Initial reactions to EU’s GDPR (General Data Protection Regulation)) within Indian IT have been apprehensive, with even the Indian government getting involved at the diplomatic level to ensure any negative impact is minimized.
But, is this really so? Is it a time to be apprehensive about the risk to a $45B outsourcing market or should it be looked at as an opportunity of a lifetime?
What is GDPR? And why all the fuss?
GDPR (General Data Protection Regulation) is an EU regulation notified in May 2016, to replace the ageing DPD (Data Protection Directive) which was notified way back in 1998. GDPR takes into account the huge changes that digitalization has brought to the world over the last two decades, and its impact on the privacy of individuals.
GDPR has laid out very strict norms on how private information of individuals should be handled and processed, and has given teeth to the law through exorbitant penalties for violations.
While GDPR was notified in May 2016, organizations have time until May 2018 to get compliant, and hence the scramble and fuss to get there.
How does a European regulation matter to us?
GDPR regulates how ‘Personal Data’ of European citizens is managed and processed not just in Europe, but anywhere in the world. Any organization that is dealing with the personal data of European citizens comes under the ambit of GDPR.
So, if data of individuals is transmitted over to India for processing, then the organization processing that data needs to comply with GDPR. This would place a significant amount of compliance burden on these organizations
Opportunity of a lifetime for Indian IT
GDPR is ambitious as a regulation. It provides rights to citizen to control where and who can access their data, and for what purpose. It makes no distinction between the nature of the data. Achieving this though will be a huge challenge.
Recent surveys have shown that there isn’t a single organization that feels it is ready for GDPR compliance. So, while Indian IT industry needs to think about getting GDPR compliant, it needs to keep in mind that the whole world is in the same boat.
Indian IT is well equipped to take the lead in getting the organizations GDPR compliant. It is a huge opportunity for them to collaborate with some of the biggest customers in the world and get them to be compliant.
Make no mistake, there is a huge amount of work that needs to be done to get there – Pseudonymization and encryption of personal data needs to be done in every application, richer access controls for user data are required, data retention mechanisms need to be revisited, cross-border data transfer pipes need to be re-architected, consenting systems need to be created, and effective security ecosystems with log monitoring need to be created.
It is now a reasonably well established fact that Indian IT was caught napping when automation opportunities started coming in. GDPR is a big opportunity for Indian IT to invest in their automation portfolio, and get back to competing in this space.
There are large automation opportunities especially in the data retention mechanisms and security ecosystems that will be needed to achieve GDPR compliance.
There are a few challenges too.
The first and foremost being the relatively weak data protection laws in India, which put Indian companies at a disadvantage for outsourcing business. An organization given an opportunity to work with a company operating out of another EU nation as against an Indian company, might choose the former due to the stronger data protection standards that company would operate under. This might put Indian companies at a disadvantage.
Another challenge is that the cost of compliance for the Indian IT and BPO companies increases, since they too need to be GDPR compliant. This will lead to higher costs, and greater risk of penalties and litigation.
Despite the challenges, the opportunity is greater, and GDPR can be a stepping stone to Indian IT in moving up the value chain through innovation and product development.
(Disclaimer: This is a guest post submitted on Techstory by the mentioned author. All the contents and images in the article have been provided to Techstory by the authors of the article. Techstory is not responsible or liable for any content in this article.)