This article is written by Ramanuj Mukherjee, CEO, and Kashish Khattar, Team LawSikho.
As a lawyer, if you are on the lookout for lucrative new emerging areas with massive potential, you cannot ignore data and privacy laws.
Around the world, data and privacy have emerged as major legal and regulatory flashpoints.
From congressional hearings in the USA to massive fines imposed by the EU on companies like Google and Facebook over violations of user privacy, the media has reported widely on data privacy, and the issue now sits firmly at the top of the public interest and policy agenda.
The younger generation has also grown up to see their private data as a currency, and they do not take privacy for granted at all, especially online.
There is a growing number of people who care a lot about privacy, to the extent that they may become a political force in the years to come.
Europe has been at the forefront of data protection, which to a great extent reflects the aspirations of the European population. For many in Europe, privacy has long been a priority. This led to the passing of groundbreaking legislation on data protection, which has affected not only Europe but businesses around the world, including here in India.
In data protection and privacy practice, the introduction of the General Data Protection Regulation by the European Union, better known by the acronym GDPR, has been a turning point.
It has also prompted other countries to look at adopting strong data protection laws of their own, including India, where a bill is pending in Parliament.
Currently the Indian data protection bill is before a joint parliamentary committee, and India could soon have its own data protection statute, most probably along the lines of GDPR.
We have been talking about how data and privacy will be a huge area of practice for a while now, but only after GDPR was introduced have lawyers seen a lot of work coming through the door regarding data privacy. Many law firms have set up entire independent verticals to deal with this kind of work.
Why should we care about GDPR in India?
The impact of GDPR was not restricted to Europe. Every business anywhere in the world that has European customers or any dealings with European businesses had to comply with GDPR.
Initially, most of the budget went into implementation of GDPR, in which the big 4 consultancies and a few other management consultancies played a role in India as well as in other countries. Lawyers initially played quite a limited role, perhaps because they were not prepared, at least as far as India is concerned.
However, there are now increasing levels of legal work, ranging from advisory to responding to notices and data breach incidents, as regulators begin to crack the whip and companies scramble to put their houses in order.
If you are a lawyer in India, it is probably worth spending some time figuring out how you could get a piece of this action and whether you have the skills that are needed to address this brand new market.
Notably, this is not a service that only big corporations require. Even small exporters and the vast majority of startups and MSMEs, for many of which Europe is an important market, must comply with GDPR. Not all of them can approach the big 4 or a big law firm, and that is where many opportunities are arising for individual lawyers and smaller law firms.
Also, interestingly, it is a truly global practice. An internet marketing company or a niche online media portal focusing on travel in Eastern Europe may be very happy to hire an Indian lawyer with the requisite expertise to do a GDPR audit or review their data protection practices.
As India and the rest of the world introduce laws modelled on GDPR, the demand for such services will continue to rise in the foreseeable future, perhaps even exponentially in the next few years.
It is a great time to gear up!
A few things about GDPR first
What is GDPR?
The General Data Protection Regulation is an EU regulation, which means that it is directly applicable in all EU member states. In the EU, GDPR replaces the earlier EU Data Protection Directive. GDPR requires protection of the Personally Identifiable Information (PII) of EU citizens.
The GDPR adopts a different approach towards protecting the data of natural persons: a rights-based, consent-driven approach to data protection.
It was adopted on 27 April 2016 and became enforceable on 25 May 2018, marking a new milestone for data protection all around the world.
How does it impact Indian businesses?
The regulation applies to the processing of personal data of a person (“data subject”) who is in the EU, regardless of whether the data is processed inside or outside the EU.
Basically, any business anywhere in the world that does any work or business with an EU data subject needs to comply.
Hence, if an Indian company holds data of any person based in the EU, it has to be in compliance with the GDPR. This includes companies that are generating leads from EU citizens, marketing to EU businesses or citizens, showing an ad to EU citizens online or even making a sales call to people or businesses from the EU.
If a company is found to be in contravention of the GDPR, the law provides for a heavy penalty of up to 20 million EUR or 4% of global turnover, whichever is higher. Additional compensation also has to be paid to natural persons whose privacy rights have been violated.
This is why no business can really afford to ignore or not comply with GDPR.
What are the sectors most impacted by GDPR in India?
According to a NASSCOM report, Europe is a substantial marketplace for the ITeS, BPO and pharmaceutical industries in India. The size of the IT industry in the top two EU member states (i.e. Germany and France) is estimated to be around 155–220 billion USD. Think of sectors like data entry and customer care, which handle so much personal data and generate so much work in the form of GDPR compliance. Then there is the telemedicine sector, which most likely will impact the pharmaceutical industry.
Thus, for the Indian IT industry to continue doing business in Europe, it needs to comply with the GDPR. Apart from the IT industry, there are sectors like advertising and banking which will need lawyers to help them process data for their EU clientele.
There is a lot of potential work for Indian lawyers if they know the work and the potential clients to look for.
What will your potential clientele look like?
- If you are not paying for the product, you are the product. Companies collect user data and in exchange give out free services. This data is used to show you targeted advertisements, to sell products you may want at any given time, or to predict what products or services you may buy. This strategy has been adopted by Big Tech giants like Facebook, Google, Microsoft and Amazon. It is only logical that these companies store loads of sensitive and personal data on their servers. These companies require and hire the best talent to guide them through the GDPR compliance process. Given that these companies are present in many countries and are massive in size, they also have a lot of audit work and training to do, apart from designing and following a GDPR compliance programme.
- Then there are freemium services which offer limited services in exchange for user data. A lot of large companies in the world, and the vast majority of apps on your phone, follow this model. Even for them, your contact details are very valuable, so that they can repeatedly contact you and convince you to upgrade from the free to the premium version. The success of their business also depends on proper GDPR compliance without compromising the lifeblood of their business: the supply of data from potential customers.
- There are media companies who collect personal data from their audience. A media company that relies heavily on advertising revenue and selling subscriptions would require lawyers to come up with a plan for compliance with the GDPR.
- All kinds of service providers and professionals, including lawyers, doctors, architects, auditors, analysts and consultants, who deal with data of their EU clientele.
- There are vendors and BPOs who may have European clientele and have to comply with this regulation.
- There are hotel and restaurant chains who ask for personal data of their clients.
- Then there are Indian import and export related companies which do business with EU clientele.
What kind of work will you be doing?
GDPR training
GDPR aims to protect the sensitive personal data of the citizens of the EU. This makes every company dealing with EU data subject to this extensive regulation. In order to understand the complexity, we will have to agree that every company, be it small or big, is like a living organism.
Companies have different departments taking care of the different needs of the business. The HR department takes care of human resources. Then there is the marketing department, taking care of sales and advertising of the product. A product design team is responsible for managing the final product of the business.
Needless to say, each and every one of these departments will be dealing with sensitive personal data of its customers in the course of their daily work. These customers will include citizens from the EU as well. The HR department will be the most exposed to such data, and a customer relationship team would also be handling it.
To understand the nuances of GDPR, the employees of every company should be trained in handling sensitive data. There is a massive opportunity for lawyers in organising GDPR training for every business and company that deals with EU data. A lawyer with specialised knowledge and experience in GDPR can conduct large corporate training sessions for the departments that engage with such data.
Data flow management
Preparing a data flow map should be the first thing a company does when it plans for GDPR compliance. This kind of map helps identify all the information a company holds and how it moves from one location to another. Further, it helps an organisation understand the gaps and vulnerabilities in its data protection and take the necessary steps to reduce security risks and unintended data leaks.
There are four key elements that have to be taken into account: data items (think names, email addresses and records); formats (a database, online data entries or hard copy forms); transfer methods (post, telephone records, internal and external correspondence); and location of data (stored in offices or in a cloud service, for example).
Each of these comes with its own risks. Databases can be hacked and made public. Storage devices can be stolen and the data compromised. Cloud services can be disrupted.
All in all, organisations have to be really sure what kind of data they are processing and storing. Having a data flow management system in place can do wonders, because anyone who has access to such data is a potential leak. A strong data flow map should come to the rescue every time.
Handling breaches
It can fairly be assumed that even with the best training and strategies in place, some breaches in handling sensitive data will take place. Limiting the exposure at this point is the role of the lawyer. This is a tremendous opportunity, as lawyers will be the ones negotiating with the authorities on one hand and counselling the client on the other. Clients will have to be counselled and trained so that they have the least possible exposure if a breach of such sensitive data takes place.
Fines
Prevention is better than cure. Advising clients on how to avoid adverse circumstances is the norm; however, handling and extinguishing fires is also the job of a lawyer. GDPR fines are massive and can hit any business to the core.
It would be valuable to teach the various stakeholders and in-house lawyers of the company about these fines. The point is to understand how these fines should be handled and minimised when such a situation arises. Preventing such fines is already a huge opportunity, but lawyers should also know how to do substantial damage control when the need arises.
Advisory
Advisory work is like bread and butter for a lot of lawyers. GDPR advisory work would entail advising companies on their exposure and liability in their future projects. Lawyers can be expected to analyse the kind of exposure that a company or business has in its existing projects too. Lawyers will be expected to advise on the various policies, processes and procedures of a company which deals heavily with EU data.
Data protection officers
Lawyers who have technical expertise in GDPR can be appointed as data protection officers. GDPR mandates that every organisation that handles personal data should have a data protection officer. The size of the organisation is irrelevant, but the size and scope of its data handling is not. These data protection officers are responsible for overseeing the company's strategy and implementation to ensure compliance with GDPR requirements.
Drafting of contracts and privacy policy
Drafting contracts is another opportunity which a lawyer can easily tap into. Now that sensitive and personal data is regulated, companies will be signing contracts on how to share this data with each other. Selling, transferring or exchanging such data would have to be done in accordance with GDPR, and these agreements would need specific terms and conditions to cover liabilities.
Moreover, when it comes to privacy policies, companies are mandated to disclose what kind of private information is being collected, how they intend to collect it, what the data is being used for, how it is being secured and what kind of control the user has over it. Further, privacy policies will have to be drafted in accordance with the GDPR, which mandates that these policies be written in a concise, transparent, intelligible and easily accessible way.
How can you break into this market?
Big4 consulting firms (EY, KPMG, Deloitte, PwC) are highly invested in this work as of now.
However, there are various MSMEs and companies who would not say no to a young lawyer or consultant who can demonstrate that they have the requisite knowledge and experience with this kind of work. There is a lot of potential for growth and opportunities in this area.
It is a great opportunity for young professionals to leave a mark and make a name for themselves in this domain.
Moreover, as we get closer to a GDPR-like Indian data law, it is only logical that whoever is an expert in GDPR will be in a hugely advantageous position.
The timing is just right for anyone to break into this domain.
This is where LawSikho can help.
We offer courses that can help you become a better technology lawyer and help companies with their tech and data related work.
We have a specialised diploma course in technology law which deals with all aspects of technology especially data laws and the GDPR. You can also check out the certificate course in technology contracts.
Have you heard about our webinars?
LawSikho offers amazing webinars that you can attend and learn from, free of charge, every day. Now we are even giving certificates to those who attend the full webinar. Check out some of our past webinars here: https://www.youtube.com/c/LawSikho/
While you can watch past recordings of webinars on our YouTube channel, participating in one live is quite a different experience, as you can ask questions and interact with such amazing speakers and even other attendees. How can you attend these webinars live? Sign up over here.
LawSikho has created a Telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: