What is GDPR?
The General Data Protection Regulation (GDPR) is a Regulation of the European Union that protects natural persons (called data subjects) regarding the processing and free movement of their personal data. This regulation has laid out very strict norms on how private information of individuals should be handled and processed. The GDPR is applicable globally.
What are the salient features of GDPR?
- Awareness: GDPR compliance ensures that the organization as a whole is sensitized to the data security practices it has to follow, thereby adding GDPR to the company’s “risk register”.
- Consent: GDPR asks companies to obtain consent from their customers, consent that is freely given, informed, unambiguous and mutual. It enables the data controllers to have sufficient evidence to control the individual data.
- Wider scope: Data processors across locations come under the purview of the GDPR regulations and they have specific compliances to adhere to.
- Individual’s rights: Privacy is a fundamental right, and the GDPR realizes this by establishing the Right of access to Data, the Right to correction of the Data, the Right to be forgotten, the Right to restrict data proliferation without consent, and many such rights.
- Privacy Notices: Amidst growing concerns for privacy, the GDPR helps companies empower their customers by being clear and transparent about how the ‘personal’ and ‘sensitive personal’ data is being handled.
- Data Protection Impact Assessment: The GDPR helps companies implement best practices which are mandatory in circumstances of medical health data, sensitive personal data, legal records, special category data and publicly accessible data.
- Data Protection Officers: The GDPR helps establish an ombudsman-like position in the company. This position is taken by autonomous and appropriately senior personnel. This is a nodal office where organizational operations, IT, Legal, Data Security and Privacy Policies intersect.
Implications on Indian Businesses
The scope for GDPR implementation is much wider in India. According to a survey conducted by EY, 70% of Indian respondents see data protection and data privacy compliance as increasing areas of concern. 46% of the companies are worried about cyber breaches and insider threats. Only 30-35% of all IT/ITeS companies have started their journey towards GDPR compliance.
India is in a unique position because of her Digital Transformation Journey. Through government initiatives like JAM (Jan Dhan Aadhaar Mobile), Digi-lockers, demonetization, GST and others, more and more data is generated and stored. The Data Privacy Bill and the Supreme Court Judgement declaring Data Privacy a Fundamental Right show the increasing seriousness about the topic.
Direct Impact of GDPR and Challenges
- The ITeS industry requires an increased, unrestricted flow of data from the EU, because the software business essentially runs on the outsourcing model.
- The GDPR will limit EU companies’ outsourcing options, which will hamper business development opportunities and may incur losses for businesses in India, as India may lose its competitive edge in global markets.
- Decision making on data transfers will be stringent, which may lead to increased overhead costs and longer timelines.
- The GDPR regulations target the ITeS industry directly, so compliance carries a high investment cost, and non-compliance will otherwise lead to severe penalties. For example, an Indian unit building analytics for a tourism company in the EU will have to obtain more permissions from the client and also adhere to compliance requirements such as taking customer consent, data access and more.
- Moreover, Indian companies get an opportunity to check their GDPR readiness. Readiness is essentially the ability to help data subjects freely manage their own data, help companies assess the collected data, monitor the methods of data processing and design systems to protect the stored data. Readiness and eDiscovery are the hallmarks of good data governance in any industry.
Benefits of the GDPR for Indian Businesses
GDPR is essentially a blessing in disguise for many businesses in the technology domain. Some of the benefits are listed below –
- Cyber Security: The regulation encourages companies to re-evaluate and improve their overall cybersecurity strategy. GDPR enables companies to establish thorough control over the entire IT infrastructure, security monitoring and data protection workflows.
- Marketing ROI (Return on Investment) & Customer Loyalty: GDPR requires companies to inform customers of their data privacy and data processing protocols. It also requires companies to give more control to their customers in terms of sharing information. Tailored messages to targeted customers/users can lead to more click-throughs, social sharing and eventually a higher conversion rate. Companies get a chance to explain to their customers very clearly how they will be utilizing the data, and to gain loyalty and retention of the business.
- Efficient Data Management: GDPR compliance will encourage the company to minimize its exposure by removing all the redundant and trivial data which holds no value to the organization, but only risk. A Data Audit will give a complete idea of the data structure and storage procedures.
- Usher a Data Culture for Security: GDPR promises to usher in a new culture in the company by sensitizing everybody to data security and introducing a new mindset of respecting user data privacy.
Companies are required to take this new GDPR compliance challenge in their stride and establish new technology architecture and security processes around the data they handle. Many GDPR-compliant companies are seeing a new business opportunity in helping others become compliant and creating a data-secure ecosystem to ensure that the culture of innovation and startups is supported.
The GDPR thus opens up an opportunity in Data Governance and Protection practices in India, while laying a road map to strengthen the framework for government and industry. It also helps implement the Fundamental Right to Privacy enshrined in the Indian Constitution.
Ameya Paratkar is an ICT professional and has worked in the cloud computing domain with multinationals. Currently, Ameya heads a SaaS product in the Agri-tech domain in India. He has a keen interest in Technology Governance Policies.