
Increased focus on data protection to drive up compliance costs for startups

With the Justice B N Srikrishna report and the EU’s General Data Protection Regulation laying down stringent rules on how user data is processed by companies, startups have no choice but to fork out more to avoid hefty fines.

The Central government plans to table the draft B.N. Srikrishna committee report in the winter session of the Parliament, and startups in India will have to pull up their socks and seek measures to protect user data.

The operating costs of the startups in India, especially those in the fintech sector, could go up by as much as 10 percent as the report has listed out stringent regulations on how personal data can be collected and used.

V Balakrishnan, Chairman, Exfinity Ventures, says, “The cost for startups may go up by five to 10 percent. Under the recommendations of the committee, startups will have to make sure that the private data they procure is secure. This will incur a lot of costs in the area of compliance and technology.”

This wake-up call comes at a time when startups aspiring to work with European countries are grappling with the ramifications of the General Data Protection Regulation (GDPR), introduced by the European Union (EU) two years ago and implemented a couple of months back. The GDPR protects the privacy and data of EU citizens, both within the EU and when the data is used in international business. Although the US currently does not have a single piece of legislation or a single regulator that deals with data protection, it addresses the issue through other regulations that are specific to a sector, like healthcare.

So the cost of doing business both within India and outside will rise. But it is not just money; startups will also have to bring on board experts who will help them make sense of it all.

“More than the cost of compliance, startups must worry about appointing a person who understands and documents their technology architecture,” notes Smriti Tipirneni, associate partner with Burgeon, a law firm.

The cost of compliance

If data flows through the platform of a particular startup, then it becomes the collector, or a custodian, of the information, even if not the one processing the data. So in all the ambiguity that comes into play, especially where several businesses work together, the cost of compliance becomes a matter of concern. Investing in a sound chief data scientist or data architect to toe the line makes sense for startups.

The Srikrishna Committee report has recommended that companies processing large amounts of data register themselves with the Data Protection Authority, which would mean regular company audits and the requirement of a data protection specialist.

But they don’t come cheap. A top-notch data executive, for instance, will come at a price of $50,000 per annum. This is a significant but avoidable cost for a startup now.

At a time when they are just getting their fledgling business up and running, this five to 10 percent rise in costs can be uncomfortable for startups, seeing that they have to devote a considerable amount of their resources to sales and marketing. “Startups are starved of capital and now they would have no choice other than raising some more money from their investors,” says Balakrishnan.

Fintech takes a blow

Among the startups in the country, it is the fintech segment that is handed the biggest blow, as it collects the most vital data. Bhavik Hathi, Managing Director, Alvarez & Marsal, a global professional services firm, based out of Mumbai, says, “The business model of the fintech companies is likely to change as the old way through which they were collecting data will undergo a change. They will need to re-engineer.”

However, industry observers believe that the recommendations of the Srikrishna report are a step in the right direction, given the mounting global concern over how data is being harnessed and used, especially in light of the controversy surrounding Facebook from earlier this year. Fintech startups have their work cut out for them since they also work with banks and NBFCs in the collection and dissemination of data. The expectation is that until there is a clear picture of how the proposed law is going to be implemented, there might be a slowdown for the fintech segment.

Bhavik opines that the cost of acquiring customers for fintech companies is likely to go up as they will have to change the manner in which they are collecting data.

Experts believe that while exceptions may be given to sectors such as healthcare or education on how they source data, it is unlikely that fintech companies will have any such relief.

Indian startups, especially those that use technology that processes data, are already getting their act together. Anirudh Shah, co-founder of Hyderabad-based AI startup 3LOQ, says, “All startups that work with machine learning and artificial intelligence use data as the primary source to build technology and business model. We are working with lawyers to understand how we can use the data.”

They are left with little choice but to comply, as failure to do so will attract hefty fines. Hrishikesh Datar, founder of Vakil Search, says the fines for non-compliance with GDPR can run up to 20 million euro, or four percent of the total turnover (whichever is higher). This is definitely steep.

Time to take stock

The forthcoming data protection law in India as well as the EU’s GDPR are steps in the right direction to protect user data and ensure citizens’ privacy in an increasingly borderless world with limitless opportunities. But a lot of Indian startups are not prepared for it yet. In the case of GDPR, B2B startups that operate in Europe are the ones most likely to be affected. Given that they had two years to prepare themselves, startups now have no excuse: they must comply or face hefty fines.

Then there are all the implications of running a global website. “Startups are forgetting the fact that one does not have control over the geographical location of visitors (unless the website is limited/available to certain geographies) to any website, and hence all websites could potentially be at a risk of non-compliance,” says Hrishikesh.

The reality is many startups may be homegrown and organic but foster the aspirations of becoming global providers of solutions. It is pertinent, therefore, that they ready themselves from the start to make the sacrifices required to shine in the international scene.