What Indian Firms Need to Know About GDPR Compliance

It's extremely important for people doing business with the European Union to know about GDPR, and hence we elaborate on the subject

By Shaninder Singh Pahwa

Opinions expressed by Entrepreneur contributors are their own.

You're reading Entrepreneur India, an international franchise of Entrepreneur Media.


Every organization in India that deals with, or has access to, personal data of EU residents is required to store and manage such data in compliance with the EU's General Data Protection Regulation (GDPR), which has been in effect since 25th May 2018.

GDPR expands the definition of "personal data", which denotes any information relating to an individual who can be recognised directly or indirectly by identification numbers, location, and physical, genetic, economic or social identity.

GDPR Rights

GDPR assures EU residents privacy of their personal data stored within an organization. The regulation has extraterritorial scope, requiring entities outside the EU's borders that store such data to be compliant. GDPR requires organizations that possess data on EU residents to protect it; disclosure of such data may cause these firms to face considerable penalties. Such organizations must also ensure that data is collected via valid legal approaches.

Impact on Service Providers

Given that many Indian entities render various types of services to entities registered in the EU, which provide them with access to personal data of EU residents, it is pertinent for such Indian organizations to be GDPR compliant.

Service providers likely impacted:

  • Chartered Accountants providing Personal Tax consulting to EU nationals and residents

  • Organizations performing Background Checks on EU nationals and residents

  • Law Firms working with direct clients, and law firms, based in the EU

  • Forensic investigators conducting fraud investigations on Indian subsidiaries of EU companies

  • Recruitment, HR and Payroll Consulting firms analysing personal data of EU residents

  • EU based consulting firms internally bidding and outsourcing contracts obtained in the EU to their Indian subsidiary/back office.

Keeping Data Safe

Indian organizations must revisit the terms of their contracts which allow them access to personal data of EU residents. Both awareness and vigilance will be necessary prerequisites to remain compliant with GDPR. Some options to mitigate breach of data:

  1. Stringent non-disclosure terms and strict confidentiality agreements with all senior employees are a must. Ideally these should be locked in with their employment agreement.

  2. Employees should have access to such data in accordance with their assigned role and responsibilities. Sharing or providing access to information should be only on a need-to-know basis, as at times critical personal information is shared with other employees or third-party vendors without realizing the consequences of such actions. Therefore, it is important to have in place back-to-back confidentiality agreements with all those with whom personal data of EU residents is to be shared.

  3. An organization must have an IT policy in place to further secure such data when an employee is serving his or her notice period, giving that employee limited or no access.

  4. Ex-employees may attempt to access information by connecting with unsuspecting employees. Ensure that data confidentiality is stressed to all employees during attrition.

  5. Invest in and maintain a reliable encrypted backup and storage system. Indian companies that control information about EU individuals must audit their data storage integrity and archive access policies, while ensuring they have access to all necessary data when needed.

  6. Use of portable storage media must be prohibited unless critical, and where it is permitted it should be monitored and supervised. SD cards easily hold 512GB and go unnoticed.

  7. Random audits of data security procedures and processes may be undertaken to monitor system integrity, especially during a change in the IT department or a major migration of data or software.

  8. Lastly, provide regular training for employees so that they understand the scope of GDPR, what it entails and its implications for the company, especially in case of non-compliance. Employees must be made aware of the consequences of mishandling or mismanaging digital data.

Indian organizations must provide comfort to EU clients that they're committed to complying with GDPR regulations, that data with them is securely stored, and that data rights under GDPR are respected. These include an EU resident's right to:

  • withdraw consent for the use of their personal data at any time

  • access their personal data

  • know the nature of the data

  • object to how the data is used.

GDPR Compliance

  • Map and Audit Data Flows

To remain GDPR compliant, all entities in India, irrespective of their size, will need to take stock of the data they store about EU residents. To do this they must keep track of where and when they use such data. In the event an EU resident seeks information pertaining to their personal data, its storage and the purpose for which the said data is used, Indian firms must be able to share such information with ease, transparency and clarity.

  • Stronger Data Control and Collection

GDPR tightens the privileges of consent when acquiring data from customers. Indian companies falling within the ambit of GDPR may consider appointing a Chief Data Officer to manage how they receive, control, collect, store and archive data of EU residents.

  • Compliance with Local Indian Laws

Indian companies, while developing compliance to GDPR, must not ignore compliance with India's cyber laws too, for which Legal and IT will need to work together.

Opportunity

Although continuous efforts will be needed to remain GDPR compliant, SMEs should view this as an opportunity rather than a hindrance. Being GDPR compliant provides a USP for a service provider to differentiate itself and acquire more business from the EU.

Shaninder Singh Pahwa

COO, Alea Consulting

Mr Pahwa is the COO of Alea Consulting, India’s first home-grown Risk and Fraud Mitigation Consulting firm

 
