Have a startup working with European users? The clock is ticking on GDPR compliance


The General Data Protection Regulation, a comprehensive set of rules put forward to strengthen the data protection and privacy of users, comes into force on May 25, 2018, and non-compliance can attract fines of up to €20 million or four percent of the company's global annual turnover, whichever is higher.

Does your firm or startup have a presence in the European market? Does your company provide IT and ITeS, pharmaceutical, financial or data-processing services to European clients? If yes, the clock is ticking and you must comply with the new and strict framework the European Union has introduced for handling personal data.

Data offers a competitive edge and helps businesses differentiate themselves. It is at the heart of technological evolution and is ushering in a new era of artificial intelligence. Unfortunately, companies such as Uber, Pizza Hut, Clarksons, Deloitte, Equifax and Zomato have all reported loss of consumers' personal data. This unceasing rise in data leaks has stirred concern over how firms use consumer data for marketing and other purposes. The Facebook-Cambridge Analytica episode has once again reignited the debate around data protection and data privacy all around the world.

To set new data protection standards, the European Union has rolled out the General Data Protection Regulation (GDPR), a comprehensive set of rules intended to strengthen the data protection and privacy of users. The primary aim of the regulation is to give users control over their own data. The regulation comes into force on May 25, 2018, and non-compliance can attract fines of up to €20 million or four percent of the company's global annual turnover, whichever is higher.

As per a survey, only a third of Indian IT services firms are presently compliant with European data protection law. EY reports that around 60 percent of Indian companies are still unfamiliar with the new regulation. The IT industry in Germany and France alone, the top two European member states, is estimated at $155-220 billion, and it is an important market for firms operating in the business-to-business segment. GDPR is slated to have global ramifications, and heavy fines and stringent compliance requirements can lead to the shutdown of startups.

Is it applicable to you?

Article 3 (Territorial Scope) of the regulation makes it applicable to the processing of personal data by any company established in the EU, regardless of whether the processing itself takes place in the EU. It also applies to companies with no establishment in the EU if they offer goods or services to individuals in the EU or monitor their behaviour there. The test is where the data subjects are, not whether the company has an office in the EU and not whether those individuals are EU citizens.

What are the obligations of companies?

To become GDPR-compliant, the companies will be required to undertake the following obligations-

  1. Ensure data security - Organisations have to make sure that the personal data they handle is safeguarded against unauthorised or unlawful processing. The organisation is obliged to put in place effective technical and organisational security measures to protect personal data from unauthorised use, accidental loss, destruction, alteration and damage.
  2. Data control - Organisations must ensure data accuracy and integrity, implement data security practices and minimise the risk of data theft.
  3. Data breach - As a company you must have a process for handling personal data breaches. Implement appropriate measures to contain the breach and limit the loss, and notify the supervisory authority within 72 hours of becoming aware of it; where the breach is likely to pose a high risk to the affected individuals, they must be informed as well.

Companies require a programmatic approach and a defensible programme in order to comply with GDPR. To embrace the regulation, the company's main stakeholders should be made aware of it and should chalk out a plan to become GDPR-compliant. They must also train their employees to handle personal data appropriately. Further, they should-

  1. Conduct a data-discovery exercise - The organisation must determine where and how personal data, and the special categories of personal data defined under GDPR, are processed within the organisation.
  2. Establish a consent-obtaining mechanism - As per GDPR, consent must be freely given, specific, informed and unambiguous. Organisations must therefore carefully review how they seek, record and manage consent to process data, and implement a framework to obtain and record consent so that it can be demonstrated later.
  3. Keep a record - The company should know what personal data it holds, how that data flows in and out, where it is stored and how it is processed. It must also keep a register of who has access to the personal data.

The way to avoid hefty penalties is to draft a policy for handling consumer data in line with GDPR, and then to implement and enforce it.

(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)