Umeed Kothavala, chief executive officer (CEO) and co-founder, Extentia.(HT PHOTO)

Startup Saturday: Deciphering GDPR and its impact on India’s businesses

The new EU policy to protect citizens’ private data forces companies to become compliant, or face action.
By HT Correspondent | Hindustan Times, Pune
UPDATED ON JUN 09, 2018 02:55 PM IST

With the European Union (EU) enacting the General Data Protection Regulation (GDPR) to protect its citizens’ data, companies across the world have found themselves forced to comply with the new laws. Umeed Kothavala, chief executive officer (CEO) and co-founder, Extentia, speaks to Namita Shibad and explains the core of the new regulation and the way forward for companies to be GDPR compliant.

What is the GDPR?

Its aim is to protect the personal data and privacy of all citizens in the EU, and limit its export. GDPR could be the first law to hold companies of any size accountable for the data that they collect, store, analyse, and use. This will mean all organisations that have a presence in the EU, process the data of EU citizens, have more than 250 employees or whose data-processing impacts the rights of data subjects, have to be GDPR compliant. The data subject is also granted rights under GDPR. Any EU resident can demand the right to access information about them or they can demand to be forgotten, which would mean all data collected on them must be removed.

What does the regulation seek to protect?

GDPR largely focuses on protecting personally identifiable information (PII). This includes basic contact information, web data, health and biometric data, and other social data which can be used to identify any specific individual. There are three parties responsible for ensuring compliance with these regulations. The first is the data controllers, who acquire and utilise the data. The next are the data processors, who seek and subsequently work on and analyse the data - acting as service providers to controllers. The final group is the data protection officers who are appointed internally or externally, to respond to all queries and ensure compliance with GDPR.

How will companies implement it?

In order to use personal data, the involved parties must implement new measures to ‘pseudonymize’ data (a data management procedure where personally identifiable information fields within a data record are replaced by artificial identifiers, or pseudonyms), along with data protection measures being applied at the earliest. Companies can follow six steps to implement GDPR.

The first way is to understand the GDPR legal framework, then create a data register and classify the obtained data as is necessary. The fourth step is crucial; it includes a privacy and data protection impact assessment of policies within the organisation. The subsequent step is to access and document additional risks. Finally, to stay compliant, organisations must revise the previous steps, adapt and repeat them consistently.

How will GDPR affect businesses?

GDPR requires all data handling entities to obtain explicit, oral, written and specific consent for every instance of data captured. The consent must be taken with an affirmative act. During data collection, the companies are expected to explain how and why the data is obtained. They must also reobtain consent, if the methods or the usage of data changes. If the companies do not obtain consent or if it is not verifiable, then they are at risk of non-compliance.

As per Article 13 of the regulation, these companies are also required to provide information to the relevant customers about the data controller, data processing involved, length of retention of data, protection measures, and ways to exercise the customer rights that GDPR provides. To adhere to Article 22, the companies must restrict the use of intelligent algorithms in decision making and profiling of individuals. The algorithms used for analytics may have a significant effect on data capture.

If any of these specifications are not met, then the company can face penalties as high as €20 million or 4 per cent of their annual turnover, whichever amounts to a higher value.

What do you personally think of data protection laws?

GDPR’s positive intention has been overshadowed by being an unwieldy and potentially unrealistic piece of legislation. It imposes a heavy penalty on small and large companies while rewarding unethical organisations looking to evade the word of law. GDPR addresses current issues without an eye to the future by failing to take into account spambots, phishing and ransomware – which are likely to become major issues in the next five to 10 years. Unfortunately, the unsubscribe button has diverted user attention from far riskier online behaviour. GDPR is running the very real risk of a domino effect whereby other countries will set up similar, but not the same policy, causing a nightmare of conflicting and contradictory demands on all organisations. Although GDPR has its heart in the right place, its aim of data protection has been overtaken by bureaucratic ambition and poor knowledge of how technology and the real world works.

Clicking the Subscribe button: Experts on GDPR

“The big doubt in the mind of CEOs and founders of startups is whether they will be impacted by GDPR. If you are primarily either a processor (you process data) or a controller (you choose to manage or store data for some business purpose), you will be impacted by the regulation. This is not only for EU clients. It could be for the United States or any other country. It is high time startups wake up and pay serious attention to data protection laws and regulations. I would advise startups to seek a good legal expert on international data transfer and protection to get going. You may be in touch with lawyers for valuations, mergers or acquisitions, but it is more important for you to have good documentation for each and everything which you do. Some startups may feel that if they are not receiving investments, then why bother? However, the more the data you process, the more you get for analytics and the more vulnerable you are for a purview. Analytics are a hot favourite with investors. I would also advise all CEOs and founders to recheck their cloud service terms and conditions and undergo a refresher course on security and privacy controls.”

-Prakash Sharma, head of Autonebula connected transport system initiatives

“This is a regulation that currently is applicable only to the EU. Anyone doing business with the EU will have to comply with its norms. In our city, the software industry is well equipped to deal with such security compliances. For startups it will create a lot of paperwork, but it provides a short-term opportunity to some entrepreneurs to provide software that is GDPR compliant. It could also lead to new regulations in other countries like the US, which could come up with its own standards for data protection.”

-Kiran Deshpande, president, TiE Pune

“Indian companies with operations in EU or dealing with EU citizens’ data will have to comply with the regulation to continue their business. The EU, for us, comprises the second biggest market after the US and the monetary impact of GDPR on businesses is going to be significant. According to a PricewaterhouseCoopers survey, the estimated spend by American companies on GDPR compliance is to the tune of $1 million to $10 million. At a high level, the impact of GDPR on business will require substantial modifications to how customer data is processed, stored and protected. Storing personal data of EU residents is only legal when there is consent. Additionally, businesses must erase personal data upon request and report data breaches within 72 hours to supervisory authorities. Privacy is now to be implemented not only by design, but by default and built into all new products, devices and business processes. Currently, there is a strong disconnect between understanding what data you have and how it is being used. That gap has to be filled now. Clearly understanding and controlling data is the foundation for compliance with GDPR. At an operational level, a lot of measures are called for. First and foremost, large businesses have to institute a data protection officer (DPO) with an expertise in risk assessment and compliance monitoring skills. Secondly, companies will have to conduct data protection impact assessments (DPIAs) and privacy features have to be deployed throughout the daily operations of their businesses.”

-Sunity Choudhary, co-founder and chief operating officer, Asti Infotech (global positioning system tracking solution provider)
