WHAT IS GDPR?
The General Data Protection Regulation (GDPR) is the core of Europe's digital privacy legislation. It was adopted and approved by the European Parliament in April 2016 and took effect in May 2018, replacing the 1995 Data Protection Directive, which had been in force since the internet was in its infancy. It is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also acts as a watchdog over the transfer of personal data outside the EU and EEA.
WHY WAS GDPR INTRODUCED?
The objective of GDPR is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. GDPR was adopted to harmonise data protection and privacy requirements across the EU. Many other countries have either implemented data protection requirements or are in the process of considering them.
WHAT IS GDPR COMPLIANCE?
Data breaches inevitably occur, releasing information to people who were never intended to have access to it and who may have malicious intentions. Applying the GDPR to organisations ensures not only that personal information is gathered lawfully but also that it is protected and prevented from being misused. The rights of data owners are protected, and if their information is exploited, penalties are levied under GDPR.
WHAT IS PERSONAL DATA UNDER THE GDPR?
Personal data is any data relating to a person who can be identified, directly or indirectly, by an identifier; names, addresses and photos amount to personal data. IP addresses, identification numbers, location data, online identifiers and sensitive personal data such as genetic data and biometric data, which could be processed to uniquely identify an individual, are also covered under GDPR.
WHO DOES GDPR APPLY TO?
• GDPR applies to organisations operating in the EU and to organisations outside the EU which offer goods or services to customers or businesses in the EU. The legislation applies to two different types of data handler: processors and controllers.
• A controller is a person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data, while the processor is a person, public authority, agency or other body which processes personal data on behalf of the controller.
• GDPR ultimately places legal obligations on a processor to maintain records of personal data and how it is processed, carrying a much higher level of legal liability if the organisation is breached. Controllers are also required to ensure that all contracts with processors comply with GDPR.
WHAT ARE THE GENERAL PRINCIPLES OF GDPR?
• Processing should be done lawfully, fairly and in a transparent manner. In particular, for processing to be lawful, at least one of the prescribed requirements under GDPR must be met, such as: the Data Subject has consented to the processing; processing is necessary for the performance of a contract to which the Data Subject is a party; or processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
• Personal Data should be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (except where specifically permitted under GDPR), and it should be adequate, accurate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
• Personal Data should be kept in a form which permits identification of data subjects for no longer than is necessary.
WHAT IS GDPR BREACH NOTIFICATION?
• When there is unauthorised access to or loss of personal data, organisations must report it to the relevant supervisory authority. In some cases, organisations must also inform the individuals affected by the breach.
• Organisations are obliged to report any breaches which are likely to result in a risk to the rights and freedoms of individuals and could lead to discrimination, damage to reputation, financial loss, loss of confidentiality or any other economic or social disadvantage.
• So, if the name, address, date of birth, health records, bank details or any other private or personal data about customers is breached, the organisation is obliged to tell those affected as well as the relevant regulatory body, so that everything possible can be done to limit the damage.
• This needs to be done via a breach notification, which must be delivered directly to the victims. This information may not be communicated only in a press release, on social media, or on a company website. It must be a one-to-one correspondence with those affected.
WHAT ARE THE GDPR FINES AND PENALTIES FOR NON-COMPLIANCE?
• Fines depend on the severity of the breach and on whether the company is deemed to have taken compliance and security regulations seriously enough.
• Failure to comply with the GDPR requirements can attract administrative fines of up to EUR 10,000,000 or EUR 20,000,000, or in the case of an undertaking, up to 2% or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, depending on the nature of the provisions breached.
WHAT IS GDPR’S CONTEXT TO BUSINESSES?
• GDPR is data privacy legislation with a set of rules applicable to companies doing business within EU member states, which international organisations must also comply with. It also brings benefits to businesses: the European Commission claims that having a single supervisory authority for the entire EU will make it simpler and cheaper for businesses to operate within the region, creating business opportunities and encouraging innovation.
• Organisations are also encouraged to adopt techniques that let them benefit from collecting and analysing personal data while the privacy of their customers is protected at the same time.
WHAT IS GDPR’S CONTEXT TO CUSTOMERS OR CITIZENS?
• It is unfortunate but inevitable that repeated hacks and data breaches occur in which data such as email addresses, passwords, social security numbers or confidential health records are exposed on the internet. Under GDPR, customers have the right to know when their data has been hacked, and it is the responsibility of organisations to notify the national bodies at the earliest so that EU citizens can take appropriate measures to prevent their data from being abused.
• Consumers are also promised easier access to their own personal data and to how it is processed, with organisations required to detail how they use customer information in a clear and understandable way. GDPR also brings a clarified 'right to be forgotten' process, which gives people who no longer want their personal data processed the right to have it deleted, provided there are no grounds for retaining it.
OPPORTUNITIES DUE TO GDPR
• Indian IT companies are the second largest, after the US, in serving the EU market and must comply with GDPR, which makes it a massive business opportunity rather than a compliance burden. Indian companies shall stand out as leaders in providing privacy-compliant services and solutions due to GDPR.
• The 'adequacy requirements' under the GDPR allow the European Commission to consider whether the legal framework of the country to which personal data is to be transferred affords adequate protection to data subjects in respect of the privacy and protection of their data.
CHALLENGES POSED WITH GDPR
• The EU has been one of the biggest markets for the Indian outsourcing sector, and India's relatively weak data protection laws make India less competitive than other outsourcing markets in this space. Also, Indian companies would need to implement sufficient safeguards, as required under the GDPR, in order to receive personal data transferred outside the EU, further increasing compliance costs.
• GDPR applies regardless of whether or not the processing takes place in the EU. This means no business for Indian companies that do not comply with the GDPR, increased compliance costs for those that do, and the risk of huge penalties on failing to comply.
COMPLIANCE EFFORTS ON THE PART OF THE INDIAN ORGANIZATIONS
- Develop a vision and strategy for compliance with the GDPR.
- Assess gaps between your current compliance programme and the requirements of the GDPR, and analyse risks.
- Create an accountability framework for data protection compliance.
- Develop the operational structures needed to facilitate compliance.
- Document processing activities and data flows.
- Review lawful processing bases and third-party contracts.
- Create processes for privacy by design and privacy impact and risk assessments.
- Identify and prioritise key remediation activity to reduce your risk profile.
AREAS OF FOCUS UNDER GDPR
- Data processing
- Notice and consent
- Data subject rights
- Cross-border data transfer
- Third-party and vendor management
- Transparency of information and communication
- Data security, storage, breach, breach notification
- Training and awareness
PREPARATION OF INDIAN ORGANIZATIONS FOR GDPR
- Review policies, procedures and existing privacy programmes;
- Conduct data discovery exercises and maintain documentation in order to demonstrate visibility of the personal data processed;
- Impart data privacy training to employees or subcontractors;
- Implement processes to perform data protection impact assessments (DPIAs), manage data subject requests, privacy by Design, etc.;
- Review/update contracts signed with third-party vendors.
TECHNOLOGIES TO BE FOCUSED ON FOR GDPR
• Pseudonymisation and encryption required while processing personal data;
• Reviewing and updating configurations of data loss prevention (DLP), Security Information and Event Management (SIEM) and other technical solutions;
• Equipping the security ecosystems with effective identity and access management solutions;
• Reviewing data retention schedules, cross-border data transfers, privacy notices, consent, etc.;
• Logging, monitoring and incident management solutions;
• Investing in systems to carry out data discovery exercises to determine what PII is handled within the organisation, and how and where (specifically unstructured data, i.e. PII stored on local workstations, in emails, on file servers, etc.), will help Indian companies enter the GDPR regime smoothly.
GDPR COMPLIANCE CHECKLIST
1. Records of Processing Personal Data Activities
As per Article 30, the information to be recorded by the controller and processor shall be in writing. Where personal data is transferred to third countries or international organisations, those third countries and international organisations should be identified, along with the safeguards taken to ensure the safety of the personal data in such cases.
2. Determine whether the company is a data processor or a data controller
Article 24 of the Regulation addresses the "Responsibility of the Controller". Paragraph 1 of the article lays an obligation on the controller company to implement appropriate technical and organisational measures to ensure compliance with the Regulation. Article 28 elaborates on the processor and its obligations both towards the controller and towards the data subject.
As per Articles 12 to 14 and 19, Indian companies have to update their internal procedures to be GDPR compliant. One of the procedures they must adhere to is issuing notices to, and obtaining consent from, data subjects (identifiable natural persons: citizens/customers).
4. Rights of data subjects (identifiable natural persons: citizens/customers)
• Under Article 15, the data subject has the right to access any information about the data obtained by the controller from the data subject, and also has the right to be notified if their personal data is being transferred to a third country or international organisation.
• Article 16 gives the data subject the right to have their personal data rectified.
• Under Article 17, the data subject has the right to request that the controller erase any personal data pertaining to them, and the controller is obliged to do so without undue delay.
• Article 18 gives the data subject the right to restrict the processing of their data by the controller.
• Article 20 enumerates the data subject's rights in relation to the portability of the data they provided to the controller, and how they can obtain it from the controller and transfer it to another party.
• Article 21 gives the data subject the right to object to the processing of their personal data.
• Article 22 gives the data subject the right not to be subject to profiling resulting from the processing of their data. If an Indian company succeeds in incorporating all these rights into its framework, it will be GDPR compliant.
5. Update the security incident management processes
• Ensuring the security of the personal data of natural persons in the EU is at the core of the GDPR guidelines.
• Article 33 lays down that in case of a personal data breach the controller shall without delay (not more than 72 hours) notify the supervisory authority of the personal data breach. The controller has an obligation to document data breaches, their effects and the remedial action taken.
• Under Article 34, when there is a personal data breach, the controller has the responsibility to communicate the breach to the data subjects without undue delay.
6. Working of the Data Protection Impact Assessment (DPIA)
• Article 35 provides for a data protection impact assessment, carried out by the controller to assess the impact of the processing of data, especially if a new processing technique is used and the risk to the rights and freedoms of natural persons is high.
• Article 36 obliges the controller to consult the supervisory authority prior to processing where a high risk is present.
7. Appointment of a Data Protection Officer
Articles 37, 38 and 39 are the provisions dealing with the appointment and functioning of the data protection officer.
8. Displaying legitimate interest as to why the Personal Data is being collected and how the company intends on using it
• Recital 47 of the GDPR explains that a legitimate interest could exist:
i. Where there is a relevant and appropriate relationship between the data subject and the controller, such as where the data subject is a client of, or in the service of, the controller.
ii. Where the processing of personal data is strictly necessary for the purposes of preventing fraud; this also constitutes a legitimate interest of the data controller concerned.
iii. Where personal data is processed for direct marketing purposes; this may be regarded as carried out for a legitimate interest.
The implementation of GDPR ensures transparency and that personal data is safeguarded. Hence the Regulation mandates that disclosures are made to the data subject as to the purpose of collecting the data.
9. Transferring personal data outside the European Economic Area (EEA)
10. Policy language
Privacy policies should be clear and easy to understand for individuals who have no knowledge of privacy law. A translation of the policy into the relevant local language should be made available if the website targets users in different countries.
The compliance requirements will be significantly simpler and easier if the Data Protection Bill (2019) is passed and the provisions in the Bill are accepted by the EU as adequate for the protection of personal data. In the event of this acceptance, India stands to gain a lot of benefits. It will have a positive impact on the IT sector and will also ensure that the personal data of its citizens is protected. Therefore, companies with business interests in the EU should take a comprehensive look at evolving their data protection practices, not just to be GDPR compliant but also in preparation for a more stringent data protection regulatory framework likely to be introduced in India in the near future.