Indian firms grappling to comply with upcoming EU data privacy law

New Delhi, May 21

As the European Union (EU) gets ready to implement the much-awaited General Data Protection Regulation (GDPR) to harmonise data privacy laws for its citizens from May 25, most of the Indian organisations are still grappling to comply with the stringent regulation.

Containing 99 articles and 173 recitals, GDPR has key requirements that directly impact the way organisations implement IT security, thus addressing the key security tenets of confidentiality, integrity and availability of data.

According to the latest forensic data analytics survey by Ernst & Young (EY), only 13 per cent of the Indian firms have a plan to comply with GDPR by May 25.

As India is not present in the list of countries approved for data portability and transfer, GDPR poses an extra challenge for domestic firms that operate in the EU.

“It is imperative for Indian firms to plan and continue their journey towards compliance even after May 25, to ensure continuity of business within the EU and avoid hefty penalties because of non-compliance,” Jaspreet Singh, Partner-Cyber Security, EY, told IANS.

For Ramesh Vantipalli, Director Systems Engineering, End User Computing, VMware India, the challenge for the Indian organisations facing the GDPR is ubiquitous data which will only increase exponentially in future.

“For Indian companies with operations in the EU, data security measures will now have to work alongside legal and compliance teams to ensure maximum adherence to GDPR,” Vantipalli told IANS. 

“Fortunately, the transition will take place over some time and not overnight, giving Indian companies enough time to get their GDPR strategy in place,” he added.

With data privacy concerns on the rise and stringent regulatory requirements like GDPR coming into force, organisations have no choice but to redefine the way they approach data management.

“Organisations should realise that GDPR is about more than just data; it’s necessitating a new playbook for businesses to engage with people,” stressed Akshay Aggarwal, Director, Solution Specialist, Oracle India.

Non-compliance with GDPR can result in heavy fines and increased regulatory actions.

“Organisations that collect personal data must be able to prove that they consistently and reliably comply with GDPR privacy and security principles. We’re actively working with several Indian businesses in this regard,” Aggarwal told IANS.

A new study from IBM reveals that nearly 60 per cent of organisations surveyed are embracing the GDPR globally as an opportunity to improve privacy, security, data management or as catalyst for new business models, rather than simply a compliance issue or impediment.

GDPR is a fairly complex piece of legislation with far reaching impact not just within the EU but across the world.

“Indian companies operating in the EU will have to change the way they capture, process and use data of EU nationals. It is a complicated process involving in-depth understanding of privacy laws and policies,” said Prajit Nair, Director Sales-End User Computing, VMware India.

Technology alone cannot help organisations understand and transition to GDPR, but it will be a crucial enabler.

“Indian companies must put in place a comprehensive strategy involving legal, compliance and IT departments to ensure complete adherence to the GDPR laws, as well as a proactive plan to address breaches and leaks,” Nair told IANS.

In fact, the post-GDPR world will see a much closer integration of the law and technology as organisations work out their data protection strategies.

According to George Chang, Vice President-APAC of cyber-security firm Forcepoint, India’s Data Protection Law, when comes into effect, will sure have a major impact on business operations.

“Organisations in India need to place compliance and data security as a priority considering the cost for violating these privacy laws is about to get very expensive. GDPR can cost up to 20 million Euros or 4 per cent of annual turnover, whichever is higher, for intentional or negligent violations,” Chang informed.

“With those kinds of stakes, investing in compliance now is the only right move for a sustainable business model,” he added.

According to Richard Hogg, Global GDPR and Governance Offerings Evangelist, IBM, GDPR applies to all the personal data of any employee or customer who are in Europe.

“Whether they are citizens or temporary residences and live there, are just passing through an EU airport for 30 minutes. During this time, potentially GDPR applies to their personal data.

“GDPR really does have extra-territorial scope. Additionally, it can apply to anyone’s personal data, if you are actively marketing or profiling them From Europe, wherever they are in the world,” Hogg told IANS.

As the clock ticks down to the deadline to comply with the new GDPR regulations, the Indian firms need to enact strict data protection regulations.

“With strong data protection strategies in place, customers will place greater confidence in businesses, and businesses will minimise the financial fall-out of a breach,” Chang said. — IANS