50 Shades of GDPR:The Startup Scenario

Adhya Dagar
5 min readJun 11, 2018


It didn’t take a second for me to agree to the terms and conditions for use and to go through the revised privacy policy of DataCamp ,Coursera and Instagram , the list is endless. Had I been this quick with my NetCom syllabus there would have been a curvy S instead of a straight A.

Disguised as my trust on these big Silicon Valley giants, emails flooded my inbox and came wrapped inside the fact that with this one tick I was giving consent to share my personal information-name, mobile number, email, gender, information that I would otherwise think twice about before sharing.

Are these big tech and consultancy companies leveraging our trust in them to misuse our information?

I’ll come back to this point later in the passage.

Facebook just saved itself from a $1.6 billion fine thanks to the European General Data Protection Regulation (GDPR) which came into effect on May 25, 2018, two months after Facebook founder and CEO Mark Zuckerberg endured 2 days and 10 hours of public grilling in Washington D.C.

Thycotic’s chief security scientist Joseph Carson mapped the essence and consequences of GDPR very clearly, he stated, “This is exactly why EU GDPR has been put in place to protect EU citizens’ personal information and ensure that companies have explicit consent to use personal data. Let’s think about this — if only the data breach had occurred after May 25th, 2018, and if any of the 50 million impacted users had been EU citizens, Facebook would have been facing a potential whopping $1.6 billion financial penalty from the EU. I believe that would change Facebook’s priority on ensuring data is not being misused. This is going to be an example on what could have been if GDPR was enforced.”

However the kink in this road to protection of one’s right in respect to how their personal data is processed is that individual’s and organisations across the globe are not entitled to follow the steps of GDPR. “For example, if a U.S. citizen was residing in an EU country, their data would be governed under GDPR when it goes into effect. Citizenship is not the criteria used to determine application of GDPR. Residency is, though, and that makes it far more complicated for companies to determine which of the individual records they have are or are not under the mandates of GDPR.”The GDPR rules do not protect people outside the Union.

Hopefully, GDPR will help chasten these Fortune 500 oligarchs but will it be benefiting the small scale companies or ‘startups’ as it has been trending in the tech savvy world these days.

Back to what I discussed in the beginning, how we are more likely to refrain from sharing the same information we share with a popular news site with a lesser known, small scale startup let alone our dubious doubts questioning their authenticity.

How does this affect the innovation ecosystem ?

The point that we are overshadowing is that large companies may have more stringent requirements and this gives its relatively smaller competitors a nascent arena to spread its aroma.

Those companies with fewer than 250 employees are required to hold internal records of processing activities if the processing of data could risk an individual’s rights or freedoms, or if it pertains to criminal activity.

For those with more than 250 employees, more detailed records need to be kept.This gives their relatively smaller counterparts a less severe escape.Hence, they might draw towards them more business opportunities as the risks are less and the impact assessment is on a relatively smaller scale.

This might also eliminate the need of a Data Protection Officer and thus cut costs in startups however if the central purpose requires “regular and systematic monitoring of data subjects on a large scale” then you must appoint a data protection officer.

Startups across different coordinates will be affected differently.

The Indian scenario falls victim to this new regulation due to the lack of strict rules and a clearly outlined data security and privacy act. The Indian IT Act 2000 fails to meet the international standard of information security which, if not regulated and updated will cease business transactions.

India has had a peculiar economic structural transition.India’s outsourcing industry, which is estimated to be worth over 150 billion USD, contributes nearly 9.3% of the GDP. Economic Survey reveals a top down structure of economy with 66.1% contribution of services sector to GDP. Out of this, information technology — business process management (IT-BPM) sector “is expected to touch an estimated share of 9.5% of GDP and more than 45 per cent in total services exports in 2015–2016 as per NASSCOM.”

“Major markets for IT software and services exports are the U.S. and the U.K. and Europe, accounting for about 90 per cent of total IT/ITeS exports”. According to NASSCOM estimates for 2014, UK and Continental Europe respectively accounted for 17.4% and 11.6% of India’s IT/ITES services export.

Given the criticality of IT–BMP services, India must do all it can to protect and promote business in this sector. To a large extent, future of business will depend on how well India responds to the changing regulatory changes unfolding globally. The EU has been one of the biggest markets for the Indian outsourcing sector and India’s relatively weak data protection laws make us less competitive than other outsourcing markets in this space. Hence, unlike big firms like Amazon, Apple, Facebook, and Google which require their consumers to log into their services already have the infrastructure in place to streamline the consent-giving process whereas polices need to be designed from scratch and a lot of monetary fund and human effort will have to be put in to ensure required protection and the continuity of business in the case of new Indian Startups.

However International Startups which already adhere to these standardised norms are better off and are front runners ready to grasp the opportunity.

Suffering the most amidst this will be a startup who’s growth model is based on aggressive marketing techniques. This is because a startup will need to gain explicit consent to process and send marketing material to individuals using their personal data. This consent can be revoked at any time and the data must, if requested, be deleted.It’ll be difficult for organisations to get their hands on third-party data lists as their access will be limited and building and maintaining a marketing database will become a slower process with a lot of risks in its scope.

Connecting the dots,I believe any organisation which adapts to proper security measures and is not entirely involved in dealing with marketing and publicising will flourish and remain unaffected.

Howsoever convoluted GDPR is, it was essential keeping in mind how data has been misused and the scale of various data breaches nowadays.



Adhya Dagar

Computer Science Engineer| AI for Social Good| Social Entrepreneurship| linkedin.com/in/adhya-dagar/