When it was passed, this piece of legislation sent shockwaves across the IT industry. 20 million Euros or 4% of global revenue, whichever is higher. The penalties are terrifying. It’ll hurt a large company and destroy a small one. So how can Sri Lankan companies deal with GDPR? That’s what we went to learn at ShoutOUT Connect.
“In Sri Lanka, we don’t have adequate data protection laws,” said Samantha de Soysa – Attorney-at-Law/Barrister at Lincoln’s Inn. These were among her opening words at ShoutOUT Connect. And because we don’t have data protection laws, it’s important to learn from what other countries are doing. In recent times, the most important lesson has become GDPR.
In case you’re lost, The General Data Protection Regulation (GDPR) is a regulation in EU law regarding data protection and privacy for individuals in the EU & EEA. It came into effect in May earlier this year. It was passed with the aim of giving individuals control of their data along with simplifying and unifying regulations across the EU.
GDPR was a heated issue when it came into effect because of its steep fines. Violators could face a fine of 20 million Euros or 4% of their annual global revenue, whichever is higher. It’s been said that such fines were aimed at companies like Google and Facebook, which have been collecting vast amounts of personal data. Interestingly, Google is now being accused by 7 countries of violating GDPR.
Samantha added that your personal data is more valuable than you might think. As per the Universal Declaration of Human Rights, “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation.” As such, your right to privacy should be protected by law. This is why Samantha stated that data protection shouldn’t be taken for granted by any Sri Lankan.
At ShoutOUT Connect, Samantha defined data protection as, “A set of privacy laws, policies, and procedures that aim to minimize the intrusion into one’s privacy caused by the collection, dissemination, and storage of personal data.” Internationally, GDPR is one of the strongest data protection policies. Other countries like the UK, Hong Kong, Australia, and the Philippines have passed similarly comprehensive data protection legislation.
Unfortunately, this is not the case in Sri Lanka. The only solace a Sri Lankan has is the Computer Crimes Act and the Right to Information Act. Yet these laws don’t do enough to protect your data. While a hacker would get arrested for stealing your data, this isn’t the case with public officials.
If a Sri Lankan police officer wanted to access your tax records, they could do so freely. Yet in countries which have strong data protection laws, this isn’t the case. Estonia is a prime example, where citizens can view who accessed their records. If an Estonian citizen identifies someone who has accessed their records without authorization, they can report it as an invasion of personal privacy and data security.
But in Sri Lanka, we can do nothing. That’s what data protection and the lack of it means for you. With strong protection legislation like GDPR, your right to data protection becomes enshrined in law. As such, you have the power to take action against absolutely anyone (including the state) for misusing your data. Samantha argued that this is the global trend and one we must also accept.
Currently, there are two main types of companies defined by GDPR. The first of these are data controllers. A data controller determines why personal data is collected and how exactly it will be collected. Employees within the company who process personal data do so on behalf of the company in its role as data controller. Additionally, such companies should also appoint a data protection officer.
The second of these are data processors. These companies process data on behalf of data controllers. As such, they’re usually an external third party. However, in the case of groups of undertakings, one undertaking may act as the processor for another undertaking. Additionally, it’s imperative that such companies have a data protection agreement with the controllers they process data for.
GDPR requires there be clear agreements between data controllers and processors. These agreements must clearly list out the responsibilities of the two parties. But there are instances where companies can also be classified as a joint controller. This is where two organizations jointly determine the reasons for collecting personal data and how it’ll be collected.
Samantha shared at ShoutOUT Connect that the regulations come into effect whenever a Sri Lankan company or entity of any nature does any commerce in the EU. This includes instances where the person whose data is being collected doesn’t need to pay for the goods and services. GDPR also comes into effect when a company monitors the behaviour of EU citizens inside the EU.
Once GDPR becomes applicable, there are six key principles that apply to the data. They are as follows:
OneTrust is a tool that Asanka recommended so that Sri Lankan companies can find out which cookies their website is using. He added that ShoutOUT used this tool and was surprised to find how many cookies its own website used. Wherever consent is collected, it must be possible for that consent to be withdrawn as easily as it is given.
Additionally, for children under 13, parental consent is necessary. But once consent is given, companies must ensure the data they collect is adequate and limited. How does one define this? Asanka answered this by saying, “The adequate level of data is defined by the processes you do.” And these processes must be clearly defined in your privacy agreements.
Of course, it’s tough to define what constitutes easy to understand. But in the event of a data breach or violation, the courts will debate this. Furthermore, in the event of a breach, a company has 72 hours after it becomes aware of it. Within this timeframe, it must notify the supervisory authority without undue delay. If the company is a data processor, it must notify the data controller of every data breach.
However, companies don’t need to inform users unless their data has been affected. The official GDPR website states, “If the data breach poses a high risk to those individuals affected then they should all also be informed unless there are effective technical and organizational protection measures that have been put in place or other measures that ensure that the risk is no longer likely to materialize.”
As such, organizations need to take security seriously due to GDPR. This doesn’t simply mean ensuring technical security measures are in place. It also requires non-technical measures to ensure accountability and governance. This ranges from having clear contracts with data processors to clear documentation of systems.
Most importantly, Sri Lankan companies and those globally that want to enter the EU market now need to prioritize data protection when designing software. Asanka shared the basics of how this can be done at ShoutOUT Connect. The basic technical tips he shared were:
Ultimately, GDPR doesn’t list out any specific technical and other measures. This has given many companies freedom but has also resulted in some confusion. Asanka admitted at ShoutOUT Connect that this is a challenge. Yet a simple way to overcome it, he suggested, is to meet the requirements of security certifications. Some examples of certifications he shared were ISO 27018, ISO 27001, and PCI DSS.
But when it comes to the technical details, we can’t ignore cloud computing. Over the years, we’ve seen cloud providers like AWS become a popular choice of software infrastructure for many Sri Lankan companies. However, since it came into effect, GDPR has stated that the data of EU citizens must be stored within the EU.
But at ShoutOUT Connect, Asanka pointed out an exception under which your data can be stored in another country. For some countries, the data can be stored and transferred outside the EU without any additional safeguards. This is because these countries have been declared as offering an adequate level of protection through a European Commission decision.
Even if a country has not received this declaration, a data transfer can still take place. But as per the official GDPR website, this can only be, “through the provision of appropriate safeguards and on condition that enforceable rights and effective legal remedies are available for individuals.”
It’s also possible to store your data in a country without meeting the above requirements. In such instances, the GDPR official website states, “a transfer can be made based on a number of derogations for specific situations for example, where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer.”
To quote Asanka, “GDPR is still new and court cases are still ongoing. With these hearings, the laws will be amended over time.” Yet despite the challenge, Asanka looks at it as an opportunity. Samantha agreed and added that Sri Lankan companies should ensure that their employees are ready to protect the data of their customers. And since we lack any form of data protection laws, it’s somewhat comforting to know that private companies will take our data more seriously, even if it’s only because they wish to enter the lucrative European market.
Venture Frontier Lanka is bringing experts in entrepreneurship from around the country to cities throughout Sri Lanka to train local entrepreneurs to think differently about the ventures they will start. A caravan stop consists of different sessions about creating unique ideas for startup ventures and strategies for financing those ideas.
Come join the sessions on the 19th of December, starting at 2 pm at the Sri Lanka Institute of Information Technology.
The event is free of charge! Registration is mandatory for this event.
(Wednesday) 2:00 pm - 6:00 pm
SLIIT, New Kandy Road, Malabe
Early Bird till the 16th of Dec: 20% discount
Likuid Members: 20% discount
Female/Social Entrepreneurs (Locals Only): 50% discount
Join for a one-day workshop where we unchain the collective wisdom and creativity to help each other have a more productive digital nomad new year and build better cooperation for teamwork.
During this peer to peer learning session you can share your experiences to help others and learn from other practitioners. Together, dive into the most painful problems and brainstorm on solutions. It’s for you if you resonate with some of these questions:
How do I integrate work, life and travel?
How do I keep motivated to achieve?
How do I keep engaged with a client?
How do I manage my time and energy?
How do I get clients?
How do I find people to collaborate with?
How do I deal with time differences?
How can I make human interactions with Slack profiles?
How do I set realistic goals in a constantly changing environment?
What are the best tools & methods for productivity?
What’s the secret of aligned teams?
What are the best skills for a digital nomad?
ABOUT THE METHOD:
“We create space for meaningful conversations, experimental and peer to peer learning. Nothing frontal, no preaching. But space for your very unique questions.”
+ Full-day mentored learning program
+ Breakfast on the roof
+ BBQ lunch on the roof
+ Goodie bags & Take-home handbooks
+ Post-event networking
ABOUT THE HOST:
Kitti is a digital nomad herself and a marketing consultant for innovative companies and early-stage startups. She is a conversation ambassador for tedxdanubia, hosting meaningful conversations on ideas worth spreading. In the past years she has worked in self-organized teams, practiced facilitation, joined peer-to-peer networks and decentralized teams, and co-created a collective of freelancers. She is a co-founder of a sustainability startup that just secured its first round of investment. She has worked as a mentor for many startups, and in the meantime she has visited more than 15 countries.
Are you a Sri Lankan female entrepreneur or a local social business? Reach out for your discounted tickets!
PRICE IN SRI LANKAN RUPEES:
Regular: LKR 5000
Early Bird till 16th of Dec: LKR 4000
Likuid Members: LKR 4000
Female/Social Entrepreneurs (Locals Only): LKR 2500
(Saturday) 8:30 am - 5:30 pm
5 Charles Place 00300 Colombo, Sri Lanka
Karthik (Associate Director, DTCC & Co-organiser of Hyperledger Chennai Meetup) will be here for the 2nd Hyperledger meetup.
He will share his experience with Hyperledger and business applications of blockchain technologies.
1. Work with Hyperledger Fabric and Explorer.
2. Business use case with Hyperledger Blockchain Framework
3. Q&A session
This is a free session. Register here.
(Friday) 5:30 pm - 8:30 pm
Startup X Foundry
07, Charles Place, Colombo 03, Colombo