GDPR: Tech startups, fintech companies with EU exposure to feel the pinch first


As the European Union (EU) prepares to implement strict data privacy laws from May 25 to protect its citizens, consumer-driven Indian firms with exposure to the EU, especially technology startups, fintech companies, and IT services, may feel the impact first, say experts. “Consumer-driven companies that have exposure to the EU, in areas like IT services and fintech, that support the banking and other regulated sectors, are likely to be affected first, and have to comply,” said Shree Parthasarathy, National Leader – Cyber Risk Services, Deloitte. However, he added that Indian consumers and regulators may not feel a strong impact from the General Data Protection Regulation (GDPR) immediately.

GDPR aims to strengthen and protect the data of individuals within the EU and also deals with the export of personal data outside the region. The laws are relevant due to rising instances of data breaches, with the latest involving social media platform Facebook, where the data of around 87 million users globally, including over 5.6 lakh Indians, was accessed without authorisation by British political research firm Cambridge Analytica through its app.

Parthasarathy said GDPR will have the greatest impact on companies with operations in Europe and those that handle vast amounts of customer or client data.

Parthasarathy pointed out that areas like life sciences, the manufacturing sector and government entities will find it much harder to comply with the GDPR in time for May 25, when it comes into effect. Kroll, a New York-based corporate investigations and risk consulting firm, also corroborated that IT companies with exposure in Europe will be impacted the most. Further, it indicated that the significant fines GDPR stipulates for companies that do not comply with the law will be a concern.

Flouting the GDPR could attract fines of up to 20 million euros or four per cent of a firm’s global turnover. Reshmi Khurana, Managing Director and Head of Investigations and Disputes, South Asia, Kroll, said it remains to be seen which regulator will oversee compliance with the law, which companies will be up for scrutiny in the first generation (probably European firms and those handling data from Europe inside or outside Europe), and how the checks will be delivered and fines levied.