With enforcement of the European Union's General Data Protection Regulation beginning on May 25, many organizations in India are still scrambling to achieve compliance in protecting personal data using effective security controls, appropriate data inventory control and data governance mechanisms.
Information Security Media Group assembled a panel of experts to size up regional compliance efforts and offer advice and insights. Organizations worldwide that handle Europeans' data must comply with the EU regulation.
"While a few organizations in India are prepared to comply with GDPR regulation, most are yet to catch up with this stringent regulation, which demands organizations to ensure free flow of data among different entities," says Bengaluru-based Sethu S. Raman, senior vice president and chief risk officer at Mphasis, a business process outsourcing firm. "Toward achieving compliance, the regulation demands organizations ensure effective organizational structure, along with accurate inventory of personal data - a daunting task."
Another panelist, Hyderabad-based Subhajit Deb, CISO at Dr. Reddy's Laboratories, notes that organizations must understand what data they collect, where it resides, who has access to it, what kind of process is involved in mapping it and "what is required to honor and acknowledge data subject rights in the context of the regulation."
Mumbai-based advocate and privacy expert Vicky Shah notes that GDPR strongly emphasizes the need for accountability, auditing and creating an incident response mechanism for organizations. "Organizations must be accountable for protecting, controlling and processing individual data against data breaches," he says.
GDPR stresses the need for data governance, Deb says, especially in light of the need to monitor unstructured data in the cloud and elsewhere.
"Understanding data inventory for structured and unstructured data and having a holistic mapping plan is critical, particularly given the increased adoption of outsourcing and cloud models by organizations," Deb says.
Organizations are implementing new models to govern their data, whether by appointing a data protection officer or a chief privacy officer, Shah says. In some cases, they are outsourcing the entire data governance and privacy function to a legal team, he adds.
"Some organizations in India are appointing employees who are International Association of Privacy Professionals certified as DPOs, while others are still evaluating eligibility and other criteria to establish who would be ideal to govern personal data and ensure its security," he says.
Raman adds: "We have hired a data privacy officer who's part of the legal team to implement a data privacy framework in protecting individual data. This official is part of the risk organization."
Raman also notes: "Organizations traditionally doing offshore business and servicing western organizations classify the risk as material risk and have security framework and standards like ISO 27000 and similar frameworks as part of commercial controls and compliance. However, what is critical under GDPR is to ensure that organizations identify gaps in the existing system, whether legal, security or compliance, and do a thorough gap analysis to ensure data protection."
Deb points out that while there is no single standard or framework that addresses all GDPR requirements, organizations can fall back on ISO 29151 along with ISO 27001 and leverage British standards such as BS10012, the personal information management system standard, which covers control objectives.
Shah recommends a privacy-by-design approach within the legal and security framework to set the context for GDPR.
Critical steps organizations need to take in building a resilient data protection framework for GDPR, according to the panelists, are:
- Build a data inventory with a clear understanding of where the data resides and then build security controls around it;
- Build data management processes to ensure the rights of data subjects as required by GDPR;
- Have model contracts that clearly articulate data portability clauses;
- Understand what is expected of a data controller and data processor;
- Adhere to Section 43A of the IT Act.
Raman, senior vice president and chief risk officer at Mphasis, is a senior risk management professional with 24 years of strategic and operational risk experience in financial and IT sectors across geographies. A veteran of the Indian Army, he formerly worked at CSC and Reserve Bank of India.
Deb, CISO at Dr. Reddy's Laboratories, previously was CISO at Max Life Insurance. He also managed global information security at Bank of America and Sumitomo Mitsui Banking Corp. Deb has more than 16 years of experience in leading and managing global information security, business continuity, risk management and data privacy programs.
Shah, an attorney, started his career at Cyber Crime Clinic, a non-profit organization, as a cybercrime investigation trainer for law enforcement agencies in India. A specialist in supervising and overseeing litigation matters related to computer-related and online offenses, Shah was invited by the RBI to address the high-level committee meeting on governance, risk and compliance.
(Principal correspondent Suparna Goswami contributed to this article.)