GDPR: What every company that does business in Europe needs to know
#GDPR, or the General Data Protection Regulation, which came into effect last year in the European Union (EU), is significant proof of the growing concern about personal data protection. Simply stated, #GDPR is a set of revised rules that promise to give individuals tighter control over their personal information and any data relating to it.
But does it only affect European organizations?
In this digital age, and with the rate at which cross-border transactions are growing, protection of data has indeed become an issue worth paying close attention to. For the very same reason, the impact of GDPR does not remain confined to the EU. Organizations based elsewhere in the world but doing business in Europe are equally roped in.
Impact of GDPR
GDPR has extra-territorial application and thus applies to entities situated outside the EU with regard to the personal data of persons in the EU in relation to the offering of goods or services to such persons. The regulation states that when the personal data of people living in the EU is transferred to non-EU countries, the GDPR's data protection safeguards go with that data.
Thereby, all foreign entities that either determine the purposes and means of processing the personal data of EU residents (controllers), or process the data on behalf of a controller (processors), become subject to GDPR. GDPR is therefore likely to have a significant impact on technology and data processing companies operating globally in sectors such as information technology, international e-commerce and outsourcing.
However, complying with GDPR comes with its own set of challenges for businesses. Here is a list of challenges witnessed across some parts of the globe: [1]
Weak #data #protection laws across regions other than the #EU: Take for example some of the Asian countries, where outsourcing has been a big employer and business. India's outsourcing industry, which is estimated to be worth over US$ 150 billion, contributes nearly 9.3% of the GDP. The EU has been one of the biggest markets for the Indian outsourcing sector, and India's relatively weak data protection laws make the industry less competitive than other outsourcing markets in this space. Vietnam, another country that has very recently enacted a data protection law, is hugely invested in ITeS outsourcing. The industry is growing with the rise in the number of English-speaking people, yet there are still a number of ambiguities regarding the law on data protection.
Cost implications and #crossborder #restrictions: Largely inflexible, the GDPR reduces the extent to which businesses can assess risks and make their own decisions when it comes to transferring data outside the EU. Companies operating outside the EU need to implement sufficient safeguards, as required under the GDPR, in order to transfer personal data outside the EU, thereby further increasing compliance costs.
Greater risk of #penalties and #litigation: Article 3 (Territorial scope) of the GDPR makes it clear that the regulation applies regardless of whether or not the processing takes place in the EU. This means that companies operating outside the EU region that do not comply with the GDPR face either no EU business or increased compliance costs, and run the risk of huge penalties on failing to stick to the regulation.
What does it mean for organizations outside the EU?
For entities doing business in the EU, GDPR compliance may lead to significant changes and alterations in their privacy policies, their arrangements with their European counterparts and their data protection systems, to bring them in line with the regulation.
Whilst it may considerably increase compliance costs and complexity, particularly for smaller and mid-sized organizations, it does come with its own set of benefits too.
In order to comply with the regulation and stay away from the clutches of the law, these firms will have to rewrite and tweak their privacy policies, which in turn will only help these companies make themselves more cyber secure.
These firms will also have to adopt more stringent data management guidelines, and thus will carry out a thorough audit and clean-up of their existing data, thereby greatly enhancing the quality of that data.
Because of the stricter policies and better quality data, they will be able to promote trust within their customer base, and therefore have more loyal customers in the long run.
Since companies will now be able to connect only with those who are really interested in their services and products, the ROI on their marketing and promotion expenses should greatly increase.
So, how does one prepare to comply?
Whether a bane or a boon, GDPR is here to stay! And, no matter what, one will have to comply with the regulation to be able to remain in business. But how do we get there?
The first step should be to embrace these changes and make all the internal stakeholders aware of what it entails for the organization.
One should review and update all of the organization's data protection and privacy policies in line with the law.
One should ensure that none of the policies infringe the rights of individuals when it comes to recording, storing and sharing their personal data.
Imparting proper training on data privacy to the staff will help, and, if required, appointing a #data #protection #officer to fully align the company's practices with GDPR will surely help as well.
Investing in tools and technologies that will help the company to be GDPR compliant will benefit it in the longer run.
This said, governments the world over might come up with their own versions of a data protection regime, which in turn may pose another set of challenges and opportunities. We are already witnessing this. So while one may move swiftly towards becoming GDPR compliant, keeping track of developments around the world in this regard is the key to fully future-proofing your organization.
[1] PwC's submission on CyberSecurity law in India