‘GDPR is not a one-time policy, but a practice in perpetuity’, Hrishikesh Datar of Vakilsearch.com
India does not have an express legislation governing data protection or privacy, but the government is working on a white paper on the same.
The deadline for companies to comply with the EU-led General Data Protection Regulation (GDPR), which goes live on May 25, has sent many CEOs into a tizzy over ensuring the data privacy of their consumers. They are running after lawyers and data officers. In fact, a new post called the Data Officer is being created in Europe to blend technology and legal queries so that companies can be compliant with GDPR.
YourStory caught up with Hrishikesh Datar, the founder of Vakilsearch.com, to talk about the legal nuances of GDPR, and what companies should do to protect themselves from being caught unaware of the laws. He says he is surprised that the Indian startup ecosystem has taken it easy over being GDPR compliant. He adds that every nation will have its own data law, and startups have to build technology complying with those laws.
The size of the IT business in France and Germany alone is $200 billion, and companies have a lot to lose if they are not compliant. Here are the edited excerpts of the interview:
YS: Are Indian startups ready for GDPR? What are your views on the implications of not being prepared?
Hrishikesh Datar: GDPR is a step in the right direction, but a lot of Indian startups may not be prepared for it yet. B2B startups that operate in Europe are the ones most likely to be affected due to the implications of non-compliance that attract hefty fines. These penalties may be justified as the startups were given two years to comply with the guidelines.
Currently, a lot of Indian startups are taking it easy as GDPR is only applicable to the members residing in the European Union (EU). Startups are forgetting the fact that one does not have control over the geographical location of visitors (unless the website is limited/available to certain geographies) to any website, and hence all websites could potentially be at risk of non-compliance.
As you know, the fines can be Euro 20 million or 4 percent of the total turnover (whichever is higher), which definitely may seem a bit steep, but if larger corporations do not take this regulation seriously, then sizeable fines would be necessary.
Companies or startups will only understand the seriousness of the GDPR compliance when we hear about the prosecution of a company for non-compliance. We are just wired that way.
YS: How do you advise them to prepare for GDPR, since the deadline is May 25?
HD: Firstly, I do not think companies must view this as an imposition of a regulation on them, and rather must consider this as a general practice. If you truly look at the essence of GDPR, it is to ‘protect the misuse of personally identifiable information’ for persons residing in the EU. Companies must not discriminate on the basis of location, and the same must extend to all people across the globe. Companies must go through their complete operational workflow and clearly identify the various touch points where data of persons is being collected and stored. Going forward, this data must be managed effectively to keep their records in order.
GDPR regulation is not a one-time privacy policy change, but a practice in perpetuity (like a lifestyle change for the company). A few things (among other things) a company must do are:
- Map your data – Self-audit the collection of data from customers and people you engage with
- Review policies – This may include making relevant changes in the privacy policy of a company
- Opt in – Send mailers to your customers residing in the EU to opt in regarding the communication you plan to send in the future
- Re-plan data collection
- Create a data retention schedule
- Introduce an opt-out feature
- Cookies – Clearly spell out details of the cookies you are using
YS: What does it mean for other nations to introduce similar policies, and is this the new normal?
HD: If it is not already, it definitely will be a norm. The GDPR will be one of the first of many laws to come in this frontier. I am certain that this will act as an inspiration for other countries to come up with relevant laws in this regard. Japan has already formulated its own Act (Japanese Act on Protection of Personal Information) based on the principles of GDPR.
YS: Talk about how enterprises will have to prepare for GDPR.
HD: A lot of Indian enterprises have many of their clients out of Europe. For enterprises to continue their business in Europe, they will have no option but to comply with GDPR. Small or large, the steps taken by these companies will be the same. But, due to the magnitude of the data, the process implemented by companies could be different.
YS: Does India have a framed policy on privacy laws and what is the implementation process?
HD: India presently does not have any express legislation governing data protection or privacy. However, the relevant laws in India dealing with data protection are the Information Technology Act, 2000, and the (Indian) Contract Act, 1872.
The (Indian) Information Technology Act, 2000, deals with issues relating to payment of compensation (civil) and punishment (criminal) in case of wrongful disclosure and misuse of personal data and violation of contractual terms in respect of personal data.
A codified law on the subject of data protection is likely to be introduced in India in the near future.
YS: Your final thoughts on this, and how it is going to impact Indian VCs and technology companies. Should they prepare for it financially?
HD: It is a new regulation on the right path, and only time will tell us the practicality of it, which will be directly proportional to the implementation of GDPR.
I personally do not believe this will impact Indian VCs. Investments will continue to happen as they are. Having said that, the screening will begin to get more stringent at the due diligence stage. If companies are not compliant, it could directly have an impact on the VC’s investment in the company. Therefore, I only see due diligence becoming more stringent.
Just the size of the IT industry in Germany and France is around $200 billion. The GDPR is going to have a significant impact on the IT companies. Due to the implication of the said penalties, these companies will make sure they have their processes in place without any deviations. Once processes are in place, things will fall in order, and it will become a systematic part of the company’s operation.