GDPR & Its Impact On Indian It Industry: The Path Forward

By Robbert Kuppens, Global CIO and Pankaj Gupta, Global IT Director & India IT Site Lead, BCG

Headquartered in Boston, BCG is a global management consulting company which specializes in consumer insight, corporate development, corporate finance, digital economy, globalization, growth, information technology and many more services.

The primary question of who exactly is using your Personal data, how they accessed it, and what they are doing with it has never been more important than in present times. The number of scandals hitting the headlines are growing rapidly. Each one brings into sharp relief the way some companies use and repurpose customers’ Personal data, for products and services that are not tied to the original purpose for which the data was initially collected. Governments are waking-up to the dangers of data mishandling and are introducing ever more stringent laws in an attempt to mitigate the problem. But how does this impact companies based outside of their jurisdiction? In this article, we consider the impact of the introduction of the world’s most stringent regulation to date – GDPR, and the effect it might have on India’s IT industry.

The past few decades have witnessed the rapid growth of technology, as numerous devices, hardware, software, and platforms have risen to only to be replaced by newer, better solutions. What has remained constant over this period is the steady growth in data generation and use. According to International Data Corporation (IDC), over 163ZB (Zettabytes – one ZB is equivalent to 1tn GB) of data will exist by 2025, a figure ten times higher than today’s. This phenomenal growth is only set to continue with actual figures regularly outstripping estimates .

Even in the recent past, our networked technology was mostly limited to Enterprise systems and personal computers. But the emergence of artificial intelligence (AI) and the Internet of Things (IoT) have fuelled the rise in data, particularly personal data. Social media allows people to connect with friends and family around the globe, but leaves their personal information vulnerable to misuse. Smart Apps are a natural consequence of the cyber evolution; but all rely on, track and store personal data.

In today’s digital landscape, many companies are increasingly leveraging these immense and powerful stores of user data to create new products and services, as well as broaden and improve the functionality of existing ones. This is often achieved through sharing this data with third parties – from developers to marketing services providers. But, while most of this activity fits within existing legal frameworks, using this detailed consumer data for new purposes (either internally or through third parties) without upfront consumer engagement and understanding, poses two very real threats to these companies: perceived data misuse and increased regulation.

Recent news headlines about personal data incidents, including Equifax in the U.S., TSB in the UK, and the Facebook/ Cambridge Analytica incident that had a global impact, highlight the damage a data breach can cause to an organization’s reputation and ultimately its profitability. Mark Zuckerberg spent an uncomfortable couple of days answering questions from U.S. Congress in front of a global audience of millions, while Cambridge Analytica has subsequently gone out of business. It is more important than ever before for organizations to be seen to be actively protecting the data in their possession.

In May 2016, the European Union introduced a new law – General Data Protection Regulation (GDPR). GDPR is a law designed to harmonize data privacy laws across Europe and to enhance the protection of personal data for EU residents. It outlines how businesses should process personal data across the EU and provides exclusive rights to their residents like Consent, Right to access and Right to be forgotten. The law came into effect on May 25, 2018.GDPR applies to all companies processing and holding the personal data of people residing in the EU, regardless of where the company is located.So, an organization must be compliant with the regulation if it offers goods or services to or monitors the behavior of people in EU countries. Non-compliance can attract €20 million or four percent of a company’s annual turnover whichever is higher.

Personal data is any information relating to a person that can be used to directly or indirectly identify them. Examples of personal data include name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.

India has been one of the major beneficiaries of IT consulting/outsourcing in last two decades and almost all IT consulting companies operating in India work with EU based organizations or with companies operating within the EU. So, any Indian organization doing business in the EU or with companies operating in the EU must comply with this new law if they are to protect their reputation and avoid large fines.

There are a few areas that Indian IT companies should focus on immediately. First, they should start investing in creating awareness among their employees about the importance of data while revising practice, policy, and process to ensure compliance. Each company should introduce a data management program by classifying data and creating the entitlement and roles defining how each employee would get access and manage any data in their ecosystem. This will ensure the rightful data usage and manage the data according to existing and upcoming data policies instead of reinventing the data cleanup after each and every new policy introduction or modification.

Any data breach should be viewed very seriously and dealt with swiftly so as to act as a deterrent. Most global organizations will now revise their data protection clauses with IT partners, putting the onus on these partners to follow data protection best practices. Companies that hold good data stewardship in high regard and educate & engage their employees and customers in the right way may find themselves holding a significant competitive advantage. This engagement will ultimately allow them to maximize the value of their data whilst avoiding the dangers of perceived data misuse. It also has the potential to increase market share in their core businesses relative to companies that are not viewed as trusted data stewards.

This will also make it easier to showcase customers and government, where which data resides and who is allowed to access, alter or delete it, thus easier to show compliance if so demanded through customer or government audits. This might also become an opportunity for India IT organizations to lead the way and leverage that know-how and experience in both serving India customers and other global customers by turning data privacy regulation into a competitive advantage.

Although data privacy laws in India are not yet as stringent as in the EU, we believe that thanks to the global nature of the Indian IT industry, GDPR will have a significant impact by encouraging Indian IT companies to lead the way in improving data protection in our country. In doing so, they will not only protect the personal data of EU citizens, but also safeguard the privacy of over 1.3 billion Indians. (Views are personal)

Current Issue