GDPR and its Implications on India Inc.
Mark 25th May, 2018 on your calendars as the advent of General Data Protection Regulations (“GDPR”), which is a complete overhaul of personal data privacy rules since the birth of the Internet. And while it is applicable primarily to those residing in the European Union (“EU”), in this digital age, it might require even companies operating outside the EU to change the way they do business for a variety of reasons. In itself, GDPR is replacing an outdated EU data protection directive from 1995 with the intention of giving more control to individuals over their personal data by putting forward the most comprehensive set of rules to strengthen data protection and privacy of users.
The purpose of this article is to address the proverbial elephant in the room on how GDPR affects India Inc.
As an Indian business entity, does GDPR affect you?
The short and simple answer is, yes. But only if your business entity deals with data relating to individuals residing in the EU.
GDPR applies to every entity to the extent that it processes or controls the processing of personal data relating to individuals residing in the EU. It does not matter if the processing is done from within the EU or outside. To determine whether you as an Indian business need to worry about GDPR, here are two questions to ask:
- Does your entity process or can your entity be deemed to be processing data governed by GDPR in any manner from within the EU? Even if it is through a small branch or a subsidiary?
- Does your entity process personal data pertaining to those residing in the EU – even if they are not citizens of EU nations – either from within the EU or outside?
By now you must be wondering what personal data is or when you will be considered to be “processing” such data. Read on to find out.
What does GDPR cover?
Like with most laws, GDPR has used a number of technical terms, which it has gone on to define. We will highlight the five most relevant terms for the current discussion in as simple a language as we lawyers can muster:
- A Data Subject refers to an identified or identifiable natural person. It does not cover deceased persons or a corporate entity.
- Personal data means any information relating to a data subject, such as names, ID numbers, IP addresses, location, cookies, financial data, health data among others.
- Processing means collecting, recording, structuring, storing, erasing, altering personal data, among others, whether or not by automated means.
- A Controller determines the purposes and means of processing personal data.
- A Processor processes personal data on behalf of the controller.
The new law codifies certain requirements for the handling and protection of data, such as the introduction of stricter conditions for consent; a broader definition of sensitive data; new provisions for protecting children’s privacy; a mandatory obligation to report a breach; and the inclusion of the “right to be forgotten”.
What would you need to do to be GDPR compliant?
While we are listing some of the steps that an Indian business needs to take to be GDPR-compliant, it is pertinent to note that GDPR is not like typical prescriptive regulations. GDPR is guideline-driven and, therefore, requires the formation of policies and the setting up of internal processes and measurable controls to provide reasonable assurance to business stakeholders as well as regulators that appropriate steps have been taken. Having said that, some key actionables are listed here:
- Identify the types of personal data stored by you.
- Analyse the use, purpose, means and recipients of such data.
- Have a record about the sharing of such data.
- Have a privacy-by-design program, i.e. by building privacy into the design, operation, and management of your business process in adherence to the principles laid down under GDPR.
- Have a road map for GDPR compliance.
- Adopt a cross-border data transfer strategy.
- Revise your third-party contracts in accordance with GDPR, to implement a breach-response plan that meets the 72-hour notification requirement under the GDPR.
If you do not comply with GDPR should you be worried?
GDPR imposes equal liability on both controller and processor. You will be non-compliant even if your third-party vendor/processor is not abiding by the Regulations.
Non-compliance with GDPR risks loss of business in addition to the colossal fine of the higher of 20 Million Euros or 4% of the annual global turnover of the business entity. Such penalties can have a crippling effect on most business entities, and such hefty fines may also lead to foreclosure because of bankruptcy.
If GDPR does not affect you should you still be concerned?
Even if GDPR does not apply to you today, the broad net that GDPR casts leads to the possibility of it becoming applicable to you in the foreseeable future. More importantly, the existing data privacy regime in India in the way of the Information Technology Act, 2000 (“IT Act”) is in itself fairly stringent and in many cases no less severe than GDPR. However, due to a lack of focus on implementing the IT Act by Indian regulators, most businesses here have managed to get away with merely paying lip service to it.
The present data protection regime in India covers principles of processing, collection of data, consent, sensitive personal data among others, which are not as exhaustive as the stringent principles covered under GDPR. In spite of several similarities between the legislations, the enforcement of GDPR brings in enhanced rights of profiling, rectification, restriction, erasure, objection to processing, among others.
India is moving towards a new regulatory framework for data protection and privacy. In Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors, the Hon’ble Supreme Court recognized the right to privacy as a fundamental right. Echoing the same view in a recently released white paper on data protection framework for India, the Committee of Experts has highlighted the importance of “consent” and use of data for the limited purpose for which it had been collected. The Committee has also suggested an overhaul of the IT Act, which provides for a quantum of fine that is insufficient to act as a deterrent. It is likely that once the new data privacy law is enacted, it will, in many cases, mirror the GDPR. It might, therefore, make sense for Indian businesses to start preparing themselves by taking stock of the GDPR requirements, even if they are not immediately applicable to them. In the second part of this article, we will cover the key similarities between GDPR and the Indian Information Technology Act.
For further queries or clarifications pertaining to GDPR compliance, please feel free to contact us at email@example.com
- Himanshu Daga (Senior Associate-Legal Operations)
- Vivek Chattopadhyay (Associate, Legal Operations)
- Sharanya Mukherjee (Associate, Legal Operations)