How GDPR affects Indian companies with business interests in EU

Companies in India with business interests in the EU will have to comply with the European Union's General Data Protection Regulation

Sayan Chakraborty
Published: Jun 5, 2018 10:40:56 AM IST
Updated: Jun 5, 2018 12:24:55 PM IST

Everything about entrepreneurship, the good, bad and the ugly of it, fascinates me. I take a keen interest in startups and venture capital firms and have written extensively on fundraises, M&As and business strategies. I can safely say changing tracks from engineering to journalism has been one of my best decisions. When not working, I indulge in almost every Indian's poison, cricket, playing or watching. I am a foodie and video game buff.


The General Data Protection Regulation (GDPR) that came into effect on May 25 could strain a few nerves in India. It concerns the right to privacy of individuals and export of personal data outside the European Union (EU). The regulation applies not only to EU-based companies but also to firms that target residents of the 28 EU countries for business. That’s where the trouble lies for Indian companies and multinational companies (MNCs) that have an India presence.

Europe, apart from North America, is a big market for Indian IT companies. A Deloitte report says, “Europe is estimated to be a $45-billion potential outsourcing opportunity for Indian technology vendors.” All such companies need to comply, as well as Europe-headquartered MNCs such as Nestlé, Unilever, Nokia, Heineken and others. Many of these have backend operations or development centres in India, which access data of global customers. These, too, would have to fall in line, as will Indian BPOs that service European clients.

Experts say the compliance process is expensive, as companies will need to spend heavily on upgrading technology, introducing data encryption modules, and incurring legal and compliance costs. “GDPR includes processing of personal data of EU subjects, irrespective of whether the processing takes place in EU or outside. Data processing services for EU outbound data, outsourced to India in banking, insurance, health care, retail and other sectors, including through wholly owned subsidiaries, will require GDPR compliance. Most large-scale BPOs have already put systems in place for GDPR compliance. However, smaller units could face a challenge in terms of increased costs,” says Shivpriya Nanda, joint managing partner at law firm J Sagar Associates.

Also, there is ambiguity about some clauses around international data transfer, which say such transfers may happen if there is an adequate level of data protection. There isn’t any clarity on how adequate is ‘adequate’.

India has been a laggard in data privacy rules, with Aadhaar remaining a bone of contention between the government and privacy advocates. In August 2016, the Centre appointed a committee headed by retired Supreme Court judge BN Srikrishna to suggest a framework to protect institutional and private data. This could be India’s solution to arresting data abuse.


(This story appears in the 22 June, 2018 issue of Forbes India.)
