GDPR Impact on Indian IT — (4 of 6) Increased Risk to Processors & Sub-processors

Sreekanth Nemani
ASSERTION


Over the last few years, the European market for Indian IT has been growing at three times the rate of the US market. Many Indian IT companies derive between 10–30% of their revenue from Europe, and that share is growing at 2–3% year-on-year. For example, Wipro had 9.8% year-on-year revenue growth from Europe in 2017, against only 2.8% year-on-year growth from the US. The numbers are similar for other IT bellwethers such as Infosys, TCS, and Cognizant.

This is why we need to pay attention to the radical new EU regulation, the GDPR (General Data Protection Regulation), which takes effect on May 25, 2018.

What is the impact of GDPR on Indian IT?

How can Indian IT get ready for GDPR?

In a series of articles we shall attempt to shed light on the most impactful aspects of GDPR for Indian IT.

This article is the third in the series on ‘GDPR Impact on Indian IT’ and outlines the impact of the ‘Increased Risk to Processors and Sub-processors’ clauses in the regulation.

GDPR on subcontracting by processors

When a data controller contracts processing out to a data processor, which in turn subcontracts it to another processor, every additional party in the chain introduces potential data security vulnerabilities into the system. GDPR lays out clear guidelines on the responsibilities of processors and controllers in such scenarios.

Data processors under GDPR have duties towards the controllers, including:

  • Processing data only as instructed by the controller,
  • Using technical and organizational measures to comply with GDPR, and
  • Deleting or returning data to the controller once processing is complete.

GDPR also prohibits processors from enlisting sub-processors without the consent of the data controller. Controllers retain the right to object to the addition or replacement of any sub-processor.

Sub-processors are subject to the same obligations under GDPR as the primary processor.

What this means is that subcontracting will need to become far more transparent than it is today. An enterprise that controls user data needs to be aware of every single processor and sub-processor in the data flow, and its contracts with each of them will need to carry the necessary GDPR obligations in a binding form.

Impact on Indian IT firms

The most direct and significant impact is on the outsourcing model that is common in Indian IT. Any work that is further outsourced to a sub-processor will need prior consent and approval from the European customer. So if a local firm is engaged as a subcontractor for specific tasks for financial or logistical reasons, customer approval will be required, and there may be a relationship or commercial impact as a result.

If non-compliance is established after a data breach, liability is assigned by determining the cause, and the data processors are included in that assessment, not just the data controller.

So a breach at the sub-processor will affect the controller, the processor and the sub-processor to varying degrees, unlike the current scenario where the regulatory burden falls purely on the data controller. This is a dramatic shift in risk exposure for many Indian IT companies: until now they were answerable only to their customer in the EU, but that is about to change. Once GDPR comes into effect, Indian IT firms contracting with EU customers, or subcontracting from other firms that contract with EU customers, and processing the personal data of individuals will also be directly answerable to the EU regulators.

Sreekanth Nemani
Security & compliance automation expert. Principal Analyst & Product Mgmt Dr. at Assertion. ex-Avaya & VoIP. Many patents, research papers and published articles.