The latest reports released by Gemalto indicate a rise in the Data Breach Level Index. Reportedly, 2.6 billion records were stolen, lost or exposed worldwide in 2017, an increase of 88% from 2016. Over the past five years, nearly 10 million records have already been compromised, a grave concern for both national security and the economy throughout the world. A majority of countries appear to have woken up to this grim reality and are defining and strengthening regulations to secure data.
The General Data Protection Regulation (GDPR), one such regulation, has recently been adopted and implemented by the European Union (EU) and the European Economic Area (EEA) to ensure the privacy of all individuals within the European Union. Apart from regulating the control and usage of data within the scope of the legislation, the regulation also provides for strict controls over the export of personal data outside the EU and EEA.
Pawan Duggal, a cyber security expert, while addressing a roundtable conference held to discuss the relevance and implications of the GDPR in India, aptly suggested that though the regulation has been implemented, “no one is actually ready for it”. He said that “though we are hearing about GDPR, we don’t have absolute compliance in place in various jurisdictions, and that is interesting as very few companies would have been 100% GDPR compliant as on 25th May 2018, the date of implementation.”
For example, the GDPR contains a specific provision that binds the data controller to notify the supervisory authority without undue delay, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals. The report must be made within a maximum of 72 hours after becoming aware of the data breach (Article 33). Individuals have to be notified if an adverse impact is determined (Article 34). In addition, the data processor has to notify the controller without undue delay after becoming aware of a personal data breach (Article 33). A simple delay in reporting a data breach can have serious legal implications, as happened with Yahoo, which was fined $35 million because it failed to report the 2014 Russian hack.
As stated by Mr. Duggal, “The data security threats are becoming more dangerous, more prolonged and most significantly, more vicious in their approach”. Simultaneously, various governments feel the need to address these concerns. However, there is also an urgent need to identify and adopt a balanced approach while designing and implementing such laws: they may prove to be an important cyber deterrent for national security, but at the same time they can affect the commerce of the country to a large extent.
India, too, has designed and implemented a Data Breach Notification Law. The law imposes mandatory notification requirements on service providers, intermediaries, data centres and corporate entities upon the occurrence of certain ‘cyber security incidents’. A more comprehensive bill on data protection is soon to be tabled in parliament once a comprehensive report on the subject is presented by the B.N. Srikrishna Committee.
Various apprehensions have been surfacing across economic sectors in the context of data localisation and the roles of data processor and data controller. Since most national security threats flow in through digital channels, with data being an integral part of them, it is extremely important for the government of any country to enforce stringent data compliance laws. We must also ensure that there is clarity in differentiating between personal data and sensitive personal data in order to reach the golden balance that serves both business and national security interests.
Securing the country and flourishing business prospects are highly inter-dependent, hence it is important to reach a balance that serves the interests of both sectors in terms of compliance, laws and procedures.