GDPR — How much is your privacy worth?

By June 2017, 51% of the world population had access to the internet, and according to many leading reports the rate of increase is going to double in the coming decade. So, can we claim the success party for the Information Revolution, which had started in the late 19th century? Probably not, because our burgeoning online presence is going to become prominent at the cost of significant ignorance of our personal data security. The Industrial Revolution’s negative impacts revolved around the blue collar labor segment, and hence the noise around them is universally considered of moderate importance even today. But the Information Revolution has spanned society across all collar colors (unfortunately, the internet is a democratic entity), and hence the attention to its impacts will be globally greater.

As per the Ponemon Institute report on the global cost of a data breach, the loss stands at approximately 4 million USD in the last 2 years and is likely to spike in the coming years. This is a Pavlovian moment for governments to become proactive before things get worse, and hence a new regulation is born out of the European Union — General Data Protection Regulation (GDPR). This is a multi-fold superlative version of the Data Protection Act of 1998, with a gravitational focus on the personal information security of an internet user at its core.

What is GDPR?

GDPR is a regulation from the European Parliament which demands that all internet businesses protect the personal data and privacy of EU citizens (including the U.K.); non-compliance with this legislation would lead to an immense penalty. The regulation applies to an organization -

  • If its business has a presence in the EU
  • Even if it doesn’t have a presence in the EU, if it happens to process personal data of EU residents

Personal data: Any information pertaining to an identified or identifiable natural person (data subject) which can be used to identify them directly or indirectly by reference to an identifier such as a name, an identification number (Social Security number, UIDAI etc.), location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person or data subject (email address, credentials, IP address, device details, geography details etc.).

Does the scope interpretation paint a legal color to your thinking? Yes; GDPR even demands that compliance be contemplated from a legal entity’s standpoint, and titles the responsible person the Data Protection Officer (DPO). Per the legislation, hiring a DPO is mandatory if your organization has more than 250 employees, and the DPO will be the sole owner of the organization’s data protection & privacy. If not, any security leader can wear the hat of a DPO to own the responsibility.

Why is this sudden buzz?

In recent months, GDPR has moved from a coffee table topic to a salient item on the forum discussion agenda for most global security leaders. A PwC report substantiates the fact that 92% of US businesses have started considering GDPR compliance as their top priority for the coming quarters. Of these, 68% decided to spend $1 million to $10 million to stay resistant to GDPR risk exposure, and 9% expect to spend more than $10 million. The heat is gaining momentum because of two reasons.

  1. The D-day is nearing, and it’s May 25th 2018
  2. The breach penalty is either 20 million euros or 4% of global annual turnover, whichever is HIGHER

Now you can imagine the worth of your privacy protection, and hence it is inevitable that tech giants will steer their focus towards GDPR in the next two quarters.

What is an organization expected to do?

Every organization needs to understand the horizontal journey of the data across all their vertical business units (Sales, Marketing, HR, Engineering, Customer Support, Infrastructure, etc.) and follow the instructions below.

  1. Identify the ‘Personal data’ involved in all the gathered data journeys / flows
  2. In the data flows, cautiously label yourself as ‘Data Controller’, ‘Data Processor’ or ‘Data Sub-processor’ according to the context (Read here to learn more on the responsibilities of DC and DP)
  3. Treat that data specially by introducing a watch/control on its handling, processing, storing and retaining. Recommended methods — data masking, pseudonymization, secure filing etc. (Read here to learn more on the security practices to be followed)
  4. Document in detail — a 360 degree data protection & privacy notice encompassing all the metrics mentioned as part of the regulation
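As an added illustration of step 3 (this is example code written for this page, not code from the original post or from any regulator), the snippet below takes a constructed customer record containing the kinds of identifiers the definition above lists (name, national identification number, email address, IP address) and applies the two recommended methods: keyed pseudonymization for the field that still needs to be joinable across systems, and masking for fields that only need to be recognisable to a support agent. The key, the field names and the sample values are all assumptions made for the example.

```python
import hashlib
import hmac
import re

# Constructed sample record for the example; none of these values are real.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "national_id": "123-45-6789",
    "email": "jane.example@example.org",
    "ip": "203.0.113.42",
    "plan": "premium",  # business attribute, not personal data: left untouched
}

# Assumed secret held by the data controller, stored apart from the dataset.
# Whoever holds this key can re-link a pseudonym; whoever does not, cannot.
PSEUDONYMISATION_KEY = b"example-key-load-from-your-secret-store"


def pseudonymise(value: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Keyed HMAC-SHA256 pseudonym: the same input always yields the same
    token (so records can still be joined), but without the key the token
    cannot be reversed or brute-forced over a small identifier space."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def mask_email(email: str) -> str:
    """Keep the first character and the domain; hide the rest of the local part."""
    local, _, domain = email.partition("@")
    if not domain or not local:
        return "***"
    return local[0] + "***@" + domain


def mask_ip(ip: str) -> str:
    """Zero the host octet of an IPv4 address so the /24 remains usable for
    abuse analytics while the individual host is no longer identified."""
    parts = ip.split(".")
    if len(parts) != 4:
        return "***"
    return ".".join(parts[:3] + ["0"])


def mask_national_id(nid: str) -> str:
    """Retain only the last four digits, the usual display convention."""
    digits = re.sub(r"\D", "", nid)
    return ("***-**-" + digits[-4:]) if len(digits) >= 4 else "***"


# Which field gets which treatment; anything not listed passes through.
PERSONAL_FIELDS = {
    "name": pseudonymise,
    "national_id": mask_national_id,
    "email": mask_email,
    "ip": mask_ip,
}


def protect_record(record: dict) -> dict:
    """Return a copy of the record with every personal field pseudonymised
    or masked according to PERSONAL_FIELDS."""
    return {
        field: PERSONAL_FIELDS[field](value) if field in PERSONAL_FIELDS else value
        for field, value in record.items()
    }


if __name__ == "__main__":
    for field, value in protect_record(SAMPLE_RECORD).items():
        print(f"{field:12} {value}")
```

The design choice worth noting is the split between the two methods: a masked value is irreversible and useful only for display, whereas an HMAC pseudonym is reversible by the key holder and therefore still counts as personal data under the regulation's definition, which is why the key must live outside the dataset and be access-controlled like any other secret.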

There is a lot of uncertainty everywhere, as there is no entitled body as of now to certify any organization as GDPR compliant. So, organizations can claim that they are compliant after careful implementation of all the policies of the regulation as per their applicability. Fundamentally, GDPR is a risk assessment & mitigation exercise to safeguard your business by equipping your security team to align with the Internet age commandment — ‘End user is the King!’. Today, it’s GDPR from the EU. Tomorrow, every country will coin a similar regulation with some tangential changes per the geography, fuelling the importance of data protection.

It is high time that technology leaders adopt a security-by-design methodology while building any products and services! Also, business leaders should consider data security as a part of their organizational strategy!

Jack Ma recently said that ‘Data’ is the new age ‘Electricity’, and Mukesh Ambani always considers ‘Data’ as today’s ‘Oil’. This is just a snapshot of how global business leaders consider data in their future journey. Any glamorous tech trend, viz. ‘Artificial Intelligence’, ‘Machine Learning’, IoT, would justify all business forecasts only when the data is properly utilized with absolutely no compromise. Investors, customers, competitors and partners are motivated to be a part of this exercise in the business community to support the Government.

Grab a cup of coffee and gear up for this wind! The clock is ticking!
