George Chang, VP, APAC, Forcepoint, said.
Enterprise CIOs feel that most business houses are trying to put their house in order to be compliant with the data privacy and data protection related requirements of GDPR.
“Organizations which are equipped with the principles of GDPR would be future-ready for the new Indian legislation,” Supratim Chakraborty, associate partner at Khaitan & Co, said.
The GDPR applies to companies in Europe (specifically those in the EU / EEA) and it will affect an Indian company which has a European office, or is marketing to European customers.
“Companies had a long time to prepare for GDPR, but as the GDPR bar is quite high, many may be struggling to be ready come 25th May 2018,” Arun Balasubramanian, managing director of Qlik India.
Microsoft has over 300 engineers focused on GDPR compliance and adopted over 30 controls based on GDPR.
“We have made significant investments in our products and services to help our customers with GDPR compliance within Azure, Office 365, Windows, EMS, SQL Database and Dynamics 365,” Anant Maheshwari, president of Microsoft India, said.
Google is rolling out new features which allow a user to check what information Google is collecting and storing about them. This will build trust and create an environment that is transparent.
Transparency, in the GDPR sense, means that data processors have to declare which data is being stored, in which way it is being processed, and for what purposes it is being used. User consent terms now include stricter “terms of service” and “click to proceed” formalities for companies to collect data.
The new changes around data security lead to companies providing a client database that is up-to-date, even if someone decides to opt-in and opt-out within the minute.
Big digital companies like Facebook and Google need explicit consent of users before being able to use their data for advertising purposes. GDPR in the Google platform affects different AdWords features and location targeting as used in Google maps, because now users cannot be easily targeted based on geographical proximity.
A new feature from Google allows a user check what companies are collecting about them and it could help solve platform dominance by letting users transfer data between networks. For example, if you want a way to export your Facebook messages to Gmail, the new portability requirements will ensure there’s a way to do it.
With new GDPR, contracts between companies will also be a lot more complicated than previous “I Agree” dialogs. GDPR also states that companies are to comply with subjects’ requests to delete their data if they exercise their right to be forgotten, which gives the power of consent for their subjects. Thus the new regulation creates a platform of trust and confidentiality.
The stringent terms and conditions implemented as part of GDPR will eventually benefit the society. The regulation encourages businesses to re-evaluate and improve their cybersecurity strategy, which builds a healthy data protection practice on their customers. It also improves the security monitoring systems which will help the organizations and their users to reduce any kind of attack.
GDPR emphasizes the importance of being a responsible data controller and for companies it gives an opportunity to become more customer-centric, which is beneficial for maintaining equilibrium in the society. It also encourages companies to make it a priority to ensure that customer data is accurate, up-to-date, and of good quality.
By adhering to GDPR, companies will cultivate the values of data security in their employees and nurture social responsibility in business. GDPR introduces a new mind-set of respecting customer privacy.
Yadawanka Pala
