The General Data Protection Regulation, a comprehensive set of rules put forward to strengthen data protection and user privacy globally, will come into force on May 25, 2018, and any non-compliance will attract a fine of up to £20 million or four percent of the company’s global turnover, whichever is higher.
Does your firm or startup have a presence in the European market? Does your company provide Information Technology and ITeS, pharmaceutical, financial or data processing services to European clients? If yes, then the clock is ticking and you must comply with the new, strict and nuanced framework for data handling introduced by the European Union.
Data offers a competitive edge and helps businesses differentiate themselves. It is at the heart of the technological evolution and is helping to usher in a new era of artificial intelligence. Unfortunately, companies like Uber, Pizza Hut, Clarksons, Deloitte, Equifax and Zomato have all reported loss of consumers’ personal data. This unceasing rise in data leaks has stirred concerns over the way firms are using consumer data for marketing and other purposes. The Facebook-Cambridge Analytica data fiasco has yet again reignited the debate around data protection and data privacy all around the world.
To set new data protection standards in place, the European Union has rolled out the General Data Protection Regulation. It is a comprehensive set of rules put forward to strengthen data protection and user privacy globally. The primary aim of the regulation is to give users full control over their data. This regulation will come into force on May 25, 2018, and any non-compliance will attract a fine of up to £20 million, or four percent of the company’s global turnover, whichever is higher!
As per a survey, presently only a third of Indian IT services firms are compliant with a European data protection law. EY reports that around 60 percent of Indian companies are still unfamiliar with this new regulation. It is estimated that the size of the IT industry in Germany and France alone, i.e. the top two European member states, is around $155-220 billion. It is considered an important market for firms operating in the business-to-business segment. GDPR is slated to have global ramifications, and huge fines and stringent compliance requirements can lead to the shutdown of startups.
Article 3 (Territorial Scope) of the regulation categorically states that it applies to all companies regardless of whether the processing takes place in the EU or not. Even a company that has no office in the EU and does not operate there falls under this law as long as it handles the personal data of EU citizens.
To become GDPR-compliant, companies will be required to undertake the following obligations:
Companies require a programmatic approach and a defensible programme in order to comply with GDPR. To embrace the regulation, the main stakeholders of the company should be made aware of it and should chalk out a plan to become GDPR-compliant. Accordingly, they must also train their employees to handle personal data appropriately. Further, they should:
The only way to save oneself from unwanted, hefty penalties is to draft a policy for handling consumer data in consonance with GDPR.
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)