Today is 25th May 2018. EU is still waking up to this D Day while India is already awake. There is no doubt that today will be considered a historic day in the Data Protection industry since EU GDPR is coming into effect from today.
Two years back the regulations were announced and the deadline was set. But most companies continued to be complacent. Naavi started actively urging the Indian industry to respond by first opening the Privacy Knowledge Center in September 2016, and following it up with the GDPR Knowledge Center in February 2017.
Since then several articles have been published under www.privacy.ind.in as well as www.naavi.org highlighting the positive and negative features of GDPR.
However, the industry woke up only in the last six months when they saw the potential impact of a huge penalty for non-compliance envisaged under the Act and the perception that it may become applicable even for entities outside EU.
During the past one year, since India is itself discussing its own Data Protection law under the Expert Committee Chaired by Justice Srikrishna, I have been urging the committee to ensure that Indian Data Processing industry is provided a protective umbrella in terms of the unreasonable penalties that may be imposed consequent to GDPR and the contractual commitments that Indian Companies may undertake in their anxiety to preserve their business. I have also raised the concern that Indian shareholders of such companies may be adversely impacted if they sign uncapped indemnity clauses that may provide for transfer of liability of their business partners.
I have also expressed my displeasure that EU has drafted the regulations in such a manner that it can be misunderstood as a global law and create a sense of fear amongst the data processors outside EU.
To some extent this sense of fear may not be warranted and I am sure that if challenged, EU will defend and say their law does not impose itself on other countries. But the fact is that perceptions sometimes cloud the reality and if we do a survey of Indian companies, we find that most IT professionals think that GDPR is mandatory for them.
In the meantime, UK has come up with its own DPA2018 which is perhaps of a greater concern to Indian companies since most Indian companies have established physical presence in UK even to take up business in EU and hence DPA 2018 is applicable to a much larger number of Indian companies. UK law by trying to extend GDPR as part of its own law, creates some additional burden that is beyond GDPR.
All this means that the cost of IT business in India is going up and Indian Companies need to ensure that they do not take up GDPR compliance entirely at their cost and try to load part of it on their international customers.
While I have indicated that in order to effectively defend against the impact of GDPR (and now add UK_DPA2018), industry needs to organize itself and SME data processors as well as Data Protection Professionals need to create some sort of collective bargaining power by creating self interest groups, I have also recognized that GDPR will be also creating business opportunities of different kinds for professionals.
In all such situations, the first industry which will benefit is the Education Industry. In fact, the career of the undersigned itself took off with Cyber Law College when ITA 2000 was enacted and later added consultancy. Similarly, GDPR will also create opportunities for the training industry. Already we have seen people from EU and some enterprising local professionals conducting training programs and charging a bomb. The GDPR itself may give further boost to some of them by creating a “Certification Mechanism” which will provide a false sense of privilege to some organizations established in EU which can claim “Accredited with the Supervisory Authority of …”.
Naavi believes that what is important is “Education” in which we become more knowledgeable. Certifications will follow. Certification without transfer of knowledge is not going to benefit professionals and could actually create traps where a professional may grow to his level of incompetence as Peter’s Principle suggests.
Naavi’s Cyber Law College in association with Apnacourse.com will be launching a training program on GDPR which will go online today to mark the formal coming into effect of GDPR.
The Course will contain about 7 hours of video lectures spread over around 18 modules. Probably this needs to be updated from time to time since this space is dynamic. Even the interpretations under GDPR itself will undergo some changes once the EU Data Protection Board becomes more active. Just as we have updated the Cyber Law Course on Apnacourse.com when some major changes occurred, this course will also undergo some updates from time to time. Presently the Course is being presented for knowledge enhancement. In due course Cyber Law College may introduce a certification of its own to provide recognition of “Course Completion” and recognition of passing a “Basic Awareness Test”.
Cyber Law College and Naavi in association with Apnacourse.com and otherwise would be conducting offline corporate training programs also so that awareness of GDPR would not be a matter of deficiency in the Indian industry.
Implementation is of course a choice that the industry players may have to decide based on their own risk appetite. But I would like to caution the industry that they should not allow the international competitors to use lack of awareness or compliance of GDPR as an excuse to shift outsourcing business from India to elsewhere. For this purpose they need to incorporate a plan of action whereby they can provide confidence to all their customers that they are aware of and are compliant with GDPR though we may assert our “legitimate Interests” and “Application of Local Laws”.
So… interesting days are ahead of us. Whether we like it or dislike it, GDPR is here and we cannot ignore it.
…..So happy GDPR day to all…