What this means for Indian users is that, while they have access to the same privacy policies on the platform, they are not governed by the same level of protection as EU users. Similarly professional networking platform LinkedIn split data governance for users between their Ireland subsidiary and US subsidiary.
Yet some organizations, especially in gaming and entertainment, are choosing to let go of their EU clients rather than update global policies. Uber Entertainment and gaming giant Ragnarok among others chose to follow this path.
Jaspreet Singh, Cyber Security Partner, EY notes,"If any organization has very little exposure to the EU region, then they should look at restricting their business. Organizations are certainly restructuring to minimize their exposure to EU. "
Moreover, it will be difficult for a lot of clients to distinguish between EU and non-EU users as that would require much more investment and it makes sense to have a global company-wide policy to cater to organization-wide needs, he adds.
“So far we haven’t read about an authoritative announcement w.r.t Indian enterprise(s) withdrawing operations/services from the EU because of GDPR. However, we have come across discussions where India based service providers are renegotiating the terms of business with their customers based in the EU,” said Manish Sehgal, Partner, Deloitte India.
While the negotiations may vary, including discussion around the personal data being received by the service provider to accountability organisation with GDPR ready systems and processes will have an advantage over its non-GDPR ready competitors, he added.
Singh highlights that Indian pharma companies
that have clinical research engagements with EU citizen, hospitality chains have EU customers, internet, e-commerce, manufacturing as well as banking will have to take efforts to comply with the change. Cost of doing business will certainly change and cost of compliance will be incurred by organizations but it will eventually be helpful for the business to implement GDPR controls.
The Justice Sri Krishna committee report also talks about a lot of privacy principles that have similarity with EU GDPR and will, therefore, make sense for Indian companies
to comply as a one-time exercise.
Lastly, Sehgal notes GDPR triggered change (within Indian consumers) may be limited to those interacting with or leveraging services of multinational enterprises however significant portion of consumers in India may be still unaware. Indian consumer will largely change because of the law-of-land i.e. India’s own data protection act.
Richard Hogg, Global GDPR & Governance Offerings Evangelist, IBM adds, ”There are hundreds of regulations overlapping security, data breach and retention policies etc. across the globe. What they need to do is to identify and classify data before implementing any of the policies in order to be able to accommodate multiple regulations.”