How GDPR affects Indian companies with business interests in EU

The general data protection Regulation (GDPR) that came into effect on May 25 could strain a few nerves in India. It concerns the right to privacy of individuals and export of personal data outside the European Union (EU). Not only are EU-based companies required to comply with the regulation, but also firms that target residents of the 28 EU countries for business. That’s where the trouble lies for Indian companies and multinational companies (MNCs) that have an India presence.  

Europe, apart from North America, is a big market for Indian IT companies. A Deloitte report says, “Europe is estimated to be a $45-billion potential outsourcing opportunity for Indian technology vendors.” All such companies need to comply, as well as Europe-headquartered MNCs such as Nestlé, Unilever, Nokia, Heineken and others. Many of these have backend operations or development centres in India, which access data of global customers. These, too, would have to fall in line, as will Indian BPOs that service European clients.

Experts say the compliance process is expensive, as companies will need to spend heavily on upgrading technology, introducing data encryption modules, and incurring legal and compliance costs. “GDPR includes processing of personal data of EU subjects, irrespective of whether the processing takes place in EU or outside. Data processing services for EU outbound data, outsourced to India in banking, insurance, health care, retail and other sectors, including through wholly owned subsidiaries, will require GDPR compliance. Most large-scale BPOs have already put systems in place for GDPR compliance. However, smaller units could face a challenge in terms of increased costs,” says Shivpriya Nanda, joint managing partner at law firm J Sagar Associates.

Also, there is ambiguity about some clauses around international data transfer, which say such transfers may happen if there is an adequate level of data protection. There isn’t any clarity on how adequate is ‘adequate’.

India has been a laggard in data privacy rules, with Aadhaar remaining a bone of contention between the government and privacy advocates. In August 2016, the Centre appointed a committee headed by retired Supreme Court judge BN Srikrishna to suggest a framework to protect institutional and private data. This could be India’s solution to arresting data abuse.