Indian IT Firms Flag GDPR As a 'Compliance Risk'
“Data privacy regulations (such as the General Data Protection Regulation in Europe) relating to personal information dealt with both by and on behalf of Wipro increases the risk of non-compliance,” Wipro stated in the risk management framework in the annual report.
GDPR is a new European law that puts in place strict rules for collecting, storing and processing personal data of EU citizens. The $160-billion Indian IT outsourcing industry derives close to 30% of its revenue from clients in Europe by offering services to companies such as Swiss Re, Deutsche Bank, Daimler and BNP Paribas. Any violation or security breach, observed non-compliance or inadequacy of privacy policies can result in hefty fines and reputational damage.
Depending upon the nature and severity of non-compliance, companies can face fines of up to 4% of annual turnover or €20 million, whichever is higher.
All IT companies have already updated their privacy policies on their websites detailing rights of data subjects as mandated by GDPR. In addition, companies have formed dedicated data privacy teams known as “organisational units” that have been working to avoid non-compliance. Mindtree, for instance, “decided to get a core team of four people, two from quality, one from legal and one from delivery-IMTS (to ensure compliance),” said Erwan Carpentier, its senior vice-president and general counsel.
India’s largest IT provider, TCS, in its FY18 annual report listed a 10-point risk mitigation process for GDPR. Besides forming a separate unit for compliance, TCS has been reworking data transfer agreements with EU clients, requesting explicit consent in data sharing, adopting measures to enhance vendor contracts, and has invested in securing personal data of individuals through ‘privacy by design’.
TCS declined to share additional information, citing the silent period ahead of the announcement of first-quarter results next month. Infosys and Wipro too cited the same reason.
Gagan Sabharwal, senior director of global trade development at Nasscom, said: “The fine, if it is applied, could wipe out a substantial part of the balance sheet; that hit alone will be difficult to take. That’s why you see many companies calling this out as a risk specifically.”
Industry body Nasscom has been a part of multiple roadshows with EU regulators, and “the sense we get is they will be accommodative and lenient initially. They are not trying to name and shame companies that are non-compliant. But, we are not sure about the duration of the accommodative stance,” Sabharwal said.
In fact, the EU regulators themselves are still not sure in some cases. For instance, GDPR legally provides for a certification authority that will authorise/validate a company’s audit system and compliance towards GDPR.
However, the guidelines for creation of these authorities have not been drafted yet.
Against this background, consultancies have been in high demand, receiving multiple audit requests from clients trying to become GDPR compliant. “The positive side we have observed from our DSCI-Deloitte survey is that over 60% see GDPR as brand differentiation, that adds a reputation element to compliance,” said Vishal Jain, partner at Deloitte India.
Though there was no mention of GDPR as a risk in Infosys’ FY18 annual report, the company hinted at the tools it uses to institutionalise privacy practices and controls. “In fiscal 2018, there were four incidents involving customer data and none of them had any material impact,” the company disclosed in its sustainability report.