The implementation of the European Union’s General Data Protection Regime (“GDPR”) is touted to bring sweeping changes in the data protection regime across the world. This post discusses how the GDPR impacts Indian businesses.
The GDPR is not only applicable to EU members, but also governs entities in foreign countries that deal with data of EU citizens. Indian businesses that collect data from EU citizens are now required by the GDPR to (a) obtain user consent before collecting data, (b) clearly mention the purpose of using the collected data, and (c) provide users free access to their data. Further, in cases of cross border data transfer of an EU citizen’s data, the transferee country must have adequate levels of data protection. The new law also requires accountability and transparency at each level which makes it different and stringent from the previous law. Non-compliance could even invite fines up to 4% of the annual global revenue.
Indian entities dealing with an EU citizen’s data such as government agencies, banks, hospitals, etc. will now have to put in more resources to comply with the stringent requirements under GDPR. Such Indian entities should expect costs and expenses are to increase.
Indian businesses can achieve the desired results if they adhere to the strict guidelines so as to prevent being penalised. They can certainly make changes to their approach to avoid any violation. They can provide training to their employees about the functioning of the new regulations. There should be periodical review of the data and users must be given information about any application of their data.
Right now, although the GDPR is only applicable to EU countries, its impact on the Indian companies collecting EU citizens data is immediate. Small companies are expected to struggle to assemble resources and put in place a mechanism to ensure GDPR compliance.