Indian Startups Aren’t Becoming GDPR-Compliant Fast Enough: Here’s What That Means for Business
Sindhuja Balaji
Europe’s newest data protection regulation – the General Data Protection Regulation – is here. This new data protection regulation compulsorily requires companies storing data of EU citizens with the highest levels of safety and protection. India, which has invested nearly $56 billion in Europe since 2003, has to now look at GDPR more closely than ever.
What is GDPR?
The rising number of Indian businesses and startups in Europe compels startup founders and businessmen to understand the implications of GDPR and begin investing in compliance measures as soon as possible. For the past 15 years, Indian sectors such as technology, pharmaceuticals and manufacturing have remained the primary cluster of overseas businesses in Europe. In the recent past, deep technology, product development and hardware startups from India have found their way to Europe owing to heightened investor interest, and most notably, the European market.
Why do Indian startups need to protect EU data?
The EU is a massive, single market comprising 500 million customers at least. Indian startups, especially those invested in deep technology and advanced technology, are witnessing a growing demand in Europe. Moreover, India’s fast-growing relationship with the EU is further bolstered by the possible EU-India Free Trade Agreement as well as multiple opportunities between India and Europe’s SMEs. With countries like Estonia, Lithuania and France rolling out incentives such as startup visas and programmes like e-residency, young Indian startups have more than one reason to consider setting up their business in Europe.
Why is compliance important?
Deepak Solanki is the co-founder of Velmenni, a hardware startup building wireless technology for high-speed data transmission through light. With operations in Estonia and India, Velmenni has a 50% client base across Europe. Solanki recently hired new data officer to look into his startup’s GDPR compliance. “Though it is tough to implement at once and creates extra expenditure for startups, it is important to be GDPR-compliant,” he said. “It creates a better image of a startup in consumer’s mind and brings more credibility. Transparency is important with clients – if consumers know how their data is being used by startups, it develops trust, which is critical for the growth of a startup like ours.”
However, Solanki is probably one of the few startup founders in India with a growing business presence in the EU who has invested in GDPR-compliant measures for his company. Experts believe not too many startups have initiated the process of compliance. According to Arpinder Singh, partner and head-India and Emerging Markets, Fraud Investigation and Dispute Services at EY, very few startups will be GDPR-compliant as it requires a significant investment. Although developing a mechanism around data protection is time-consuming, Singh recommends that the startup ecosystem should begin their compliance process soon in order to avoid fines.
What is the punishment for non-compliance?
Non-compliance can attract fines up to 4% of a company’s annual turnover or $20 billion. Such hefty fines can be disastrous for startups, especially early-stage ones. According to Praveen Paranjothi, founder of the Startup Europe India Network, Indian startups will now have to place data management at the core of their business models, not consider it an after-thought. “Indian startups will have to prioritize managing, handling, sharing and processing user data at the highest level. India, being an emerging startup hub for European clients, has to play at the international level on equal footing,” he says.
Paranjothi believes Indian startups, especially in the technology, SaaS and B2B sector, are well positioned to capitalize on opportunities in Europe, and incurring GDPR compliance and related infrastructure costs is a necessary step ahead. The Startup India Europe Network, which functions as a technology corridor between India and Europe, is working with multiple early stage ventures-right from guiding them on GDPR compliance to helping large companies appoint data security officers.
When will Indian companies be ready?
Interestingly, there has been an upsurge in the demand for cybersecurity jobs, especially in small size companies, between January 2017 and March 2018, according to job search portal Indeed.com. Sashi Kumar, managing director, Indeed India, said, “Companies across the world are gearing up to ensure compliance to General Data Protection Regulation (GDPR) and ePrivacy requirements. While the larger technology giants are more or less equipped to comply, it is the mid-size and smaller firms that are seeking professionals to help them cope with the requirements the new laws entail.” Data from Indeed shows that Bangalore is leading the way in the demand for cybersecurity jobs with 36%, followed by Mumbai at 17% and National Capital Region at 12%.
Surendra Singh, country director of global cybersecurity firm Forcepoint says, “There is a greater amount of urgency among Indian businesses around the regulation, the processes they need to follow and the technology tools that are required to protect the personal data. From discussions at various cybersecurity conferences with IT leaders, many are realizing that the reach of GDPR is broader than the EU countries but they are still grappling with visibility of data and its security.”
While May 25th, 2018 was the deadline for businesses to become GDPR-compliant, Singh says compliance is an ongoing process and organizations need to continually adjust and improvise security measures.