Here’s what India needs to know about GDPR


  • GDPR coming into effect will have implications for a lot of Indian companies, particularly IT and BPO firms.
  • Reports show that Indian firms haven’t changed their policies in accordance with the new requirements.
  • In addition, takeaways from GDPR may help India form its own data protection laws.
India may not be a part of the European Union (EU), but the bloc’s new data protection law has implications the world over. Officially kicking in today, the General Data Protection Regulation (GDPR) is essentially a new set of guidelines that determine how companies should access and use consumer data. GDPR is expected to help other countries, including India, formulate their own privacy laws.

The main purpose, at the end of the day, is to protect the privacy and personal data of citizens within the European Union. That being said, porous borders and globalisation ensure that the effect of GDPR isn’t limited to the European continent.

How is that possible?

It’s simple. GDPR applies to all the companies that operate in the EU. Their country of origin doesn’t matter, as long as they have operations within the economic bloc. That includes a lot of companies within India’s tech industry. In fact, Europe is a significant market for Indian IT and BPO firms. Some have even said it will be a ‘matter of survival’.

That being said, global corporations like Apple, Microsoft, Facebook and Google have to adhere to GDPR as well. Any changes to their privacy policies should apply universally, not just to users in the European Union. That includes residents of India.

Even when people from India go to visit any of the nations that fall under the purview of the EU, they get the benefit of being covered by GDPR from the minute they land to the moment they leave.

Why should you care?

According to a study by Ernst & Young, only 13% of Indian companies are prepared for GDPR, while the rest are still to catch up. To be fair, companies in Canada, Singapore and China are even less prepared.

Companies should care because if they fail to comply with GDPR, there’s a potential penalty of up to 4% of their annual turnover. A single-digit percentage may not sound like that big a deal, but it’s not a trivial amount when translated into actual numbers for most companies. It’s either that, or €20 million ($23.3 million). Not to mention the additional loss of EU clients and customers.

Companies monitoring the behaviour of people within the EU in any way will have to adjust their policies to include the new rules introduced by GDPR. The right to be forgotten has been talked about at length, along with the right to erasure of personal data.

In addition to policy changes, the companies will have to appoint a local representative within the EU and have adequate measures in place to detect and report data breaches in a timely manner, that is, within 72 hours.

People should care because of the indirect effect that GDPR can potentially have on India’s approach toward data protection and privacy, especially with Aadhaar, a 12-digit unique identification number, being embroiled in constant controversy. The legal challenges to the project actually led to the Supreme Court having to explicitly declare that privacy is in fact a fundamental right.

More importantly, India is currently in the process of drafting its own data protection laws under the Justice Srikrishna committee. The question being asked is, how much should India borrow from GDPR for its own framework?

In the aftermath of the Cambridge Analytica data breach, GDPR seems like the need of the hour despite it being far from perfect. Indian companies aren’t out of the woods yet and only time will tell if they manage to adapt or fail. Users, at the end of the day, don’t have too much to worry about. That is, aside from the current lack of data protection locally.