The recent flurry of ‘we have updated our privacy policy’ e-mails in your inbox is the result of European Union’s (EU) General Data Protection Regulation coming into force. These stringent regulations that aim to protect all EU citizens from data breaches, provide for hefty penalties of up to €20 million or 4% of a company’s global revenue for non-compliance. Analysts expect this regulation to have a ripple effect on how consumers’ data is treated across the world.

The regulation, which was approved by the EU Parliament in April 2016 after about four years of preparation and debate, came into effect on May 25, 2018.

However, many firms in India are still not ready for compliance with the new law which will cover all entities doing business in the EU.

GDPR journey

“A lot of organisations, especially in the EU region, started their GDPR compliance journey more than a year ago,” said Jaspreet Singh, partner-Cybersecurity, EY. “It is only in India that awareness is very low and organisations are still grappling with how to get compliant with GDPR. Compliance is not easy… It is not a one-time job… it impacts not only technology but all aspects of organisation per se.”

He pointed out that only 30-35% of all IT/ITES firms had started work towards being GDPR-compliant. “It is a mix of many issues… a lot of organisations still don’t understand how this is applicable to them. For some, it’s a typical mentality that ‘I will not get fined or we will see what happens,” Mr. Singh said. But it is not just IT and ITES companies. Firms across sectors and industries need to be GDPR-compliant.

“Any organisation providing goods and services in the EU, be it a BFSI unit, a manufacturer, a pharma company..., comes under GDPR,” said Prashant Gupta, partner, Grant Thornton India LLP. “This regulation will radically transform the privacy landscape for organisations of all sizes and sectors that process personal data.

GDPR not only impacts Indian organisations, but also global firms who are handling or managing PII data for EU employees, vendors, businesses,” said Mr. Gupta.

Mr. Singh of EY said a lot of focus is on the IT/ITes firms as they contribute about 7% to India’s GDP. “If you look at the revenues, it is a heavy contributor. That is why everyone talking about the sector being the most impacted. Otherwise, cost of doing business will be there across sectors.

“There are areas where GDPR provides relief and consistency, however, it also comes with very stringent penalties on non-compliance,” said IT/ITes industry body Nasscom.

“Most large companies are very well prepared due to economies of scale, however, the impact on SMEs and start-ups are a cause for concern they may struggle with several areas that render it costly for processors,” it said. “Once this learning curve is scaled, we do see an opportunity to offer services for GDPR compliance and complaint process capabilities,” Nasscom added.

GDPR is a more stringent form of earlier regulations. “So, companies have been following certain processes already, they now need to take it to the next level. The real impact of this on business will become clear only one or two quarters down the line and will depend mainly on issues of non-compliances and supervisory authority’s consideration,” said Mr. Gupta.

‘Positive impact’

“This [GDPR] will have a positive impact on the way data is treated globally by the companies. It is difficult for global companies to segregate data and systems in an integrated world.

“GDPR will provide a benchmark of how data protection may be treated. GDPR also gives a sense of comfort to the data subjects and enforces clear purpose, transparency of data when any data controller or processor collects, processes, stores, disposes and archives their personal data,” he added.

Mr. Singh agrees. “Mauritius, for example, last week passed a very stringent law similar to GDPR. India is already working on data protection law — some of the attributes that the draft policy talks about are similar to what is there in the GDPR. Today, globally, organisations will have to up their ante on privacy-related engagements and issues. So that end customer data is not impacted.”

On the financial impact on businesses, Mr. Singh said, “I can’t put a number on it… a lot of clients that we work with have already started getting queries around please demonstrate your GDPR compliance, privacy policy, consent notices etc. across sectors.”

‘Tectonic shift’

Terming the new law as “a tectonic shift in the global privacy paradigm,” Anant Maheshwari, president, Microsoft India said it would herald a new era in consumer trust. “We began work on GDPR as soon as it was adopted by the European Union. We have over 300 full-time engineers focused on GDPR compliance and have adopted over 30 controls based on GDPR.

“Our preparations for GDPR touch every part of our company — from our senior leadership who drive our commitment all the way to individual engineers on our product teams who write code,” he added in a blog.

“I think most of the businesses must have done assessments and would have in their business systems try to build logic to get ready for it [GDPR]. I can tell you for HCL. We have worked very closely with the regulators in Europe for the EU GDPR law. HCL has done necessary things for its part of operations in Europe to comply to the GDPR regulation,” said Maninder Singh, corporate vice president and head, cybersecurity and GRC business, HCL Technologies.

Data protection jobs

According to data from job portal Indeed, between January 2017 and March 2018, there had also been a spike in the number of job postings for data protection roles, which had seen an increase of 143% while the number of job searches for the same had risen by 188% as Indian companies looked to fortify their databases.

“Globally, the increasing number of cybercrimes had made it imperative for companies to keep pace in hiring the right talent to combat them. Therefore, companies across the world are gearing up to ensure compliance to General Data Protection Regulation (GDPR) and ePrivacy requirements,” said Sashi Kumar, managing director, Indeed India.

Additionally, according to the platform, there had been an upsurge in job postings for cybersecurity roles by 150% between January 2017 and March 2018 along with a corresponding increase of 129% in job searches for the same in the same period.