Will Data Protection Law be the next curveball for start-ups after GST?

Enterprises envisage a herculean task in complying with changes proposed in the new law as they scramble to ascertain specific requirements

What the goods and services tax (GST) did to businesses across the country, the proposed personal data protection law can do to the internet sector, especially to start-ups whose very business models thrive on customer data.

According to start-up founders and experts, these young companies and internet-enabled businesses would require substantial realignment of their operations and systems to comply with the proposed law. This is expected to extremely disruptive in the initial six to eight months from the date the bill is passed.

The personal data privacy bill, which aims at empowering consumers in terms of how their online data is used by organisations, was cleared by the Union Cabinet last week and would be taken up for approval in the ongoing session of Parliament.

According to the bill, any company collecting and using consumer data has to take explicit consent for every data point it wishes to use, clearly stating the purpose. And the data can only be used for the intended purposes for which they have obtained permission. Further, the bill also divides data into ‘personal’ and ‘sensitive’ data, and the latter has to be stored only in India.

As the bill seems all set to sail through, start-ups are in search for more clarity on rules and provisions, though some have already begun the arduous process of compliance.

“Over the past 10 months, we have been aggressively working towards improving our data storage and increasing the security of our systems,” said Akshay Mehrotra, co-founder and CEO at fin-tech start-up EarlySalary. Started in 2015, EarlySalary offers short-term loans to salaried professionals, and in order to identify them, the company depends on a great deal of data on the beneficiaries to determine their credit worthiness.  

“Four years back, our app would just have a pop up saying we are taking data. Now we explicitly explain to customers what data we are taking, and what is meant for, and they can choose not to share,” said Mehrotra.

The digital NBFC recently became compliant with PCI DSS (Payment Card Industry Data Security Standard), a global standard for lending and credit card companies. It is already compliant with guidelines mandated by the Reserve bank of India (RBI).

But there are several others tech-based start-ups for whom the data privacy law may lead to a bumpy transition. “If you look at start-ups, people (founders) haven’t organised their businesses and data formats in the manner in which data protection or privacy law proposes,” said Rameesh Kailasam, CEO at IndiaTech.org, a domestic think tank that counts Ola, PolicyBazaar and MakeMyTrip among its members.

“Currently, these firms looked at data to deliver the service(s) and run AI (on data) for business intelligence, but never from a compliance and consent stand-point. So, from day one, startups will have to be mindful of the kind of data they seek, their storage, (users’) consent, formalities around protection of data — all these will have to be seriously looked after,” said Kailasam.

Taking granular consent from users is not just the only requirement. The draft guidelines also make it mandatory for companies to store ‘sensitive’ personal data — passwords, bank account details, identification numbers, etc. — within India. This is the bigger hurdle that has left the internet firms, especially the global ones like WhatsApp, in a fix.

All companies use cloud to store and process information, which runs their website or mobile app. The cloud service is provided by tech majors like Amazon Web Services, Google, and Microsoft Azure, which have their data centres located across the globe. 

The way the internet firms or platforms operate is the websites or tools could be linked to any data centre in the world. What the proposed changes would mean them is, say experts, this flow of data will have to be altered, potentially resulting in higher costs for cloud service providers.

Indian companies, especially the MSMEs which are new to the internet, would require enough hand-holding as they transition operations as per the new law, said Pallav Kumar Singh, managing partner at Draconis Capital Future Fund, a startup investment firm. 

“They (the government) have left a lot of fine-tuning to the DPA (Data Protection Authority) which has been envisaged to decide on cases. The bill is bare and it’s just an essence of what is to come out. They haven’t yet defined the timelines or infrastructure,” said Singh, who has worked closely with MSMEs in his previous assignment.