Centre for Internet & Society

Only a third of Indian IT firms are compliant with the European Union's General Data Protection Regulation (GDPR), which will come into force on 25 May, according to a media report.

The article was published in First Post on March 26, 2018.


The GDPR, the EU's new online privacy rules, is designed to protect users' online privacy. The European Parliament has adopted the regulation but European governments have yet to approve the text.

“Only 30-35 percent of all IT/ITeS companies have started their journey to work towards GDPR compliance,” Jaspreet Singh, Cyber Security Partner at EY, was quoted as saying by The Economic Times.

The GDPR is applicable to companies globally, and carries significant potential financial penalties. Damages for any breach of privacy of user data from Europe could cost companies as much as four percent of their revenue, according to The Economic Times. For the Indian IT sector, Europe ranks number two in terms of the amount of business it drives, with the US still taking the lead.

Indian firms, according to Business Standard, are struggling to understand the GDPR policies. A survey by EY had shown that 60 percent of Indian respondents were unfamiliar with the new regulation.

"When asked to describe their company’s current status with respect to complying with the GDPR, only 33 percent of respondents said that they have a plan, while 39 percent said that they are not familiar with the GDPR at all and 17 percent said that they have heard of the GDPR but have not yet taken any action," EY’s Global Forensic Data Analytics Survey 2018 had said.

What is the GDPR all about?

The GDPR attempts to unify data protection laws across the EU. It applies to all companies, regardless of location, that process the personal data of people living in the European Union, including companies based outside the EU. It aims to strengthen the protection of EU citizens' personal details.

The GDPR is considered the biggest shake-up of personal data privacy rules since the birth of the internet. It is intended to give European citizens more control over their online information.

Under the new regulation, users will be asked once and for all whether to accept cookies, rather than every time they visit a new website. Users will have the option of going invisible online, while the rules enshrine the so-called "right to be forgotten" legislation. The industries most deeply affected will be those that collect large amounts of customer data and include technology companies, retailers, healthcare providers, insurers and banks.

Companies must be able to provide European customers with a copy of their personal data and under some circumstances delete it at their behest. They will also be required to report data breaches within 72 hours.

How will Indian firms be affected?

According to a study published by The Centre for Internet and Society, as a result of the GDPR, data protection procedures such as breach notification, extensive documentation and the appointment of a data protection officer may have to be incorporated into Indian law as well.

"As non-compliance involves high fines, inability of India or the organizations situated in India to qualify as data secure destinations is likely to divert business opportunities to safer locations," the study said.

(With inputs from agencies)