India’s status as the sixth largest economy in the world has largely been fueled by its IT sector that raked in over 100 billion dollars in export of IT software and services during 2017-18. However, since May 25, 2018, the numerous IT companies that serve clientele from the European Economic Area (EEA) have come under the purview of General Data Protection Regulation (GDPR).
GDPR makes it mandatory for all companies to adhere to strict data privacy frameworks if they are dealing with PII (Personally Identifiable Information) of citizens from the EEA. Data that is categorized as PII includes IP addresses, location data and other technology identifiers, in addition to basic user information.
For the financial services industry, this is a game changer as PII has always been a key enabler for better personalization, positioning and targeting of customers for more efficient marketing strategies. However, as the recent data scandal that involved Cambridge Analytica and Facebook has shown, this data is highly critical and is more often misused than used for the good of the people involved. This fact makes GDPR extremely relevant.
GDPR and its impact
The most important aspect of GDPR is that it is a mandatory regulation and not a directive. This implies that it applies to everyone who comes under its purview, without exception. As per the guidelines stated by GDPR, companies will now have to obtain explicit consent from every user before they initiate any kind of interaction that aims to collect any kind of PII. In a nutshell, GDPR forces companies to re-examine the entire lifecycle of data, right from its generation and collection to storage and deletion.
As people become more aware of the consequences of their personal data floating around the internet, ‘privacy by design’ is gaining prominence and companies are being forced to revisit previously agreed upon contracts with customers and service providers.
All this implies that a lot of companies would have to revisit their existing business models, revamp their existing marketing strategies and make investments to conform to the regulations laid down by the GDPR.
The cost of non-compliance
The fines involved for GDPR infringement are severe and are of two types. The first is a fine of up to 10 million euros or 2% of annual global turnover of the previous year, whichever is higher. The second is a fine of up to 20 million euros or 4% of annual turnover of the previous year, whichever is higher. While breaches of data controller or processor obligations would be fined within the first tier, breaches of data subjects’ rights and freedoms will result in the higher fines.
However, the value of the fine that would be imposed is not clear-cut and the behavior of the organization involved would be taken into account when determining the value of the fine. This implies that organizations certainly have the opportunity to influence the reduction of fines by taking corrective actions to fully comply with the regulations. This would increase an organization’s propensity to promote a culture of data protection and the ability to publicly showcase the compliance steps taken.
This situation is in stark contrast to previous regulations that rarely held technology companies accountable for non-compliance, data loss or data breaches. Now, not only are companies being compelled to adopt stricter security standards, they are also being forced to introspect and determine where they lie on the spectrum of data controllers and data processors. To put things in perspective, while a data controller collects and owns PII data, a data processor does not explicitly own the data that is given to it by a third party. While there still exists some ambiguity about who is primarily responsible when a data breach occurs, the next few months will shed some light on the laws and agreements that govern mandates around data controllers vs. processors. However, irrespective of how companies determine their strategies, they will have to empower EU citizens by providing them more control over their PII.
Implications for India’s IT industry
The implications of GDPR for Indian companies that provide software products and services, especially in the IT sector, are huge. These companies need to make their systems GDPR compliant, revisit the business processes that revolve around PII and assess their level of compliance with GDPR.
They would also need to appoint Data Protection Officers (DPOs) and ensure that they respond to a data breach within the stipulated 72-hour window. The impacted companies would also need to train their stakeholders across a broad range of business functions such as sales and marketing, data acquisition, compliance, after-sales support and much more to ensure that compliance with regulations is maintained at all times.
While most regulations do come with associated costs, they can eventually result in ensuring superior professional conduct and overall market stability. Compliance with GDPR will ensure that companies generate a superior level of trust and confidence amongst their customers. As a result, customers will increasingly opt for companies that follow good privacy practices and guarantee the integrity of their PII. Ensuring a quick and proactive approach to adhering to the guidelines would help the companies coming under the purview of GDPR to remain competitive in their race to succeed.
Views expressed are the author’s own. S. Sundararajan is the Executive Director of i-exceed, a technology services company.