Involving ground-level employees in implementing GDPR is a challenge: Bhabani Panda, Kwench Global

The countdown to EU-GDPR implementation has begun; but has India Inc. overcome the challenges to adhere to the deadline? Bhabani Panda, CISO of Kwench Global reveals measures and how to handle the implementation process.

As the talk and intensity around privacy increases, there is another countdown approaching. The much needed and dreaded EU-GDPR.
To summarize in a single sentence any operation performed on personal data such as collecting, recording, structuring, storing, using, disclosing by transmission, erasing and destroying is applicable under EU-GDPR regardless of whether the processing takes place in EU or not. In simple words, any organization having access to EU users information need to clearly define their role as Data controller or Data Processor and accordingly ensure compliance.

Bhabani Panda, CISO, Kwench Global Technologies says that the company largely works as a data processor and has been working since the last couple of months to ensure compliance before the clock ticks on 25th May 2018. In an exclusive with, Panda tells all about the measures to be GDPR-compliant, challenges ahead, and what Indian companies should do to adhere to the deadline.

What measures have you taken to be GDPR compliant?

For us the key stakeholders are:

1. Data controller/clients: From which we receive data.
2. Internal business process/employees: Where personal identifiable information(PII)/Sensitive information are stored/processed.
3. Sub-processor/third party vendor: Where we may share the information for further processing.

We have been working to put policies, procedures and monitoring mechanisms in place in accordance with the defined guidelines of EU-GDPR to ensure all legal areas are covered. Already being an ISO 27001:2013 certified company helped us a lot during implementation phase as the basic security aspects were in place and we had to clearly focus on new requirements instead of starting from scratch.

You can broadly define the implementation into 6 phases:

1) Understand what you are up to: We have taken help from an external CERT-IN empaneled consultant firm having proper experience in EU-GDPR regulations to make sure we are following the right path. The next step was to define the roles and responsibility of Data Protection Officer (DPO) and team to lead the work and audit.

2) Drafting the policy and framework: Drafting policy with the underlying theme “Privacy by Design” was another tricky part where you have to clearly define the data classifications and handling procedures required by the law. For PII and Sensitive information, it should be crystal clear in terms of policies and procedures - What are you capturing?, how is the data transmission happening?, how are you storing?, how long are you storing?, how are you taking approval from data subjects before using the data?, authority to data controller/subject for right to access, right to erasure, data portability and breach notification.

3) Data privacy impact assessment (DPIA)/Risk assessment and treatment: The most critical part of implementation was to conduct Data Privacy Impact Assessment (DPIA) and involve ground level employees during assessment procedures.

Simple Mantra for all of us - capture what is required - nothing more, nothing less; tell clearly why you need; where and how you will use it; and finally stick to it and keep it secure.

The DPIA was conducted in discussion with each process owner who have access to personal information/sensitive information based on the following principles - Lawful and fair-full process, purpose of collection, data adequacy, data accuracy, data retention, data processing, data Security, and data Transfer. This helped us to get an overall view of where we lack and what are the measures needed to be taken to ensure privacy and safety of data. Next part was preparing the treatment plan and executing for the risks identified involving each process owner and team member.

4) Updating privacy policy and Terms of Use: After having the internal policies and procedures ready, we created new privacy policy and terms of use with the help of our legal experts. As part of standard privacy policy change procedure, it was updated on the website along with notification to the users.

5) Legal/contractual changes: Change in contract with controllers (clients) and sub-processors (vendors) to put required relevant clauses based on GDPR requirements. One of the best law firms in India helped us to draft the agreements for this purpose.

6) Institutionalization of process: It requires detailed documentation and proper assignment of roles and responsibility along with monitoring mechanism to ensure the success of the process in a long run. GDPR is not a one-time project that you do it in a project mode and gets over. It has to be the culture of the organization, philosophy of business model and how you work on day-to-day basis. We need to stay compliant always and to ensure that each process owner is made responsible for his/her business process. It is the responsibility of CISO to inculcate the culture throughout the organization by arranging periodical training sessions, discussions with process owners and conducting audits.

What challenges are you facing?

When it comes to an organizational level process implementation, there is always a disconnect from management to last level employees.

We have to imbibe the culture of security and privacy as primary rule of the organization. To implement EU-GDPR compliance you need specific expertise; expecting to build those capabilities overnight is not possible. Therefore, it is always better to take help from experts until you build internal capabilities.

In terms of employee mindset, business requirement takes always the first priority and any other process feels like, a management’s demand. Involving ground level employees to understand the gravity of the situation and making them follow the guidelines was the toughest part of the implementation.
The second challenge was following up with clients and vendors for contractual changes. In India, financial year is April to March and last quarter everyone is busy with business closures. It was a bit of a challenge for getting time from clients and vendors to discuss the requirements and amend the existing contracts.

Do Indian companies have the right information and guidelines to be compliant before the deadline approaches?

Recent data breach from multiple large organizations worldwide have been an eye opener for companies. In fact, Indian companies have taken it seriously and are trying their best to comply with the guidelines. Multiple business industries like IT, ITES, BPO have strong presence in EU region and legal teams really understand the criticality of the situation. 

Few months ago we received couple of queries from our clients to ensure that we are also preparing to be GDPR-compliant. Recently, we have talked with different law firms in India and they have been extremely busy in consulting different organizations to make them ready for GDPR compliances. This shows the overall awareness and the trend shift in the Indian market. In terms of availability of information, I do not think nowadays access to information is a problem to anyone, implementation is a key challenge.

What would you suggest your peers do to be GDPR-compliant and adhere to the deadline?

In terms of business practices, we have to imbibe the culture of security and privacy as primary rule of the organization.

6 phases of GDPR  implementation

1) Understand what you are up to

2) Drafting the policy and framework

3) Data privacy impact assessment (DPIA)/Risk assessment and treatment

4) Updating privacy policy and Terms of Use

5) Legal/contractual changes

6) Institutionalization of process

In this era where data is the new oil, we need to make sure to put up a separate budget and process owner for security, not just an on-paper guideline. Gone are the days when you can capture any data of users for any purpose be it marketing or big data analytics.

It would be interesting to see how most of the firms are updating their operating procedure and seeking lawful approval from data subjects. To implement EU-GDPR and any such compliance you need specific expertise and expecting to build those capabilities overnight is not possible for most of the companies. Therefore, it is always better to take help from experts until you build internal capabilities. During the implementation phase, involve mid-level managers and employees for effective and sustainable implementation.

Adherence to the deadline is must and if you want to be in business and serve EU users you have to be compliant with GDPR terms, there is no escape to it. We all know the penalty and it is huge. Simple Mantra for all of us - capture what is required - nothing more nothing less, tell clearly why you need, where and how you will use it, finally stick to it and keep it secure.