The GDPR may critically impact many sectors, especially the IT sector and BPOs. The IT sector will be the first to be affected by the new data protection law in Europe. Follow this article to know more about how it would affect Indian IT sectors.
The General Data Privacy Regulation replaced the EU Data Protection Directive 95/46/EC, generally known as GDPR, on May 25th, 2018, following thousands of proposed revisions to the data protection rules. It is data protection, the central concept around which modern life revolves. It protects EU citizens and enterprises, enabling both groups to benefit from the digital economy.
First and foremost, this new set of regulations aims to offer EU people control over their personal information, allowing them to upload, delete, and report data breaches. Second, GDPR stresses increased oversight of enterprises and organisations in charge of client data. The law has altered the requirements for businesses that gather, store, and use a significant amount of data about EU citizens. For intra-EU transactions, these businesses must abide by the regulations governing the data privacy and protection of EU citizens. The GDPR also regulates the export of private information outside the EU and transactions between EU individuals and businesses outside the EU, even in the IT sector.
The GDPR harmonises data protection regulations in all 28 member states. It establishes tough guidelines for managing and using personal details (PII). Giving EU citizens their authority back expands protection of data protection and personal rights. The EU Data Protection Directive was replaced by GDPR, which went into effect on May 25, 2018. GDPR similarly repeals the UK Data Protection Act of 1998.
What is Governed by GDPR?
Whether or not the existing law applies to service or business providers is the main issue causing discord among them. Data controllers and data processors are subject to GDPR, which controls how the controller processes personal data obtained from the processor. Any information about an identified or recognisable live individual is considered personal data. The GDPR governs how people, businesses, and organisations process information. Name and last name, home address, email addresses like name.surname@company.com, social security number, location information, Internet Protocol address, cookie ID, advertising identifier of a phone, and information held by a hospital or doctor, which may be a symbol that specifically identifies a person, are examples of personal data.
How does GDPR Impact Indian Companies?
The GDPR may have a critical impact on many sectors, especially the IT sector and the BPOs, as it will have a global impact on companies worldwide. The IT sector will be the first to be affected by the new data protection law in Europe. If Indian companies comply with the GDPR, it will provide an outsourcing avenue for a larger section of the Indian IT sector, which will increase their market share.
Impact of GDPR on the Indian IT Sector
It is well known that the Indian BPO, ITeS, and pharmaceutical sectors view Europe as a sizable market. Germany and France, two countries that are members of the European Union, are thought to be worth between 15 and 20 billion dollars in the IT sector. Therefore, it should not be surprising that the Indian IT sector must abide by the GDPR if it wants to develop. Indian businesses who violate the GDPR will be fined either 20 million euros or 4% of their global turnover. India is worth around $150 billion in the outsourcing sector, which accounts for about 9.3 per cent of global GDP. Due to India’s laxer data protection rules, which put it at a disadvantage compared to rival countries, the European Union is one of the largest markets for the Indian outsourcing business.
The GDPR is generally rigid and prevents firms from taking chances and making decisions about data transfers outside the EU. Indian businesses must take the necessary precautions by the regulations to comply. This is due to the procedure for moving personal data outside of the EU, which would result in escalating compliance expenses.
No matter whether the processing of data takes place inside the EU or outside of it, it must adhere to the rules outlined in Article 3 (Territorial Scope) of the GDPR. This implies that Indian businesses must follow the GDPR’s rules or risk being banned from doing business and facing severe fines and litigations.
The European Union (EU) passed the GDPR 2018 in response to the Cambridge Analytical data breach case publicised in March 2018. Due to this, e-commerce businesses registered in non-European countries are bound by a legislative framework comparable to these rules. It is the responsibility of India’s E-commerce businesses must adhere to the same strict regulations.
In addition to infrastructure and technology, there is a law in place. The GDPR would undoubtedly affect the services industry, particularly banking, customer service, advertising, and data input, among others, the IT sector. Those people cannot receive these services unless the Indian data protection regulations are judged to be on par with or sufficiently strict by EU standards GDPR. Even if Indian businesses do not engage directly, Citizens in Europe would still need to comply with GDPR.
This is because it is possible for personal information about European people to be used for other relevant data processing activities. Indian businesses would face severe penalties for noncompliance if this were the case. For instance, a corporation in India could face fines under the GDPR if it utilises the data of former European consumers. Therefore, it is important to consider how the legal systems in India and the EU currently regulate data privacy. To maximise trade between India and the EU, government organisations and business organisations like FICCI and NASSCOM need to create a legislative framework that achieves synergy between the Indian and EU data protection regimes.
Conclusion
The Indian rules on data protection will need to be adjusted in light of GDPR’s exceptionally high standard for data protection. The Indian laws may also need to include data protection practices, including breach reporting, extensive recordkeeping, and the employment of a data protection officer. Suppose India or the enterprises there cannot qualify as secure data destinations. In that case, commercial opportunities may be lost to safer regions due to the substantial fines associated with non-compliance. It is significant to remember that data transmission will also be allowed if a model contractual clause is signed and approved by the supervisory authority. India may examine similar agreements to become a recognised recipient of data transfers.
Also, Read:
