How will India’s data protection regulations change data-driven companies?

by Suman De

Post deliberations that lasted over a year, the Srikrishna Committee presented a 176-page report titled “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians” in July 2018. The data policy entailed a robust framework defining personal data privacy norms within the country. The draft bill borrowed heavily from the General Data Protection Regulation (GDPR), recently adopted by the EU. It suggested steps for protecting personal data, underlining the significance of data processors, providing guidelines for data storage as well as penalties for infringing on privacy. Essentially, the draft mandates data localisation among enterprises that handle sensitive data such as biometrics and financial data; all such information will be stored within local servers that fall under the Indian jurisdiction, with the cross-border flow of this data restricted completely.

Are companies prepared for such a data protection policy?

The framework will transform the way companies collate and store customer data by implementing several strict regulations. Large tech companies that rely heavily on data will, in turn, have to revamp their data protection methods and policies. The bill is likely to deeply impact data-extensive sectors such as IT, Travel, Healthcare, and Banking and Finance.

While the transformation might be cumbersome for some companies, leading companies that already have security infrastructures in place will not have a very hard time achieving compliance. For instance, leading industry players like Cleartrip have always gone the extra mile when it comes to ensuring superlative data security and protection. In fact, such visionary players allow users to delete their accounts and wipe out all their data after using their services, in addition to providing them with the choice to opt out of company newsletters, push notifications, and other marketing campaigns. Advanced data anonymization techniques are employed to make it impossible for customer data to be linked back to identifiable people. Through these endeavors, some of the online players are striving to give the power and control over personal data back to their users – but the number of such players is really small.

Several companies that are frivolous with customer data will, however, be required to reform their ways in order to comply with all the terms of the draft bill. Leading brands need to be more responsible with the data that they collate, as they will be heavily penalized if data is mishandled. This will be a tough deal for players that have been following conventional data processes for years. For such companies, the transformation will occur not just at the point of operations, but at a much deeper, more fundamental level. Change would be required within entrenched organizational ideologies and philosophies when it comes to working with sensitive data pertaining to individuals. Business leaders at such organizations will have to acknowledge that private information needs to remain private and realize why data protection is more than just an added cost.

What’s expected from companies under the new policy?

Increasing smartphone penetration, especially in fast-growing economies such as India, has allowed a massive number of formerly-offline individuals to create an online presence and go digital. These individuals are not well-versed with the implications of personal data leakage, let alone methods to protect their data. It thus becomes the responsibility of companies to spread awareness and knowledge about the importance of data protection, along with providing the necessary tools, in order for them to protect their personal details. Using the right tools to protect data privacy and inform users about the need for said privacy should be the prime focus of companies that fall under the proposed guidelines.

Additionally, companies which require complete overhauls as far as their data protection policies and practices are concerned will have to rely on cybersecurity firms to implement the required IT, data encryption, data protection, and fraud detection policies and strategies. Only through such multilevel transformation will companies be able to become compliant with the new data policy.

The pros and cons for companies

While the impact of the proposed policy on data-driven companies is clear, it is important to segregate the impact into benefits and limitations to truly understand the need for such a large-scale reform. Companies that have strict data protection guidelines in place will be successful in gaining a certain credibility that can only come with a user-centric data protection policy.

On the flipside, organizations which do not implement customer-focussed data policies will face considerable setbacks. Most technological companies rely on customer data accumulated over years to devise targeted marketing strategies. With the lack of data such as consumer preferences, demographics, and biometrics, companies will have restricted insights into customer behavior. Consequently, this will lead to reduced ROI from marketing efforts, thereby decreasing the number of average conversions.

While this can be a cause for concern for Indian tech companies, it must be viewed as a unique opportunity. Once companies adopt the proposed framework, they will be able to bestow the luxury of data privacy onto their users, a scenario that is painfully limited in the current setup. Instead of dreading the policy and perceiving it as a burden, companies must view it as an opportunity to create loyal customers who can choose to opt out of sharing their personal data and enjoy the truly safe and secure digital experience – which they should have anyway been privy to in the first place!

Suman De is the Director of Products at Cleartrip, India’s leading travel aggregator. 

CleartripData PrivacyData Protection BillGDPRIndiaSrikrishna Committee