GDPR: Here’s how EU data privacy law will affect Indian companies

The General Data Protection Regulation (GDPR) designed to give citizens in the European Union (EU) more rights to control their personal information also applies to an Indian entity if it monitors the behaviour of individuals in the EU.

"The scope of GDPR is very wide. It does not matter whether you are in the EU or outside," Supratim Chakraborty, Associate Partner at the law firm Khaitan & Co, said.

"If you are providing goods and services through the data subjects in EU, you will be covered under the ambit. For example, the outsourcing services will be covered under GDPR. Moreover, establishments which are engaged in tracking data subjects of the EU through apps or any other tools will be liable to comply to the new regulations," Chakraborty added.

According to the European Commission, the law applies to a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed. Non-compliance of GDPR rules can cost companies a fortune -- 20 million Euros or 4% of annual turnover.

It also applies to a company established outside the EU offering goods/services -- whether paid or for free -- which monitors the behaviour of individuals in the EU.

According to Shree Parthasarathy, Partner, Deloitte India, Indian businesses are battling severe issues of data protection and cyber security that have larger business implications on productivity and customer confidence.

"Embracing GDPR with a strategic roadmap should be the immediate priority for Indian CXOs, that would include creating awareness, training as well as constitution of a dedicated data protection framework," Parthasarathy said in a statement.

"GDPR can be a competitive advantage for India, if enterprises understand its relevance and further bring in a risk-based iterative mechanism to their business strategy that is trustworthy secure, and agile in the digital world," he added.

According to a Deloitte survey conducted in collaboration with Data Security Council of India (DSCI), large organisations with more than 10,000 employees (21% of respondents), embarked on their GDPR readiness journey in 2016 itself.

Whereas, 43% of organisations started their GDPR readiness journey only in late 2017 or early 2018, the results showed.

"GDPR compliance should not only be looked at as an effort and money draining exercise but also as a business advantage which can be a differentiator in the market. An entity compliant with GDPR requirements would definitely command more confidence from customers as compared to those who do not," Chakraborty said.