BW Businessworld

'Companies That Don't Comply Letter & Spirit By All Provisions Of GDPR Will Risk Losing Business'

Pavan Duggal, a well-known cyberlaw expert, in a free-wheeling interview with BW Businessworld on the subject of EU GDPR



How well are the Indian SW export companies or body shopping companies prepared to implement the GDPR norms which have come into effect from May 25?
The Indian SW Export companies or Body Shopping companies are currently scrambling to implement the GDPR norms which have come into effect from 25th May 2018. Most of the companies are at some level of preparation, although there are some companies who have not even begun thinking in this direction. Indian companies who are dealing with Europeans' data need to quickly realize that they have to comply with the GDPR norms which have come into effect from 25th May 2018. If they do not do so, it is going to directly affect their business and potential business opportunities. Overall, Indian companies' preparedness level could have been far better, but given the historical nature of Indian society, people invariably tend to do things at the last minute.

Most importantly, what will happen to billions of private data already surreptitiously stored in data miners' servers across the world? Will there be any binding on the errant companies to ensure complete erasure of the data thus procured?
The GDPR is seeking to make a new beginning. The GDPR is prospective in nature and comes into effect from 25th May 2018. It will start applying to every data controller who collects data from European Union citizens, every data processor who processes data for and on behalf of a data controller or a data subject which is based in the European Union as also all organizations if they collect or process personal data of individuals located inside the European Union. Billions of private data that is already surreptitiously stored in data miners' servers across the world will continue to be still there. The European Union is seeking to address this huge challenge with small steps. The GDPR is one small step towards securing the data of the European Union residents. Clearly, if the billions of private data which have already been surreptitiously stored in data miners' servers across the world are used for processing, then said legal entities will have to comply with the GDPR. If they do not do so, they potentially risk steep legal exposure to not only a fine of 4% of their total global turnover or of 20 Million Euros. The bigger issue will be how the GDPR will be effectively implemented across the world. On paper, it appears that the GDPR will be binding on companies to ensure complete erasure of the data thus procured. However, practically I see a huge number of practical challenges in effective, efficient implementation of the GDPR. This is so because GDPR is not just having a European Union focus but is having extraterritorial applicability outside the territorial boundaries of the European Union. It has always been a challenge to enforce provisions of law or legal frameworks which have extraterritorial applicability. It will be interesting to see how things would move in this regard.

What are the opportunities that arise out of this GDPR regulation for Indian companies?
There are immense numbers of opportunities that arise out of the GDPR regulations for new companies which Indian companies can offer services for proactive compliances for legal entities. It is pertinent to note that for ensuring data security GDPR requires organizations to put in place effective technical and organizational security measures to protect personal data from unauthorized usage, loss, damage, alteration. Those kinds of services would be offered by Indian companies to other outside customers. There is a huge market for compliances that are being created by GDPR regulations which are ensuring focus on data security, data control and handling personal data privacy breaches. India can offer low-cost services in this regard for the economies of the world just like the BPO or FBO have brought a decade and a half earlier.

Alternatively, what would be the losses incurred by Indian companies in this scenario, in dollar or Euro terms?
There are no scientific figures of what could be the losses incurred by Indian companies in this scenario. Clearly, given the stringent implementation of GDPR in the European Union, all Indian companies who do not comply with its letter and spirit by all the provisions of the GDPR will risk losing business. The said loss of business could run into millions of dollars or Euros depending on which particular sector we are talking about. However, all these are just rough estimates. It would be prudent for Indian companies to ensure that they are on the right side of the compliance and complying with GDPR in order to not just increase their businesses coming from European Union but also further increase their compliance level as well thereby increasing their profitability.

Are there any govt-to-govt talks on this aspect of the issue?
Currently, GDPR is being seen as a European Union phenomenon. We had begun to see different governments talking about the GDPR, however, there is no specific dedicated government-to-government talks on the subject as per the information in the public domain.

What are the various other hindrances to Indian SW industry that the stipulations bring?
There are various other hindrances to the Indian software industry that these regulations bring across. If the Indian software industry products are engaged in collection, processing or dealing with personal data concerning European Union residents, data controllers, or data subjects in the European Union, they will now no longer be able to carry on their business in a seamless manner. GDPR would be like a Damocles' sword which will be hanging on their heads till such time they do not comply with the same. In addition, the practical implementation of the GDPR is likely to bring forward new distinctive challenges. It will be interesting to see that as new challenges emerge to the implementation of the GDPR, the same could also bring forward both hindrances as also challenges for the Indian Software industry.

Data mining will be affected in a big way. Impact on Indian companies?
There is no doubt about the fact that data mining will be impacted in a big way. Hence, all Indian companies who are engaging in data mining or big data, pertaining to data of European Union citizens, as also data controllers, data subjects based in the European Union or individuals based in the European Union, will have to stop their current usual business practices and will have to ensure compliance with the parameters of the GDPR. Non-compliance could expose them to potentially huge legal risks including facing a 4% fine on their total global annual turnover or facing a fine of 20 Million Euros which could be enough to wipe out a lot of businesses.

Any other views?
India still does not have a dedicated law on data protection. Maybe India could learn from some of the salient features of GDPR framework and then come up with legal frameworks which are suited to the peculiar requirements of the Indian ecosystem.

Disclaimer: The views expressed in the article above are those of the authors' and do not necessarily represent or reflect the views of this publishing house. Unless otherwise noted, the author is writing in his/her personal capacity. They are not intended and should not be thought to represent official ideas, attitudes, or policies of any agency or institution.


Sanjay Thapa Jeet

The author is an independent journalist
