Till about a year ago, things were looking good for Indian startups and enterprises doing business in Europe, or at least they appeared to look good. A survey by FICCI had stated “after exuding muted optimism for the last three-four years, Indian companies are most optimistic today than they ever were in the last nine years. This is notwithstanding Brexit which has resulted in operational hurdles for Indian companies while staying invested in Continent Europe.”
Today, the headlines at home and all over the world are a little different, and while the cause for worry isn’t an economic crisis or a country’s sovereign debt, it is in fact a new regulation called the General Data Protection Regulation aka GDPR. The Regulation mandates companies to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. Non-compliance can cost a business dearly.
If you keep a tab on technology news, you may have heard/read about the GDPR more times than you can keep count lately. Come May 25 — the implementation date of the Regulation — and the entire business game and liabilities of Internet and data companies will change, making it harder for them to take consumer data for granted. But will it also hamper innovation? And what does this mean for India Inc, especially for Indian startups?
We earlier looked at the GDPR in detail and how complying with the regulation can lead to an increase in costs for companies in terms of both gathering and analysing data, and how non-compliance can lead to even greater expenses in penalties. Now, let’s take a look at what the view from Europe is and what avenues and difficulties this could lead to for companies in India, but first here is a refresher:
GDPR is a regulation created by the European Commission (EC) to give users better control over their data and privacy while ensuring that whatever personal content they share with companies adheres to certain standards when it comes to how it is stored, used, and protected. Apart from the strict data protection provisions, what stands out in this regulation are the repercussions for potential violations.
One of the most eminent features of the Regulation is the right to be forgotten, wherein a user can ask for all her data to be completely erased, the reason for which can be as simple as withdrawal of her consent. Its opt-out feature gives users the ability to specifically and clearly agree or not agree to share their data and to be tracked by online analytics of companies like Facebook.
The fine for violation of the Regulation can go up to € 20 Mn ($24 Mn) or 4% of the concerned company’s annual turnover of the preceding financial year (whichever is greater). This is massive.
Just imagine if the Facebook-Cambridge Analytica fiasco — in which it was established that the personal data of about 50 Mn Americans and at least a million Britons had been harvested from Facebook and improperly shared with Cambridge Analytica — had happened after the GDPR came into effect. Based on the existing provisions of the Regulation, Facebook could have been fined a whopping $1.6 Bn on the basis of its revenue of about $40 Bn recorded in FY 2017.
The precedent for this was set when the EC levied a $2.73 Bn fine on Google because it abused its market dominance as a search engine by giving an illegal advantage to another Google product.
It’s clear that the Europeans are serious about their privacy, and everyone doing business with them needs to take note of this. The FICCI report from last year stated that the EU represents a large consumer base (close to 500 Mn potential consumers) if the entire bloc of 28 countries is considered to be a single market — not a market India can ignore.
What Should Indian Startups Do To Ensure GDPR Compliance?
May 25 is going to be a day of reckoning for many Internet and data-based companies. The GDPR doesn’t only affect companies operating in the EU. Even if a company doesn’t have a presence in Europe but has European users on its platform, it will come under the ambit of this rule. And there are many such companies in India.
“Think of any airline in India that has EU residents taking their flights or hotels where EU residents book a stay,” said Rana Gupta, vice-president, APAC, sales and services, identity and data protection (enterprise and cybersecurity), Gemalto, a multinational digital security services company. All such companies dealing with data belonging to EU residents will have to comply with the GDPR, explained Rana.
Inc42 also spoke to Praveen Paranjoth, a Europe-based venture capitalist and founder of the Startup Europe India Network (SEU-IN), about the upcoming Regulation. SEU-IN, launched early last year, is a technology corridor that aims to create seamless engagement and collaborations for startups expanding into European and Indian markets.
Praveen believes that it’s important for Indian startups to take this seriously and do everything they can to be compliant. “Even if you are operating in India, it is important to keep privacy and data protection at the centre of your process,” he said. He added that while companies may find it challenging to comply with the GDPR, the cost of not complying is going to be very high.
The first step a startup needs to take to comply with the GDPR is to (self) audit what personal data it holds, not only from its direct customers but also from its suppliers and other parties. Companies will also need to take into account special protection for children, and be prepared to handle requests from data subjects (people whose personal information they hold). They should be prepared to detect, report, and investigate personal data breaches and, more importantly, to build data protection into all their new projects and products.
Meanwhile, upcoming startups should familiarise themselves with this new scenario even if they don’t do work that falls within the ambit of the GDPR, because data privacy and protection laws are becoming stricter and stronger the world over.
Countries such as Japan are also looking to replicate the GDPR or devise their own regulation in response to this development. On the other hand, companies are looking at hiring people who have knowledge of data protection, an expensive and rare talent to enlist, which too will add to their costs.
Do Startups Need Data Protection Officers?
In this context, another question pops up: Will startups need to create the position of a data protection officer (DPO) to create data protection strategies and oversee their implementation to ensure compliance with GDPR requirements?
While the GDPR says that a company needs to do so only if it stores and processes large amounts of data, individual states have the right to use their domestic legislation to this effect; Germany, for example, has made the role of a DPO mandatory even though the GDPR does not mandate it. Reuters has called the role of a DPO “the hottest tech ticket in town”.
Rana believes the real question is whether companies think they want to pay attention to security and privacy-related issues in their business. “This is the question that boards need to answer. If the answer is yes, then they need to figure out who at the board level carries out this responsibility. Whether this responsibility is then executed through a dedicated employee in the organisation or through a part-time consultant will depend upon the size and complexity of the business,” he added.
GDPR: The Fear Of The Unknown
Praveen feels one of the reasons for all the hoopla around the GDPR is that the Indian startups are under-informed in general. “There is a fear of the unknown as to what it means to the cost base and what kind of compliance we will need to do and how deep we will need to go, etc,” he said.
However, this “fear of the unknown” doesn’t only apply to India as some of the richest and biggest companies and countries around the world are scrambling to apply their heads and deploy their resources towards understanding and complying with this rule.
The Regulation is also going to impact how we innovate, but not much, Praveen said. If you take blockchain and ICOs for example, the GDPR is playing catch-up, and there will be a scenario where the Regulation is always playing catch-up, he explained. “The most important thing is there needs to be a balance between what we innovate and what it means for the society. If the GDPR is busy playing catch-up with technology, it is unlikely it will play a diffusing role when it comes to innovation,” said Praveen.
But not all is gloomy for Indian startups. In fact, bigger players, who have millions of customers and a corresponding amount of data, will find GDPR compliance to be a cumbersome process. For smaller Indian startups, which are still in their early stages, it will be relatively easier to put the right processes in place, specifically in relation to giving users the power to download, delete, and transfer their data and providing them with the opt-out feature.
This also represents an opportunity, because servicing GDPR compliance will open up new avenues for both companies and individuals, as skills and services to build privacy into the centre of businesses will be in high demand.
How Will GDPR Affect Blockchain?
Blockchain, a digital ledger in which transactions made in bitcoin or another cryptocurrency are recorded chronologically and publicly, certainly needs to be looked at in the context of the GDPR. The important question is: Can blockchain be GDPR compliant, in the sense of allowing users to track, withdraw, and delete data if they so desire? “Whenever there are questions like this that need answers, innovation can be done around them,” said Praveen. He likes to believe that this is an opportunity that Indian startups can exploit.
Already, most companies in Europe want to do business only with companies that are GDPR-compliant. Siddharth Chakravarthy, CEO and founder of Hyderabad-based StaTwig, which offers blockchain and IoT solutions to help manage supply chain problems, said, “We have a few projects in the pipeline with EU customers where we have shown that we can comply with these regulations.”
He added that the overall requirements of the regulation may seem complex, but it all boils down to how well a company manages its data across various platforms. “In a lot of traditional systems, this is a very complicated task to accomplish as the data is collected from separate systems, stored on multiple platforms, and used to perform analytics in various departments of the company. For new platforms such as ours, it is easier to build the architecture so that it meets the requirements in the regulation,” said Siddharth.
It’s not just your own compliance with the GDPR that matters but also whether others with whom you may have shared user data can comply with the Regulation.
Ravi Jagannathan, CEO of blockchain services startup KrypC, explains:
“For example, if I am a hospital and I have given data of patients to a lab with the authorisation of the patient, I effectively become the data controller. Under the GDPR, if tomorrow, the patient asks that his/her data be deleted, then it’s not just the hospital but also the lab that will have to delete the data. The hospital, in turn, will need to make sure that the lab does this and will be liable for this,” explained Ravi.
What Ravi referred to was the central idea of the regulation whereby users should be able to track, trace, and delete shared data. But the challenge with blockchain is that if one records one’s details in the digital ledger, it can never be deleted, which defeats the purpose of the GDPR.
He added that there is a way around it. KrypC, for instance, has created a framework wherein certain data is kept off-chain — it’s not one’s personal details that are stored on the blockchain, but only a reference to one’s details. Clients’ personal details are stored in a registry that is securely maintained by the company and is not on the blockchain. This way, their personal details are not exposed to anyone.
He elaborated on how this works with the example of Bitcoin. When you buy or sell the cryptocurrency, details such as name, address, and date of birth are not revealed in the transaction; what is revealed is only your digital address in a binary form, he explained.
“If I am a bank that’s providing your personal data to an insurance company, then I continue to be the data controller. Now, to comply with the GDPR, what I need to do is share a reference to the registry with the insurance provider and the link will also send a communication to you asking if you want your data to be shared. In this manner, I don’t have to share the data liabilities of downstream data companies,” Ravi said.
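The off-chain registry pattern Ravi describes above (the hospital/lab and bank/insurer cases), as an added example in Python that is not KrypC’s code or the page’s own: the ledger holds only an opaque reference and an event label, the controller’s registry holds the personal data, the subject’s consent is recorded before anything is shared, and an erasure request is cascaded to the downstream processor before the registry row is dropped, so the ledger entry survives but resolves to nothing. The class names (`Ledger`, `ControllerRegistry`, `Processor`), the `demo` function and the patient record are all constructed for illustration.

```python
import uuid


class Ledger:
    """Stand-in for the chain: append-only, entries are never removed.
    Each entry is a (reference, event) pair; personal data never goes here."""
    def __init__(self):
        self._entries = []
    def append(self, ref, event):
        self._entries.append((ref, event))
    def entries(self):
        return tuple(self._entries)


class Processor:
    """Downstream party (the lab or the insurer) that only ever holds a reference."""
    def __init__(self, name):
        self.name = name
        self.refs = set()
    def receive(self, ref):
        self.refs.add(ref)
    def forget(self, ref):
        self.refs.discard(ref)
    def view(self, ref, registry):
        # Data is pulled through the controller's registry on demand, so the
        # processor keeps no copy that could outlive an erasure request.
        return registry.resolve(ref) if ref in self.refs else None


class ControllerRegistry:
    """Off-chain store held by the data controller (the hospital or the bank)."""
    def __init__(self):
        self._records = {}      # ref -> personal data
        self._consents = {}     # ref -> processor names the subject approved
        self._shared_with = {}  # ref -> Processor objects currently holding the ref
    def register(self, personal_data):
        # A random reference rather than a hash of the data, so the ledger
        # entry carries no information once the registry row is gone.
        ref = uuid.uuid4().hex
        self._records[ref] = dict(personal_data)
        self._consents[ref] = set()
        self._shared_with[ref] = set()
        return ref
    def resolve(self, ref):
        return self._records.get(ref)
    def record_consent(self, ref, processor_name):
        # Models the "do you want your data shared?" message the subject answers.
        self._consents[ref].add(processor_name)
    def share(self, ref, processor, ledger):
        if processor.name not in self._consents.get(ref, set()):
            raise PermissionError(f"no consent to share {ref} with {processor.name}")
        processor.receive(ref)
        self._shared_with[ref].add(processor)
        ledger.append(ref, f"shared-with:{processor.name}")
    def erase(self, ref, ledger):
        # Cascade to every downstream holder first: the controller stays
        # responsible for making sure the lab deletes as well.
        for processor in self._shared_with.pop(ref, set()):
            processor.forget(ref)
        self._records.pop(ref, None)
        self._consents.pop(ref, None)
        ledger.append(ref, "erased")


def demo():
    """Walk through consent -> share -> erase and report what each party can see."""
    ledger, registry, lab = Ledger(), ControllerRegistry(), Processor("lab")
    # Constructed sample record; not real data.
    ref = registry.register({"name": "Constructed Patient", "dob": "1970-01-01"})

    try:  # sharing before the subject consents must be refused
        registry.share(ref, lab, ledger)
        blocked = False
    except PermissionError:
        blocked = True

    registry.record_consent(ref, "lab")
    registry.share(ref, lab, ledger)
    before = lab.view(ref, registry)

    registry.erase(ref, ledger)
    after = lab.view(ref, registry)

    chain = ledger.entries()
    return {
        "blocked_without_consent": blocked,
        "lab_view_before": before,
        "lab_view_after": after,
        "ledger_entries_for_ref": sum(1 for r, _ in chain if r == ref),
        "ledger_contains_pii": any("Constructed" in ev or "1970" in ev for _, ev in chain),
    }
```

Running `demo()` shows the two properties the pattern relies on: the lab can read the record only while the controller’s registry row exists, and after erasure the chain still records that a reference was shared and then erased, but neither the reference nor the event labels reveal anything about the person.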
Niti Aayog, the think tank of the Indian government, is slated to come out with a policy paper on Blockchain technology in June that will look at identifying use cases and then come up with a national strategy through discussions with all stakeholders.
Is Data Protection Enforcement Really a Bad Thing?
While Europe has taken the lead when it comes to establishing a substantial data protection regulation, its early mover advantage could be difficult for other countries to follow or even deal with. India is in the process of drafting its own data and privacy regulation, but when it will be implemented is anyone’s guess. Meanwhile, it isn’t clear how business collaborations between India and Europe will adapt to this.
“There is no specific arrangement between India and Europe in relation to privacy laws. Considering the extended jurisdiction of the GDPR, companies in India need to be careful about whether their websites could be perceived as offering goods or services to people in the EU,” said Suneeth Katarki, a partner at law firm IndusLaw.
Meanwhile, the existing gap between the policymaking of the two entities is massive. For example, under section 72A of the (Indian) Information Technology Act, 2000, disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of a lawful contract, has also been made punishable with imprisonment for a term extending up to three years and a fine extending to INR 5,00,000 (approximately $8,000). Compare this with the high penalties embodied in the GDPR. The gap is evident.
Whatever the challenges, India and its business ecosystem need to urgently emulate emerging global regulations and frameworks like the GDPR, given the unignorable technological innovation happening in the country and outside as well. To this extent, having a concrete data protection policy is important from both a business and a consumer standpoint.
Complying with the GDPR is a challenge for companies around the world — there is no doubt about that. But companies that are dealing even remotely with data of EU subjects don’t have any option but to comply. Indian startups and companies, which, until now, like their Silicon Valley peers, didn’t focus on data protection, will voluntarily or forcibly adapt their technologies and business models to comply with stricter data protection laws both at home and abroad.
Come to think of it, this may not be such a bad thing after all.