As the General Data Protection Regulation (GDPR) comes into effect in the European Union countries this week, Indian enterprises with business interests in the region are working overtime to keep pace. While IT services companies, for whom Europe is the second-largest market after North America, have been preparing for long for the GDPR regime, cloud-based software service providers have taken an extra step by making their products and platforms GDPR-compliant not just for the European customers or region but for all.
The GDPR has definite ramifications for Indian Internet and technology firms that have customers living in the EU. But, for now it is the SaaS (software as a service) companies such as Freshworks (formerly Freshdesk) and Eka Software that have made their entire platforms compliant with the new law for customers across the globe.
“We have made our entire platform GDPR-compliant. Though this law applies to European companies and customers, we have a lot of customers who may be based in the US but they have operations in Europe,’’ said Manav Garg, founder and CEO of Eka Software, a commodity management software solution provider.
–– ADVERTISEMENT ––
“We know that sooner or later, the privacy law like the GDPR will come into force everywhere. Why not comply with such best practices now itself instead of waiting,” Garg said.
Similarly, Freshworks, which provides cloud-based business software, has also made itself completely GDPR-compliant wherever it operates. The Chennai-based company started its GDPR process about a year ago by putting together an internal taskforce. “Because we are a data sub-processor, we might be dealing with an American company which might have European citizens as its customers. In such a case, our customers also become compliant under the GDPR,’’ according to Gaurav Kulkarni, program manager at Freshworks. The idea is to offer uniform features to the entire customer base without dividing things by region.
Most companies in the B2B Saas space have approached the GDPR in the same fashion so that they won’t have to look at different privacy policies for different customers.
In case of large Indian IT services companies such as Tata Consultancy Services, Infosys and Tech Mahindra, most of them are already compliant with the new European data privacy law. Now, they are also ensuring that their vendors and suppliers comply with it.
India’s largest IT services company, TCS, for instance, has set up a new unit to ensure compliance with various data privacy regulations including GDPR, and also has global privacy policy covering all applicable geographies and areas of operations.
It has launched enterprise-wide online training, educational tools, social media and other awareness initiatives regarding data privacy and protection as well as GDPR.
Among others, Tech Mahindra is engaging with its Israel-based cyber security unit to work towards GDPR compliance and helping vendors and clients adopt the same. Companies ranging from Wipro, Infosys and L&T to Persistent and Cyient, to name a few, have all got major European clients and thus have large stakes in GDPR compliance.
Implication for Indian citizen
While GDPR is applicable in EU countries, it is not just the residents who will come under the purview of the new privacy laws but also millions of non-EU citizens who are working, studying or simply travelling through the region. This means that Indian passing through these regions will also be governed by GDPR even if they are still accessing domestic services.
“Indian companies providing goods or services to EU citizens or residents will be obligated to comply with GDPR, including financial institutions. Indian financial service providers are not obligated to GDPR unless they are providing services to EU nationals or residents or have presence in the EU region or even service EU businesses in handling their data,” said Arpinder Singh, Partner & Head- India & Emerging Markets, Fraud Investigation & Dispute Services, EY.
Last week, an IBM survey found that 76 per cent business leaders across the globe were of the view that GDPR will enable more trusted relationships with data subjects that will create new business opportunities. Only 36 per cent believed they were fully compliant.
Although international banks will have global standards for managing their data, they will also have to address country or region specific requirements of compliance or laws – such as Indian laws like the proposed data privacy and protection bill.
“Financial institutions have adopted the data segregation strategy by setting up region specific data centres and interfaces to minimise the risk of data breach and penalties. However, they need to be cautious about roaming users who use the financial services of these large organisations out of Europe,” noted Akshay Garkel, partner, Grant Thornton India.
Similarly, telecom service providers will have to regulate their service as per GDPR in case they are processing information of EU citizens. Depending upon the service or product which is utilised by the end –customer, appropriate consent has to be taken.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU law on data protection and privacy that gives citizens control over how firms utilise their personal data
When did GDPR become active?
GDPR became active on May 25, 2018, months after the final regulations were put out in the public domain, giving companies enough time to ensure their services were compliant
What is the impact of GDPR on India?
Indian firms servicing European customers such as IT, ITeS and SaaS companies, or servicing customers who do business in Europe, will have to follow the guidelines on data privacy and protection laid down by GDPR
The GDPR has definite ramifications for Indian Internet and technology firms that have customers living in the EU. But, for now it is the SaaS (software as a service) companies such as Freshworks (formerly Freshdesk) and Eka Software that have made their entire platforms compliant with the new law for customers across the globe.
“We have made our entire platform GDPR-compliant. Though this law applies to European companies and customers, we have a lot of customers who may be based in the US but they have operations in Europe,’’ said Manav Garg, founder and CEO of Eka Software, a commodity management software solution provider.
–– ADVERTISEMENT ––
“We know that sooner or later, the privacy law like the GDPR will come into force everywhere. Why not comply with such best practices now itself instead of waiting,” Garg said.
Similarly, Freshworks, which provides cloud-based business software, has also made itself completely GDPR-compliant wherever it operates. The Chennai-based company started its GDPR process about a year ago by putting together an internal taskforce. “Because we are a data sub-processor, we might be dealing with an American company which might have European citizens as its customers. In such a case, our customers also become compliant under the GDPR,’’ according to Gaurav Kulkarni, program manager at Freshworks. The idea is to offer uniform features to the entire customer base without dividing things by region.
Most companies in the B2B Saas space have approached the GDPR in the same fashion so that they won’t have to look at different privacy policies for different customers.
In case of large Indian IT services companies such as Tata Consultancy Services, Infosys and Tech Mahindra, most of them are already compliant with the new European data privacy law. Now, they are also ensuring that their vendors and suppliers comply with it.
India’s largest IT services company, TCS, for instance, has set up a new unit to ensure compliance with various data privacy regulations including GDPR, and also has global privacy policy covering all applicable geographies and areas of operations.
It has launched enterprise-wide online training, educational tools, social media and other awareness initiatives regarding data privacy and protection as well as GDPR.
Among others, Tech Mahindra is engaging with its Israel-based cyber security unit to work towards GDPR compliance and helping vendors and clients adopt the same. Companies ranging from Wipro, Infosys and L&T to Persistent and Cyient, to name a few, have all got major European clients and thus have large stakes in GDPR compliance.
Implication for Indian citizen
While GDPR is applicable in EU countries, it is not just the residents who will come under the purview of the new privacy laws but also millions of non-EU citizens who are working, studying or simply travelling through the region. This means that Indian passing through these regions will also be governed by GDPR even if they are still accessing domestic services.
“Indian companies providing goods or services to EU citizens or residents will be obligated to comply with GDPR, including financial institutions. Indian financial service providers are not obligated to GDPR unless they are providing services to EU nationals or residents or have presence in the EU region or even service EU businesses in handling their data,” said Arpinder Singh, Partner & Head- India & Emerging Markets, Fraud Investigation & Dispute Services, EY.
Last week, an IBM survey found that 76 per cent business leaders across the globe were of the view that GDPR will enable more trusted relationships with data subjects that will create new business opportunities. Only 36 per cent believed they were fully compliant.
Although international banks will have global standards for managing their data, they will also have to address country or region specific requirements of compliance or laws – such as Indian laws like the proposed data privacy and protection bill.
“Financial institutions have adopted the data segregation strategy by setting up region specific data centres and interfaces to minimise the risk of data breach and penalties. However, they need to be cautious about roaming users who use the financial services of these large organisations out of Europe,” noted Akshay Garkel, partner, Grant Thornton India.
Similarly, telecom service providers will have to regulate their service as per GDPR in case they are processing information of EU citizens. Depending upon the service or product which is utilised by the end –customer, appropriate consent has to be taken.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU law on data protection and privacy that gives citizens control over how firms utilise their personal data
When did GDPR become active?
GDPR became active on May 25, 2018, months after the final regulations were put out in the public domain, giving companies enough time to ensure their services were compliant
What is the impact of GDPR on India?
Indian firms servicing European customers such as IT, ITeS and SaaS companies, or servicing customers who do business in Europe, will have to follow the guidelines on data privacy and protection laid down by GDPR
No comments:
Post a Comment