Europe will soon demand GDPR compliance – and it will be detrimental not to comply

General Data Protection Rules will be applicable in Europe from May 25 and businesses, if not compliant, will see hefty penalties.

Protection of consumer data is an oft-spoken subject the world over, and Europe will soon become the first to enforce regulation with regard to it.

The regulation was passed in April 2016, and businesses were given two years to comply. However, it seems not everyone is prepared. General Data Protection Rights will go live in Europe next week, May 25 to be precise, and it is in the interest of every business to comply.

The EU created GDPR in an effort to protect digital identities of its citizens by making companies liable for data being used without customers’ consent. Under GDPR all companies dealing with consumer data will have to give the consumer an “opt in” and “opt out” option to being tracked. The companies must also manage the data in the country of origin.

So, what does that mean for Indian startups? As the first line of action, all businesses with any operations in Europe will have to engage with lawyers to ensure they are protecting the European consumer.

“We are hit by a train called GDPR,” says the founder of a Bengaluru-based SaaS (Software as a service) startup who did not want to go on record about the industry’s unpreparedness.

For startups, here is the entire spiel on GDPR and what it means.

While companies like Zomato and Uber would be running all out to be compliant, there are others that are not in the same boat. “We have not launched in Europe because we have to figure out the regulations,” says Tushar Vashist, CEO and co-founder of Healthifyme.

He is right there as the penalties are daunting, and can range from $10 million an annum or four percent of revenues.

To try and counter GDPR, sources say that a bunch of founders from companies such as Freshworks and Chargebee are part of an informal CEO group that is trying to create a framework that could protect Indian startups against the affects of GDPR.

They are already discussing mechanisms, both legal and financial, that could ensure that the Indian startup community is not adversely impacted by these “killer” regulations, as termed by an Indian company operating in Europe.

“Think about how it will affect businesses that are cloud first. If you are on the cloud, the rates drop if you have scale. Imagine having to maintain local data racks in each region thanks to regulation. It becomes expensive,” says a source in the SaaS industry.

There, however, are those who say companies should not complain because they had two years to comply with the regulation, and point out that all large companies are prepared. The one thing that is certain is that all companies, big and small, would have to spend heavily on managing new data centres within Europe.

S Mahadevan, Executive Vice President – Legal Compliance and Risk Management, HGS, says, “We started the GDPR review at HGS well in advance. The compliance team in the last few months has been carrying out rigorous assessment and reviews of our operations, IT controls, data storage, employee data and client communication process. We have upskilled our teams across functions to deal with the new compliance regime. Hence, we are confident of being GDPR ready by the due date.”

What does a startup have to fear?

A company that is scaling up and serving close to a million customers will have to spend upwards of $300,000 (Rs 2 crore) per region in Europe to buy data racks to manage sovereignty of each corporate customer. It will also have to provision for storage, new databases, and high availability of systems per region.

These costs, several startup founders say, could destroy the Indian ecosystem overnight. Indian startups, especially Software-as-a-Service businesses, have raised close to $1.7 billion in funding (between 2011-17) and Europe makes up at least 30 percent of global revenues. With the VC industry tightening its purse strings, the spend on GDPR compliance and managing data can destroy business models. India is the sixth-largest SaaS cluster in the world.

“The smaller ones will struggle. The larger companies, obviously, would have been compliant by now,” says Sonal Puri, CEO of Webscale Networks, a startup is GDPR compliant.

GDPR has also caused a debate about how it will impact cloud-based business models. Those business that are hosted on any cloud provider must ensure it provides flexibility in operations, and not charge for moving data to Europe-centric data centres. This means a company, and its client will have to ensure compliance with the Personally Identifiable Information (PII) clause in the GDPR, which essentially says that no personal data is available to a call centre.

To illustrate with an example, say a European customer calls an American brand’s call centre and the call is rerouted in to India. In this scenario, the Indian business has to enter into an agreement with the American brand that the personal data of the European client is anonymous, and not visible to any of the call centre employees.

Rohan Mahajan, founder, of LawRato, explains:

“Article 3 (Territorial scope) of the regulation categorically states that it will be applicable to all companies regardless of whether the processing takes place in EU or not. Even if the company does not have an office in the EU or operates in the EU but only handles personal data of the EU citizens, this law will be applicable to all such companies.”

LawRato outlines the obligations of companies:

To become GDPR compliant, companies will be required to undertake the following obligations -

1. Ensure Data Security -Organisations have to make sure that the data they are handling is safeguarded from additional processing. The organisation is obliged to put in place effective technical and organisational security measures to protect personal data from unauthorised usage, loss, damage, alteration, and damage.
2. Data Control -Organisations must ensure data accuracy and integrity, implement data security practices, and minimise the risk of data theft.
3. Data Breach –Companies must have a system for handling personal data breaches. They must implement appropriate measures to minimise any loss, and notify the public authority within 72 hours about such a breach.

India too will have a data protection law soon and these are the key tenets of its White Paper on data protection.

How to become GDPR compliant? 

Companies require a programmatic approach in order to comply with GDPR. In order to embrace the regulations, main stakeholders in a company need to be made aware of the regulations. Accordingly, they must also train their employees on handling personal data appropriately. Further, they should -

1. Conduct data-detection exercise - Organisations must determine where and how personal data and special categories of personal data as defined under GDPR are processed.
2. Establish a consent obtaining mechanism - As per the GDPR, consent should be obtained freely. Thus, organisations, while taking consent from consumers, should ensure it specific, informed and unambiguous. The company is required to carefully review as to how it seeks, records and manages consent to process data and implement a sophisticated framework to obtain and record consent.
3. Keep a record - Companies should be aware of the personal data they holds, how this data flows in and out, where it is stored, and how is it processed. They must also keep a database of who all have the access to the data.

“India is also going to release data protection laws, and so is the US. These regulations are going to redefine business models and how the cloud as a service operates. Startups have to build business based on regulation, although regulation itself cannot keep up with technology,” says Ganesh Prasad, partner at Khaitan and Company, a law firm.

A word for Indian startups - seek help and do not panic. Consult a lawyer so as to be ready to legally continue to scale the business.