- GDPR coming into effect will have implications for a lot of Indian companies, particularly the IT and BPO firms.
- Reports show that Indian firms haven’t changed their policies in accordance with the new requirements.
- In addition, takeaways from GDPR may help India form its own data protection laws.
The main purpose of GDPR, at the end of the day, is to protect the privacy and personal data of citizens within the European Union. That being said, porous borders and globalisation ensure that the effect of GDPR isn’t limited to the European continent.
How is that possible?
It’s simple. GDPR applies to all the companies that operate in the EU. Their country of origin doesn’t matter, as long as they have operations within the economic bloc. That includes a lot of companies within India’s tech industry. In fact, Europe is a significant market for Indian IT and BPO firms. Some have even said it will be a ‘matter of survival’.
That being said, global corporations like Apple, Microsoft, Facebook and
Even when people from India go to visit any of the nations that fall under the purview of the EU, they get the benefit of being covered by GDPR from the minute they land to the moment they leave.
Why should you care?
According to a study by Ernst & Young, only 13% of Indian companies are prepared for GDPR, while the rest are still to catch up. To be fair, companies in Canada, Singapore and China are even less prepared.
Companies should care because if they fail to comply with GDPR, there’s a potential penalty of up to 4% of their annual turnover. A single-digit percentage may not sound like that big a deal, but it’s not a trivial amount when translated into actual numbers for most companies. It’s either that, or €20 million ($23.3 million). Not to mention the additional loss of EU clients and customers.
Companies monitoring the behaviour of people within the EU in any way will have to adjust their policies to include the new rules introduced by GDPR. The right to be forgotten has been talked about at length, along with the right to erasure of personal data.
In addition to policy changes, the companies will have to appoint a local representative within the EU and have adequate measures in place to report and detect data breaches in a timely manner, that is, within 72 hours.
People should care because of the indirect effect that GDPR can potentially have on India’s approach toward data protection and privacy, especially with Aadhaar, a 12-digit unique identification number, being embroiled in constant controversy. The legal challenges to the project actually led to the Supreme Court having to explicitly declare that privacy is in fact a fundamental right.
More importantly, India is currently in the process of drafting its own data protection laws under the Justice Srikrishna committee. The question being asked is, how much should India borrow from GDPR for its own framework?
In the aftermath of the