The rise of General Data Protection Regulation (GDPR): Is your business prepared? May 2018


Contents
Introduction to privacy
Introduction to privacy by design
Drivers of privacy by design adoption
Implementing privacy by design
Adoption of privacy by design
The way forward


Foreword

As digital disruption continues to challenge privacy norms across the world, cloud, social media and mobile technology advancement is fundamentally altering the personal and professional lives of people across the globe. The constantly changing threat landscape driven by the connected world is forcing law enforcement agencies to enhance the privacy legislation regime regularly. Today, this is one of the biggest challenges encountered by many organizations as they grapple with the introduction of newer legislations and frameworks around data privacy.

The concerns around data privacy impact both consumers and enterprises alike. While consumers are concerned about the misuse of personal and sensitive information, organizations are worried about having a dampening impact on their reputation, brand value, consumer trust as well as revenues. With the GDPR coming into force from 25 May 2018, organizations will need to evaluate where they stand in their data privacy journey as the onus of accountability shifts from regulators to organizations.

Privacy by design is a key concept of the GDPR. Privacy by design means thinking about data privacy and its implications when you're developing products, features, and even marketing campaigns based on personal data. fi implement appropriate technical and organizational measures to ensure that, by default, only personal data which are fi fi appropriate technical and organizational measures to ensure that privacy and the protection of data is no longer an after-thought and is embedded in the early stages of any project and then throughout its lifecycle.

In our view, many organizations are welcoming this opportunity as a serious initiative to drive data privacy beyond just mere compliance. In light of recent events on data privacy, this is an enterprise wide initiative that will help companies across the globe to be secure and stay secure.

With best wishes,
Jaspreet Singh, Partner, Cybersecurity, EY
Sibjyoti Basu, Partner & National Business Development Leader, EY India

01 Introduction to privacy

In a world where more than half the population is online, everything is becoming digitized. Customers today are sharing and receiving information on various portals for entertainment, banking, healthcare, and utility purposes, continuously adding to a large pool of data.

[Figure: Digital around the world. Panels: total population (55% urbanization), internet users (53% penetration), active social media users (42% penetration), unique mobile users (68% penetration), e-commerce market for consumer goods (+16% YoY).]

[Figure: Data created in the world is growing rapidly. Values shown: 180 ZB, 4.4 ZB, 44 ZB.]

fi fi data to create value and insights. On 14 April 2016, the Regulation and the Directive were adopted by the European Parliament. The new rules are applicable for two years. maintaining privacy. With a view on the data priorities of organizations and to safeguard rights of customers and imbibe a sense of accountability in the way personal data is shared and used by organizations.

Emergence of GDPR

On 15 December 2015, following three years of drafting and negotiations, the European Parliament and Council of the European Union reached an informal agreement on the EU General Data Protection Regulation (GDPR). The aims of the GDPR are to reinforce data protection rights of individuals, fl reduce the administrative burden. The GDPR replaces the 1995 General Data Protection Directive and applies directly to each of the 28 EU Member States.

Timeline:
- fi of the new General Data Protection Regulation was published
- On 12 March 2014, the European Parliament voted overwhelmingly in favour of new data protection laws
- On 15 December 2015, the EU Commission, Parliament and Council of Ministers reached an agreement on the GDPR
- fi Journal of the European Union
- year implementation phase
- Regulation starts to apply

Sources: We are Social 2018 Stats, World Economic Forum,

What is the GDPR?

The EU data protection reform was adopted by the European Parliament and the European Council on April 27, The European Data Protection Regulation will be applicable as of May 25, 2018 and replace the Data Protection Directive (95/46/EC). The GDPR is an omnibus regulation by which the EU intends to strengthen and unify data protection within the European Union. The GDPR applies to any organization, regardless of geographic location, that controls or processes the data of an EU resident. It fi fail to protect the data for which they are responsible.

Why is the GDPR receiving increasing attention?

The EU GDPR introduces a number of new rights for data subjects and several obligations which will directly impact data controllers and data processors, non-compliance with which will lead to tough penalties as high as 20,000,000 or 4% of annual global revenues.

Scope of GDPR

GDPR focuses on the processing of data by automated means but fi system. GDPR applies in three circumstances:
- Establishment and processing of personal information in the Union
- The monitoring of the behaviour of data subjects as far as their behaviour takes place within the Union
- Organization offering of goods or services, irrespective of subjects in the Union

GDPR applies globally and companies outside the EU will have to comply with the Regulation if they process EU persons' personal data.

[Flowchart: whether the GDPR applies. Decision questions: Does the company have a presence in EU? Is the company's customer an EU citizen? Does the processing relate to offering goods or services in the EU? Does the processing relate to monitoring the behavior of persons in EU? Outcomes: GDPR applies / GDPR does not apply.]

activities will be directed to EU data subjects relevant

Key changes proposed by the GDPR

Hefty penalties: Breach of the GDPR will result in substantial fi turnover, whichever is greater

Expanded scope: Applies to all data controllers and processors established in the EU and organizations that target EU citizens

Mandatory appointment of Data Protection Officers (DPOs): DPOs must be appointed if an organization conducts large scale systematic monitoring or processing of large amount of sensitive personal data

Obligatory breach notification: Notify supervisory authority unless the breach is unlikely to be a risk to individuals. If there is a high risk to individuals, they must also be informed

[Figure: Data breach notification process. Steps: Breach; Awareness of breach; Investigate breach; Notify Supervisory Authority (if likelihood of risk to individuals); Notify data subject (if likely to result in risk to individuals). Timing labels: without undue delay; without undue delay (no later than 72 hours).]

- Data processors must report personal data breaches to data controllers
- Data controllers must report personal data breaches to their supervisory authority and in some cases, affected individuals, in each case following fi
- Data controllers must maintain an internal risk register
- Non-compliance can lead to an administrative fine

What is a data breach?

Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed

72 hours is the timeline within which breach fi authority

Reference

Stringent consent requirements: fi fl In addition to basic data protection principles, consent is subject to further conditions under the new Regulation. Where relying on consent as the basis for lawful processing, it must be additionally ensured that:
- agreements or declarations
- Provision of services is not made contingent on consent where it is not necessary for the service to be supplied
- Data subjects are informed of the right to withdraw consent at any time (through simple methods)
- Separate consent is obtained for distinct processing operations
- information

Risk based Privacy Impact Assessments: Organizations must undertake Privacy Impact Assessments when conducting risky or large scale processing of personal data

Broadened data subject rights: Organizations should have processes to manage the below given new rights:
- The right to be forgotten: The right to ask data controllers to erase all personal data without undue delay in certain circumstances
- fi

[Figure: Data subject rights. Labels: Right to notice; Object to processing; Restriction of processing; Right to erasure; Right to portability; Right to rectification; Right to access; Right to information.]

Adequate protection for cross-border transfers: guarantee on data protection is provided such as standard contractual clauses or binding corporate rules (BCRs)

Obligations on processors: fi regulated entity

Privacy by design and default: Data protection safeguards must be built into products and services from the earliest stage of development. Privacy settings must be set at a high level by default. Data protection by default notion includes data minimization principles

Accountability and data governance: Organization must prove they are accountable by:
- Establishing a culture of monitoring, reviewing and assessing data processing procedures
- Building in safeguards to data processing activities
- Documenting data processing policies, procedures and operations that must be made available to the data protection supervisory fl

Principle of Accountability

- Controllers are responsible for the compliance of their processing operations with data protection rules
- Controllers should have documentation ready and be able, at any time, to demonstrate compliance with data protection provisions to data subjects, to the general public and to supervisory authorities

Personal Data Lifecycle Management

Adopt policies and implement appropriate measures to ensure personal data is secured throughout the entire data lifecycle:
- Appropriate collection of data
- Relevant use of data
- Managed disclosure
- Appropriate retention and disposal
- Review privacy

Ensuring the accuracy of personal data: fi that the personal data held by them is accurate and can be corrected if errors occur

Limiting the storage of personal data: Organizations will need to ensure that they retain personal data only for as long as necessary to achieve the purposes for which the data was collected

Ensuring security, integrity and confidentiality of personal data: The organization must take steps to keep personal data secure through technical and organizational security measures

Incentives beyond GDPR compliance

The organizations which have started their compliance journey have been successful in differentiating themselves from their competition by proactively developing trust with their customers on handling their sensitive data. These stronger customer relationships present opportunities for organizations to retain or increase their revenues from customers dealing with personal data from EU. Further, compliance with GDPR presents compliance as well as business incentives.

On the compliance front, GDPR transformation program is helping organizations avoid distraction and business disruption arising fi recovery from breaches and potential lawsuits. Also, compliance with GDPR will lead to effective management of increasing pressure from the regulators.

Similarly on the business front, privacy has become one of the key drivers to enhance brand reputation and to ensure privacy and trust while the added value of new digital propositions are realized. These initiatives help organizations to meet stakeholders' privacy as ethical responsibility towards clients

Create a new business line in the form of GDPR-as-a-service or DPO-as-a-service

Key safeguards to be adopted by organizations

The GDPR has underlined multiple changes; however, there are certain key safeguards that organizations can take to ensure that they start their compliance journey for GDPR:
- Gap assessment to identify current state
- Implement privacy by design and default
- Data Protection Impact Assessments (DPIA)
- fi of processing activities
- fi availability and resilience of processing services


02 Introduction to privacy by design

The personal data collected requires a governance plan as there are risks of exposure, unauthorized access, and hacks. Hence, to address these ever-growing data and privacy risks, the idea of privacy by design was developed in the 90s. It is now being embraced by regulatory authorities to safeguard user privacy.

Privacy by design has seven principles which should be applied in order to maintain privacy (Figure 1).

Definition: Privacy by design (PbD) is a concept which enables organizations to have privacy embedded in the design and architecture of information systems, business processes and networked infrastructure.

Figure: Foundation Principles 2

- Proactive not reactive, preventative not remedial: Anticipate and prevent privacy invasive events before they happen. The aim is to prevent them from occurring
- Privacy by default: IT system or business processes
- Embed privacy into design: Privacy measures embedded in the IT systems and business processes and not as an add-on
- Full functionality - positive sum, not zero sum: fi
- End-to-end security - full lifecycle protection: All data should be securely retained as needed and destroyed when no longer needed
- Visibility and transparency - keep it open: Assure all stakeholders that business processes or technology involved, are operating according to the fi
- Respect for user privacy - keep it user centric: Keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options

2 fi

03 Drivers of privacy by design adoption

Implementation of privacy by design is primarily driven by two factors: the stringent privacy regulations coming into force and rising data breaches and associated costs.

Regulatory requirements:

Privacy by design in the past was not mandated by any law, rather it was seen as an approach to ensure compliance. However, in 2016, European Union General Data Protection Regulation adopted the approach and gave a deadline for implementation by 25 May

Article 25 of the regulation covers data protection by design and by default. It prescribes the following:
- Privacy by design: Companies must put technical and organizational measures such as pseudonymisation in place to minimize personal data processing.
- Privacy by default: Companies must implement appropriate technical and organizational measures for ensuring that, by default, only personal data which is necessary for each fi

fi fi fi greater. The regulation will impact organizations across the globe that do business within the fi

What is personal data as per GDPR? 3

Personal data means any information relating to an fi as the following:
- Name
- fi
- Location data
- fi
- fi physiological, genetic, mental, economic, cultural or social identity

Companies which were till now only mandated to protect personal data, now need to embed privacy across the life cycle of data. There will be legal implications for wrongful data collection, fi is one of the biggest drivers for companies to implement privacy by design.

Messaging service provider changed minimum age of users to comply with GDPR

In April 2018, a global messaging service provider raised minimum age for users from 13 to 16 across the EU. The GDPR has a processing data of children below 16 years of age to get consent from the holder of parental responsibility. In line with this policy, the messaging service provider has also suspended its policy change wherein it could share phone numbers and other information with social media sites for effective target advertisements.

Technology company refunded for wrongful in-app purchase

fi refund a large amount for kids' in-app purchases to its customers in a settlement with the Federal Trade Commission (FTC). In the complaints made by users, the technology company was charged with violating the FTC Act by not telling users that entering a password to approve an initial in-app purchase would allow 15 minutes of additional purchases without further authorization needed. As a part of the agreement, company was also asked purchase.

Rising data breaches and associated costs:

There has been a disturbing trend of rising personal data breaches (breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data). The key reason is organizations do not have instead on proactive policies.

With the growing number of breaches, customers are concerned about protecting their privacy and identities more than ever before. 68% 4 of the customers do not trust brands to handle their personal information appropriately, such as name, , location or marital status.

In 2017, a total of 1,765 5 breach incidents occurred of which fi two major type of breaches. According to Ponemon Institute's million. There are also post data breach costs which include help desk activities, inbound communications, special investigative identity protection services and regulatory interventions. fi reputational damage that may lead to abnormal turnover or churn rates as well as a diminished rate of new customer

69% would boycott a company known to

55% of respondents would avoid giving data to a company they know had been selling or misusing it before

Consumer credit reporting agency lost million users' personal data

In 2017, a global consumer credit reporting agency witnessed bureau's website software. The hack granted attackers access fi names, dates of birth, Social Security numbers, and other personal information of million US consumers. With the stolen identity details, attackers can apply for lines of credit in the victims' names. The company faced widespread criticism and the share prices dipped 34% within eight days after the breach disclosure.

Health app compromised 150 million users' data resulting in decline in share value

In 2018, data from about 150 million users of a health app was compromised, sending the value of shares of the company down 3% in after-hours trade. The stolen data included account user names, addresses and scrambled passwords for the app. However, Social Security numbers, driver license numbers and payment card data were not compromised.

Social media giant lost credibility and share value due to data sharing scandal

In 2018, a global social media giant came under the scanner for a data breach wherein the personal data of 87 million users around fi fl them. Post the incident, the company's reputation fell dramatically share value within 10 days of news of the scandal.

Multinational technology company paid US$17 million due to a privacy breach

fi their consent or knowledge. The case involved the technology company bypassing the privacy settings in a well-known web browser to use cookies for targeted advertisement.


04 Implementing privacy by design

A major change caused by implementing privacy by design is that companies would need to consider privacy at the very start of product development. Privacy has to be an integral part of the company strategy and needs to run through processes via policies and procedures.

Regulatory requirements:

To start with, both privacy by design and privacy by default of new products and services to have enough basic knowledge on privacy. The guidance should be in simple language for everyone to understand and training sessions should be held. functions to insert and monitor privacy. Clear policies, guidelines and work instructions related to data protection should be developed and a privacy specialist should be available to assist in

While implementing privacy by design, the following should be considered:
- Conduct Data Privacy Impact Assessment (DPIA) to enable organizations to analyze how a particular project or system will affect the privacy of the personal data involved. It is similar to a risk assessment for privacy.
- fl strategy. It focuses on minimizing the amount of personal data that is collected, processed, stored and disseminated; hiding fi how their personal data is used.

EY has developed a privacy program model (Figure 3) which focuses on program, operations and the monitoring of privacy in an organization.

Program: Devise strategy wherein roles and responsibilities of fi accountability is established with governance processes and data owners are made to understand their responsibility for classifying and protecting sensitive information.

Operations: Data privacy programs rely heavily upon the implementation of strong policies and processes to enforce and respond to incidents in timely manner.

Monitoring: Teams and tools supporting data privacy and protection programs should be integrated to allow for correlation organization. Effectively linking to security programs and implementing privacy by design will allow for early detection of privacy breaches and non-compliance issues.

[Figure: EY's Privacy Program. Governance: privacy strategy/charter, privacy policy, training and awareness, regulatory reporting, executive reporting, managing public perception. Supporting governance roles: IT and information security, legal and compliance, communications and crisis management, CPO/Privacy Office, risk and compliance, audit, data owners, data processors, data collectors. Operations: privacy by design, risk management, incident management, vendor due diligence, consumer request/complaints, data classification, personal data inventory management, cross border data management, data flow management. Privacy life cycle: 1 Appropriate collection of data, 2 Relevant use of data, 3 Managed disclosure, 4 Appropriate retention and disposal, 5 Review of privacy expectations. Other labels: managed lines of defence, regulatory expectations, internal expectations, sustenance, privacy audit.]

Source: EY Privacy by Design GDPR, May 2017

EY's data privacy transformation approach integrates all data privacy-related services into a single offering. It focuses on five major pillars as given below:

Program: It focuses on aligning the current framework with policies and procedures, privacy policy, reporting and training and awareness of employees and key stakeholders.

Supporting governance roles: The framework focuses on establishing a governance framework with roles and governance and overall compliance.

Privacy lifecycle: The framework will concentrate on the end fl disclosure, transmission, retention and disposal) and will fl

Privacy by design: As privacy by design is one of the key elements of GDPR which focuses on embedding GDPR into the DNA of an organization, the EY framework will ensure that all processes/functions having personal data incorporate privacy by design and default.

Monitoring: To run a successful privacy program, it is pivotal fi metrics for periodic monitoring and continual improvement.

The model is self-evolving and agile to accommodate the unforeseen changes and adapt accordingly to the organization's needs.


05 Adoption of privacy by design

A combined push from regulators and customers to have a stringent check on personally identifiable data storage and usage has led to companies acting on privacy by design certified platforms and apps. The initiatives are also being supported by governments to promote implementation of PbD by companies.

Industry Initiatives

Healthcare
- Secured mobile health apps: European Data Protection Supervisor (EDPS) announced the launch of a contest to design mobile health (m-health) applications implementing Privacy by Design and by Default principles.
- Patient data anonymization: A hospital in Barcelona collaborated in the CLARUS project for a privacy-by-design approach to protecting healthcare-sensitive information using encryption and anonymization.

Technology
- Development of software privacy ecosystem: An Indian Tech Company partnered with GDPR solutions provider fi
- PbD compliant mobile advertising service: fi and advertising service utilizing customer base of global network operators to create a secure, anonymised, Privacy by Design database of carrier derived data.

Government
- E-Government initiative utilizing PbD: Australian Government implementing Privacy by Design in Govpass, digital fi fi and other information.
- Blockchain based identity management: An Indian State government's information technology arm is developing a proof of concept on using blockchain technology for identity management utilizing Privacy by Design.
- PbD compliant social media analytics portal:

Media

06 The way forward

Till now privacy was more of an afterthought rather than an effort to embed it into the project or application lifecycle but in future this will change. Going forward privacy is going to be a key area of action for government and companies, as the unlawful use of personal data could not only hamper the users but also governments and companies across the globe.

of large organizations will have a privacy management program fully integrated into the business, up from 10% in 2017. By 2019, half of the world's larger companies that process personal data will perform privacy impact assessments; fi process. 1

Privacy by design will bring in a change in mindset and lead to the responsible use of an individual's data. This will result in increased trust of users with the organizations, their applications and systems delivering positive-sum outcomes. In the future, implementing privacy by design can both demonstrate compliance and create a competitive advantage for companies.

Contact us

EY GDPR/Privacy Team:
- Jaspreet Singh, Partner - Cyber Security, EY India, Jaspreet.Singh@in.ey.com
- Sibjyoti Basu, Partner & National Business Development Leader, EY India, Sibjyoti.Basu@in.ey.com
- Lalit Kalra, Senior Manager - Cyber Security, EY India, Lalit.Kalra@in.ey.com

EY Knowledge (EYK) Team:
- Gaurav Sharma, Assistant Director, EYK, Gaurav.Sharma1@in.ey.com
- Ankita Singh, Assistant Manager, EYK, Ankita.Singh1@in.ey.com
- Shweta Verma, Assistant Manager, EYK, Shweta.Verma@in.ey.com

In a future where data is everywhere, who will keep it out of the wrong hands? To find out, participate in the EY GDPR readiness survey today by visiting ey.com/in and be a part of the GDPR preparedness journey.


Ernst & Young LLP

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata

Ernst & Young LLP. Published in India. All Rights Reserved.

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

About ASSOCHAM

The Associated Chambers of Commerce and Industry of India (ASSOCHAM), India's premier apex chamber covers a membership of over 4 lakh companies and professionals across the country. ASSOCHAM is one of the oldest Chambers of Commerce which started in ASSOCHAM is known as the knowledge chamber for its ability to gather and disseminate knowledge. Its vision is to empower industry with knowledge so that they become strong and powerful global competitors with world class management, technology and quality standards.

ASSOCHAM is also a pillar of democracy as it reflects diverse views and sometimes opposing ideas in industry group. This important facet puts us ahead of countries like China and will strengthen our foundations of a democratic debate and better solution for the future. ASSOCHAM is also the voice of industry; it reflects the pain of industry as well as its success to the government. The chamber is a change agent that helps to create the environment for positive and constructive policy changes and solutions by the government for the progress of India.

As an apex industry body, ASSOCHAM represents the interests of industry and trade, interfaces with Government on policy issues and interacts with counterpart international organizations to promote bilateral economic issues. ASSOCHAM is represented on all national and local bodies and is, thus, able to pro-actively convey industry viewpoints, as also communicate and debate issues relating to public-private partnerships for economic development.

The road is long. It has many hills and valleys yet the vision before us of a new resurgent India is strong and powerful. The light of knowledge and banishment of ignorance and poverty beckons us calling each member of the chamber to serve the nation and make a difference.


More information

1 About GfK and the Survey What are personal data? Use of personal data How we share personal data... 3

1 About GfK and the Survey What are personal data? Use of personal data How we share personal data... 3 Privacy Notice For ad-hoc CAWI (without target list) V1.0 June 4, 2018 Contents 1 About GfK and the Survey... 2 2 What are personal data?... 2 3 Use of personal data... 2 4 How we share personal data...

More information

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant General Data Protection Regulation April 3, 2018 Sarah Ackerman, Managing Director Ross Patz, Consultant Introductions Sarah Ackerman, CISSP, CISA Managing Director, Cincinnati Responsible for overall

More information

PRIVACY POLICY QUICK GUIDE TO CONTENTS

PRIVACY POLICY QUICK GUIDE TO CONTENTS PRIVACY POLICY This privacy policy describes the policies and practices of Comodo Security Solutions, Inc. and Comodo Security Solutions Ltd. (collectively and individually referred to herein as "Comodo"),

More information

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. I. OBJECTIVE ebay s goal is to apply uniform, adequate and global data protection

More information

Wonde may collect personal information directly from You when You:

Wonde may collect personal information directly from You when You: Privacy Policy Updated: 17th April 2018 1. Scope At Wonde, we take privacy very seriously. We ve updated our privacy policy ( Policy ) to ensure that we communicate to You, in the clearest way possible,

More information

Overview of Key E.U. and U.S. Privacy and Cybersecurity Laws. Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018

Overview of Key E.U. and U.S. Privacy and Cybersecurity Laws. Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018 Overview of Key E.U. and U.S. Privacy and Cybersecurity Laws Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018 Agenda Principal Obligations Under GDPR Key U.S. Privacy & Cybersecurity Laws E.U.

More information

the processing of personal data relating to him or her.

the processing of personal data relating to him or her. Privacy Policy We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of the Hotel & Pensionat Björkelund. The use of

More information

Emsi Privacy Shield Policy

Emsi Privacy Shield Policy Emsi Privacy Shield Policy Scope The Emsi Privacy Shield Policy ( Policy ) applies to the collection and processing of Personal Data that Emsi obtains from Data Subjects located in the European Union (

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

The GDPR Are you ready?

The GDPR Are you ready? The GDPR Are you ready? kpmg.ie The GDPR - Overview The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) will come into force from 25th May 2018, replacing the existing data protection

More information

Introductory guide to data sharing. lewissilkin.com

Introductory guide to data sharing. lewissilkin.com Introductory guide to data sharing lewissilkin.com Executive Summary Most organisations carry out some form of data sharing, whether it be data sharing between organisations within the group or with external

More information

PS Mailing Services Ltd Data Protection Policy May 2018

PS Mailing Services Ltd Data Protection Policy May 2018 PS Mailing Services Ltd Data Protection Policy May 2018 PS Mailing Services Limited is a registered data controller: ICO registration no. Z9106387 (www.ico.org.uk 1. Introduction 1.1. Background We collect

More information

MOBILE.NET PRIVACY POLICY

MOBILE.NET PRIVACY POLICY MOBILE.NET PRIVACY POLICY As the operator of the Mobile.net website (https://mobile.net.ltd/) (Website), ADX Labs, LLC. (Company, we or us) is committed to protecting and respecting your privacy. The data

More information

GDPR Compliant. Privacy Policy. Updated 24/05/2018

GDPR Compliant. Privacy Policy. Updated 24/05/2018 GDPR Compliant Privacy Policy Updated 24/05/2018 Overview This privacy policy is in compliance with the General Data Protection Act which aims to empower all EU citizens data privacy and to reshape the

More information