At IDG Security Day, Jaspreet Singh, Partner – Cyber Security (Africa, India & Middle East) at EY, decodes GDPR and points out the areas that could prove to be a challenge.

There is no denying that GDPR completely redefined doing business with the European Union as we knew it. At IDG Security Day, Jaspreet Singh, Partner – Cyber Security (Africa, India & Middle East) at EY, brought GDPR into the spotlight and helped the audience understand this beast. Singh has led the GDPR practice at EY for two years and has been instrumental in building it out.

The European Commission took seven years to draft the law, and the number of iterations it went through – 1562 to be precise – surpasses any other law or regulation in history. GDPR is not something that loomed out of the blue in 2018; the regulation was passed a couple of years earlier.

Watch Jaspreet Singh address India’s top security heads at the IDG Security Day & CSO100 Awards. Prefer to read the edited excerpts? Read on.

Singh highlighted that the European Union had a law called the EU DPA from 6796. In 2011, the GDPR body was formed, and the law was passed in April 2016. It came into effect on 25 May 2018.

“The very definition of personal data has changed. Section 43(A) of the IT Act had six categories of Personally Identifiable Information (PII). GDPR twists this definition on its head – it states that anything uniquely attributable to an individual is PII and needs to be kept safe,” he explained.

He stated that the reason everybody is talking about GDPR is the penalties it attracts. In case of a data breach, an organization is liable to pay 4 percent of its global annual turnover as a penalty, or €20 million – whichever is higher. However, Singh pointed out that the penalty is not an absolute number, and he highlighted that no organization has yet paid a penalty of this magnitude. In case of a breach, EU legislative authorities will investigate and look at the intent of the organization; the figure above is the maximum penalty they can enforce.

Consent and decoding ‘the right to be forgotten’

To highlight the significance of consent, Singh said: “Right to be forgotten is a very interesting clause, but it’s very difficult to implement. If an employee leaves your organization and three years later sends you an email to delete all his data, will you have the capability of locating and deleting all the data?”

GDPR also chalks out the intricacies of consent – it has to be explicitly and freely given, and it has to be informed. “There are 99 articles within GDPR, and the working paper on consent is the most elaborate document on consent you’ll ever find,” said Singh.

Mandates around breach notifications and appointment of a DPO

Addressing the GDPR guidelines around breach notifications, Singh said that any breach has to be reported within 72 hours. “This becomes a challenge if SOC reporting has been outsourced to vendors,” he said.

GDPR also mandates the appointment of a Data Protection Officer (DPO), and the DPO has to report to the highest level of authority within the organization. Singh further highlighted the importance of CISOs knowing how information enters and leaves the organization.

Among the challenges organizations face in implementing GDPR, Singh said that keeping track of the base data used for analytics could prove to be a problem. Additionally, GDPR states that if you are collecting information from an individual, the information can only be used for the purpose for which it was collected. So, organizations now have to watch out for circulating unsolicited emails.