GDPR stands for General Data Protection Regulation. It was adopted by the European Union in April 2016 and became enforceable on 25th May, 2018. The Cambridge Analytica revelations of early 2018, in which the personal data of millions of social media users was harvested and used for political profiling during Donald Trump’s electoral campaign, came only weeks before that date and illustrated exactly the kind of large-scale misuse of personal data, and the violation of the right to privacy that goes with it, that the regulation is designed to prevent.
The GDPR imposes stringent rules on how organisations collect and process personal data, and it standardises data protection law across all 28 EU member states (as of 2018) in place of a patchwork of national implementations. It covers any information relating to an identified or identifiable natural person, which the regulation calls personal data and which roughly corresponds to what is called Personally Identifiable Information (PII) elsewhere. Its stated aim is to strengthen data protection rights by returning control over personal data to the individuals it describes.
The GDPR replaces the 1995 EU Data Protection Directive (95/46/EC). In the UK, the Data Protection Act 2018 replaced the Data Protection Act 1998 and supplements the GDPR in national law.
The regulation introduces a number of changes, chiefly much larger fines, mandatory breach notification (to the supervisory authority within 72 hours of becoming aware of a breach, where feasible), opt-in consent, and explicit accountability for transfers of personal data outside the European Union. The impact on businesses is major and permanently changes the way customer data is collected, stored and used.
The GDPR applies to every organisation that holds or processes the personal data of people in the EU, including Indian companies. Many organisations based outside the European Union may not realise that they are in scope. For example, any organisation that offers goods or services to people in the EU, or monitors their behaviour within the EU, must meet the compliance requirements set by the GDPR even if it has no establishment there.
How Does GDPR Affect Indian Companies?
It is common knowledge that the Indian ITeS, BPO and pharmaceutical industries see Europe as a large marketplace. The IT markets of the European Union member states Germany and France alone are estimated to be worth around 155-220 billion USD. So it should come as no surprise that if the Indian IT industry wants to grow, it will have to comply with the GDPR.
Indian companies that fail to comply with the GDPR face administrative fines of up to 20 million EUR or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83). With a new Indian data privacy bill being drafted and the GDPR already in effect, here are some of the challenges and opportunities that Indian companies face.
Challenges for Indian Companies
India’s outsourcing industry is estimated to be worth over 150 billion US dollars and contributes around 9.3% of GDP. Since the European Union is one of the biggest markets for that industry, Indian providers are at a disadvantage compared with competitors in jurisdictions that have stronger data protection laws: India has no EU adequacy decision, so every transfer of personal data to an Indian provider needs additional legal safeguards.
The GDPR leaves little room for discretion in how personal data may be transferred outside the EU. Because India is not covered by an EU adequacy decision, an Indian company receiving personal data from an EU controller must put in place appropriate safeguards under Chapter V of the regulation, typically the EU Standard Contractual Clauses or, within a corporate group, Binding Corporate Rules. Negotiating, implementing and maintaining those safeguards adds to compliance costs.
Article 3 (Territorial Scope) makes the GDPR applicable to the processing of personal data in the context of an EU establishment regardless of whether the processing itself takes place in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Indian companies in either category must therefore abide by the GDPR or risk losing EU customers and suffering heavy penalties and litigation.
The situation is not entirely bad, as Indian companies also have the following positives:
Indian companies need not see compliance with the GDPR purely as a burden. While they do have to make many arrangements in order to attain compliance, the GDPR can also be perceived as a means of opening doors to business opportunities all over the world, since a provider that can demonstrate compliance is easier for EU customers to contract with than one that cannot.
In the past few years, India has evolved into a technology hub thriving with deep expertise and a large talented resource pool. The GDPR can become the key to Indian companies standing out as global leaders in providing compliant services and solutions.
So How Should Indian Companies Prepare Themselves for GDPR?
Indian companies need to carefully look at the requirements for GDPR compliance. They need to:
- Review policies, procedures, and existing privacy programmes
- Conduct data discovery exercises and maintain documentation of what personal data is processed, where it is held and for what purpose (the record of processing activities required by Article 30)
- Impart data privacy training to employees and subcontractors
- Implement processes to perform data protection impact assessments (DPIAs, Article 35), manage data subject requests such as access and erasure, apply privacy by design and by default (Article 25), and notify breaches on time
- Review and update contracts signed with third-party vendors, since Article 28 requires specific terms in every contract between a controller and a processor