The European Union’s new regulations on privacy and data protection will take effect on Friday, putting in place more protocols for the Indian IT industry to follow.

The General Data Protection Regulation (GDPR), which treats countries with strict data privacy laws favourably, requires companies to ensure the safety of user data.

The stringent GDPR norms require violations to be reported within 72 hours of their occurrence, and any data breach or non-compliance could attract fines of up to €20 million, or 4 per cent of a company’s annual turnover, whichever is higher.

The new regulations will govern how companies will collect, process, and protect personal data of citizens of the European Union.

“The impact of GDPR would be more on data-driven organisations and sectors which are technology-intensive, such as IT, ITeS, financial services, telecom and life sciences,” said Arpinder Singh, Partner and Head (India & Emerging Markets), Fraud Investigation and Dispute Services.

“Today, many Indian firms cater to foreign markets including the EU, holding data or personal information of customers... companies in India will not only have to adhere to the regulation but also ramp up their compliance programmes,” he said.

Some experts say India’s GDPR preparedness is not up to the mark. According to a Forensic Data Analytics (FDA) survey conducted by EY recently, about 60 per cent of Indian respondents said they are unfamiliar with the regulation, compared to 39 per cent globally.

“Only 13 per cent in India stated that they have a plan for GDPR compliance, lower than the global average of 32 per cent. This indicates that Indian firms need to still make substantial investments in understanding the scope of and implementing a robust GDPR strategy,” he said.

Due to a sizeable number of MNCs based in India and operating in the EU, the impact of GDPR is likely to be heavy on India as well.

“These include not just the IT and ITeS companies but also financial, telecom and manufacturing companies that have operations in EU,” he said. The National Association of Software and Services Companies (Nasscom), however, claimed that the IT industry “is well on its way to comply with GDPR”.

“We have organised several training programmes with experts around the world and also with the Directorate-General for Justice and Consumers of the European Commission. So we believe we are preparing well,” a top Nasscom executive said.

Control over data

Besides emphasising the consent of people to the use of their data, the regulation mandates that organisations allow people to withdraw their consent at any time. Organisations should also deploy processes to manage the new rights, including the right to be forgotten.

This would require companies to have full visibility of the vast volume of data piling up with them, so that the relevant data can be identified and removed as the regulation requires.

The EU does allow transfer of data to countries with adequate levels of personal data protection. Transfer of data to other non-EU countries is allowed only where guarantees on data protection are offered: companies will be required to agree to standard contractual clauses or binding corporate rules (BCRs).

Indian companies don’t get any EU concessions, as the country is yet to pass a Data Protection Act. However, mere passage of an Act would be inadequate; the Act would also have to adhere to EU norms on data protection.
