AKGEC INTERNATIONAL JOURNAL OF TECHNOLOGY, Vol. 11, No. 1

General Data Protection Regulation and Its Impact on Indian Enterprises
Dr. Brijesh Kumar Gupta
Braanet Technologies Pvt. Ltd., Ghaziabad 201 016 UP India
profguptabk@gmail.com, director@braanet.com

Abstract – The General Data Protection Regulation (GDPR) has come into force and will have wide implications for the digital economy and business models of various technology firms. The GDPR aims to provide consumers with the control of their personal data, provide trust in the digital economy and harmonize data protection.

Clearly, the GDPR would impact the services sector, especially data entry, customer care, advertising, banking and IT, among others. These services cannot be provided to a European client unless the Indian data protection laws are considered adequately rigorous by European Union (EU) standards, or on par with GDPR. The study outcomes presented in this paper attempt to analyse and outline how the GDPR will impact the digital data business of Indian enterprises, as well as providing new challenges and opportunities for innovation. Key highlights of the similarities and differences between IT Act 2000 and GDPR are presented.

Keywords: Data economy, Data portability, Data protection, European Union, GDPR, IT Act 2000

I. INTRODUCTION
Gathering of data and its subsequent commercialization have transformed contemporary economies, politics, societies and cultures. The surge in digital technologies and platforms in recent years and the progression towards a digital economy has at its core the monetization of personal data and the use of ‘Big Data’ to create value [1]. In the European Union (EU), for example, the value of the data economy is continuously increasing. In 2016, the value was calculated to be EUR 300 billion (1.99% of the EU’s GDP) and is estimated in 2020 to be EUR 739 billion (4% of the EU GDP) [2]. Indeed, over the last few decades, multinational companies have mushroomed, with several of them ascending very swiftly to the top of the Fortune 500 list, whose source of revenue and business models are dependent on the gathering and use of personal data.

A business model reflects how a firm attracts and provides value to consumers and converts this into a financial profit [3]. A successful business model can differentiate a firm from its competitors, provide huge financial returns and can ultimately create a paradigm shift in how an industry functions and conducts business. With an increase in digitization and the emergence of the digital economy, the variety as well as the complexity of different business models has only increased [4], [5], [6] and [7]. The seminal business model research and canvas done by Osterwalder et al. [8] had a profound impact in the start-up world.

Privacy and data protection have always been a priority policy for the European Union lawmaker. The legislation gradually developed to reach the point of adopting the General Data Protection Regulation. Claiming to promote the protection of fundamental rights, the GDPR also supports lawful business procedures to create a balanced environment.

II. GENERAL DATA PROTECTION REGULATION
The GDPR builds upon many existing concepts in European privacy law and creates new rights for the users whose data is being processed [9]. The result is new compliance obligations for organizations handling data. The Regulation addresses two main ideas: to strengthen and unify data privacy rules for individuals in the European Union; and to widen the territorial scope of the data protection by regulating the export of personal data of European citizens outside the EU. It is known that the main goal of the GDPR is for both citizens and business to benefit from the new rules – common welfare has always been first priority for the EU legislator.

The General Data Protection Regulation is a European Union law, implemented on May 25, 2018, that requires organizations to safeguard personal data and uphold the privacy rights of anyone in EU territory [10]. The regulation includes seven principles of data protection that must be implemented and eight privacy rights that must be facilitated. It also empowers member state-level data protection authorities to enforce the GDPR with sanctions and fines. The GDPR replaced the 1995 Data Protection Directive, which created a country-by-country patchwork of data protection laws. The GDPR, passed in the European Parliament by an overwhelming majority, unifies the EU under a single data protection regime.

GDPR is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union, it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

III. BRIEF COMPARISON OF INFORMATION TECHNOLOGY ACT, 2000 AND GDPR
The relevant Indian laws governing online data protection are the Information Technology Act, 2000 (IT Act) and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The IT Act was enacted to give “legal recognition for the transactions carried out by means of electronic data interchange and other means of electronic communication” [11]. It provides for civil liability and criminal liability under Chapter IX and Chapter XI respectively. Section 43 under Chapter IX of the Act covers penalty and compensation in case of unauthorized access or damage to computer, computer system or network. This section is important for establishing criminal liability under Section 66 of Chapter XI.

This section brings out the similarity and difference between key features of the GDPR and the IT Act. A brief overview of the notable features of these data protection legislations has also been given. The following table presents key highlights of the similarities and differences:

TABLE 1 -- KEY FEATURES OF THE GDPR AND THE IT ACT

Principle: Objective
Section and Article: -
Similarity: Data transfer for electronic commerce.
Difference: GDPR specifically confers protection to natural persons and their rights and freedom upon data processing. This is not expressed in the IT Act.

Principle: Principles of processing and collection of data
Section and Article: Art.5 of GDPR; Rule 5 of IT Rules, 2011
Similarity: Both laws require that: Collection of data should be for lawful purpose. Collection should be necessary for the purpose specified.
Difference: The principles given in GDPR apply in relation to data processing. On the other hand, the principles under IT Act apply to collection of information and use. It does not mention processing. Principles listed in the GDPR but not mentioned in IT Act are data integrity, protection from unlawful processing, accountability, fairness and transparency.

Principle: Lawfulness of processing
Section and Article: Art.6 of GDPR; Rule 5 of IT Rules, 2011
Similarity: Consent of provider of information or the data subject is a prerequisite for the purpose of collection of information and for processing under IT Rules and GDPR respectively.
Difference: Unlike the GDPR, the IT Act does not have a provision that specifically deals with “lawfulness” of processing. GDPR lists five additional conditions on necessity of processing and also confers upon the Member States the power to introduce specific requirements for processing. Similar conditions are not mandated under the IT Act.

Principle: Consent
Section and Article: Art.4, 8 of GDPR
Similarity: Under both laws: i. Consent prior to data collection is needed. ii. The provider has the option to withdraw consent.
Difference: Unlike GDPR, the IT Act does not: i. Define consent. ii. List special conditions for child’s consent. iii. Require demonstration of consent by the data controller.

Principle: Sensitive personal data
Section and Article: Art.9 of GDPR; Sec.43A of the IT Act, 2000 and Rule 3 of IT Rules, 2011
Similarity: Both laws include biometric data, health records and sexual orientation in the list of sensitive data.
Difference: GDPR and IT Act lay down additional categories of sensitive personal data that are not common to the two laws.

Principle: Rights
Section and Article: Art.(14 - 18), Art.(20 - 22) and Art.7(3) of GDPR; Rule 5(6), Rule 5(3), Rule 5(7) of IT Rules, 2011
Similarity: Some rules under Sec.43A of the IT Act loosely correspond to the rights under GDPR. These are: Right to rectification, Right to be informed and the Right to withdraw consent.
Difference: Unlike the GDPR, IT Act does not use the word “Right”. IT Act excludes reference to some important rights given in GDPR. These are Right of access, Right to restrict processing, Right to data portability, Right to object, Right to erasure, Right in relation to automated decision making and profiling. The Rights have been described in considerable detail in GDPR. On the contrary, the IT Act gives a vague description of some of these rights.

Principle: Security and Accountability
Section and Article: Art.32, 35, 37, 30, 33 of GDPR; Rule 4 of IT Rules, 2011
Similarity: Common data protection security practices include adoption of internal policies, security audit, adherence to voluntary code of conduct and certification mechanism.
Difference: GDPR consists of additional and elaborate measures for security of data processing. These include appointing a data security officer, conducting privacy impact assessment, maintenance of records of processing.

Compensation and Liability

Principle: Compensation for damages
Section and Article: Art.82, Art.82(2) of GDPR; Sec.43A of IT Act, 2000 and Rule 8(1) of IT Rules, 2011
Similarity: Both contain provisions that award compensation from damages arising due to infringement. Both contain exemption from liability under certain conditions.
Difference: Compensation is a right under the GDPR but not under the IT Act. Different mechanisms and procedures for claiming compensation have been given under the two laws.

Principle: Punishment for disclosure of information
Section and Article: Art.83 of GDPR; Sec.72A of IT Act, 2000
Similarity: Both provide a provision for fines in case of breach.
Difference: GDPR imposes civil liability only. IT Act imposes criminal liability also.

Principle: Redress
Section and Article: Art.77, 78, 79, 82 of GDPR; Rule 5(9) of IT Act, 2000; Sec.72A of IT Act, 2000
Similarity: Both laws provide redress mechanisms.
Difference: Redress is a matter of right under GDPR but not under IT Act. The laws prescribe different redress procedures. There is ambiguity regarding authority that can be approached under IT Act, 2000.

Principle: Data transfer
Section and Article: Art.(44 - 50) of GDPR; Rule 7 of IT Act, 2000
Similarity: Both laws obligate that data transfers will be allowed only if the receiving party offers same level of data protection.
Difference: GDPR covers data transfers to international organisations as well. IT Act does not specifically mention international organisations. As compared to the IT Act, GDPR lists many more parameters for valid data transfer such as adequacy decision, appropriate safeguards, derogations and judgement of a court of third country.

IV. GDPR IMPACT ON INDIAN ENTERPRISES
Following the Cambridge Analytica data hacking case reported in March 2018, the European Union (EU) enacted the GDPR 2018. As a result, e-commerce companies registered in non-European jurisdictions are subject to a legal framework on par with these regulations. To enforce such legislation, India’s e-commerce companies need to have a similarly stringent legislation besides infrastructure and technologies in place.

Clearly, the GDPR would impact the services sector, especially sectors like data entry, customer care, advertising, banking and IT, among others. These services cannot be provided to a European client unless the Indian data protection laws are considered adequately rigorous by EU standards or on par with GDPR. Even if Indian companies do not directly interact with European citizens, they would still require GDPR compliance. This is so because personal data of European citizens have the potential to be exploited for other related data processing activities.

If so, Indian companies would attract heavy penalty for non-compliance. For instance, if an Indian company uses data of former European customers, it would be liable for penalisation under the GDPR. Accordingly, the differences between the existing legal framework in India and the EU on data privacy merit consideration. Both government agencies and trade bodies like FICCI and NASSCOM would have to formulate a regulatory regime to accomplish synergy between Indian and EU data protection regimes to promote India-EU trade to its full potential.

Europe is a substantial marketplace for the ITeS, BPO and pharmaceutical industry in India. The size of the IT industry in the top two EU member states (i.e. Germany and France) is estimated to be around 155–220 billion USD. Thus, for the Indian IT industry to keep continuing to do business in Europe, it needs to comply with the GDPR. The GDPR imposes a penalty structure of 20 million EUR or 4% of global turnover (on the higher side) in cases of non-compliance.

The regulation requires a programmatic approach to data protection, and a defensible programme for compliance will be required to prove that organizations are acting appropriately. As part of these efforts, answers to the following questions need to be sought:
● What is our data footprint in the EU (e.g. data about employees, consumers and clients)?
● Are we prepared to provide evidence of GDPR compliance to EU or US privacy regulators who may request it?
● Do we have visibility of and control over what personal data we collect? How do we use it? With whom do we share it?
● Do we have a privacy-by-design programme, with privacy impact assessments (PIAs), documentation and escalation paths?
● Do we have a tested breach-response plan that meets GDPR’s 72-hour notification requirement?
● Have we defined a roadmap for GDPR compliance?
● Have we identified a Data Protection Officer (DPO) as required by the GDPR?
● Have we adopted a cross-border data transfer strategy?

V. THE CHALLENGES
Weak data protection law in India: India’s outsourcing industry, which is estimated to be worth over 150 billion USD, contributes nearly 9.3% of the GDP. The EU has been one of the biggest markets for the Indian outsourcing sector and India’s relatively weak data protection laws make us less competitive than other outsourcing markets in this space.

Cross-border restrictions: Largely inflexible, the GDPR reduces the extent to which businesses can assess risks and make decisions when it comes to transferring data outside the EU. Indian companies would need to implement sufficient safeguards, as required under the GDPR, to transfer personal data outside the EU, thereby further increasing compliance costs.

Greater risk of penalties and litigation: Article 3 (Territorial scope) of the GDPR makes it clear that the regulation will be applicable regardless of whether or not the processing takes place in the EU. This means no business for Indian companies that do not comply with the GDPR or increased compliance costs for those who do and the risk of huge penalties on failing to do so.

VI. THE OPPORTUNITIES
Business opportunity rather than compliance burden: Indian IT companies serving the EU market, their second largest after the US, would be required to comply with the GDPR. However, rather than seeing this as an additional burden in terms of compliance, Indian companies should see it as a massive business opportunity knocking at their doors.

Opportunity to stand out: Over the years, India has become a technology hub equipped with deep expertise and a talented resource pool. The GDPR could be an opportunity for Indian companies to stand out as leaders in providing privacy compliant services and solutions.

Developments in India’s privacy landscape: The ‘adequacy requirements’ under the GDPR allow the European Commission to consider whether the legal framework prevalent in the country to which the personal data is sought to be transferred affords adequate protection to data subjects in respect of privacy and protection of their data. In the wake of recent developments and the Supreme Court verdict, a data protection framework has been proposed by the Srikrishna Committee. It will be interesting to see how the forthcoming legislation shapes up and whether it will satisfy the criteria laid down under the GDPR.

VII. CONCLUSION
As GDPR has a very high benchmark of data protection, the Indian laws on data protection will have to be worked out accordingly. Data protection procedures like breach notification, excessive documentation and appointment of data protection officer may have to be incorporated in the Indian laws as well. As non-compliance involves high fines, inability of India or the organizations situated in India to qualify as data secure destinations is likely to divert business opportunities to safer locations. It is important to note that data transfer will also be permissible if a model contractual clause authorised by supervisory authority is entered into. India could look at similar arrangements to qualify as an approved destination for data transfer.

REFERENCES
[1] M.P. Hartmann, M. Zaki, N. Feldmann and A. Neely, “Capturing value from big data – a taxonomy of data-driven business models used by start-up firms”, International Journal of Operations & Production Management, vol. 36, pp. 1382-1406, 2016.
[2] European Commission, Building a European data economy. Retrieved from https://ec.europa.eu/digital-single-market/en/policies/building-european-data-economy on July 21st, 2018.
[3] D. Teece, “Business Models, Business Strategy and Innovation”, Long Range Planning, vol. 43, pp. 172-194, 2010.
[4] A. Afuah and C. Tucci, Internet Business Models and Strategies: Text and Cases, McGraw-Hill, Boston, 2001.
[5] L.M. Applegate, “Emerging e-business models: Lessons from the field”, HBS No. 9-801-172, Harvard Business School, Boston, MA, 2001.
[6] R. Amit and C. Zott, “Value creation in e-business”, Strategic Management Journal, vol. 22, pp. 493-520, 2001.
[7] E. Brousseau and T. Penard, “The economics of digital business models: A framework for analyzing the economics of platforms”, Review of Network Economics, vol. 6, no. 2, pp. 81-110, 2007.
[8] A. Osterwalder, Y. Pigneur and T. Clark, Business model generation. A handbook for visionaries, game changers and challengers, Wiley, Hoboken, NJ, 2010.
[9] M. Hintze, “Viewing the GDPR through a De-Identification Lens: A Tool for Clarification and Compliance”, 2017.
[10] EU General Data Protection Regulations (GDPR): https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations.
[11] The Information Technology Act, 2000.

Dr. Brijesh Kr. Gupta is Founding Director of “BRAANET Technologies Private Limited”, NCR-Ghaziabad. He joined the teaching profession in 1991 after his post graduation. He possesses 27+ years of teaching, research, administrative and industry experience at various levels in Indian Education System & abroad. He served in Ministry of Defence, Govt. of India as a civilian officer. To carry out his research work in the area of High Speed Communications, he enrolled himself at Indian Institute of Technology, Roorkee, India in Jan. 1999. Worked on two major research projects sponsored by UGC and AICTE. Served reputed technical institutes of UP Technical University, Lucknow since 2003.

Published 51 research papers. Chaired Technical Sessions in International Conferences. Authored book on Mobile Computing. Guided M. Phil. and M.Tech. students. Organized conferences/workshop and faculty/students. Has keen interest to organize Industry–Institute collaboration programs. He is ITU-certified faculty for Information Security & Cyber Security for Enterprises, Visiting faculty for Central Detective Training Institute, BPRD, Ministry of Home Affairs, Govt. of India and Entrepreneurship Certified Faculty, Ministry of Skill Development & Entrepreneurship, Govt. of India.

Received “ShikshaGaurav Puraskar-2014” for contribution in the field of Technical Education, Listed in Albert Nelson Marquis Lifetime Achievement Award -2017, 2018 USA, Honoured with “Howard Cosell Memorial International Honour Award-2018”, West Bengal, National Education Day Awardee – 2019, New Delhi along with Roll of Honour 2019-2020, Govt. of India (E).
