Decoding Europe’s new data protection law

‘Many firms in India are still not ready for compliance with the law, which covers all entities doing business in the EU’

May 27, 2018 10:31 pm | Updated 10:31 pm IST - NEW DELHI

Locked and loaded:  The GDPR, which came into force on May 25, provides for hefty penalties of up to to €20 million or 4% of a firm’s global revenue for non-compliance.

Locked and loaded: The GDPR, which came into force on May 25, provides for hefty penalties of up to to €20 million or 4% of a firm’s global revenue for non-compliance.

The recent flurry of ‘we have updated our privacy policy’ e-mails in your inbox is the result of European Union’s (EU) General Data Protection Regulation coming into force. These stringent regulations that aim to protect all EU citizens from data breaches, provide for hefty penalties of up to €20 million or 4% of a company’s global revenue for non-compliance. Analysts expect this regulation to have a ripple effect on how consumers’ data is treated across the world.

The regulation, which was approved by the EU Parliament in April 2016 after about four years of preparation and debate, came into effect on May 25, 2018.

However, many firms in India are still not ready for compliance with the new law which will cover all entities doing business in the EU.

GDPR journey

“A lot of organisations, especially in the EU region, started their GDPR compliance journey more than a year ago,” said Jaspreet Singh, partner-Cybersecurity, EY. “It is only in India that awareness is very low and organisations are still grappling with how to get compliant with GDPR. Compliance is not easy… It is not a one-time job… it impacts not only technology but all aspects of organisation per se.”

He pointed out that only 30-35% of all IT/ITES firms had started work towards being GDPR-compliant. “It is a mix of many issues… a lot of organisations still don’t understand how this is applicable to them. For some, it’s a typical mentality that ‘I will not get fined or we will see what happens,” Mr. Singh said. But it is not just IT and ITES companies. Firms across sectors and industries need to be GDPR-compliant.

“Any organisation providing goods and services in the EU, be it a BFSI unit, a manufacturer, a pharma company..., comes under GDPR,” said Prashant Gupta, partner, Grant Thornton India LLP. “This regulation will radically transform the privacy landscape for organisations of all sizes and sectors that process personal data.

GDPR not only impacts Indian organisations, but also global firms who are handling or managing PII data for EU employees, vendors, businesses,” said Mr. Gupta.

Mr. Singh of EY said a lot of focus is on the IT/ITes firms as they contribute about 7% to India’s GDP. “If you look at the revenues, it is a heavy contributor. That is why everyone talking about the sector being the most impacted. Otherwise, cost of doing business will be there across sectors.

“There are areas where GDPR provides relief and consistency, however, it also comes with very stringent penalties on non-compliance,” said IT/ITes industry body Nasscom.

“Most large companies are very well prepared due to economies of scale, however, the impact on SMEs and start-ups are a cause for concern they may struggle with several areas that render it costly for processors,” it said. These include appointing a data protection officer in organisations, the concept of privacy by design (encryption) and by default (processing the minimum amount of data), new privacy rights for individuals like the Right to Erasure and Right to Data Portability, and new consent rules which require consent for different activities from different stakeholders, including employees and customers. “Once this learning curve is scaled, we do see an opportunity to offer services for GDPR compliance and complaint process capabilities,” Nasscom added.

Mr. Gupta added that companies have to need to build robust processes and assign responsibilities and accountabilities to address data protection and privacy-related issues. and queries ensure the GDPR requirements. Data protection in some form was always there, especially in the U.S. and EU. However, GDPR is a more stringent form of earlier regulations. “So, companies have been following certain processes already, they now need to take it to the next level. The real impact of this on business will become clear only one or two quarters down the line and will depend mainly on issues of non-compliances and supervisory authority’s consideration,” said Mr. Gupta.

He added that the cost and time of implementation for required policy and processes implementation will depend on various factors such as maturity level of organisation and size of the data handling., global presence, customer, employee and vendor base in EU and business model. While implementation can take anywhere from six months to a year or more, the cost can vary between a vast range from organisation to organisation.

‘Positive impact’

“This [GDPR] will have a positive impact on the way data is treated globally by the companies. It is difficult for global companies to segregate data and systems in an integrated world.

“GDPR will provide a benchmark of how data protection may be treated. GDPR also gives a sense of comfort to the data subjects and enforces clear purpose, transparency of data when any data controller or processor collects, processes, stores, disposes and archives their personal data,” he added.

Mr. Singh agrees. “Mauritius, for example, last week passed a very stringent law similar to GDPR. India is already working on data protection law — some of the attributes that the draft policy talks about are similar to what is there in the GDPR. Today, globally, organisations will have to up their ante on privacy-related engagements and issues. So that end customer data is not impacted.”

On the financial impact on businesses, Mr. Singh said, “I can’t put a number on it… a lot of clients that we work with have already started getting queries around please demonstrate your GDPR compliance, privacy policy, consent notices etc. across sectors.”

‘Tectonic shift’

Terming the new law as “a tectonic shift in the global privacy paradigm,” Anant Maheshwari, president, Microsoft India said it would herald a new era in consumer trust. “We began work on GDPR as soon as it was adopted by the European Union. We have over 300 full-time engineers focused on GDPR compliance and have adopted over 30 controls based on GDPR.

“Our preparations for GDPR touch every part of our company — from our senior leadership who drive our commitment all the way to individual engineers on our product teams who write code,” he added in a blog.

Maninder Singh, corporate vice president and head, cybersecurity and GRC business, HCL Technologies explained: “The regulations means that the business process should be run in a manner so that privately identifiable information or personal information is protected and should not be disclosed to any person who is not supposed to know.” Hence, your business logic must contain that control, hence your app should be written in that manner and any connected IT systems that hold that personal information must secure it in a particular manner.”

“I think most of the businesses must have done assessments and would have in their business systems try to build logic to get ready for it [GDPR]. I can tell you for HCL. We have worked very closely with the regulators in Europe for the EU GDPR law. HCL has done necessary things for its part of operations in Europe to comply to the GDPR regulation,” said Maninder Singh, corporate vice president and head, cybersecurity and GRC business, HCL Technologies. Mr. Singh added that in any regulations a lot of things are evolving, so the real implication of the law will become clear only once it starts operation for a while.

Data protection jobs

According to data from job portal Indeed, between January 2017 and March 2018, there had also been a spike in the number of job postings for data protection roles, which had seen an increase of 143% while the number of job searches for the same had risen by 188% as Indian companies looked to fortify their databases.

“Globally, the increasing number of cybercrimes had made it imperative for companies to keep pace in hiring the right talent to combat them. Therefore, companies across the world are gearing up to ensure compliance to General Data Protection Regulation (GDPR) and ePrivacy requirements. While the larger technology giants are more or less equipped to comply, it is the mid-size and smaller firms that are seeking professionals to help them cope with the requirements the new laws entail” said Sashi Kumar, managing director, Indeed India.

Additionally, according to the platform, there had been an upsurge in job postings for cybersecurity roles by 150% between January 2017 and March 2018 along with a corresponding increase of 129% in job searches for the same in the same period.

Mr. Maheshwari of Microsoft said, “To me, this is a golden opportunity for India to drive thought leadership in the global market. We can build expertise and capabilities, create new lines of advisory and consulting businesses, develop a market differentiator and be a source of competitiveness.”

0 / 0
Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.