Restoring Trust In The Digital Economy
General Data Protection Regulation separates the world of personal data handlers into enterprises that control personal data and those that process personal data
The exponential rise of digital technologies has truly transformed the way we live. What makes the digital economy thrive is the seemingly infinite data processing capability of vast enterprises. Big Data technologies help enterprises identify potential consumers, increase loyalty, price products better, and cross-sell and upsell products to consumers. As data explodes due to billions of connected devices, it is imperative to protect that data against any misuse.
Acknowledging the rapid growth in the use of data, the European Union adopted the General Data Protection Regulation, GDPR, in April 2016. GDPR comes into effect on the 25th of May 2018. GDPR mandates are very specific about how personal data should be handled, protected and consumed. GDPR legally empowers consumers, who are now in charge of how their own data can be handled by the enterprises they trust and choose to do business with.
GDPR separates the world of personal data handlers into enterprises that control personal data and those that process personal data. Data controllers receive data from European Union residents. Data controllers may pass on personal data to data processors to complete business transactions. For example, when applying for a loan, a consumer may submit data to a loan agency, which is a controller. The agency may pass on this data to a bank, which is then a processor. The onus of protecting this data lies with both types of enterprise. The fines for non-compliance can be up to 4% of an enterprise's global turnover or 20 million euros for every major breach. In addition, once a breach has been detected, the enterprise needs to notify the supervisory authorities within 72 hours of the breach.
Typically, under the scope of GDPR, organizations will be made to address the following aspects:
- Data loss protection
- Data breach identification and notification
- Data discovery, cataloging and classification
- Cloud storage and sharing services
- Encryption of personal data at rest and in transit
- Regular security testing
Translating the law into compliance by global enterprises is a complex affair. For example, a bank typically interacts with hundreds of other banks, financial institutions, government bodies and third-party systems. Compliance with GDPR means identifying where personal data is stored, how it is being transferred to external processors and how it needs to be secured. In an increasingly digitally connected ecosystem of suppliers, vendors and government bodies, GDPR means securing business processes that span multiple organizations. This also means minimizing data exposure by using only the bare minimum of data required to conduct business, monitoring data centres for breaches, and being able to act promptly when a breach does occur. Additionally, an enterprise's staff need to be made aware of the proper use of personal data and have documented, authorized access to such data. A consumer's consent to the use of their data needs to be explicit and may be withdrawn at any point in time.
The last few years have seen exponential growth in the adoption of Big Data analytics, digitalization and cloud computing by businesses. CIOs have aligned their finances, staff effort and time so as to gear up for the digital economy, which emphasises consumer experience, consumer behaviour and predicting consumer actions. Companies such as banks, insurers, telecom operators and retail enterprises are assembling huge amounts of personal data, which is increasingly seen as essential for competing in the new economy.
Reorienting software applications to comply with GDPR is estimated to be a USD 45 billion opportunity for the IT sector. This complements the important role played by Indian IT service providers in enabling digital transformation for global enterprises. GDPR has opened up new avenues for growth for service providers that specialise in digital security, business process reengineering, software testing, compliance, risk and governance. GDPR will also see increasing use of EU-based nearshore delivery centres in the short term. There will also be greater demand for enterprises to set up local data centres in the EU region so as to minimize the risk of exposure.
GDPR is the catalyst required to enhance digital capabilities of an enterprise and will boost digital business across the world. GDPR should not be feared. Lack of trust should be.
Disclaimer: The views expressed in the article above are those of the authors and do not necessarily represent or reflect the views of this publishing house. Unless otherwise noted, the author is writing in his/her personal capacity. They are not intended and should not be thought to represent official ideas, attitudes, or policies of any agency or institution.