GDPR Presents Golden Opportunity for Indian Fintech Industry
Ram Rastogi
Digital Payments Strategist; Real Time Payments - IMPS / UPI; Financial Inclusion; Reg Tech; Public Policy
GDPR (General Data Protection Regulation) presents a "Golden Opportunity" for India to build capabilities, create new lines of consulting business, and drive thought leadership in the global market. The GDPR is being implemented in Europe with effect from 25th May 2018. It replaces the 1995 Data Protection Directive. Until now the Data Protection Directive set the minimum standards for processing data in the European Union; those standards were quite basic and hence needed to be made more stringent. The GDPR implementation promises to strengthen a number of rights that users will have over companies that rely on their data. Post-GDPR, individual users can demand that companies like Facebook, Google and WhatsApp reveal or delete the personal data they hold. It is also a pan-European Union regulation that, for the first time, lets regulators work together across the EU. Earlier, regulators had to launch separate investigations in each jurisdiction, which often gave companies loopholes to exploit and made enforcement tough. Fines for breaching GDPR can reach as high as 20 million Euros or 4% of the company's global turnover. This is harsh for many companies and tech start-ups and will ensure that individual data protection compliance is kept at the highest priority by these companies. Though GDPR is a European law, it will also apply to an Indian organisation if that organisation provides goods or services to persons in the European Union (EU), i.e. EU data subjects, or monitors their behaviour within the EU. An Indian organisation can act either as a controller (i.e. determine how and why data needs to be processed) or as a processor (i.e. process data on behalf of a controller). GDPR prescribes specific obligations and penalties in both cases.
GDPR protects the 'personal data' of EU data subjects, such as name, email, address, IP address, location data, genetic and biometric data, online identifiers, etc. This data could belong to employees, customers, vendors or business partners of an organisation. Stricter protection is granted to sensitive categories of data, such as political opinions, religious beliefs, trade union membership, racial or ethnic origin, etc. Indian companies falling within the GDPR ambit will need to provide new rights to EU data subjects going forward. These include: the right to be forgotten, the right to erasure of personal data, the right to rectify data, the right to data portability, etc. GDPR prescribes detailed obligations and responsibilities for controllers and processors. Some critical ones include:
A. Controllers will now need to implement appropriate technical and organisational measures to ensure and demonstrate that they comply with GDPR, such as appropriate data protection policies, pseudonymisation, encryption, and privacy by design and privacy by default at the time of product development and implementation, etc.
B. The contract between controller and processor for the processing of personal data will need to incorporate GDPR requirements;
C. Controllers and processors outside the EU will need to designate a local representative in the EU, and in certain cases a data protection officer, which will mean additional compliance and costs for Indian companies;
D. Consent sought by controllers from data subjects should be clear and explicit. Pre-ticked consent boxes/implied consent will not work under GDPR. Opt-outs must be explicit;
E. Records of processing must be maintained if an organisation employs more than 250 persons;
F. Data breaches must be notified to authorities within 72 hours, and to data subjects without any undue delay;
G. Cross-border data transfers to third parties / countries will need to satisfy a level of protection adequate under GDPR. India is not a notified (adequate) country as yet.
Penalties and risks for non-compliance?
The penalties under GDPR are significant. For non-compliance with customer consent requirements, data subject rights (discussed above), cross-border data transfer requirements, etc., the monetary penalty could be the higher of 4% of annual worldwide turnover in the preceding financial year or EUR 20 million. For non-compliance by controllers and processors with their other obligations under GDPR, the fine could be the higher of 2% of annual worldwide turnover in the preceding financial year or EUR 10 million. These could have significant financial implications for any organisation doing business in Europe. Additionally, there is also reputational risk and the risk of losing EU clients/customers if an Indian organisation is not GDPR compliant.
Key Takeaways for Indian Organisations:
Privacy has taken centre stage in the digital era, as is evident from the recent Facebook - Cambridge Analytica controversy. The EU is a significant market for the Indian IT/BPO/tech industry. Therefore, GDPR compliance has become a priority for all Indian organisations doing business in the EU. Indian companies can assess the following for immediate compliance:
A. Conduct an assessment of the personal data in their systems, and review privacy policies and contracts to ensure that they are GDPR compliant;
B. Assess the source of EU data, how it is stored, and whether security measures are in place;
C. Assess whether consent as per GDPR requirements was taken for the collection of personal data; if not, reach out immediately and procure consent before 25 May 2018;
D. Ensure that you have systems to enable the new data subject rights of individuals, including how you would delete personal data.
India has evolved to become a technology hub equipped with deep expertise, and GDPR could be an opportunity for Indian Fintech companies to stand out as leaders in providing privacy-compliant services and solutions.
Global Payments Business | Expertise in Omnichannel Strategy - Retail, Platform and Digital | Fintech | C Suite Sales Leadership | Strategy | Growth CEO
6 years ago
Do agree. Another opportunity for the industry. But they need to strike pretty quickly to seize the initial moment, when companies here in Europe are struggling to respond appropriately.