GDPR and its impact on privacy (new changes)
You might be thinking – how does an EU regulation affect businesses in India and how we operate? This is a truly global regulatory change that every company needs to follow and remain compliant with.
The General Data Protection Regulation (GDPR) has more stringent rules protecting consumer data, and requires that consumers be given more information about the way their data is being stored. In order to remain compliant, companies must develop comprehensive policies so that their intent is clear. There’s more transparency, and the act of consent is made explicit. In a way, it’s one of the best things that could have happened after the Facebook debacle. But since Facebook saw an increase (not a decrease) in its user base after the news broke, the law may not do much beyond adding extra steps.
Consumers may or may not care about their data being leaked, partly because they’re so used to it by now. They understand that the major companies they trust have all been hacked, but they’re on the fence about how it’ll affect them. An important feature of the bill ensures that customers have a “right to be forgotten” clause which can empower them to opt out of these data exchanges.
Another interesting aspect of the regulation ensures that customers have access to the data being collected about them and can correct it if they’re dissatisfied. That’s an interesting new step that’s quite radical in today’s internet era. The law extends to all countries in the European Union; however, companies are extending their messaging to all visitors from major countries. This is to promise transparency and give more control to consumers who want to access their information.
This is a positive step in the right direction, and an important move that was long overdue. The most interesting part of the GDPR is that it outlines various added compliance requirements for companies that fall under its regulation. Different companies like ride-sharing apps, food-tech and fin-tech companies have unique sub-sets of requirements as well. This customization ensures that the language is the same throughout and no consumer is confused about why their data is being collected.
What is India doing about it? It’s formulating a similar set of regulations for online Indian businesses to be more transparent with their consumers.
“We (DSCI) along with industry body Nasscom have set up a GDPR helpdesk to help companies with the transition.” – Rama Vedashree, CEO of Data Security Council of India (DSCI) (Source)
This is opening up new discussions in the field and creating new avenues of compliance that companies need to follow in India. All major companies in the tech startup space have already begun their communication and technology compliance processes in order to remain ahead of the government’s moves.
“There are some negatives in the new regulation but the positive is that now there is a legal framework available where they can categorize the Indian IT sector as ‘data adequate’ without having to stamp all over India.” – Gagan Sabharwal, Senior director, global trade development at Nasscom (Source)
Essentially, many stakeholders are seeing this as an added cost that they need to incur, with few leaders believing that it’s a good move. It’s also being seen as a differentiator in the eyes of tech companies that want to promote a transparency-oriented brand image. With Indian lawmakers working with tech companies to formulate these laws, smaller startups may need to invest that much more in compliant systems. This could mean increased data management costs, sharing data with third-party auditors, etc.
“A lot of organizations, especially in the EU region, started their GDPR compliance journey more than a year ago. It is only in India that awareness is very low and organizations are still grappling with how to get compliant with GDPR. Compliance is not easy… It is not a one-time job… it impacts not only technology but all aspects of organization per se.” – Jaspreet Singh, partner-Cybersecurity, EY. (Source)
The second way that GDPR affects Indian businesses has to do with scale. Indian startups want to scale as quickly as possible, and when there is limited growth in Tier-1 markets, they look towards the UK and US. These sophisticated markets offer a price-insensitivity that’s unseen in India and a penchant for quality that many Indian companies can deliver.
These companies will have to comply with these regulations, on top of the new Indian regulations that will emerge shortly. This will add to the costs incurred by these startups, and the outsourcing model could be affected significantly.
Companies that outsource their data to Indian databanks will need to apply the same guidelines across the board to their Indian outsourcing partners. Depending on the level of data they collect, they will have to enhance their systems and provide cleaner mechanisms for consumers to access their data. Article 3 of the GDPR makes it clear that where a business is based is irrelevant if it operates any portion of its business in the EU.