On 27th April 2016, the European Union adopted the General Data Protection Regulation (GDPR). On 25th May 2018, the European Union reached a milestone in data protection law across the region. The core objective of the General Data Protection Regulation is to solidify and unify data protection for individuals within the European Union. The law also addresses the export of personal data outside the European Union, which means it prevents the misuse of any kind of personally identifiable information (PII) of EU citizens.
This development will not only alter the business perspective in the European Union but also significantly influence the global market and multinational corporations. The government gave organizations two years to understand, comprehend and implement the regulation in their systems.
For Indian ITeS, BPO and pharmaceutical giants, Europe has always been a potential market. The size of the IT industry in the top two European Union member states, Germany and France, is estimated to be around US$155-220 billion. It is therefore essential for the Indian IT industry to continue doing business in Europe, and that business must comply with the GDPR. In case of non-compliance, the penalty is €20 million or 4% of global turnover. The regulation calls for a pragmatic and programmatic approach to data protection and a defensible programme for compliance with the General Data Protection Regulation.
Organisations are required to revamp a number of aspects to align with the GDPR. It is of prime importance for organisations to develop a vision and strategy for GDPR compliance. Organisations should also bridge the gap between their current compliance programme and the requirements of the GDPR, and analyse the risk. There is a need to create an accountability framework for data protection. Operational structures for consistently documenting processing activities and data flows also need to be developed in accordance with the compliance codes. Developing processes for privacy by design, privacy impact assessment and risk assessment is another important requirement for organisations.
Weak Data Protection Law in India
The outsourcing industry of India, which is estimated at over US$150 billion, contributes 9.3% of Gross Domestic Product. The European Union has been one of the biggest markets for the Indian outsourcing sector, and India's data protection laws are relatively weak, which could make us less competitive than other outsourcing markets.
Mostly inflexible, the GDPR reduces the extent to which businesses can assess risks and make decisions when it comes to transferring data outside the EU. Indian companies would need to implement reasonable safeguards, as required under the GDPR, in order to transfer personal data outside the European Union, thereby further increasing compliance costs.
Greater Risk of Penalties and Litigation
Article 3 (Territorial scope) of the GDPR makes it clear that the regulation will be applicable regardless of whether or not the processing takes place in the EU. This means no business for Indian companies that do not comply with the GDPR, and increased compliance costs for those that do, along with the risk of huge penalties for failing to comply.
After the US market, the European market is the leading potential market for the Indian IT industry. Rather than perceiving the GDPR as a compliance burden, the Indian IT industry should consider it a great opportunity to realise its full potential in the EU market. Over the years, India has become a technology hub equipped with deep expertise and a talented resource pool.
The GDPR could be an opportunity for Indian companies to stand out as leaders in providing privacy-compliant services and solutions. The requirements under the GDPR also allow the European Commission to consider whether the legal framework existing in the country to which personal data is to be transferred ensures sufficient protection for that data and for the privacy of the individuals concerned. Following recent developments on data protection and the Hon'ble Supreme Court's verdict, a data protection framework has been proposed by the Srikrishna Committee. It remains to be seen how the forthcoming legislation shapes up and whether it will satisfy the criteria put forward by the GDPR.