Indian tech start-ups may struggle to comply with new EU data law

The European Union’s (EU’s) upcoming General Data Protection Regulation (GDPR), which envisages strict rules for handling personal data of users, is proving to be costly for Indian technology start-ups that have operations in Europe.

The new regulation that takes effect on 25 May specifies new protocols for handling and storing private data, and sharing it with third parties. Flouting GDPR regulations can attract fines of up to €20 million, or 4% of the company’s global annual turnover.

Europe is an important market for start-ups operating in the business-to-business (B2B) segment and mobile gaming. Hefty fines and strict regulations could hinder a firm’s operations or lead to a complete shutdown, according to start-ups and policy experts whom Mint spoke to.

According to Gaurav Kapoor, chief operating officer of MetricStream, GDPR is enforceable even if companies do not have an office in the EU or do not operate in the EU, but handle private data of EU citizens. MetricStream is a provider of governance, risk and compliance solutions.

“For small start-up businesses, since they deal with smaller workflows and smaller set of data, I believe the cost of compliance increment will be in the range of 4-5%. While for bigger corporates, it would range between 10-20% of their compliance budgets,” said Kapoor.

A top executive at a Bengaluru-based tech start-up that has operations in the EU said on the condition of anonymity that most small tech companies that export software to Europe do not sign any formal service or legal agreement, in an attempt to stay away from auditors.