Is the General Data Protection Regulation (GDPR) going to have any impact on organisations outside India? This is a question many Indian startups and enterprises are grappling with as Europe races to embrace GDPR regulations coming into force by 25 May.
Organisations are worried about whether GDPR would have any profound impact on companies in India. GDPR rules apply to players who operate outside the EU and target data subjects there. The bottom line is clear — if you offer services to EU-based customers or mine their personal data, then you, as the service provider, come under the purview of GDPR guidelines. It is not just the IT and ITeS companies that operate outside the EU; most pharma and financial companies have also increased their geographic footprint in Europe.
Indian Companies Gearing Up For GDPR
As of now, India lags behind on data privacy laws but is playing catch-up by appointing a committee to develop a framework for data privacy rules in India. The panel is reported to be submitting its recommendations by the end of May.
According to a Deloitte report, Indian service providers who collect and mine personal data extensively will need to understand the requirements under the new law and become GDPR compliant to find new avenues and renew existing contracts. The report states that Indian tech companies that are data collectors and data processors should have prepared well before 2018 for GDPR.
The changing guidelines mean Indian companies will have to assess and redesign their data-intensive business processes, such as data acquisition, processing and data management, in compliance with the guidelines. This would also require companies to train their stakeholders and significantly redesign their business processes and controls in activities ranging from sales, marketing, pre-sales, project costing, data acquisition, data processing and data management (retention and purging) to compliance and reporting.
Industry veteran Sreekanth Nemani told a leading magazine that GDPR means companies will have to follow data protection measures like encryption for better and more effective data protection.
Given The Massive Ramifications For Tech Companies Outside EU, Here Are A Few Ways Companies Can Ready Themselves For GDPR
Training Respective Stakeholders: An Accenture report indicates that in the past, data controllers were tasked with data protection. Now, with GDPR coming into force, companies which provide data processing services, such as cloud services, can also be held liable for compliance risk and obligation. This means that accountability for data protection will trickle down the data supply chain to web-based companies, which will have to reimagine their business processes to avoid significant implications such as fines to the tune of 4 percent of global turnover.
Tightening Internal Privacy Controls And Ensuring Data Portability: The Accenture report notes that as per the GDPR guidelines, enterprises should put in place certain privacy controls in systems and processes that make use of personal data. Tech companies also need to engineer secure solutions that give users more visibility into their data when they wish it to be transferred. To transfer individual customer data, companies require capabilities to structure data so that it is portable and manageable across various platforms.
Shore Up Staff On Data Privacy: A key takeaway from GDPR would be the increased hiring of data security and data privacy practitioners. Web-based companies that handle large amounts of data will have to fill positions for data protection practitioners, who will establish processes that provide increased collaboration across business functions and understand compliance requirements around GDPR.
Kamal Brar, who leads the Hortonworks business in APAC, observed in a business daily that Indian enterprises can also strengthen their data privacy measures and empower their users in the same manner. Indian tech companies should also take note of the strong GDPR measures and understand their long-term benefits. He emphasised that by drawing on the GDPR guidelines, Indian companies can put in place a framework for the portability of data, gathering data by electronic consent and also consent regarding the use of data. He emphasised that Indian enterprises can borrow from GDPR guidelines and build technology deployments in areas like banking, healthcare and finance to strengthen data privacy rules.