Most companies are not ready for EU GDPR Legislation

A new-data protection law - the General Data Protection Regulation (GDPR) being rolled out on May 25 - is the most comprehensive set of rules being put forward globally to strengthen data protection and privacy of users.

However only a third of India’s IT services firms are compliant with the European data protection law to be effective in May, say analysts, warning that potential damages of any breach of privacy of user data from the continent could cost companies as much as 4per cent of their revenue.

The policy enforces rules and responsibilities for corporations to be more transparent in acquiring user data, stick to unambiguous ways to seek consent and allow the user to withdraw consent. “Only 30-35per cent of all IT/ ITeS companies have started their journey to work towards GDPR compliance,” said Jaspreet Singh, Cyber Security Partner at EY.

For technology services companies, newer policies will conflict with decades-old technologies where their client and record-keeping systems need rework. For instance, a legacy application that does not support any kind of login, will need to put in place a login interface to keep a record of the people who accessed it. This should be open for audit by European authorities.

The data protection regulation may cost dearer to the Indian software service exporters too as they foresee deployment of more resource for compliance and probable rework in client contracts.

Industry analysts suggest even though the GDPR norms will be applicable across all industries, firms that deal with BFSI, retail, utilities and healthcare are likely to invest in greater compliance as they deal with health and financial data of users to provide service on behalf of their clients.

WinMagic, a data security company has released the findings of research that suggests many companies will not be ready when it takes effect on May 25th, 2018.

The research of 482 IT Decision Makers was conducted during March 2018 in the UK, Germany, India and the US by Viga.

India centric Findings -

• 21% of companies in South India do not use automatic geo-fencing to prevent moving of data outside of the legal jurisdiction it resides
• 73% of companies in Central India and 74% in East India do not check whether customers have given permission for their records to move from the companies’ servers to partners’ servers
• 24% of companies in South India using cloud-based services for data know the physical storage location belonging to some services only
• 88% of Indian companies ensure that all personal identification information is anonymized and encrypted across on-premise services and devices
• 63% of companies based in North-East India do not have complete confidence in precisely identifying information that has been exposed during a data breach (internal or external)
• 39% of companies in West India are still cautious about their EU GDPR preparedness and 30% are stressed, while 40% in North-East are feeling nervous about

Across all geos -

• 62% of IT Decision Makers (ITDMs) surveyed describe themselves as ‘confident’ in the build-up, with 1 in 5 (18%) saying they are nervous.
• Only half (51%) of companies say they have all the systems in place that will allow them to remove EU Citizen data from servers upon the request, including back-ups, in accordance with Articles 16 & 17 of GDPR.
• Worryingly, a fifth (21%) do not yet have any systems in place.

In many cases, companies lack the systems and processes to ensure compliance with the new legislation which affects all companies holding and processing EU citizen data. They must have “appropriate technical and organizational measures” in place to safeguard personal data, as well as minimize data collection, processing and storage. Non-compliance can lead to fines of €20 million or 4% of turnover, but this is far outweighed by the reputational damage that can occur from a data breach where non-compliance has heightened the risks for citizens.

Continuous encryption can be complicated to implement in modern environments where infrastructure and data span both cloud and on-premises servers. Where companies lack strict security and encryption management for technologies such as virtual machines and hyper-converged infrastructure, uncontrolled data sprawl can be common, leading to silos of hidden data, and a fragmentation of governance, that leaves companies non-compliant, and at risk of heavy fines.