The Indian IT and BPO industry faces a regulatory “tsunami” in the European Union, and could face harsh fines if it fails to meet a May 2018 deadline to comply with data security stipulations.

The General Data Protection Regulation (GDPR), set by the EU, gives individuals extensive rights over personal data relating to them, including the right to know how it is used and to have it erased. This will have far-reaching implications for firms that directly or indirectly handle the data of individuals.

Businesses and organisations that serve the region must bear this in mind while handling the data of people or data ‘subjects’ — as the regulation, which will come into force on May 25, 2018, refers to them.

This imposes a huge compliance burden on Indian firms that deal with the data of people in that region. Firms will have to comply with the provisions even if they don’t deal with the data directly but process it on behalf of a company that does business in the EU.

Eli Zilberman Caspi of Israeli cyber security consultancy firm Konfidas says, “It’s like a tsunami coming in” but no one is taking notice of the danger.

“Its magnitude is misunderstood. It is quite a task to identify the data asset (that falls under the regulation space) and assess what part of it is private data. Making every employee in an organisation aware of the requirements is important,” he told BusinessLine.

Caspi was here to attend a two-day international conference on cyber security.

“It is the responsibility of firms that do business in the EU to ensure that the companies they engage in executing the business comply with the norms. If you are not compliant, you could face harsh fines,” he said.

What the regulation says

The regulation, passed by the European Union in 2016, gave a two-year deadline for enforcement. Under its provisions, individuals will have the right to check how their data is used and whether it is being used lawfully. They will have a right to ask for its removal, Caspi said.

Fines for non-compliance are tiered: up to €10 million or 2 per cent of the firm’s worldwide annual turnover for lesser infringements, and up to €20 million or 4 per cent for the most serious ones, whichever figure is higher in each case.

However, CP Gurnani, former Chairman of Nasscom and CEO of Tech Mahindra, says, “It shouldn’t be a problem. The Indian IT industry in general and Tech Mahindra in particular, understand the importance of compliance.”

He sees no Y2K-like urgency in this issue. “I don’t think it’s an avalanche. It will happen over a period of time, in phases,” he noted.

“Do not hold data unless processing it is necessary for the performance of a contract,” advises Caspi. “Don’t hold data unless it is necessary to fulfill a legal obligation. Don’t allow data access to an employee unless it is necessary to perform the contract.”