GDPR Impact on Indian IT — (6 of 6) Financial Impact

Sreekanth Nemani
ASSERTION

--

Over the last few years, the European market for Indian IT has been growing at three times the rate of the US market. Many Indian IT companies derive between 10% and 30% of their market and revenue from Europe, and that share is growing at 2–3% year-on-year. For example, Wipro had 9.8% Y-o-Y revenue growth from Europe against only 2.8% Y-o-Y revenue growth from the US in 2017. The numbers are similar for other IT bellwethers like Infosys, TCS, and Cognizant.

This is why we need to pay attention to the radical new EU regulation, called the GDPR (General Data Protection Regulation), which will be effective from May 25, 2018.

What is the impact of GDPR on Indian IT?

How can Indian IT get ready for GDPR?

In a series of articles, we shall attempt to shed light on the most impactful aspects of GDPR for Indian IT.

This article is the sixth and final in the series on ‘GDPR Impact on Indian IT’ and outlines the ‘Financial Impact’ on Indian IT companies that will be considered as ‘data processors’ under GDPR.

Who is liable?

In most scenarios involving digital services, there is a company that deals with the customers and collects and maintains their data, called the data controller, and there are other companies that actually process that data, called the data processors. Many Indian IT companies are involved in some form of processing of EU residents’ data.

If a data breach or a violation of any of the other clauses occurs, the GDPR firmly states that all the parties involved (both data controllers and data processors) are liable.

Article 82(4): Right to compensation & liability

“Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.”

Indian IT firms handling EU personal data can be drawn into litigation if there is a data breach anywhere in the full chain of data controllers and processors, not only at their own end. This presents a huge risk for all the companies in that chain.

Financial Impact — Regulatory Fines

In a scenario where a data breach has occurred at some point, either at the data controller or the data processor, the victims of the data breach have legitimate claims for compensation for their loss. Compensation under GDPR is a right of the victim and is highly enforceable.

The regulation lays out two categories of fines.

Under Article 83(4), administrative fines of up to €10 million or 2% of the global turnover of the enterprise (whichever is higher) can be levied. This fine applies to violations of the following sections of the regulation:

  • Child consent for information society services.
  • General conditions relating to data protection, data processors, records of processing activity and cooperation with supervisory authorities.
  • Data security issues relating to processing, and data breach notifications to the supervisory authority and to victims.
  • Data protection impact assessments and consultation.
  • Data protection officers’ designations, positions and tasks.
  • Codes of conduct and certification.

So, for example, if the enterprise fails to notify the authority within 72 hours of detecting a data breach, or if it does not inform the affected victims about it, it can be fined under this section. It could also face this fine if it has not performed data protection impact assessments of its infrastructure, if it has not had its organization certified by a recognized authority, or if it has not appointed data protection officers of sufficient rank or designation.

The second category of violations is considered more severe, so the fines are doubled to €20 million or 4% of the global turnover of the enterprise (whichever is higher), under Article 83(5). This category primarily relates to violating the clauses that give EU residents rights over their personal data. A brief list of the clauses whose violation attracts this fine:

  • Principles relating to the processing of personal data, the lawfulness of the processing and meeting the conditions of consent for processing.
  • Rights of an EU resident relating to transparency of information, and the mechanisms and modalities of communication for exercising those rights.
  • Rights of an EU resident to access, rectify and erase personal data, to be notified of the same, and to port their personal data.
  • Rights relating to profiling and automated processing.
  • Principles regarding transfers of data to other countries, and the safeguards, authorizations and binding corporate rules relating to those transfers.

So, for example, if an Indian IT firm receives personal data that is not necessary for the data processing it does, it can be fined under this category. Likewise, if an EU resident is not provided with a mechanism to remove or correct their personal information, or if that information is used to build a profile and perform automated approval or rejection of a loan without their consent, the firms involved can be fined under this category.

Financial Impact — Damages & Compensation

The affected data subjects can also claim compensation and damages, independently of the regulatory fines mentioned above. Such claims can be brought against both data controllers and data processors, and can be filed either in the country where the person resides or in the country where the controller or processor has an establishment.

Such action can also be taken by non-profit public interest organizations on behalf of the subjects. For a multinational enterprise suffering from a data breach (especially due to negligence or inaction), this can mean multiple lawsuits across Europe and huge financial impact.

Financial Impact — Costs

Considering the scope and scale of the risk that IT firms face, there is a large amount of process and systems re-architecture that these firms need to undertake to get ready for May 2018. This will be a capital cost, spent on securing systems, consulting, training and hiring.

Using automation will significantly help reduce some of these costs, and will keep the recurring costs to a minimum.

It will bode well for the Indian IT firms to remember — “Compliance is not a cost, it is a competitive advantage”.

Security & compliance automation expert. Principal Analyst & Product Mgmt Dr. at Assertion. Ex-Avaya & VoIP. Many patents, research papers and published articles.