BW Businessworld

Companies Should See GDPR Regulation As Business Opportunity: Arvind Mehrotra, NIIT Technologies

In an interview with BW Businessworld, Arvind Mehrotra, President & Global Head - Infrastructure and Technology Services, NIIT Technologies, talks about the effect of the EU GDPR on the industry.



How well are the Indian SW export companies or body shopping companies prepared to implement the GDPR norms coming into effect from May 25?
Globally, companies, including those in India, still lack the systems and processes to ensure compliance with the new legislation, which affects all companies holding and processing EU citizen data. Indian organizations have been moving ahead with the GDPR compliance journey. Large IT/ITeS companies have started on this journey and are in the design phase and have started with the implementation phase. However, the same cannot be true of smaller players.

Most importantly, what will happen to billions of private data already surreptitiously stored in data miners' servers across the world? Will there be any binding on the errant companies to ensure complete erasure of the data thus procured?

As long as the data stored by the data miners was collected on any of these legal grounds (consent, contract, legitimate interest, etc.), there is no requirement to erase any of that data. However, if some part of the data stored with the companies was not obtained on these legal grounds, then companies have to find ways to identify (inventory) all such data before 25 May 2018 and ensure that such data falls under one of these legal grounds. (Obtaining fresh consents for such data could be a way to ensure compliance with GDPR.)

What are the opportunities that arise out of this GDPR regulation for Indian companies?
There are companies who see this as an additional burden in terms of compliance; they should see it as a massive business opportunity knocking at their doors, as a GDPR-compliant organization will be given greater business preference at a global level. These companies can further make this a differentiator to gain more business. Legal firms and consulting firms are in demand to establish legal ramifications, meet standards and develop procedures & practices to meet the guidelines.

Further, GDPR has paved the way for several opportunities for Indian companies (especially the IT companies) to invest in their automation portfolio and provide solutions to their existing and new customer base. Data management services, application design & development with privacy principles will give better price points and data privacy management are newer outsourcing areas. GDPR is a big opportunity for Indian IT to invest in their automation portfolio, and get back to competing in this space. There are large automation opportunities, especially in the data retention mechanisms and security ecosystems that will be needed to achieve GDPR compliance.

Alternatively, what would be the losses incurred by Indian companies in this scenario, in dollar or euro terms?
GDPR permits enforceability against a data processor directly. Although the majority of Indian companies work in the capacity of a Data Processor, GDPR doesn’t differentiate between a Controller and a Processor when it comes to imposing fines.

There are two levels of administrative fines that can be levied:

  • Up to €10 million, or 2% annual global turnover, whichever is higher, for low-risk breaches
  • Up to €20 million, or 4% annual global turnover, whichever is higher, for high-risk breaches

The other loss could be a direct revenue impact, wherein an organization might lose EU clients, having significant impact.

Are there any govt-to-govt talks on this aspect?
GDPR makes it clear that it will be applicable regardless of whether the processing takes place in the EU or not. Although the law of the land always supersedes any other law, with the Indian Data Protection law around the corner, it is safer for Indian companies to prepare themselves for the GDPR regulation. The Government of India and the Indian Parliament have agreed to adhere to the guidelines.

What are the various other hindrances to Indian SW industry that the stipulations bring?
The first and foremost is the relatively weak data protection laws in India, which put Indian companies at a disadvantage for outsourcing business.

Another challenge is that the cost of compliance and operations for the Indian IT and BPO companies increases, since they too need to be GDPR compliant. This will lead to higher costs, and greater risk of penalties and litigation.

Despite the challenges, the opportunity is greater, and GDPR can be a stepping stone for Indian IT in moving up the value chain through innovation and product development.

Data mining will be affected in a big way. Impact on Indian companies?
Data mining, or profiling, is one of the provisions of the General Data Protection Regulation (GDPR) that will have the most significant impact on businesses.

Data controllers will be required to inform individuals specifically about ‘the existence of automated decision making including profiling and … meaningful information about the logic involved and information concerning the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject’ (Article 13(2)(f) of the GDPR).

Further, this will have an impact on the sales and marketing initiatives of organizations, and the quantum of data these functions have will go down drastically, as consent management was not effectively in practice earlier.

Notwithstanding, this presents a golden opportunity to Indian data processing companies to revisit their data protection, information security and confidentiality policies and make them compliant with global standards. This pre-emptive step will not only help them in sustaining their businesses, but also in securing compliance with GDPR, forthcoming legislation and other global best practices.

We know that data is the new oil and is a key differentiator in how organizations leverage data, creating more value for consumers. GDPR will certainly be a positive move, bringing consumer privacy and data security to the forefront. It is going to fundamentally change how companies handle customer data, but it is much more than just a compliance issue. In order to lead the new data conversation, companies should use the opportunity to re-think their customer experience and find new, relevant ways to restore customer confidence. GDPR is sure to strengthen data protection measures of the organizations and authorize them and their customers for total compliance.

To conclude, GDPR will strengthen data protection measures of enterprises and empower them and their customers, if followed in the right word and spirit. Businesses operating in other regions too will do well to adopt the GDPR standards as data protection increasingly becomes a worry.

Disclaimer: The views expressed in the article above are those of the authors' and do not necessarily represent or reflect the views of this publishing house. Unless otherwise noted, the author is writing in his/her personal capacity. They are not intended and should not be thought to represent official ideas, attitudes, or policies of any agency or institution.


Sanjay Thapa Jeet

The author is an independent journalist
