With the General Data Protection Regulation (GDPR) all set to come into force in the EU next month, Indian tech startups with operations in the region are worried that they won’t be ready in time to implement the new safeguards that the legislation asks for.
While Facebook recently announced that it will roll out GDPR privacy controls to all users around the world, smaller tech firms in India are concerned about its possible impact on the country’s booming tech industry.
Adopted by the EU Parliament back in April 2016, GDPR is slated to come into effect on May 25th, replacing the 1995 Data Protection Directive, and looks to address the privacy concerns of EU citizens by imposing stringent regulations on the collection and dissemination of personal data. Companies found to be in breach of the regulations face fines of up to €20 million or 4 percent of the company’s global annual turnover, whichever is higher.
The GDPR differs significantly from the Indian IT Act of 2000, which governs data protection in India: the EU law includes provisions such as breach notification, detailed legal documentation and the appointment of data protection officers, none of which are part of the current Indian law. The GDPR also comes with severe restrictions on transfers of personal data to offshore destinations (outside the EU), and includes the ‘Right to Erasure’, whereby individuals can withdraw their consent for data collection and ask companies to erase the data already held on them completely. All this means Indian companies have to provision for the new rules for any users who use their app from within the EU.
However, the biggest difference between the IT Act and the GDPR is in the way they tackle breaches of privacy. The former treats privacy breaches as a criminal offense, which limits the victims’ options for seeking redress under civil law. Under GDPR, by contrast, the redress mechanism is available as a matter of right, which allows victims to take potential violators to court themselves, including as part of large class action lawsuits that can cost companies a pretty penny.
What further worries Indian companies about GDPR is not just the lack of clearly-defined guidelines, but also the absence of a single authority to certify the level of compliance, all of which leaves room for confusion. The increase in the cost of compliance is also not something that the companies are looking forward to. According to Gaurav Kapoor, the CEO of GRC solutions provider MetricStream, “the cost of compliance increment will be in the range of 4-5 percent” for small startups, while for bigger firms, “it would range between 10-20% of their compliance budgets”.
Eventually, though, it is in the best interest of these companies to get over the initial hurdles rather than wait for the consequences of violating GDPR. The extra cost incurred would be more than worth it as more and more countries take the cue and enact similar legislation going forward.