GDPR and India’s Right to Privacy: Implications for Indian businesses

By Devanshi Kothari


The new EU General Data Protection Regulation (EU GDPR) will come into effect on 25 May 2018. This regulation stipulates that any and all businesses within the European Union, or dealing with the EU, will have to comply with GDPR. This will make all such businesses liable to protect any data that is categorised as “personal”. For Indian businesses, this can be a serious setback, as the EU is India’s largest trading partner.

Simply put, data privacy is obtaining the consent of the individual to collect personal data, being transparent as to why it is being collected, and deleting it when consent is withdrawn. A fine line separates implicit consent (withdrawing) and explicit consent (allowing). Protecting data involves active steps to prevent breaches and leaks.


What challenges does the EU GDPR pose for India?

The EU GDPR is a legally binding regulation, not a directive, and it brings service providers directly under its purview. It also affects Indian companies that have expanded or plan to expand internationally, such as SBI and Flipkart. Since the EU has been one of the biggest markets for the Indian IT/BPO sector, the Indian government has been concerned about the potential implications this will have for its national security policies, business opportunities and trade. Due to the differences in regulatory practices, the legal parameters have been ambiguous, which makes compliance more complex and difficult to achieve. The Indian government has concerns with regard to the following issues:

  • The Indian IT/BPO industry requires an increased free flow of data to be transferred from the EU.
  • The regulation will limit EU companies’ outsourcing options, which will result in obvious opportunity losses for businesses in India.
  • India’s relatively weak data protection laws make India less competitive as an outsourcing market in this space when other economies are updating their regulatory practices to ensure seamless inter-state operability.
  • Largely inflexible, GDPR reduces the extent to which businesses can assess risks and make decisions when it comes to transferring data outside the EU.
  • The regulations target service providers directly, who will have to face high costs such as investing in “cyber insurance” whilst adopting new technology. Non-compliance will result in severe penalties.

India’s Right to Privacy

In a landmark judgement announced on 24th August, 2017, the Supreme Court of India declared that the ‘Right to Privacy’ is a fundamental right that is applicable to all 134 crore citizens of India. This decision encompasses all aspects of civilian life under its purview, from sexual autonomy to data proliferation.

The Indian government, having recently undertaken a gargantuan digital transformation journey of going cashless and paperless, is collating citizen biometric data through ‘DigiLocker’ for the ‘Aadhaar’ scheme. It is also developing an e-governance platform called ‘Digital India’ and a cashless delivery service under ‘IndiaStack’. The consecutive implementation of demonetisation and the Goods and Services Tax will require all businesses to maintain electronic invoices online. The government will have to tighten its security practices and enforce greater compliance by all web applications that offer digital transaction services. By drawing upon the regulatory practices of GDPR, India could develop an over-arching data protection regime that would extend to all government and business practices, as this will only boost growth in the long run.


What is the way forward?

When it comes to designing data protection for businesses in India, the stakes are high, emphasizing the need for businesses, organizations and governments to adopt comprehensive data protection practices at all levels. This can be ensured through the following ways:

  • A risk-based approach to data privacy can significantly reduce the potential of non-compliance violations or a breach.
  • Adoption of smart, cost-efficient ways to address cyber security.
  • End-to-end encryption to ensure compliance.
  • A provision for Indian citizens to claim penalties if businesses fail to obtain clear consent.
  • Distinguishing between personal and sensitive data. Individual names and email IDs are personal but freely available. However, a person’s sexuality, race, net worth or investment decisions are sensitive data which require stronger protection.
  • Clear rules regarding portability of customer data: what can or cannot be shared with or without consent.
  • Professional training for employees to acquire specific skill sets to develop a stronger data protection regime.

GDPR is an excellent opportunity for India to update its regulatory practices and effectively implement the fundamental right to privacy. The IT/BPO sector should use this as a stepping stone to move up the value chain by strengthening its automation portfolio and making the industry more competitive in the global market.


About the author

Devanshi Kothari is a member of the Information Services team at MitKat and is studying Global Affairs at Jindal Global University.

Disclaimer: Any views or opinions represented in this blog are of the author and do not represent those of MitKat. Any views or opinions are not intended to malign any religion, ethnic group, club, organization, company, or individual.

Published On - Jan 2, 2018

