This article is written by Kashish Khattar and Ramanuj Mukherjee.
As a lawyer on the lookout for lucrative emerging practice areas with massive potential, you cannot ignore data and privacy law.
Around the world, data and privacy have emerged as major legal and regulatory flashpoints.
From congressional hearings in the USA to massive fines imposed by the EU on companies like Google and Facebook over violations of user privacy, the media has been widely reporting on data privacy, and this is an issue that is definitely at the top of public interest and policy agenda.
The younger generation has grown up seeing its personal data as a currency, and it does not take privacy for granted, especially online.
A growing number of people care deeply about privacy, to the extent that they may become a political force in the years to come.
Europe has been at the forefront of data protection, which to a great extent reflects the priorities of the European public, for whom privacy has long mattered. This led to groundbreaking data protection legislation that has affected not only Europe but businesses around the world, including here in India.
In data protection and privacy practice, the introduction of the General Data Protection Regulation by the European Union, better known by the acronym GDPR, has been a turning point.
It has also prompted other countries to adopt strong data protection laws of their own, including India, where a bill is pending in Parliament.
The Indian data protection bill is currently before a joint parliamentary committee, and India could soon have its own data protection statute, most probably along the lines of GDPR.
We have been saying for a while that data and privacy will be a huge practice area, but only after GDPR came into force have lawyers seen a lot of data privacy work coming through the door. Many law firms have set up entire independent verticals to handle it.
Why should we care about GDPR in India
The impact of GDPR was not restricted to Europe. Every business around the world that has European customers or any dealings with European businesses had to comply.
Initially, most of the budget went into GDPR implementation, in which the Big 4 and a few other management consultancies played a role in India as well as in other countries. Lawyers initially played quite a limited role, perhaps because, at least in India, they were not prepared.
However, there are now increasing levels of legal work, from advisory to responding to notices and data breach incidents, as the supervisory authorities in the EU member states begin to crack the whip and companies scramble to put their houses in order.
If you are a lawyer in India, it is probably worth spending some time figuring out how you could get a piece of this action and whether you have the skills that are needed to address this brand new market.
Notably, this is not a service that only big corporations require. For small exporters and the vast majority of startups and MSMEs, many of which count Europe as an important market, GDPR compliance is a must. Not all of them can approach the Big 4 or a big law firm, and that is where many opportunities are arising for individual lawyers and smaller law firms.
Interestingly, it is also a truly global practice. An internet marketing company or a niche online media portal focusing on travel in Eastern Europe may be very happy to hire an Indian lawyer with the requisite expertise to do a GDPR audit or review its data protection practices.
As India and the rest of the world introduce laws modelled on GDPR, demand for such services will continue to rise, perhaps even exponentially over the next few years.
It is a great time to gear up!
What is GDPR
The General Data Protection Regulation is an EU regulation, which means it is directly applicable in all EU member states without national implementing legislation. It replaced the earlier Data Protection Directive (95/46/EC). GDPR protects the personal data of natural persons who are in the EU. Two points trip up Indian businesses: "personal data" is broader than the US notion of personally identifiable information (PII) and covers anything that identifies a person directly or indirectly, such as an IP address or a device identifier; and the test is whether the data subject is in the EU, not whether they hold EU citizenship.
GDPR takes a rights-based approach to protecting the data of natural persons. Every processing operation needs a lawful basis, of which consent is only one (others include performance of a contract and the controller's legitimate interests), and data subjects get enforceable rights of access, rectification, erasure and objection.
It was adopted on 27 April 2016 and has applied since 25 May 2018, marking a milestone for data protection around the world.
How does it impact Indian businesses
The regulation applies to the processing of personal data of a person (the "data subject") who is in the EU. It binds controllers and processors established in the EU wherever the processing takes place, and it also reaches businesses outside the EU, India included, where the processing relates to offering goods or services to data subjects in the EU (whether or not payment is involved) or to monitoring their behaviour, for example through website analytics or advertising profiles.
Basically, if a business anywhere in the world is targeting or tracking people in the EU, it needs to comply.
Hence, if an Indian company holds data of people based in the EU in the course of such activity, it has to be in compliance with GDPR. This includes companies generating leads from EU prospects, marketing to EU businesses or consumers, showing ads to people in the EU online, or even making sales calls to people or businesses in the EU.
If a company is found to be in contravention of GDPR, the regulation provides for administrative fines of up to 20 million EUR or 4% of worldwide annual turnover, whichever is higher, for the most serious breaches (a lower tier of up to 10 million EUR or 2% applies to breaches of obligations such as security, breach notification and records of processing). Data subjects whose rights have been infringed can additionally claim compensation from the controller or processor.
This is why no business can really afford to ignore GDPR.
What are the sectors most impacted by GDPR in India?
According to a NASSCOM report, Europe is a substantial market for the Indian ITeS, BPO and pharmaceutical industries. The size of the IT industry in the top two EU member states (Germany and France) is estimated at around 155–220 billion USD. India has a very large outsourcing industry, including many BPOs, KPOs and ITOs, that is affected by this regulation.
The sectors which will be impacted by GDPR include:
- The IT sector and the ITeS will be impacted heavily as explained above;
- Advertising, and in particular, the digital marketing industry will be affected;
- Telemedicine, health record management services and medical tourism;
- Fintech and digital banking, as they cater to Indians living in the EU;
- Blockchain and IoT, Software as a Service;
- Aviation: Indian carriers fly passengers who live in the EU;
- Hospitality: hotels take bookings from guests based in the EU;
- Cloud computing: servers can be storing data belonging to people in the EU;
- Online retail: think of an EU-based shopper ordering from an Indian e-commerce site that ships to the EU;
- Import-export: if they have to work with clients in Europe;
- Law firms, accountants and other consultants: service providers with EU clients are also impacted.
There is a lot of potential work for Indian lawyers if they know the work and the potential clients to look for.
What will your potential clientele look like as a GDPR expert in India
- If you are not paying for the product, you are the product. Many large internet companies collect user data and in exchange give out free services.
This data is used to profile users to show them targeted advertisements and sell products that one may want at any given time or to predict what products or services the users may buy.
This strategy has been undertaken by BigTech giants like Facebook, Google, Microsoft, Amazon.
It is only logical that these companies store loads of sensitive and personal data on their servers. These companies require and hire the best talent who can help guide them through the GDPR compliance process.
Given how these companies are present in different countries and are massive in size, they also have a lot of audit work as well as training to do apart from designing and following GDPR compliance.
- There are freemium services which offer limited services or limited period trials in exchange for user data. The idea is that you use the free product and come to love it, and then you will want to buy a paid, premium access.
There are a lot of large companies in the world and a vast majority of apps in your phone that follow this business model. For them, your contact details are very valuable so that they can repeatedly contact you and convince you to upgrade from free to the premium version.
Even at LawSikho we follow a model like this, as we provide our potential customers with free content in the form of ebooks, webinars and blog posts, and over time convince them to buy paid courses from us.
The success of this business model also depends on proper GDPR compliance if there are EU based users, or if one wants to target EU based users (LawSikho does not market to users in the EU, so we are not GDPR compliant).
Complying with GDPR without compromising the lifeblood of such a business, which is the supply of data from potential customers in the relevant target groups, is not an easy task and requires expertise.
- Media companies collect personal data from their audience either to market their subscription services or to sell data and advertising to advertisers.
The shift from traditional advertising to online media has been massive and mostly driven by the efficacy of data-driven marketing technology. Advertisers are able to micro-target their customers with very specific messaging.
This was famously done in several elections by Cambridge Analytica using Facebook data. Any company can, for instance, show an ad to all the lawyers in a particular pincode using Facebook's marketing tools.
A media company with readers or viewers in the EU that relies heavily on advertising revenue and subscription sales would need lawyers to come up with a GDPR compliance plan.
- All kinds of service providers and professionals including lawyers, doctors, architects, auditors, analysts, consultants receive and often need to store a significant amount of data about their clients. All of them now have to comply with GDPR if they have enough clients in the EU.
- There are vendors in India, such as BPOs and SaaS companies, that primarily serve an international clientele. Many of them have a large European clientele. They must comply with this regulation.
For instance, the BPO industry deals with a massive amount of personal and sensitive data such as contact information, personal details, and sometimes even medical or insurance details, depending on the nature of work.
- There are hotel and tourism operators who ask for personal data of their clients and deal with a large volume of European clients. There is a lot of personal and sensitive information that is collected and stored by these businesses and they will need help to comply with these regulations.
- Then there are Indian import and export companies which do business with EU clientele. They are being asked by their clients in the EU to comply with GDPR, and it is also important for them from another perspective: to do business in Europe they have to market themselves to European clients. Marketing and sales always handle customer data, as does the customer service department.
- E-commerce companies with international sales in the EU, telemedicine companies that provide services abroad, mobile app companies with many EU based users as well as online education companies catering to the EU will have to comply.
- Indian media companies are in a grey zone because most of them have some users from the EU. As per SimilarWeb, a leading online traffic data aggregator, Times of India's online version attracts massive foreign traffic. While 58% comes from India, the rest is international, with 18% coming from the USA and more than 10% from EU countries. As this portal attracts approximately 54 million unique users a month, this is very valuable traffic given the higher purchasing power and better ad rates the portal gets for its EU-based readers. It would appear that sooner or later, most Indian media companies will need to comply with GDPR.
What kind of work lawyers will be doing in India for GDPR compliance, advisory and litigation
Companies have different departments that control or process data for different needs of the business. The HR department controls and processes personal data of employees. The marketing department holds and collects massive amounts of personal data in the form of emails, contact numbers, and the professional and personal background of potential leads and buyers, for effective marketing and advertising. The sales team holds data because it has to keep in touch with leads. Accounting and collections departments hold data too, as does the customer service team. All of them have a different and important role to play in the data protection regime introduced by GDPR.
Even the product design and engineering team has to be trained in GDPR, because the regulation's "data protection by design and by default" requirement (Article 25) mandates features such as data minimisation and privacy-protective default settings that need to be on the drawing board when a product is being planned. They would have to be trained to understand these requirements minus the legalese.
The senior management also have to be sensitized and trained about GDPR.
All these teams need different and specialised training. In fact, the nature of training will change depending on what exactly these teams do with the data and one size fits all is hard to achieve.
Once a business has achieved GDPR compliance, it is essential to train all employees on how things must work in their specific context so that the business stays compliant.
There is a massive opportunity for Indian lawyers in organising GDPR training for every business that deals with EU data. Clients have regularly been hiring law firms or Big 4 consultancies to design and deliver such training.
Things have become more complicated with everyone being forced to work from home: personal data now also sits on home networks and personal devices, which the training and the data flow map both have to account for.
Advice regarding data flow management and precautionary measures to be taken
Where does data come from and where does it go, step by step? Who in the organisation holds data at different times, who has access, and at what point does that access end? A data flow map has to be prepared when a company plans its GDPR compliance. Such a map identifies all the information a company holds and how it moves from one location to another. It also helps an organisation see the gaps and vulnerabilities in its data protection and take steps to reduce security risks and unintended data leaks.
Four key elements have to be taken into account: data items (names, email addresses and records); formats (a database, online data entry or hard copy forms); transfer methods (post, telephone, internal and external correspondence); and the location of data (an office or a cloud service, for example).
Each of these comes with its own risk. Databases can be breached and their contents made public. Storage devices can be stolen and the data compromised. Cloud accounts can be disrupted or hijacked.
What kind of data flow management is appropriate under GDPR? Are the data practices a business follows appropriate and compliant? How can business objectives be achieved without compromising on data practices? What steps can be taken to mitigate risks? What precautionary measures would constitute sufficient action under GDPR? Lawyers have to advise businesses on these questions all the time.
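To make the four elements and the access questions concrete, here is an added example, not part of the original article, that models a data flow map in Python and runs the gap checks a reviewer would raise: a transfer step with no documented method, a holder with no point at which its access ends, and sensitive data kept in digital form without encryption at rest (that last check reflects the security measures GDPR expects rather than anything the article spells out). The field names, holder names and the two sample flows are assumptions constructed for illustration.

```python
"""Minimal data flow map for GDPR planning (added example; constructed data)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DataItem:
    name: str                # e.g. "lead email address"
    sensitive: bool = False  # health, biometric etc. need stronger safeguards


@dataclass
class Hop:
    """One step in the life of a data item: who holds it, where, in what form."""
    holder: str                      # department or vendor holding the data here
    location: str                    # office cabinet, on-prem database, cloud service
    fmt: str                         # "database", "web form", "paper form", "spreadsheet"
    transfer_in: Optional[str]       # how it arrived: "web form", "email", "post"; None at origin
    access_ends: Optional[str]       # event after which this holder loses access; None = unknown
    encrypted_at_rest: bool = False  # assumed attribute: digital copy protected if device is stolen


@dataclass
class Flow:
    item: DataItem
    hops: List[Hop]


def describe(flow: Flow) -> str:
    """Render the step-by-step path of one data item as a single line."""
    steps = [f"{h.holder} [{h.fmt} @ {h.location}]" for h in flow.hops]
    return f"{flow.item.name}: " + " -> ".join(steps)


def gaps(flow: Flow) -> List[str]:
    """Return the gaps a reviewer would raise for this flow."""
    issues = []
    for i, hop in enumerate(flow.hops):
        where = f"{flow.item.name} @ {hop.holder}"
        # Every step after the origin must say how the data got there.
        if i > 0 and hop.transfer_in is None:
            issues.append(f"{where}: transfer method into this step not documented")
        # Every holder must have a point at which access is removed.
        if hop.access_ends is None:
            issues.append(f"{where}: no point at which access is removed")
        # Sensitive data in digital form should be encrypted at rest.
        if flow.item.sensitive and hop.fmt != "paper form" and not hop.encrypted_at_rest:
            issues.append(f"{where}: sensitive data stored unencrypted ({hop.fmt} @ {hop.location})")
    return issues


# Constructed sample flows (not real data).
LEAD_EMAIL = Flow(
    DataItem("lead email address"),
    [
        Hop("marketing", "CRM (cloud)", "database", None, "lead marked unsubscribed", True),
        Hop("sales", "CRM (cloud)", "database", "CRM access grant", "deal closed or lost", True),
        # Accounting copies the address into invoicing, but nobody recorded how.
        Hop("accounting", "invoicing system", "database", None, "invoice settled + retention", True),
    ],
)

MEDICAL_CERT = Flow(
    DataItem("employee medical certificate", sensitive=True),
    [
        Hop("HR", "office cabinet", "paper form", None, "employment ends", False),
        # Scanned copy on a shared drive: no encryption, no access expiry recorded.
        Hop("HR", "shared drive", "spreadsheet", "scan + email", None, False),
    ],
)

if __name__ == "__main__":
    for flow in (LEAD_EMAIL, MEDICAL_CERT):
        print(describe(flow))
        for issue in gaps(flow):
            print("  GAP:", issue)
```

Run stand-alone, the script prints the two maps and three gaps: one for the undocumented copy into the invoicing system, and two for the scanned medical certificate (no access expiry, no encryption). In a real engagement the flows come from interviews with each department, and the checks grow with the client's obligations, but the shape stays the same: model every holder, every hand-off and every point where access ends, then let the checks find what the interviews missed.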
Every time a startup begins to grow, or a large company starts a new line of business or acquires a company, it needs legal advice on GDPR, since there will be a substantial change in data handling practices.
Breaches are red alert situations under GDPR. A personal data breach must be notified to the supervisory authority within 72 hours of the controller becoming aware of it, unless it is unlikely to result in a risk to individuals, and the affected data subjects must be informed without undue delay where the risk to them is high. A processor must notify its controller without undue delay. Even a breach that does not need to be notified must be documented internally. Failure to follow these protocols can result in massive fines and bad publicity.
It can be fairly assumed that even with the best training and strategies in place, some data breaches will take place.
Limiting the exposure after a breach requires legal input. Lawyers can also be hired to make the case before the supervisory authority.
Prevention is better than cure. Advising clients on how to avoid adverse situations is the norm, but handling and extinguishing fires is also a lawyer's job. GDPR fines are massive and can hit any business to the core.
GDPR lawyers should know how to do substantial damage control when the need arises. When a fine is on the table, the authority must weigh factors such as whether the infringement was intentional or negligent, what technical and organisational measures were in place, and how the business cooperated and mitigated the damage; presenting a good case on these points can reduce the quantum of the fine a great deal.
Data protection officers
Lawyers with technical expertise in GDPR can be appointed as data protection officers (DPOs). Contrary to a common misconception, GDPR does not require every organisation that handles personal data to appoint a DPO. A DPO is mandatory where the organisation is a public authority, where its core activities involve regular and systematic monitoring of data subjects on a large scale, or where its core activities involve large-scale processing of special categories of data (such as health data) or data relating to criminal convictions. This applies to processors as well as controllers, so an Indian BPO whose core work is large-scale processing of EU health records for a client needs one. The size of the organisation itself is not the test; the scale and nature of its data handling is. The DPO oversees the company's strategy and its implementation to ensure compliance with GDPR, must be able to act independently, and must not hold other duties that conflict with that role, so a company's head of marketing or IT is usually a poor choice.
Hence, learning GDPR could open up such opportunities for you, as many companies in India will have to appoint data protection officers in the near future, especially post-COVID as business with the EU goes up.
Drafting contracts is another opportunity lawyers can easily tap into. Now that sensitive and personal data is regulated, companies are signing contracts on how they share data with each other. Where an Indian vendor processes personal data on behalf of an EU client, GDPR requires a written controller-processor contract setting out, among other things, the subject matter and duration of the processing, the processor's security obligations, and what happens to the data at the end of the contract. Because India has no EU adequacy decision, transfers of personal data to India also need an approved safeguard, most commonly the standard contractual clauses, which become part of the contract. Selling, transferring or exchanging such data has to follow GDPR, and these agreements carry specific terms to allocate liability.
Past contracts are also being renegotiated to comply with GDPR. Most major contracts should take GDPR aspects, particularly the transfer of data, into account. For instance, an M&A lawyer drafting contracts for the acquisition of a company in the EU or with a major EU clientele now needs to think about GDPR issues and address them in the agreement. An insolvency lawyer dealing with assets in the EU needs to consider the implications of GDPR when liquidating assets.
How can you break into this market
Big 4 consulting firms (EY, KPMG, Deloitte, PwC) are heavily invested in this work as of now. Large law firms are also providing services related to GDPR, and many of them have set up specific teams to deal with it. Knowledge of GDPR is therefore highly sought after and appreciated in any lawyer these days, whether you want to work for a law firm or a company.
However, there are various MSMEs and companies that find the charges of big law firms and big 4 consultancies very steep and would prefer a young lawyer or consultant who can demonstrate that they have the requisite knowledge and experience with this kind of work.
There is a lot of potential for growth and opportunities in this area.
It is a great opportunity for young professionals to make a mark in this domain.
Moreover, as we get closer to a GDPR-like Indian data law being introduced, it is only logical that whoever is an expert in GDPR will be in a hugely advantageous position when that law becomes a reality.
Is this the right time for you to get into this area of practice? It is early days, and you will not face too much competition. So our verdict is yes, this is a great time.
How can LawSikho help if I want to learn GDPR and make a career around it
We train you to do all the work described above in our unparalleled technology law course.
Check out our specialised diploma course in technology law which deals with all aspects of technology especially data laws and the GDPR.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities.