Globally technology and internet companies are updating their user policies and asking for digital consent, across the globe, to reflect the upcoming General Data Protection Regulation (GDPR) policies that come in to force on 25th May across the European Union (EU). Analysts view this exercise as a step towards a more accountable and safer user experience for Indian businesses with EU offshoots as well, something that will come in handy while India works towards its own data protection policies.
Last week Google introduced explanatory videos to explain their GDPR compliant privacy policies while also rolling out notifications to users across the globe which left most privacy watchdogs fairly satisfied with the attempt, something that technology giant IBM has implemented globally as well.
Social media giant Facebook, however, did not receive the same response with many calling it out for rolling out EU specific terms and data policies for more than 370 million users in Europe which did not apply the same way for non-EU users whose data will be governed by Facebook's US subsidiary.
What this means for Indian users is that, while they have access to the same privacy policies on the platform, they are not governed by the same level of protection as EU users. Similarly professional networking platform LinkedIn split data governance for users between their Ireland subsidiary and US subsidiary.
Yet some organizations, especially in gaming and entertainment, are choosing to let go of their EU clients rather than update global policies. Uber Entertainment and gaming giant Ragnarok among others chose to follow this path.
Jaspreet Singh, Cyber Security Partner, EY notes,"If any organization has very little exposure to the EU region, then they should look at restricting their business. Organizations are certainly restructuring to minimize their exposure to EU. "
Moreover, it will be difficult for a lot of clients to distinguish between EU and non-EU users as that would require much more investment and it makes sense to have a global company-wide policy to cater to organization-wide needs, he adds.
“So far we haven’t read about an authoritative announcement w.r.t Indian enterprise(s) withdrawing operations/services from the EU because of GDPR. However, we have come across discussions where India based service providers are renegotiating the terms of business with their customers based in the EU,” said Manish Sehgal, Partner, Deloitte India.
While the negotiations may vary, including discussion around the personal data being received by the service provider to accountability organisation with GDPR ready systems and processes will have an advantage over its non-GDPR ready competitors, he added.
Singh highlights that Indian pharma companies that have clinical research engagements with EU citizen, hospitality chains have EU customers, internet, e-commerce, manufacturing as well as banking will have to take efforts to comply with the change. Cost of doing business will certainly change and cost of compliance will be incurred by organizations but it will eventually be helpful for the business to implement GDPR controls.
The Justice Sri Krishna committee report also talks about a lot of privacy principles that have similarity with EU GDPR and will, therefore, make sense for Indian companies to comply as a one-time exercise.
Lastly, Sehgal notes GDPR triggered change (within Indian consumers) may be limited to those interacting with or leveraging services of multinational enterprises however significant portion of consumers in India may be still unaware. Indian consumer will largely change because of the law-of-land i.e. India’s own data protection act.
Richard Hogg, Global GDPR & Governance Offerings Evangelist, IBM adds, ”There are hundreds of regulations overlapping security, data breach and retention policies etc. across the globe. What they need to do is to identify and classify data before implementing any of the policies in order to be able to accommodate multiple regulations.”