Sameer SachdevaJun 03, 2019 14:47:42 IST
The European Union (EU) adopted the General Data Protection Regulation (GDPR) on 27 April 2016 and it came into effect on 25 May 2018, but it looks like Indian companies are ignorant about its implication and applicability.
The GDPR seeks to protect EU citizens' rights to data privacy through this regulation, so any Indian company which has customers from Europe for its online or offline services, are mandated to be compliant with the GDPR regulation. One of the features of the GDPR is that when personal data of EU resident is transferred to non-EU countries, these nations have to provide data protection. The GDPR has an extra-territorial ambit. Violation of GDPR can invite fines of up to 4 percent of a company's GDP.
It is applied to Indian entities acting as a controller or processor of personal data of EU residents. In India, the GDPR will impact the information technology (IT), Information Technology Enabled Services (ITeS) companies, outsourcing companies and international e-commerce firms.
According to Na. Vijayashankar (Naavi), the chairman at the Foundation of Data Protection Professionals in India (FDPPI), “Companies need to comply with laws for residents of different geographies. For instance, for data of EU residents, the GDPR is applicable, while for Indian citizens the Personal Data Protection Act (PDPA) will come into force as and when it is implemented. Similarly, for citizens of Canada, Singapore or any other country the respective data protection law holds good.”
Kamal Dave, the Managing Partner of law firm Cyber Juris, says, “Many Indian companies are ignorant of the GDPR, and have a misconception about it.”
Dr Pavan Duggal, a Supreme Court advocate and expert in cyber-security laws, agrees with Dave about the lack of awareness about the GDPR.
“Indian companies feel that the GDPR is a European concept, and doesn’t apply to them. However, the moment an Indian firm is handling or processing data of Europeans, it is amenable to it. Though no Indian company has been fined so far, it potentially carries a reputational risk. Besides, it can affect current and prospective business interests. Big organisations are ahead of the curve and trying to be compliant. The general perception is that Indian companies can work around these issues. Presently, Indian companies need to comply with the Information Technology Act as the country doesn’t have a privacy act yet. The government needs to strengthen data protection at the earliest.”
The impact of GDPR will be maximum on IT/ITeS industry as software development is happening on the outsourcing model. The business of the Indian companies may also be hampered if they are non-compliant with GDPR. EU companies will definitely do their due diligence before outsourcing contracts to India regarding compliance to GDPR by the outsourced companies.
The cost of compliance to GDPR will be another component while taking outsourcing projects which will be borne by the Indian companies.
The Indian companies will also have to adhere to local laws which are IT Act currently and the proposed Personal Data Protection Bill 2019 which is expected to be passed by parliament soon.
In nutshell, Indian companies have to follow multiple legislation (local and global), increased cost of compliance and loss of business in some cases in the GDPR era.