General Data Protection Regulation (GDPR) is the European Union's latest regulation to address the issue of data privacy. It is a replacement for the 1995 Data Protection Directive, which has, until now, dictated the standards of processing data in the EU. Indian firms with exposure to the EU, especially technology start-ups, fintech companies, and IT services, may feel the impact first. The law is scheduled to be implemented from 25 May 2018.
Mr Parthasarathy, National Leader – Cyber Risk Services, Deloitte, said, "Consumer-driven companies that have exposure to the EU, in areas like IT services and fintech, that support the banking and other regulated sectors, are likely to be affected first, and have to comply." However, he added that Indian consumers and regulators may not feel the strong impact of the GDPR immediately.
The GDPR comes at a time when India is implementing new laws and starting more discussions regarding data privacy in response to the increasing number of data breaches, the latest involving Facebook, where the data of around 87 million users globally, including over 5.6 lakh Indians, was accessed by British political research company Cambridge Analytica through its app, without their consent.
In August 2017, the Supreme Court in Justice Puttaswamy vs Union of India acknowledged privacy as a fundamental right, including the concept of informational privacy, and noted that it should be backed up by legislation that must be enforced to ensure private entities can be held accountable.
The GDPR contains 99 articles and 173 recitals, and includes crucial requirements that have a direct impact on the implementation of IT security in organisations. It addresses the main principles of security: confidentiality, integrity and availability of data.
Under the GDPR, users have more power to demand that companies reveal or delete the personal data they possess. With the GDPR, users will also be able to choose the way their data is used by withholding consent. They will be able to request access to their personal information from data brokers, or delete personal information from websites altogether.
According to the GDPR, data protection involves a rights-based, consent-driven approach. GDPR functions under the concept of privacy being 'by design and default' and has created new rules and higher standards of data privacy compliance that previously never existed.
Mr Parthasarathy said GDPR will impact companies with operations in Europe, and those that handle vast amounts of customer or client data, the most. He also added that areas like life sciences, the manufacturing sector and government entities will find it much harder to comply with the GDPR.
As quoted in the First Post article, Mr Jaspreet Singh, Partner-Cyber Security, said, "It is imperative for Indian firms to plan and continue their journey towards compliance even after 25 May, to ensure continuity of business within the EU and avoid hefty penalties because of non-compliance."
India is not present in the list of countries approved for data portability and transfer.
Indian companies working in the EU will be required to change the way they capture, process and use the data of EU nationals. Technology alone will not be able to help companies and organisations understand GDPR; it requires a detailed understanding of a number of data policies and privacy laws.
Indian firms will have to pay heavy fines and face increased regulatory actions if they do not comply with the GDPR.