The jargon surrounding the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, has been troubling Indian corporates for some time now. The "stick" policy adopted by the European Union (EU) with respect to data protection has scared corporates the world over. With the advent of the web, the world has shrunk; laws framed in one region are no longer confined to that territory but have a worldwide effect. The GDPR is one such piece of legislation which, owing to cross-border business, has the potential to affect businesses the world over.
The GDPR was adopted by the EU in 2016 as an attempt to upgrade the data protection regime then in force in the region. It entered into force in May 2016, and a transition period of two years was given to corporates and multinationals to comply with it before it became applicable on 25 May 2018.
The GDPR protects the personal data of individuals in the EU. If such data is shared with a company based outside the EU, the company collecting the data is responsible for complying with the GDPR. This is where companies situated in India come into the picture. Indian businesses, owing to their global interactions, collect the personal data of EU-based individuals on numerous occasions. They are now required to be GDPR compliant before they can do so. The GDPR imposes heavy penalties on those who fail to comply and has therefore triggered concern among Indian corporate giants.
Let us discuss the key features of the GDPR and the measures Indian companies should take in order to become GDPR compliant.
Key features of GDPR
(a) Important definitions
(i) Data controller: The data controller is the party which determines the purposes and means of processing the personal data, that is, why and how the data is to be used. Typically, it is the party which collects the data from the individual and shares it onward. However, both parties to a data sharing transaction may be data controllers, each determining its own purposes (joint controllers).
(ii) Data processor: A data processor is the party which processes the data on behalf of the data controller and according to the documented instructions given to it by the data controller.
(iii) Data subject: The person whose data is being collected is termed the data subject.
(iv) Personal data: Personally identifiable information is called personal data. Information such as name, contact details, address, identification number, location data, online identifiers or any other information which can be used, directly or indirectly, to identify an individual is treated as personal data.
(b) Accountability
Both data processors and data controllers are required to demonstrate that they are complying with the GDPR. For this purpose, records of processing activities are required to be maintained and appropriate technical and organisational measures for data protection are to be adopted. Data protection impact assessments are also required to be carried out, where processing is likely to result in a high risk to individuals, to assess the impact of the company's activities on data privacy.
(c) Breach notification
The GDPR has introduced a very effective rule which mandates that data controllers notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay. Non-compliance with this requirement attracts heavy penalties.
(d) Obligations on data processors
The GDPR imposes obligations not only on data controllers but also on data processors. Data processors are required to adopt and implement adequate security standards for data protection, to process data only on the controller's documented instructions, and to inform the data controller without undue delay if a breach occurs. If they fail to comply, they face punitive action under the GDPR.
(e) Fines and enforcement
The teeth of the GDPR are the massive penalties it imposes. It has significantly increased both the exposure to penalties and the quantum of fines that may be levied. For breach of obligations relating to record-keeping, security, breach notification, etc., a penalty of up to €10 million or 2% of the entity's total worldwide annual turnover for the preceding financial year, whichever is higher, may be imposed. For violation of the basic principles of processing, data subject rights, cross-border transfers, etc., a penalty of up to €20 million or 4% of the entity's total worldwide annual turnover, whichever is higher, may be imposed.
(f) Data protection officer
Another novel aspect of the GDPR is the role of the data protection officer. A data protection officer is required to be appointed where the core activities of the entity involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of personal data (such as health or biometric data). Data protection officers are required to have expert knowledge of data protection law and practice, and their task is to monitor and advise on compliance with the GDPR.
(g) Informed consent
The GDPR defines consent as "any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed". This indicates that where processing relies on consent, the prior consent of the data subject is necessary and such consent must be free and informed; pre-ticked boxes or silence do not qualify. To give greater protection, the GDPR also requires companies to be able to demonstrate how consent was obtained. A data subject may withdraw consent at any time, and withdrawal must be as easy as giving consent. Consent is, however, only one of several lawful bases for processing recognised by the GDPR; others include performance of a contract, compliance with a legal obligation and the legitimate interests of the controller.
(h) Data subject access requests
Data subjects can request and obtain access to their personal data, together with information on how it is being processed, including the purposes of processing, the recipients of the data and the retention period. The timeline for providing such access is one month from the date of the request, which may be extended by a further two months for complex or numerous requests, provided the data subject is informed of the extension within the first month.
Implications of GDPR on Indian corporates
The GDPR has extraterritorial reach, that is, any entity, whether located in the EU or elsewhere, that controls or processes the personal data of data subjects in the EU is required to comply with the GDPR where the processing relates to offering goods or services to those data subjects or to monitoring their behaviour within the EU. Hence, the threshold for triggering GDPR compliance is met as soon as an Indian entity collects the personal data of an EU-based individual in connection with such activities. Corporates in India these days carry out numerous cross-border transactions and deals, and there is a free flow of resources, including human resources, across borders. In such a situation, hardly any company can claim that it never collects the personal data of an EU-based individual. Even something as simple as collecting the details of a conference delegate or sharing a visitor's details with a cab service can trigger GDPR compliance. Hence, Indian companies need to strengthen their data protection frameworks in order to become GDPR compliant. Indian companies may adopt the following measures in order to boost their data protection infrastructure:
(i) Have a strong data protection clause built around the GDPR in all their contracts.
(ii) Collect personal data only with the prior consent of the data subject, or on another lawful basis recognised by the GDPR, and keep a record of that basis.
(iii) Have strong technical and organisational safeguards to protect data, such as encryption, access control and the ability to detect and report breaches within the 72-hour window.
(iv) Appoint data protection officers where required by the GDPR.
(v) Have a strongly worded data protection policy embodying the GDPR; such a policy should be circulated, and employees should be trained on it and made aware of it.
Apart from the above, Indian companies should also have strong data protection measures in place and should ensure that the personal data being collected is not leaked in any manner. It is also advisable to enter into written contracts with any sub-processors of the data, as the GDPR requires, confirming that they are GDPR compliant and bound by the same obligations. In this way, Indian corporates would be able to mitigate the risk of facing penalties under the GDPR.
Bhumesh Verma is Managing Partner at Corp Comm Legal and Soumya Shekhar is Research Associate.