Submitted by Manoj_Jain on May 20, 2018

This note draws on experience with more than 20 Indian startups and small and mid-sized companies.
As we know, GDPR is going to affect a lot of Indian companies in many ways, but the key way in which it affects them is by restricting their growth and business potential.

The Indian culture is such that CEOs are just not ready to comply, and GDPR is not a light regulation. It places enhanced obligations on all companies to consider privacy as a key risk and monitor it accordingly.

Another challenge facing Indian companies is that they are typically companies of 50 to about 200 employees with very poor information security controls, while GDPR requires under Article 32 that a company have strong technical and organisational measures to ensure data protection.

In such a scenario, small companies are forced to significantly improve their information security controls, which means a lot of financial expenditure. At this juncture, companies evaluate the pros and cons of compliance. Should they spend and comply, or rather lose that one client that is giving them the business?

Small Indian companies are generally concentrated and do business with a few large overseas clients. These companies believe that if they are able to convince these few clients and win their confidence, then there really isn't any requirement to comply. But as Riskpro India has seen while consulting on several data protection assignments with these companies, it is those few large clients that will make the push, because the larger the clients you have, the more compliance-oriented they tend to be.

So, a piece of advice: GDPR is not a one-time activity but rather an ongoing compliance requirement. Unless companies understand this key difference, compliance will be merely a tick-box exercise and will result in large regulatory penalties for such companies. Just putting together a set of policies and paper procedures, holding a few trainings here and there, and then telling the world that you are GDPR compliant does not help. Instead, the company should be understanding the privacy risk, building a culture of improving data protection across the organisation and enhancing its information security controls.

Looked at closely, the things that are really important are not many but a few, and many small companies can easily comply with them. The following are the key requirements for companies:

•    Need to have a privacy policy that explains exactly what kind of information is collected, how it is collected, and that data subjects have rights under the policy.

•    This document should also outline what type of minors' data processing occurs, and any cross-border transfers and recipients of data.

•    A robust and clearly articulated process for collecting consent and for storing evidence of it is absolutely critical. Small companies tend to blast out emails and engage with customers and potential customers through direct marketing without realizing that there are multiple regulations that impact the organisation. It is not just GDPR that they have to comply with; we also have regulations similar to PECR and E-privacy, so you can imagine trying to follow and comply with one regulation while ignoring the fact that there are parallel regulations out there.

•    Such confusion totally impacts these companies and, in the end, they are better off not complying at all rather than complying half-heartedly and without realising the overall impact of their activities.

To conclude, under such circumstances it is absolutely important that these Indian companies carry out a detailed GDPR gap assessment and identify the core and key areas of non-compliance. After that, a project plan should be designed in which all the tasks and actions are outlined.

CONTACT
If you would like to learn more about how Riskpro India is helping Indian companies to meet GDPR compliance, drop an email to info@riskpro.in