As regulations catch up, Data Privacy has fast evolved into a matter of survival for companies. Organizations that continue to ignore this risk becoming non-existent almost overnight in the wake of a data breach. Since the enforcement of Mandatory Breach Notification in Australia earlier this year, Australian organizations reported 63 breaches in the first 6 weeks. Every breach incident has the potential to cause long-term reputational damage to the impacted organization.
GDPR enforcement has already resulted in massive changes to consumer data collection and processing practices, especially in consumer-led markets. As a result, we will continue to see a tightening of the regulatory environment with respect to data privacy, and enforcement of penalties on firms as well as on fiduciary officers in the wake of data breaches resulting from inadequate protection measures.
Companies need to realize that a breach is inevitable, and key stakeholders, including their customers, expect them to take reasonable measures to prevent breaches in the first place and, when that fails, to respond quickly and appropriately. GDPR mandates this practice for companies that operate in the EU or any company doing business with EU citizens. Questions remain, however, around the implementation, interpretation and administration of the data protection practices – and these will need to be ironed out as the GDPR becomes enforceable. In order to be compliant, a business must begin introducing the correct security controls on its journey to GDPR compliance, including encryption, two-factor authentication and key management strategies, to avoid severe legal, financial and reputational consequences.
Essentially, any company that is based in India but has an online presence targeting its products and/or services at EU subjects is exposed to GDPR.
It is a very common misunderstanding that GDPR affects only those companies that do business in Europe. Think of any airline in India that ends up having EU citizens on its flights. Or hotels in India that are booked by EU citizens for their stay in India. How about hospitals in India that end up having EU citizens as their patients? Or expats who are EU citizens, buying on any of the eCommerce sites in India? So the impact of GDPR is far greater than one would imagine.
Hiring a Data Protection Officer
Whether you need to appoint a Data Protection Officer or not is a moot point. The real question is whether you think you need to pay attention to Security and Privacy related issues in your business. This is the question that boards need to answer. If the answer is YES, then they need to figure out who at the Board level carries the responsibility for this. Whether this responsibility is then executed through a dedicated employee in the organization or through a part-time consultant will always depend upon the size and complexity of the business. The current reality is that Data Protection is a complex issue that requires dedicated attention of its own, and hence the need for defined responsibility for Data Protection at the Board level.