Indian Startups Struggle to Comply With GDPRCybersecurity Companies Outline the Challenges
With the European Union's General Data Protection Regulation now in full effect, cybersecurity startups in India are facing their own set of challenges. While many have complied with the regulations as much as possible, some have for now put on hold plans to expand into the European market.
For many startups, the journey on the path to GDPR hasn't been easy, especially in light of ambiguities in the law.
"It has definitely not been an easy journey [toward GDPR compliance] as there have been multiple interpretations of a particular clause," says the founder of a startup providing cybersecurity auditing services, who asked not to be named. "I am sure the case is more or less the same for big firms as well. However, for startups like us it becomes tough to comply. So for now I am not looking at the European market. Hopefully we should get more clarity with time. I'm hoping to expand in European market in the next three years." (See: GDPR: Payments Sector Compliance Challenges )
A few Indian startups have blocked access to their websites from the EU.
Meanwhile, some startups that serve Europeans have made GDPR compliance a top priority.
"We basically deal with security as a service, and thus GDPR becomes one of the key parameters for committing toward the success of our customers," says Sandip Kumar Panda, CEO and co-founder at InstaSafe. "We have done proper research and analysis on GDPR, which has resulted in a continuous improvement process for our products, services, documentation and contracts to show our own compliance to GDPR requirements."
But other startups have yet to comply, thinking they are too small to get noticed by auditors. These companies will only understand the seriousness of GDPR compliance when they hear about a company of a similar size getting slapped with a noncompliance penalty, some security experts say (see: Europe's Strong GDPR Privacy Rules Go Into Full Effect )
"I agree that compliance means a huge cost for startups, but they should avoid getting around the law," says a venture capitalist who has invested in three cybersecurity startups, who asked not to be identified. "I am aware of companies who are dealing with European clients but not signing any formal agreement [in an effort to] stay away from the prying eyes of auditors. Their argument is that they are too small to get noticed by auditors."
He warns startups against such practices. "At some point in time, one has to start complying because I am sure every startup wants to grow their business. Yes it's a burden on the balance sheet, but I'm not sure if this [noncompliance] game plan will work in the long run," he says.
For Dhruv Khanna, CEO at Data Resolve Technologies, a startup that builds products around insider threat management, the biggest challenge has been deciphering the law's requirements. "There are multiple interpretations of a single clause. So yes, there is no uniformity as of now," Khanna says.
What to Expect
Security experts say startups need be prepared to answer certain specific questions from their European clients, such as what data is stored, who has access to it, how the data is used and what steps are taken to keep it secure.
"One has to have proper answers so that the trust that we wish from the customers can be achieved," says Panda of InstaSafe. "This brings the need for proper documentation, and that, I feel, is a big challenge, because every aspect of GDPR compliance needs to be documented eventually to become fully compliant."
InstaSafe had to restructure their business model toward being consent-based, Panda notes. "Also, in order to make us and our customers more GDPR compliant, we are constantly updating them regarding how our business model is letting them keep their data secure and easily accessible by the selected people," he says.
Prashant Pandey, CTO with Kratikal Technologies, a startup cybersecurity company providing end-to-end solutions, says the company, to become GDPR compliant, had to revamp employee contracts to include nondisclosure agreement in various clauses. "Our employee as well as NDAs and other documentation had to be modified to factor in the recommendations of GDPR," he says. "As a cybersecurity firm specializing in compliances like GDPR, legal documentation is the only challenge."