The European Union’s (EU) General Data Protection Regulation (GDPR), which takes effect from 25 May, envisages strict rules for handling personal data of users and specifies new protocols for handling and storing private data, and sharing it with third parties.

Why should we bother about a European data protection rule?

GDPR will replace the 1995 Data Protection Directive and is aimed at protecting the personal data of EU citizens in the new digital world. The regulation covers all the EU member states and citizens, so all global enterprises with operations or customers in the EU must comply. Europe is a significant market for the ITeS, BPO and pharma sectors in India. The size of the IT industry in the top two EU member states (Germany and France) is estimated to be around $155–220 billion.

What are the implications of the new regulation?

The rules will also apply to companies whose activities target data subjects in the EU. The definition of personal data now explicitly includes location data, IP addresses, and identifiers such as genetic, mental, economic, cultural or social identity of a natural person. Individuals will have stronger rights over their personal data. The new rights include the right to be forgotten, the right to data portability, and the right to object to profiling. Consumer consent to process data must be freely given.

What if Indian firms do not comply with GDPR?

Flouting the rules can attract a maximum fine equivalent to 4% of an organization’s global annual revenue or €20 million, whichever is higher.

Are there any positives to EU GDPR?

Indian companies are likely to face increased compliance costs on the back of GDPR or risk huge penalties if they fail to comply. But they could see it as a business opportunity. Moreover, following the Supreme Court’s verdict, a data protection framework has been proposed by the Srikrishna Committee in India. Of course, whether the legislation will satisfy the criteria laid down under the GDPR or not remains to be seen.

How should Indian companies prepare for the EU GDPR?

They should review their policies, procedures and existing privacy programmes; impart data privacy training to employees; and review or update contracts signed with third-party vendors, among other things. Besides, Indian companies also need to evaluate how equipped they are to deal with the audit process, and use appropriate technology solutions to prepare for the same.
