Complying with Europe’s GDPR will be a “matter of survival” for Indian IT firms

The blog post by Ananya Bhattacharya was published in Quartz India on May 24, 2018

The European Union’s (EU) General Data Protection Regulation (GDPR), which comes into effect on May 25, will put consumers in charge of their online data.

The law affects not just companies in the 28 EU member states but also those across the world that collect and process data from customers residing in EU nations.

“The first companies to be affected will be any outsourcing firms that deal with the EU, as well as the software firms that have personnel in the EU and in India,” Ryan Johnson, senior manager of international public policy at Access Partnership, a Mumbai-based consultancy, told Quartz. “In addition to the internal compliance issues, a lot of their contracts will need to be amended to reflect GDPR standards, both for vendors and clients. It will also change the kind of products that customers will want, as they change their IT environments to ensure compliance.”

Scores of companies in India’s $160 billion IT sector—Europe is its second-biggest market after North America—may now have to watch their backs.

So what exactly is the GDPR?

The GDPR, enacted in May 2016, is replacing the EU’S severely outdatedData Protection Directive regulation of 1995.

The data monitored under the new regulation will not only include personal information such as names, genders, and e-mail addresses that users voluntarily share, but also background tracking of cookies and browser history, and so on. Even identifiers like location data and IP addresses are explicitly included under personal data now, according to a report by consulting firm Deloitte.

“As regulations catch up, data privacy has fast evolved to become a matter of survival for companies,” said Rana Gupta, an identity and data protection expert at Gemalto, a digital security company.

The new EU rules mandate that companies dealing with high-risk and high-volume data regularly must appoint a data protection officer. Taking transparency up a notch, the regulations give companies a tight 72-hour runway to report data breaches.

Any violation will draw a fine of up to 4% of the firm’s annual turnover or €20 million (around Rs160 crore), whichever is higher. “With those kinds of stakes, investing in compliance now is the only right move for a sustainable business model,” said George Chang, vice-president at US-based cybersecurity firm Forcepoint.

That should be a wake-up call for Indian firms.

Ready or not?

While Indian IT giants like Infosys, Tata Consultancy Services (TCS), and Mindtree, which service European clients, will see an outsized impact of the new regulations, smaller Indian firms aren’t immune. Be it e-commerce sites with users logging in from, say, Belgium, or an India-based e-payments gateway accessed by someone in France, all companies—tech and otherwise—will need to tweak their terms and conditions to reflect the new rules.

“Digital marketing will be most affected once GDPR comes into effect, as promotional e-mails sent without the recipient’s prior consent fall afoul of the legislation’s diktat,” said Arun Balasubramanian, managing director of Qlik India, a software company.

Still, it seems like most companies haven’t prepared themselves for the altered regulation. A mere 13% of Indian companies have a plan to comply with the GDPR, a 2018 Ernst & Young survey revealed.

But India isn’t alone. More than half the companies located outside Europe aren’t ready either. “Even within the EU, small companies are struggling as there is a lot of fear-mongering about it (GDPR) and a general lack of awareness,” said Amber Sinha, senior programme manager at the Centre for Internet and Society (CIS).

Meanwhile, GDPR compliance can be an expensive affair, experts warn. This is so especially for large firms that may need to spend big on legal and consulting fees, besides bringing changes to their IT services. But all that will pay off in the future.

“Compliance can drive operational efficiencies, cost-savings, and even fuel innovation,” Gupta of Gemalto said. “…customers will place greater confidence in businesses, and businesses will minimise the all too common reputational and financial fallout of a breach.”

And as India looks at drafting its own privacy rules this year, Access Partnerships’ Johnson recommends it should look to “create a privacy law for India that’s substantively similar to GDPR, to help harmonise the two markets.”