Authors : Omkar Sathe | Sahil Deo

Expert Speak Raisina Debates
Published on Mar 12, 2024

Official effort must be made to make Indian firms aware and capable of dealing with GDPR compliance

EU-India FTA: GDPR’s trade barrier needs to be dealt with

India is negotiating a Free Trade Agreement (FTA) with the European Union (EU), expecting to boost trade. However, the EU’s data privacy laws, particularly the General Data Protection Regulation (GDPR), represent a non-tariff barrier that can hinder Indian exports to the EU. Not resolving the higher transaction costs due to the GDPR would be detrimental to the FTA.

Why GDPR is a barrier for Indian exporters

Non-compliance with GDPR can result in heavy penalties of up to 4 percent of a firm’s annual revenue or €20 million. European regulators have been vigilant in enforcing these laws, collecting €1.27 billion in 2021 by imposing 434 fines, an average of €2.94 million per fine. Therefore, non-compliance with GDPR is not a viable option, even if the EU business is tiny. Even companies that are merely scoping the market for viability may have to comply with GDPR if doing so involves the collection of individual data. Further, a breach of data privacy regulations is perceived negatively by EU residents, damaging the company’s reputation and harming its long-term prospects.

In India, while Parliament passed the ‘Digital Personal Data Protection Act’ in 2023, its rules are yet to be notified. Many Indian companies would therefore not be familiar with the stringent expectations of privacy laws, and especially not of EU laws. Thus, GDPR creates an additional compliance burden for current and potential exporters, harming trade. The United States Trade Representative (USTR), in its 2019 trade barriers report, identified that the implementation and administration of the GDPR may create disproportionate barriers to trade for all countries outside of the EU.

Consequences for Indian Exporters

GDPR implementation has resulted in several economic consequences for firms, which helps us understand the potential impact of such compliance for Indian exporters.

Direct increase in costs

Exporters would be forced to allocate resources towards compliance. This cost increase can be due to:

  1. Changing ways of working for the EU market: More attention and energy would need to be focused on data compliance. Internal processes may need to be tweaked, and new processes such as audit mechanisms would need to be adopted.
  2. Adoption of GDPR-compliant technologies: Companies may have to invest in building, inventing, or buying IT systems that ensure their compliance with GDPR.
  3. Personnel costs: Hiring a data protection officer is mandatory. Companies may also have to take assistance from legal consulting services. These compliance costs are significant, with some companies having spent more than €10 million annually on GDPR compliance. Indian firms wanting to enter the EU may have to bear such costs even before the exports begin.

Higher cost of doing business:

GDPR also makes it harder for companies to collect, extract, and process personal data. Thus, companies would have to contribute a higher cost for collecting, processing, and using data in the EU, as compared to the home market of India, which can lower the productivity of such organisations.

Reduction in revenues and profits:

GDPR increases ‘friction’ in the sales process due to the cost incurred by users when they are prompted for consent to use their data. GDPR compliance was found to lead to an average reduction in sales and profits of 2.2 percent and 4 percent respectively. With reduced profitability, Indian exporters’ incentive to enter the EU market decreases.

Lower competitiveness:

Indian exporters may have a small percentage of sales coming in from the EU. The higher costs of GDPR compliance would be distributed across that fraction of sales. This contrasts with those companies where a large percentage of sales are from the EU. Thus, GDPR provides a competitive advantage to companies from the EU and countries integrated tightly with the EU (such as Switzerland).

Smaller firms disproportionately impacted:

Firms with fewer than 500 employees saw a disproportionately higher impact on sales and profits than larger firms. In the technology sector, larger firms gained market share at the expense of smaller firms. Indian companies are often smaller than their European counterparts and are at risk of being impacted more severely. In fact, 92 percent of Indian companies have fewer than 100 employees, and any first-time exporter drawn from this pool would face a much larger barrier.

What can India do?

Removing structural disadvantages:

In August 2020, the United States and the European Union initiated discussions specifically to deal with GDPR. Subsequently, an agreement was arrived at, which saw the creation of a US-EU data privacy framework. By 2023, the European Commission ruled that the privacy laws in the United States were adequately comparable to the GDPR, thereby removing the trade barrier for US companies.

Similarly, Indian Free Trade Agreement (FTA) negotiators should push for a privacy adequacy agreement with the EU. Any concerns related to GDPR can be incorporated into implementing the Digital Personal Data Protection Act 2023.

Pre-empting the changes:

Many of the expected costs of compliance are predictable, and governmental efforts can aid in reducing these costs. Indian technology companies can be motivated to develop GDPR-compliant tools at a subsidised cost through one-time grants. A further advantage is that ‘GDPR-compliance tech’ is a vast market, and Indian technologies could find a market for those. For MSMEs and first-time exporters, some of these utilities could be subsidised for a limited time to aid their compliance. Along with the free tax and payment utilities developed in India, a free GDPR-compliance utility would go a long way in making compliance technology accessible.

As a further exercise, it would be prudent to make new and potential exporters aware of GDPR through sensitisation programmes carried out in partnership with industry associations. This would enable companies to prepare proactively for GDPR compliance. Developing easily accessible knowledge tools and self-certification modules in multiple Indian languages would aid the development of the capabilities of Indian companies. Export-promotion programmes typically identify and engage with companies in sectors with a high potential for EU exports. Integrating GDPR compliance within those programmes can further reduce this barrier that companies face.

Leveraging GDPR as a market opportunity:

GDPR also throws up opportunities that could be exploited by India for its own economic gains and for boosting service exports. Hiring EU-based expertise for GDPR compliance is expensive and cumbersome. Developing a local talent pool conversant with GDPR can enable service exports in GDPR compliance. This would require introducing GDPR-specific courses in law, management, and technology schools. Further, focussing on technology markets like Bengaluru, Delhi, and Pune to create industry-academia pathways can lead to the forging of consultancy services that can cater to EU-based clients. An added advantage is that this can directly contribute to Indian efforts to export workers. The demand for data protection officers has increased in the EU, and Indian technology workers with expertise in GDPR can gain a distinct advantage in the market, opening emigration channels for them.

In Summation

Compliance with the General Data Protection Regulation represents a non-tariff barrier for Indian exporters. GDPR compliance is costly for Indian exporters and increases transaction costs. GDPR’s stringent enforcement and heavy penalties disincentivise entry into the market for small Indian export firms. However, governmental efforts can aid in mitigating the impact of GDPR compliance, and help boost exports.


Omkar Sathe is Partner at CPC Analytics

Sahil Deo is Co-founder at CPC Analytics

The views expressed above belong to the author(s).

Authors

Omkar Sathe

Omkar Sathe is a partner at CPC Analytics, a data-driven consulting firm with offices in Pune and Berlin.

Sahil Deo

Non-resident fellow at ORF. Sahil Deo is also the co-founder of CPC Analytics, a policy consultancy firm in Pune and Berlin. His key areas of interest ...
