The General Data Protection Regulation (GDPR) is the regulation by which the European Union (EU) strengthens and unifies data protection law across its member states.
Scope: The regulation applies to any organization that processes the personal data of individuals in the EU (data subjects), regardless of their citizenship. It also applies to organizations established outside the EU that process or access the personal data of individuals located in the EU, for example when offering them goods or services or monitoring their behaviour.
Timeline: The regulation was formally adopted in April 2016 and becomes enforceable after a transition period of two years, i.e. from 25 May 2018.
Below are some of the key points about the rules:
- Territorial reach is now global: Any organization processing or holding personal data of individuals in the EU may be affected, wherever it is established.
- Accountability and privacy by design: GDPR shifts the onus onto the organizations that use EU residents' data. They must be able to demonstrate compliance, carry out data protection impact assessments where processing is likely to be high-risk, and implement technical measures such as encryption, pseudonymisation and data masking.
- Consent requirement: Where processing is based on consent, it must be freely given, specific, informed and unambiguous. The data subject must be told which categories of personal data are collected and the purposes for which they will be processed.
- Data subject rights: the right to erasure ("right to be forgotten"), the right of access, the right to rectification, the right to restrict or object to processing, the right to data portability, and others.
- Need for a Data Protection Officer (DPO): A DPO must be designated to monitor the organization's internal compliance with data protection law. The obligation applies to public authorities and to organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; the 250-employee threshold from earlier drafts did not survive in the final text, where it applies only to the duty to keep records of processing activities.
- Data breaches: The controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach. Where the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, they must be notified as well.
So what is the big deal about it? It is a big deal because the penalties for non-compliance are substantial: up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for lesser infringements, and up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious ones.
Let's take a peek at what this seemingly small 2% represents:
For the top European organizations alone, the value at stake is close to $170 billion. Accounting for every organization affected by GDPR, the value at stake is far larger.
This calls for targeted action by every organization impacted by GDPR to safeguard its revenues.
Where can TCS help organizations?
For starters, TCS is developing a control testing assessment framework to determine an organization's readiness against the GDPR requirements. This serves as a starting point for any organization and its CIO to identify the gaps, estimate the investment required to close them, and set up a tactical group to do so.
TCS also offers a host of data privacy tools, such as TCS Data Masker, Mastercraft, TCS Crystall Ball and others, each addressing pain points related to privacy protection and regulatory compliance.
GDPR has thus redefined how personal data must be safeguarded. TCS understands the need for GDPR compliance and its implications, and is tailoring its service offerings to best fit customers' needs.
Authored by Siddharth V
TCS Enterprise Security and Risk Management