GDPR (General Data Protection Regulation) introduced by EU in replacement of the Data Protection regime hither to in place has opened up a debate on whether it is an “Opportunity” or a “Threat”.

IDC predicts (Refer article here) that a substantial opportunity would be created for security and storage software vendors since the severity of fines would drive for a shake up of data protection practices. According to IDC, the total market opportunity created is of the order of $3.5 billion. Of this the securty software from GDPR concerns is expected to raise from $811 million in 2016 to$ 1.8 billion in 2019, and storage software would grow from $258 million in 2016 to $1.7 billion in 2019.

There is no reason to disbelieve this projection. However if one part of the industry is making $3.5 billion, it has to be spent by another part of the business. In the case of GDPR driven business change, the data processing industry will incur the expenditure while the data security and storage vendors including the cloud storage product vendors will gain the corresponding revenue.

Additionally, the data processing industry has to also incur expenditure on “Compliance Consultancy” and “Cyber Insurance” which is not a small expenditure by itself.

Also, though the GDPR is discussed globally as if it is an issue between EU and US, the Indian IT industry also has a huge stake since it works both for the US and EU clients and needs to provide a “GDPR Compliant Data Processing Service”.

Indian IT industry needs to observe that the GDPR is proposed as a “Global Regulation” and imposes restrictions which would mean that no Indian Company would get EU business if it is not compliant with GDPR and if it tries to be compliant, it has to confront the following penalty structure.

Fine: 10,000,000 Euros or 2% Global Turnover, for offenses related to:

Child consent;
Transparency of information and communication;
Data processing, security, storage, breach, breach notification; and
Transfers related to appropriate safeguards and binding corporate rules.

Fine: 20,000,000 Euros or 4% of Global Turnover, for offenses related to:

Data processing;
Consent;
Data subject rights;
Non-compliance with DPR order; and
Transfer of data to third party.

It would be essential for all Indian IT companies to plan for

a) GDPR Compliance measures such as Creating awareness, making gap analysis etc

b) Hardening the Security and Storage

c) Obtaining Cyber Insurance Cover

d) Auditing suspected data breach incidents

e) Incurring the expenditure on penalties if any

Obviously, the industry has to be prepared for at least a 5% increase in its data processing costs which along with the increasing VISA costs coming from the US markets, make it difficult for them to remain profitable and competitive.

I urge NASSCOM to take suitable steps to ensure that the impact of GDPR on India is not adverse. At the same time strategies to harness the benefits that may flow from the global implementation of GDPR should be drawn up urgently.

The DeiTy also needs to evaluate measures that it may contemplate to ensure that GDPR does not hurt the IT industry in India.

Naavi