It’s very likely the internet knows more about you than your closest friends do. Social media platforms, e-commerce sites, apps of all kinds and online entertainment networks are all busy collecting your data.
Exactly what they do with that data isn’t always clear, so the European Union has acted to implement strict regulations to protect your private information from misuse.
The landmark General Data Protection Regulation (GDPR) in Europe represents a major step towards greater safeguarding of personal information. The new regulation lays down fundamental principles for handling personal data, keeping the individual’s right to privacy at its forefront.
The reach of the new law is extensive: any company, wherever it is based, that handles the personal data of people in the EU falls under it. Those that breach the regulation can be fined up to 4% of their annual global turnover or €20 million, whichever is higher.
GDPR should ease concerns over data privacy, but it raises many questions for companies operating under its influence. Sapthagiri Chapalapalli, Tata Consultancy Services Vice President and Managing Director of Central Europe, who led the GDPR implementation in the UK and Europe, answers some of those key questions.
Why is GDPR so important?
A key objective of any enterprise is to ensure that it complies with the law of the land. This particular law touches on a fundamental aspect of society, so it is very important that companies exhibit not only a respect for the law, but also a responsibility towards individuals and society. Companies must demonstrate that they are a responsible organization in order to be sustainable in the long run.
The second important thing is the explosion of data, and the business models that harness its commercial potential. Individuals care very much what happens to their data and have certain expectations.
Companies with business models that respect and honor these expectations are going to be more successful than those who don’t. Companies can still use the data for commercial purposes, but it has to be in the right way.
What’s the first thing that companies need to do?
The regulations came into force on 25 May, but that is just the beginning of an organization’s journey in perfecting its data privacy strategy.
This journey must begin with each company having a clear view of how personal information is gathered and processed. They also need to understand their purpose for holding it.
Companies also need to have in-depth knowledge of their methods for controlling data, where the data is stored and where and how it is distributed. They will also need to handle fundamental processes defined by the regulation in two areas.
Firstly, whenever there is a discovery of a breach of personal information the company should be able to respond using a well-defined process.
Secondly, customers now have the right to ask what personal data the company keeps about them and where it is kept. They can ask for it to be changed or deleted. The company should be able to respond to those requests in a timely manner.
How can companies leverage technology to make sure they comply?
It all depends on whether their systems and processes were designed with privacy in mind. There are enterprises whose systems do address some of the expectations of privacy. If that’s the case, they may only need to make limited adjustments.
The scope for change for global companies without a headquarters in Europe is potentially much greater. But even within Europe there is a difference between countries. Germany, for example, already has a data protection law. Other countries tend to have a free and open information society.
Technology applications can play a vital role in data control by centralizing data and processes that handle it. If information is decentralized, sitting in someone’s laptop or in a shared folder, then controlling that information and applying the standards required under GDPR will become very difficult.
There are many technology-driven tools that give the level of control required. The most effective have a platform where common standards can be applied and information is secured centrally.
Are legacy IT systems a barrier for compliance?
Yes and no. The truly fundamental thing is the architecture of the systems. If it takes care of privacy by design, then your need for change is very limited. But if the architecture does not have privacy by design, then you are looking at significant upgrades to your systems.
What are the other major challenges?
I would say that mindset change is a more fundamental change than systems and tools.
You could have the most sophisticated and well-controlled systems, but if an employee downloads an Excel file full of personal data and emails it to ten people, even if they are in the same company, this could represent a breach.
One of the key aspects of the legislation is that accountability is now spread far and wide. Previously, only the data controller could be held liable, but now the person who actually processes the information is also liable. Fundamentally, everybody needs to be on top of every step where personal information is being processed.
There is also a responsibility to secure information that goes to your supply chain. Companies need to ensure that third parties acting on their behalf are complying with the regulation. It’s the responsibility of the company giving the data to share that information on a contractual basis.
What solutions is TCS providing?
There are many types of solutions we provide to our customers, depending on their level of readiness and maturity.
Our work goes from defining a broader gap analysis and strategic view, to what needs to be done from a systems implementation point of view.
Some companies are in countries where they already have a defined privacy strategy. The next step is then to set up a data management platform to manage personal data in a regulated manner.
Do you think global companies will roll this out across their operations, not just those based in the EU?
Absolutely, the whole concept of protecting individual identity is taking shape all over the world. GDPR is probably the most comprehensive regulation. It is expected that other regions will follow similar concepts.
Most companies operating globally are recognizing that if they can make the changes for Europe, they might as well create similar practices for all their global operations.
This makes sense, because sooner or later all countries are going to implement regulations similar to GDPR.
So yes, many companies are using this as an opportunity to update their processes and systems.