General Data Protection Regulation: What it means for India, and the World

The European Union (EU) has taken the lead in amending its existing data protection laws through the introduction of the General Data Protection Regulation (GDPR), which comes into effect next year. But what are the contours of this regulation and how will it impact enterprises?

It is no overstatement to say that data is increasingly driving economies around the globe. As businesses across the world uncover the right-fit big data and analytics strategies, data protection regulation is in the spotlight. The European Union (EU) has taken the lead in amending its existing data protection laws through the introduction of the General Data Protection Regulation (GDPR), which comes into effect next year. The question, then, is what the contours of this regulation are and how it will impact enterprises.

What is GDPR?

Data helps businesses differentiate themselves and thus represents a competitive edge. But concerns have been growing over the way enterprises use consumer data for marketing, as current regulations do not offer consumers any control over it. Thus, GDPR was born with more stringent and prescriptive compliance challenges, backed by fines of up to four per cent of a company’s annual global revenue. Other stringent rules include those pertaining to data breach reporting, the mandatory appointment of a Data Protection Officer, and citizens’ right to be forgotten in the digital realm, among others.

How it impacts businesses

The GDPR will replace the 1995 Data Protection Directive and is aimed at protecting EU citizens’ personal data in the new digital world. The regulation covers all the EU member states and citizens, so all global enterprises with operations or customers in the EU must comply. Businesses are already gearing up for this new data protection regime. A PwC pulse survey recently asked C-suite executives from large American MNCs about their GDPR compliance plans, and more than half of them said that this was their top data-protection priority. Some American businesses are also looking at ways to reduce their GDPR risk exposure, or are even withdrawing from the market. Another study, by RiskIQ, revealed that more than one-third of public web pages of FTSE 30 companies capturing personally identifiable information are in danger of violating the GDPR rules. Indian companies with operations in the EU or dealing with EU citizens’ data will also have to comply with this regulation.

Takeaways for India

India is in a unique position as it embarks on a digital transformation journey of unprecedented magnitude through the citizen biometric data platform Aadhaar, the e-governance initiative Digital India, presence-less, paperless, and cashless service delivery through IndiaStack, and digitization of citizens’ documents via DigiLocker. Aadhaar has strong data protection measures, but as India moves towards digital at a scorching pace, ensuring comprehensive protection of data while also empowering citizens to leverage their own data will be paramount. One instance is enrollment for jobs or skilling initiatives based on the documents saved on the cloud platform of DigiLocker.

India’s demonetisation move was followed by the Union Budget for 2017, which outlines an ambitious goal of achieving 25 billion digital transactions in 2017-18. This means the Government will need to ensure the security and regulatory compliance of an unprecedented number of websites and web applications offering digital transaction services. With the Goods and Services Tax or GST coming into effect recently, all businesses will now have to maintain electronic invoices on the cloud. India could draw on an over-arching data protection regime by building on GDPR. However, data protection cannot be in the government sphere alone. Businesses in India can also take cognizance and bring in strong data protection measures akin to GDPR, which will only enable their growth in the long run.

One area to be considered is the electronic consent architecture in India, which is a global first but needs to be extended further. For instance, Indian citizens should be able to claim penalties if businesses fail to obtain clear consent to use their personal data. In the flood of digital marketing, the consumer’s right to opt out is often not delineated or respected. Also, there is the question of what constitutes personal and sensitive data. Freely available data like a person’s name and email ID could be classified as personal data, while information about a person’s net worth or investment decisions should be treated as sensitive data, which requires stronger governance and compliance measures. Digital marketers should be able to leverage technology to classify data categories based on such rules.

They also need to understand the rules for portability of customer data: what can or cannot be shared, with or without the customer’s consent, and with the competition or the industry at large. Indian enterprises dealing with customer data also need to store, organise and provide access control to customer data in their possession in accordance with global norms. This will pre-empt any data protection governance and compliance norms that may be implemented by the Government, which is likely to happen soon. India Inc. could thus learn from GDPR and leapfrog the curve as it has done in the past with technology deployments in sectors like banking and telecom.

To conclude, GDPR will strengthen the data protection measures of enterprises and empower them and their customers, if followed in the right letter and spirit. Businesses operating in other regions too will do well to adopt the GDPR standards as data protection increasingly becomes a worry.
