The new EU General Data Protection Regulation (EU GDPR), which takes effect on 25 May 2018, requires that any businesses dealing with the European Union (EU) will need to comply with the new laws. The EU continues to be a significant market for the IT/BPO industry in India. The top two EU member states—Germany and France—represent nearly half of the European IT Services market, which industry experts conservatively peg at around $155-$220 billion. Businesses that have prepared for the EU regulation will be able to capitalise on this important market.
One of the major facets of this regulation is that it extends the scope and application of the EU law to outside the borders of Europe. All companies that collect data on EU citizens in Europe or elsewhere will have to comply with the GDPR legislation. For example, if a company based in India has data on French respondents in a survey, then the company will have to comply with this legislation. The regulation requires that all businesses become fully accountable for protecting any data categorised as ‘personal.’
Although India has cautiously welcomed the GDPR, it fears that this regulation will negatively influence its businesses and policies. For quite some time, the Indian government, like the US and a few other governments, has been demanding ‘adequate status’ for sharing information, accessing data and tagging communication. Therefore, legal complications over defining the parameters of ‘personal data’ continue to exist, making compliance much more complex and difficult to achieve.
However, it does not absolve companies from reporting a data breach within 72 hours of the event as per the new regulation. If a company had data encryption in place at the time of a breach, then the rules are significantly relaxed. The reason: No data breach, whether malicious or accidental, has any effect on encrypted data.
Why does EUGDPR present challenges for India?
The proposed regulation brings the service providers directly under the jurisdiction of EU commissioners, and it will become a legally binding regulation rather than a directive. For a long time, the Indian government was concerned that complying with the new regulations would impair its national security apparatus. However, it raised new objections stating that complying with the regulation means more trouble than its national security concerns: it could act as a non-tariff trade barrier, affecting outsourcing opportunities and information flow.
In a policy update some time ago, an Indian think-tank outlined the reasons of opposing the new GDPR regulation:
- The regulation makes it difficult for EU businesses to explore outsourcing opportunities. Outsourcing can help EU companies to reduce costs, become more productive, and increase competitiveness.
- The regulation is not flexible. For example, when it comes to transferring data outside the EU, the regulation provides less scope for businesses to assess risk and take decisions.
- The regulation has clauses that can hamper innovation in business and user experience.
- The regulation brings service providers directly under its purview. It is very detailed about their responsibilities, with rigid terms and harsh penalties.
- Adhering to the regulation leads to opportunity loss for the Indian IT/BPO industry as it further increases the threshold for data transfer outside EU.
- Following the regulation significantly adds to the compliance costs for the service providers. These costs are already higher when serving EU-based clients as compared to other markets such as the US.
The need for a comprehensive approach to data security
When it comes to the GDPR, the stakes are high, emphasizing the need for businesses, organizations and governments to adopt comprehensive data protection practices at all levels. A risk-based approach to data privacy—data protection by design—can significantly reduce the potential of non-compliance violations, or worse yet, a breach. Businesses must be smart about implementing cost-effective and efficient ways of addressing the level of risk across their IT environment.
Encryption is a recommended practice throughout the GDPR legislation, referenced in sections addressing lawfulness, security, and breach notification of personal data. If organizations compare the cost of a fine for a particular violation with the cost of buying a new technology, compliance will win in virtually every scenario. Data is increasingly distributed across hybrid environments—residing on endpoints, stored in data centres, and across public clouds. Given this reality, the EU GDPR will also hold both cloud service users and their providers jointly responsible for appropriate protection measures and breaches to data privacy.
Deciding the best way forward
According to EU policy makers, this new regulation is to not merely protect information but also to authenticate legitimate users. In India, where much communication takes place on low cost systems, end-to-end encryption provides a solution to prevent misuse and ensure security. Accessing files through personal devices or online accounts has become the norm in today’s changed business climate, which encourages work flexibility and remote working.
Unfortunately, this has also opened up opportunities for data breaches to occur. The loss of a device—unprotected and unsecured—often comes at a heavy cost. When lost devices contain sensitive corporate and customer data, there is no stopping the criminals from using it to commit identity fraud and other offences. The new EU GDPR holds companies responsible for keeping their data secure.
However, even when encryption compliance is in effect organisation-wide, an inherent risk exists if businesses do not follow the right approach to educate staff or use the right technology to protect data. The new EU security requirements are complex and demand constant surveillance. It is in this context that companies need to realise that data security is not just an IT problem or a compliance issue, but a significant concern that the entire organisation must work together to address.
The EU GDPR has put in place a mechanism where security of data is taken as a given and that businesses work for data protection. In the coming days, the protection of personal data will never be the same again—and that is a very good thing to happen at least now.