Indian IT companies and GDPR risk

On 25 May 2018, the EU GDPR (General Data Protection Regulation) came into force, expanding the rights of individuals to control how their personal data is collected and processed, and placing a range of new obligations on organisations to be more accountable for data protection.

However, the GDPR hasn’t gone down well with Indian organisations, particularly IT companies that see the Regulation as a big threat to their business.

Why are Indian IT companies against the GDPR?

The Economic Times reports that major IT companies such as Tata Consultancy Services, Wipro and Mindtree believe the GDPR is a ‘compliance risk’.

In their fiscal 2018 annual report, the three organisations said that the Regulation carried “severe consequences for non-compliance or breach”.

Wipro added that data privacy regulations such as the GDPR “relating to personal information dealt with both by and on behalf of Wipro increases the risk of non-compliance.”

The Indian IT outsourcing industry, worth $160 billion, gets about 30% of its revenue from European clients by offering services to companies such as Deutsche Bank and BNP Paribas. In case of any breach, non-compliance or inadequate privacy policies, Indian companies might have to pay hefty fines and could suffer reputational damage.

According to Livemint, the average cost of a data in India rose 7.9% to R11.9 crore in 2017–18, and the average per-capita cost per lost or stolen record rose 7.8% to R4,552.

What have Indian IT companies done to comply with the GDPR?

All major IT companies have updated the privacy policies on their websites, detailing the rights of data subjects as mandated by the GDPR. Below are other major steps taken to comply with the Regulation:

  • India’s largest IT provider, TCS, has listed a ten-point mitigation process to avoid any non-compliance, which includes obtaining the consent of data subjects, ensuring the rights of individuals, demonstrating accountability and assessing data protection.
  • TCS has been reworking data transfer agreements with EU clients. It has requested explicit consent in data sharing, adopted measures to enhance vendor contracts and invested in securing personal data of individuals through ‘privacy by design’.
  • Some companies have formed data privacy teams. Mindtree has assembled a core team of four people from different departments.

What else can Indian companies do to achieve GDPR compliance?

  • According to a PWC report, Indian companies must review their policies, conduct data discovery exercises to understand what personal data they process, and implement processes to conduct DPIAs (data protection impact assessments).
  • Indian organisations can use technologies such as pseudonymisation and encryption while processing personal data, update data loss prevention and SIEM (Security Information and Event Management) solutions, and review data transfers, privacy notices, etc.

View our GDPR compliance checklist for more steps you need to take to demonstrate compliance >>

Free GDPR green paper

Our free green paper, EU GDPR – A Compliance Guide, explains the key changes introduced by the GDPR, the critical areas organisations should be aware of on their compliance journey, and the Regulation’s scope and impact.

Download your free copy of EU GDPR – A Compliance Guide >>


The GDPR - key steps for companies in Asia-Pacific. Our compliance checklist will take you through the essential steps.