Making Indian firms compliant with European Union data privacy rules

The rollout of the new data privacy rules across the European Union has Indian companies, even those with only remote connections to Europe, in limbo. The new rules govern the storage, transfer and use of data, including the personal and financial information of EU residents. Those violating the long list of requirements could attract fines of up to €20 million or 4 per cent of their global annual turnover, whichever is greater, along with strong business disincentives. 

This is where corporate India is in trouble. A large number of businesses, large and small, process EU data, have customers in the EU or otherwise have access to the data of EU residents. However, experts say Indian firms will need a lot of work to become compliant with the General Data Protection Regulation (GDPR), with the deadline of May 25, 2018, when the regulation begins to apply, fast approaching. 

For instance, the GDPR requires every firm within its scope to update its privacy notices to state clearly who controls the data (the identity and contact details of the data controller), the purposes of the processing, the legitimate interests the controller relies on, any transfer of the data to third parties, and any automated decision-making carried out on a consumer’s data. While these are the requirements on the customer information side, there are heavy demands on the operational and human resources side too. 

Companies that fall within the GDPR’s ambit will have to rectify inaccurate personal data they hold about EU residents, since data subjects gain a right to have such data corrected. Additionally, controllers and processors whose core activities involve large-scale regular monitoring of individuals, or large-scale processing of sensitive categories of data, will have to appoint a data protection officer to oversee compliance, and controllers will have to carry out a data protection impact assessment for risky processing. Impact assessments are to be undertaken for data processing that results in a high risk to the data subjects, notes Supratim Chakraborty, associate partner at Khaitan & Co. 

A study by the International Association of Privacy Professionals (IAPP) conservatively estimates that at least 75,000 data protection officers (DPOs) will be required around the world. The requirement for India is pegged at around 1,125 DPOs. 

Since Indian law does not contain data protection provisions as detailed as the GDPR’s, companies will find it hard to comply with the regulation in time for the May deadline, says Chakraborty. “Lack of existing jurisprudence about EU GDPR will be a roadblock for companies as well,” he adds. Experts say implementing the EU GDPR requirements is a time- and effort-intensive process that demands an overhaul of technical and organisational policies and practices. 

The extent of India Inc’s unpreparedness was also evident in a global study carried out by EY, which found that only 13 per cent of surveyed firms in the country said they had a plan for complying with the GDPR. In comparison, one-third of the companies surveyed in the United States said they were ready for the GDPR, as did 50 per cent in France and around 35 per cent in South Africa. 

Jaspreet Singh, partner, cybersecurity at EY India, notes that apart from the information technology industry, which will be the most affected by the new regime, pharmaceuticals and hospitality are among the sectors that will feel the heat. “For a mid-sized IT firm the implementation will take at least six-eight months and incur about half a million dollars to be compliant,” says Singh. 

The broad contours of the new EU data privacy law were announced in 2016. However, the bulk of Indian businesses have been slow to react to the impending changes, say experts. 

The IT head of a major Indian law firm points out that large companies may not have too much work to do if they already conform to international standards for data privacy and security. “If businesses are already aligned to existing data security standards, the GDPR regulations shouldn’t add much liability. But in case any business will have to start developing compliance from a nascent state, it will be quite a tight race against time,” he says. However, the biggest challenge will be for India’s booming IT companies, which work with a lot of EU data on a daily basis. Industry association NASSCOM has set up a special GDPR compliance dashboard to help companies navigate the challenges. “The Indian (IT) industry is well on its way to comply with GDPR,” says Gagan Sabharwal, senior director, Global Trade Development, NASSCOM. 

Sabharwal points out that compliance requirements would be determined not only by the GDPR and its specific security-related clauses, but also by the contractual clauses that support data controllers in complying with the GDPR. NASSCOM has organised several training programmes for its members, lending a helping hand to companies that are struggling. However, some challenges remain. “Concepts like Privacy by Design have no precedent in previous regulations which will be a learning phase for both companies and regulators,” says Sabharwal. For the IT industry, there is also a silver lining in the GDPR-compliance cloud. “We see an opportunity to offer services for GDPR compliance and complaint process capabilities,” says Sabharwal.