GDPR intends to give citizens of the EU greater control over their personal information.
BENGALURU: The General Data Protection Regulation (GDPR), set to be rolled out on Friday, has serious business implications for many Indian companies dealing with clients in the European Union (EU). But readiness to comply with the European data law has been a mixed bag among startups.
The law intends to give citizens of the EU greater control over their personal information. It restricts and reduces the automated processing of personal data without user consent, even if it is publicly available data. GDPR requires companies to honour an EU citizen’s request to access and delete his/her personal data that is with the company. It also gives citizens the right to opt in to and opt out of any service they have subscribed to.
By bringing in complex regulatory mandates, this has proved tricky for many Indian startups offering services to EU clients.
“While a few (startups) have taken steps to start compliance, there are many startups just beginning to take stock of the regulation,” said Nehaa Chaudhari, public policy lead at TRA law. Chaudhari also pointed out that there isn’t absolute clarity on how many provisions of the GDPR may be interpreted, and these are likely to be contested in the courts.
“Most of the large companies because of their scale have the flexibility because of which they can comply with these norms. Whereas SMEs and startups are still struggling to comply as it kicks off (on May 25),” said Gagan Sabharwal, senior director, global trade development, Nasscom.
The costs involved in becoming GDPR compliant are quite significant, which acts as a drawback for cash-starved startups.
Depending on the nature, severity, and duration of a data breach, companies not in compliance with GDPR may face heavy fines — amounting to as much as 4% of annual global revenue.
“Generally speaking on a scale of 1-10, large companies are at about 8 or 9, the SME and startups would be around 4 and 6,” Sabharwal said.
Startups that ET spoke to said that they had taken stock of the shortcomings and had started work quite a while back. “We’ve had to add a lot of features for users to be able to delete their data, export their data etc. It took us two weeks of engineering and work with lawyers to get the policies in place,” said Nischal Shetty, founder of Crowdfire, a social media management platform, adding that for a medium-sized company this effort would end up costing anywhere from Rs 25-50 lakh depending on the complexity of the product.
“Bringing any kind of change in the core architecture is time consuming, labour intensive and costs a lot,” said Shailendra Singh, CISO of Capillary Technologies, estimating the compliance cost between Rs 10-15 lakh. The firm has been evaluating its processes since last October.
“For instance, the major thing we worked on is the data retention policies as recommended by EU GDPR. This was the major activity we had. Once a user says I do not want to have any association with you, there needs to be a mechanism for you to be able to do that… We have strengthened the processes around it,” Singh said.
SaaS giants Zoho and Freshworks started serious work on GDPR back in July last year. “We made an inventory of our data, mapped our data flows across the organisations and documented that,” said Andrew David Bhagyam, lead – privacy operations & management, Zoho.
“We work to follow the principle of data minimisation — that is, keeping data only for as long as needed, and for the minimum duration,” Bhagyam said.
Freshworks’ advice to startups is to divide the GDPR action plan into four categories — process, product, vendors and documentation. “Everything you do will fall under these categories,” said Gaurav Kulkarni, program manager at Freshworks. “Firstly, deciding whether you are a data controller or a data processor, because every startup will have different hats.”
However, experts are of the opinion that Indian startups can watch and learn from how larger companies handle such processes.
“The initial stages they (EU) will be lenient. Things will play over the next one year and the forerunners are going to be social media companies Airbnb, Google, FB, Twitter, and the like,” said Mohan Kumar, partner at Norwest Venture Partners. “Indian startups won’t be in the front to bear the brunt of all of it… Awareness will soon start to kick in.”
Source: economictimes