Startup Saturday: Deciphering GDPR and its impact on India’s businesses
The new EU policy to protect citizens’ private data forces companies to become compliant, or face action.
With the European Union (EU) enacting the General Data Protection Regulation (GDPR) to protect its citizens’ data, companies across the world have found themselves forced to comply with the new laws. Umeed Kothavala, chief executive officer (CEO) and co-founder, Extentia, speaks to Namita Shibad and explains the core of the new regulation and the way forward for companies to be GDPR compliant.
What is the GDPR?
Its aim is to protect the personal data and privacy of all citizens in the EU, and limit its export. GDPR could be the first law to hold companies of any size accountable for the data that they collect, store, analyse, and use. This will mean all organisations that have a presence in the EU, process the data of EU citizens, have more than 250 employees or whose data-processing impacts the rights of data subjects, have to be GDPR compliant. The data subject is also granted rights under GDPR. Any EU resident can demand the right to access information about them, or they can demand to be forgotten, which would mean all data collected on them must be removed.
What does the regulation seek to protect?
GDPR largely focuses on protecting personally identifiable information (PII). This includes basic contact information, web data, health and biometric data, and other social data which can be used to identify any specific individual. There are three parties responsible for ensuring compliance with these regulations. The first is the data controllers, who acquire and utilise the data. The next are the data processors, who seek and subsequently work on and analyse the data - acting as service providers to controllers. The final group is the data protection officers who are appointed internally or externally, to respond to all queries and ensure compliance with GDPR.
How will companies implement it?
In order to use personal data, the involved parties must implement new measures to ‘pseudonymize’ data (a data management procedure where personally identifiable information fields within a data record are replaced by artificial identifiers, or pseudonyms), along with data protection measures being applied at the earliest. Companies can follow six steps to implement GDPR.
The first step is to understand the GDPR legal framework, then create a data register and classify the obtained data as is necessary. The fourth step is crucial: it includes a privacy and data protection impact assessment of policies within the organisation. The subsequent step is to assess and document additional risks. Finally, to stay compliant, organisations must revise the previous steps, adapt and repeat them consistently.
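The answer above describes pseudonymization as replacing personally identifiable fields with artificial identifiers. The script below is an added example, not code from the article or from Extentia, showing one common way to do that: PII fields are replaced by keyed HMAC tokens, so the same person always gets the same token (counts and joins in the analytics copy still work), while the key and the token-to-value table that allow re-identification are held in a separate object under stricter control. The records, names and e-mail addresses are constructed, and all class and function names are my own.

```python
"""Pseudonymize PII fields with keyed HMAC tokens, keeping the re-identification
table separate from the pseudonymized data. Added example with constructed data."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List

# Constructed sample records; the people are fictional.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"customer_id": "C-1001", "name": "Asha Verma", "email": "asha@example.com",
     "city": "Pune", "plan": "pro"},
    {"customer_id": "C-1002", "name": "Tomas Ruiz", "email": "tomas@example.com",
     "city": "Madrid", "plan": "free"},
    # A second event for the same customer: it must map to the same tokens so
    # that per-customer counts in the pseudonymized copy remain correct.
    {"customer_id": "C-1001", "name": "Asha Verma", "email": "asha@example.com",
     "city": "Pune", "plan": "pro"},
]

# Fields that directly identify a person and are replaced; the rest are kept.
PII_FIELDS = frozenset({"customer_id", "name", "email"})


def make_key() -> bytes:
    """Fresh 32-byte secret key; in practice this would come from a key store."""
    return secrets.token_bytes(32)


class Pseudonymizer:
    """Replaces PII values with HMAC-derived tokens.

    The 'additional information' needed to re-identify a person (the key and
    the token -> value table) lives here and is meant to be stored apart from
    the pseudonymized dataset, with tighter access control.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self._lookup: Dict[str, str] = {}

    def _compute(self, field: str, value: str) -> str:
        # Keyed hash: a recipient of the dataset cannot confirm a guessed e-mail
        # by hashing it without the key. The field name is mixed in so the same
        # string appearing in two fields yields two unrelated tokens.
        msg = f"{field}\x00{value}".encode("utf-8")
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:24]
        return f"{field}:{mac}"

    def token(self, field: str, value: str) -> str:
        tok = self._compute(field, value)
        self._lookup[tok] = value
        return tok

    def pseudonymize(self, record: Dict[str, str]) -> Dict[str, str]:
        return {k: (self.token(k, v) if k in PII_FIELDS else v)
                for k, v in record.items()}

    def pseudonymize_all(self, records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
        return [self.pseudonymize(r) for r in records]

    def can_reidentify(self, tok: str) -> bool:
        return tok in self._lookup

    def reidentify(self, tok: str) -> str:
        # Only the holder of the lookup table can reverse a token.
        return self._lookup[tok]

    def forget(self, field: str, value: str) -> int:
        """Erasure request: drop the mapping for this value. Returns entries removed.

        Anyone who still holds the key can recompute the token, so key custody
        matters as much as this table when honouring a right-to-be-forgotten request.
        """
        return 1 if self._lookup.pop(self._compute(field, value), None) is not None else 0


def leaks_pii(pseudonymized: List[Dict[str, str]], originals: List[Dict[str, str]]) -> bool:
    """Check that no raw PII value from the originals survives in the output."""
    raw = {r[f] for r in originals for f in PII_FIELDS if f in r}
    return any(v in raw for rec in pseudonymized for v in rec.values())


if __name__ == "__main__":
    p = Pseudonymizer(make_key())
    out = p.pseudonymize_all(SAMPLE_RECORDS)
    for rec in out:
        print(rec)
    print("leaks PII:", leaks_pii(out, SAMPLE_RECORDS))
    print("erased:", p.forget("email", "asha@example.com"))
```

Two design points are worth noting. A plain unkeyed hash of an e-mail address is not a pseudonym in any useful sense, because the address space is small enough to guess and confirm; the HMAC key is what prevents that. And erasure here only removes the lookup entry, so the pseudonymized records remain in the analytics copy; whether that satisfies a deletion request depends on the key being unavailable to whoever holds those records.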
How will GDPR affect businesses?
GDPR requires all data handling entities to obtain explicit, oral, written and specific consent for every instance of data captured. The consent must be taken with an affirmative act. During data collection, the companies are expected to explain how and why the data is obtained. They must also reobtain consent, if the methods or the usage of data changes. If the companies do not obtain consent or if it is not verifiable, then they are at risk of non-compliance.
As per Article 13 of the regulation, these companies are also required to provide information to the relevant customers about the data controller, data processing involved, length of retention of data, protection measures, and ways to exercise the customer rights that GDPR provides. To adhere to Article 22, the companies must restrict the use of intelligent algorithms in decision making and profiling of individuals. The algorithms used for analytics may have a significant effect on data capture.
If any of these specifications are not met, then the company can face penalties as high as €20 million or 4 per cent of their annual turnover, whichever amounts to a higher value.
What do you personally think of data protection laws?
GDPR’s positive intention has been overshadowed by being an unwieldy and potentially unrealistic piece of legislation. It imposes a heavy penalty on small and large companies while rewarding unethical organisations looking to evade the word of law. GDPR addresses current issues without an eye to the future by failing to take into account spambots, phishing and ransomware – which are likely to become major issues in the next five to 10 years. Unfortunately, the unsubscribe button has diverted user attention from far riskier online behaviour. GDPR is running the very real risk of a domino effect whereby other countries will set up similar, but not the same, policies, causing a nightmare of conflicting and contradictory demands on all organisations. Although GDPR has its heart in the right place, its aim of data protection has been overtaken by bureaucratic ambition and poor knowledge of how technology and the real world work.
Clicking the Subscribe button: Experts on GDPR
“The big doubt in the mind of CEOs and founders of startups is whether they will be impacted by GDPR. If you are primarily either a processor (you process data) or a controller (you choose to manage or store data for some business purpose), you will be impacted by the regulation. This is not only for EU clients. It could be for the United States or any other country. It is high time startups wake up and pay serious attention to data protection laws and regulations. I would advise startups to seek a good legal expert on international data transfer and protection to get going. You may be in touch with lawyers for valuations, mergers or acquisitions, but it is more important for you to have good documentation for each and everything which you do. Some startups may feel that if they are not receiving investments, then why bother? However, the more the data you process, the more you get for analytics and the more vulnerable you are for a purview. Analytics are a hot favourite with investors. I would also advise all CEOs and founders to recheck their cloud service terms and conditions and undergo a refresher course on security and privacy controls.”
-Prakash Sharma, head of Autonebula connected transport system initiatives
“This is a regulation that currently is applicable only to the EU. Anyone doing business with the EU will have to comply with its norms. In our city, the software industry is well equipped to deal with such security compliances. For startups it will create a lot of paperwork, but it provides a short-term opportunity to some entrepreneurs to provide software that is GDPR compliant. It could also lead to new regulations in other countries like the US, which could come up with its own standards for data protection.”
-Kiran Deshpande, president, TiE Pune
“Indian companies with operations in EU or dealing with EU citizens’ data will have to comply with the regulation to continue their business. The EU, for us, comprises the second biggest market after the US and the monetary impact of GDPR on businesses is going to be significant. According to a PricewaterhouseCoopers survey, the estimated spend by American companies on GDPR compliance is to the tune of $1 million to $10 million. At a high level, the impact of GDPR on business will require substantial modifications to how customer data is processed, stored and protected. Storing personal data of EU residents is only legal when there is consent. Additionally, businesses must erase personal data upon request and report data breaches within 72 hours to supervisory authorities. Privacy is now to be implemented not only by design, but by default and built into all new products, devices and business processes. Currently, there is a strong disconnect between understanding what data you have and how it is being used. That gap has to be filled now. Clearly understanding and controlling data is the foundation for compliance with GDPR. At an operational level, a lot of measures are called for. First and foremost, large businesses have to institute a data protection officer (DPO) with an expertise in risk assessment and compliance monitoring skills. Secondly, companies will have to conduct data protection impact assessments (DPIAs) and privacy features have to be deployed throughout the daily operations of their businesses.”
-Sunity Choudhary, co-founder and chief operating officer, Asti Infotech (global positioning system tracking solution provider)