Decoding Europe’s new data protection law


The European Union’s (EU) General Data Protection Regulation (GDPR) came into effect on May 25, 2018. However, many firms in India are still not ready to comply with the new law, which will cover all entities doing business in the EU.

GDPR journey

  • A lot of organisations, especially in the EU region, started their GDPR compliance journey more than a year ago.
  • It is only in India that awareness is very low and organisations are still grappling with how to get compliant with GDPR. Compliance is not easy… It is not a one-time job… it impacts not only technology but all aspects of organisation per se.
  • Only 30-35% of all IT/ITES firms had started work towards being GDPR-compliant.
  • A lot of organisations still don’t understand how this is applicable to them.
  • It is not just IT and ITES companies. Firms across sectors and industries need to be GDPR-compliant.
  • Any organisation providing goods and services in the EU, be it a BFSI unit, a manufacturer, a pharma company…, comes under GDPR.

Transform the privacy landscape

  • This regulation will radically transform the privacy landscape for organisations of all sizes and sectors that process personal data.


  • GDPR not only impacts Indian organisations, but also global firms that handle or manage PII for EU employees, vendors and businesses.
  • A lot of focus is on the IT/ITES firms as they contribute about 7% to India’s GDP.
  • There are areas where GDPR provides relief and consistency. However, it also comes with very stringent penalties for non-compliance.
  • The impact on SMEs and start-ups is a cause for concern, as they may struggle with several areas that render it costly for processors.
  • These include appointing a data protection officer in organisations, the concept of privacy by design (encryption) and by default (processing the minimum amount of data), new privacy rights for individuals like the Right to Erasure and Right to Data Portability, and new consent rules which require consent for different activities from different stakeholders, including employees and customers.

Need of the hour:

  • Companies need to build robust processes and assign responsibilities and accountabilities to address data protection and privacy-related issues and queries, and to meet the GDPR requirements. Data protection in some form was always there, especially in the U.S. and EU. However, GDPR is a more stringent form of earlier regulations. So, companies have been following certain processes already; they now need to take it to the next level. The real impact of this on business will become clear only one or two quarters down the line and will depend mainly on issues of non-compliance and the supervisory authority’s consideration.

Implementation Factor:

  • The cost and time of implementing the required policies and processes will depend on various factors such as the maturity level of the organisation, the size of the data handling, global presence, customer, employee and vendor base in the EU, and business model. While implementation can take anywhere from six months to a year or more, the cost can vary widely from organisation to organisation.

‘Positive impact’

  • GDPR will have a positive impact on the way data is treated globally by the companies. It is difficult for global companies to segregate data and systems in an integrated world.
  • GDPR will provide a benchmark of how data protection may be treated. GDPR also gives a sense of comfort to the data subjects and enforces clear purpose, transparency of data when any data controller or processor collects, processes, stores, disposes and archives their personal data.
  • The new law is termed “a tectonic shift in the global privacy paradigm”; it would herald a new era in consumer trust.

Challenges Ahead:

  • Globally, the increasing number of cybercrimes has made it imperative for companies to keep pace in hiring the right talent to combat them. Therefore, companies across the world are gearing up to ensure compliance with General Data Protection Regulation (GDPR) and ePrivacy requirements. While the larger technology giants are more or less equipped to comply, it is the mid-size and smaller firms that are seeking professionals to help them cope with the requirements the new laws entail.


This is a golden opportunity for India to drive thought leadership in the global market. We can build expertise and capabilities, create new lines of advisory and consulting businesses, develop a market differentiator and be a source of competitiveness.

