On 27 April 2016, the EU General Data Protection Regulation (GDPR) was adopted, and on 25 May 2018 it will come into full effect, marking a milestone in data protection law across the EU. The core aim of the GDPR is to strengthen and unify data protection for individuals within the EU and to address the export of personal data outside the European Union (EU); in practice, it protects against the misuse of any kind of personally identifiable information (PII) belonging to EU citizens.
The regulation will not only change the business landscape in the EU but also influence global markets and multinationals. Organisations had two years to understand and implement the regulation in spirit and, as a consequence, to demonstrate compliance. With the May go-live date approaching, it is important for organisations to assess their readiness for the new regime in order to avoid heavy penalties or fines.
Europe is a substantial marketplace for the ITeS, BPO and pharmaceutical industries in India. The size of the IT industry in the top two EU member states (i.e. Germany and France) is estimated to be around 155–220 billion USD.[1] Thus, for the Indian IT industry to continue doing business in Europe, it needs to comply with the GDPR.
The GDPR imposes a penalty structure of 20 million EUR or 4% of global turnover, whichever is higher, in cases of non-compliance.
The regulation requires a programmatic approach to data protection, and a defensible compliance programme will be required to prove that you are acting appropriately. As part of these efforts, answers to the following questions need to be sought:
Organisations need to look at the following aspects as part of their compliance efforts:
Areas which need focus under the GDPR are:
Indian companies need to carefully look at the requirements for GDPR compliance. They need to:
In addition to the above, organisations should focus on changing the technologies they use and should consider:
Leader, Cyber Security, PwC India
Tel: +91 (124) 626 6707