Indian companies, including startups, have been trying to make sense of the European Union’s General Data Protection Regulation (GDPR), which came into effect on May 25, while taking initial steps to inform their customers about the new law and protecting themselves against probable punitive action for non-compliance.
Many companies are also tweaking their privacy policies and in the past few weeks, they have sent notices to their subscribers informing them about the changes.
“This complex regulatory framework is as new to privacy regulators as it is to us,” Julie Brill, corporate vice president and deputy general counsel at Microsoft, wrote in a blog post. “The ongoing interpretation of the detailed aspects of this regulation will determine the steps that we all will need to take to maintain compliance.”
What exactly is GDPR? According to Satyajit Sinha, a senior London-based analyst at Counterpoint Research, the new set of regulations will enforce a stricter implementation of data privacy rules and entail serious consequences in cases of non-compliance.
“GDPR compliance demands more than basic data-loss prevention or just post-data-loss reporting. It demands that organisations set pre-defined protocols and precautionary measures to prevent data-loss in the first place. It also advises organisations on using predictive tools to anticipate attacks and take appropriate action against the exploitation of potential vulnerabilities,” he explained.
Will GDPR hit Indian startups hard?
To understand this, one needs to understand how GDPR is structured for enforcement. Sanchit Vir Gogia, chief analyst at Greyhound Research, explained that GDPR has various tiers for enforcement where it holds first, second and third parties responsible for data protection.
Giving an example, he said that if an EU citizen were to book a ticket on an Indian travel app or website, the new law mandates that the company whose financial instrument has been used for the transaction must be GDPR-compliant, and that the financial company has to ensure the travel website is also compliant. In case of non-compliance by the Indian company, the EU will send a notice to the financial company to terminate all proceedings with the Indian company or face a ban in the EU till it is GDPR-compliant.
“This is why startups are taking steps to ensure their revenue streams and working partnerships are not hurt,” Gogia said. “The complexity of the new law, and calculating the cost of compliance and non-compliance is taking a toll not only on startups but on other organisations because they have to figure the best path out.”
Gogia said a few startups had started blocking online transactions of EU citizens to put in a proper framework before they are declared non-compliant. Pavel Naiya, a senior analyst at Counterpoint, said several app owners were creating two versions of their apps at the back end to reach a semi-compliant state for now.
Also, GDPR compliance comes with a price tag. According to Sinha, one of the key challenges is that GDPR requires companies to comply with close to 500 requirements that will affect governance and cyber-security.
“It is mandatory for organisations to notify authorities within 72 hours of becoming aware of any breach. This demands better data breach detection and fast response capabilities. However, many organisations are struggling to identify and investigate data breaches within the given time frame, which leads to visibility gaps that delay investigations,” he explained.
Sinha also said that implementation of GDPR must start from the initial development stage of applications. “It will be mandatory for all developers to add an extra layer, to test for vulnerabilities, as application vulnerabilities could lead to accidental or unintentional data loss. Application developers need to reconsider risk and privacy during the design process, and security professionals need to find better ways to protect applications in use today,” he added.
Both Gogia and Sinha said most startups as well as large corporations are not GDPR-compliant. This potentially puts them at risk of penalties of up to €20 million or 4% of the defaulting company’s worldwide annual revenue, whichever is greater.
In addition, the GDPR includes penalties for non-compliance with the customer consent clause and with the record-keeping requirements, said Sinha. “Cloud providers are not exempt as they can be data processors,” he added.
This means a company’s overall data management, cloud services and per-device IoT services costs will increase. As most Indian startups are in the growth stage, compliance will add to the financial constraints they already operate under.