Bengaluru: The European Union’s (EU’s) upcoming General Data Protection Regulation (GDPR), which envisages strict rules for handling personal data of users, is proving to be costly for Indian technology start-ups that have operations in Europe.

The new regulation that takes effect on 25 May specifies new protocols for handling and storing private data, and sharing it with third parties. Flouting GDPR regulations can attract fines of up to €20 million, or 4% of the company’s global annual turnover.

Europe is an important market for start-ups operating in the business-to-business (B2B) segment and mobile gaming. Hefty fines and strict regulations could hinder a firm’s operations or lead to a complete shutdown, according to start-ups and policy experts whom Mint spoke to.

According to Gaurav Kapoor, chief operating officer of MetricStream, GDPR is enforceable even if companies do not have an office in the EU or do not operate in the EU, but handle private data of EU citizens. MetricStream is a provider of governance, risk and compliance solutions.

“For small start-up businesses, since they deal with smaller workflows and smaller set of data, I believe the cost of compliance increment will be in the range of 4-5%. While for bigger corporates, it would range between 10-20% of their compliance budgets," said Kapoor.

A top executive at a Bengaluru-based tech start-up that has operations in the EU said on the condition of anonymity that most small tech companies that export software to Europe do not sign any formal service or legal agreement, in an attempt to stay away from auditors.

Such measures to get around regulations could prove to be fatal for small organizations, legal experts said.

“If you are collecting data and trying to hide that fact, you are actually in deeper trouble. The only hope is that you won’t be found out…I don’t think firms can get away with this for long; maybe extremely small start-ups or companies of small scale could be able to get away with it, but all it needs is just one expose, and that will do," said Suneeth Katarki, founding partner, IndusLaw.

The new regulations also leave a lot of room for interpretation and the level compliance differs according to the size of the company, according to a partner from a private law firm based in Bengaluru, who asked not to be named.

For example, a part of the law suggests firms should maintain a “reasonable" level of data protection, but the law itself does not define what “reasonable" protection is.

Co-founder of online talent assessment start-up Mettl, Tonmoy Singhal, said the biggest problem firms face while trying to comply with GDPR is the lack of clearly-defined guidelines. “There is no single authority to certify the level of compliance. This leaves a lot of subjectivity and hence can cause confusion amongst smaller companies that may not have easy access to the right legal entities," he added.

Nevertheless, policy experts and Internet rights activists believe that GDPR also sets new data protection standards in place, which is likely to be adopted by other countries as well.

Delhi-based Software Freedom Law Centre (SFLC), an organization working to protect freedom in the digital world, said that GDPR will be the most comprehensive dedicated legislation on data protection ever formulated.

“This is not to say that GDPR, once in force, will immediately make things better for everyone as there certainly will be difficulties initially in adapting current industry practices to this stricter and more nuanced framework… It will be especially challenging for businesses that serve the European market while operating from jurisdictions with more relaxed data protection laws, as reconciling GDPR with domestic regulations will be a complicated process," an SFLC spokesperson said in an email.

Close