View from India: GDPR’s impact on the Indian IT industry
The European Union’s General Data Protection Regulation (GDPR) has come into effect today, heralding a new data and privacy protection regime and requiring large-scale privacy changes across organisations. There are new protocols for handling and storing private data and also sharing it with third parties.
The 1995 Data Protection Directive has been replaced by GDPR, and what makes the new regulation distinct is that it was envisioned to protect the personal data of EU citizens in the new digital world. The crux of the GDPR is to strengthen and unify data protection laws for individuals within the EU as well as to address the export of personal data outside the EU. Thus, it protects against the misuse of any kind of personally identifiable information (PII) of EU citizens.
The GDPR defines six privacy principles: lawfulness, fairness and transparency; purpose limitations; data minimisation; accuracy; storage limitations; integrity and confidentiality.
What is important is to see GDPR’s impact on the Indian IT industry; it applies to any company that handles the private data of EU citizens or conducts business in Europe. GDPR is significant in the Indian context because many IT and ITeS companies have increased their presence in the EU market in the last few years.
“Indian IT, ITeS and pharma companies operate in Europe. The Indian IT industry alone enjoys revenue of approximately $200bn in the region and with GDPR coming into force it is necessary for all of them to stay compliant. Else, it could have a negative impact on the revenues, employment and perhaps on the Indian GDP as well,” warns BS Rao, vice president (marketing) of CtrlS Datacenters.
“Those not complying with GDPR are liable for a penalty of 20 million euros or 4 per cent of global turnover,” he added. “Assuming all of them achieve cent percent compliance, the revenues, customer trust and market share shall remain intact. Furthermore, should they also add consulting in the GDPR-compliant consulting services this can trigger a growth in the revenues and add to the Indian gross domestic product (GDP).”
Hence it becomes crucial for Indian companies to protect customers’ data with built-in intelligent security capabilities. For this, companies need to be GDPR compliant by investing in solutions and services to help customers with GDPR compliance. They should develop or update privacy policies, procedures and compliance programmes.
Employees should be equipped with the skillsets to handle data privacy issues. A new set of tools needs to be evaluated to address challenges around data subject requests, data retention and disposal, cross-border data transfers and consent management.
“A key step in the GDPR compliance journey is for organisations to have a clear and accurate understanding of personal data and maintain records of the end-to-end lifecycle of this data. For solutions involving automated profiling and decision-making using personal data, organisations should understand the categories of personal data and data subjects involved in processing. It’s also essential to understand and document the logic proposed for automated profiling or decision-making, besides understanding the significance and business objective of such processing,” highlighted Sivarama Krishnan, cyber security leader, PwC India.
Whilst business houses are rushing to accomplish their GDPR-related data privacy and protection goals, one should remember that today marks only the beginning of a journey that will be continuous and will evolve as companies work towards GDPR compliance.
“What is most interesting to note is that the GDPR has forced business entities to sit up and take a serious look at the data that they have been amassing. Even the smallest of start-ups struggled to decipher how much data they have collected, where they have been stored and how they were processed,” explained Supratim Chakraborty, associate partner, Khaitan & Co. He added, “Therefore, I would say it is a good wake-up call which should be emulated by all businesses. The principles of GDPR are beneficial and could be adopted by all business houses whether there is an EU interface or not.”
At every stage, organisations must minimise the collection of personal data and apply measures to maintain data quality and accuracy during the implementation of the automated profiling and decision-making solution. “Organisations should consider building ‘privacy principles’ into the foundation of the solutions involving automated profiling and decision making. They should ensure that adequate risk mitigation strategies, as identified during data protection impact assessments (DPIA), are embedded into the solution. They need to use privacy-enhancing methods like aggregation, anonymisation, pseudonymisation and encryption to minimise the amount of personal data and threats involved in automated profiling and decision making, thereby minimising privacy risks to individuals,” added Krishnan.
These are challenging times, and the companies that plan with a futuristic outlook, stay dedicated to the implementation of their plan and continuously evolve their strategy to adhere to the GDPR standards will emerge as winners. GDPR compliance should not only be looked at as an effort but also as a business advantage that can be a differentiator in the market. An entity compliant with GDPR requirements will command more confidence from customers than one that is not.
As a business opportunity, tech companies can assist their clients in the EU and on other continents in becoming GDPR-compliant. This means innovative tech solutions will drive business initiatives towards GDPR services such as data discovery and data-breach notification. In the long run, this new dimension will give rise to a complete ecosystem that will boost the economic growth of the country.