By: Sharanya Ranga and Probal Bose
What is the GDPR?
In the digital age, where data is the new oil, data protection and data privacy as a right have become critical issues because of the far-reaching ways in which data is collected, stored, processed and used (or brokered). The European Union’s (EU) General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018, brings in a binding regulatory framework for the protection of personal data and the privacy of individuals in the EU. The GDPR sets out a stringent framework for the processing and protection of personal data and introduces new compliance obligations for businesses handling the personal data of users, replacing the 1995 Data Protection Directive (Directive 95/46/EC). Being a regulation rather than a directive, it applies directly in every member state without the need for national implementing legislation.
Scope and applicability
Personal data refers to any data relating to an identified or identifiable natural person. As per the GDPR, an identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In short, any data or information relating to natural persons and capable of identifying such person may be considered as personal data.
The GDPR envisages a framework in which the individual (the ‘data subject’) retains control over her personal data, and it seeks to enforce the rights of data subjects by protecting such data from unauthorised or unlawful use. Besides being binding on all member states of the EU, the GDPR applies to any processing carried out in the context of the activities of a data controller or data processor established in the EU, regardless of where the processing itself takes place. It also applies to controllers and processors established outside the EU where their processing relates to offering goods or services to data subjects in the EU (whether or not payment is required) or to monitoring the behaviour of data subjects within the EU. Note that the test is the data subject’s presence in the EU, not EU citizenship. Therefore, Indian entities with a presence in the EU, or dealing with vendors/clients/customers in the EU and the personal data of individuals there, will be covered under the scope of the GDPR.
Obligations of Data Controllers and Data Processors
The GDPR distinguishes between a data controller and a data processor. A data controller determines the purposes and means of the collection or processing of personal data, while a data processor processes the data on behalf of the data controller. Thus, the entity that determines the purposes and means of processing is the controller, regardless of whether it directly collects the data from data subjects. For example, a bank (controller) collects the personal data of its customers when they open a bank account or avail of other services from the bank; however, it may enlist the services of another entity (processor) to process, store, digitise or catalogue the personal data of its customers under a written contract that binds the processor to the controller’s documented instructions.
The GDPR mandates ‘data protection by design and by default’ for data controllers and requires both data controllers and data processors to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR. By default, only the personal data necessary for each specific purpose of the processing should be processed, and personal data must not be made accessible to an indefinite number of natural persons without the individual’s intervention. An everyday illustration of this approach is the runtime permission model introduced in Android 6.0, where the user is asked to grant or deny each permission (such as location or contacts) individually when the app first needs it, and the use of the data so collected is governed by the app’s privacy policy. Previously, permissions were an all-or-nothing choice at install time: the user either accepted every permission requested by the app or did not install it.
The need for ‘privacy by design’ makes it critical for all entities processing the data of EU data subjects to identify a lawful basis for each processing activity and, where that basis is consent, to have in place measures to obtain consent that is freely given, specific, informed and unambiguous and that can be withdrawn as easily as it was given. At the same time, entities must enable data subjects to exercise their other rights under the GDPR. These include the right to transparent communication, where the data subject is expressly informed of the purposes of data collection and processing; the right of access, covering confirmation of whether the data is being processed, the purposes of processing, the categories of data processed, a copy of the data and the logic involved in any automated decision-making; the right to erasure (the ‘right to be forgotten’) where continued processing is no longer justified; the right to rectification of inaccurate data; and the right to data portability. The GDPR calibrates fines with reference to “the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them”; these requirements therefore have to be adhered to by data controllers and data processors alike.
Cross-border flow of data
The GDPR allows transfers of personal data to third countries (countries outside the EU) whose data protection regime the European Commission has found to provide an “adequate” level of protection. As on date, India has not been found to provide an adequate level of data protection. Therefore, alternative mechanisms providing appropriate safeguards have to be put in place to enable cross-border data transfers. These include standard data protection clauses adopted by the Commission, Binding Corporate Rules (BCRs) for transfers within a corporate group, approved codes of conduct and approved certification mechanisms, in each case together with binding and enforceable commitments of the recipient to apply the appropriate safeguards. Thus, it is critical for Indian entities doing business with data subjects based in the EU to create the requisite infrastructure for complying with the GDPR and to ensure that any binding instruments such as BCRs or standard contractual clauses are executed as per the provisions of the GDPR.
The way forward for Indian companies
While a new data protection law for India is in the pipeline and is expected to lay the groundwork for an ‘adequate data protection’ regime in India, it is critical for Indian businesses processing the personal data of individuals in the EU to ensure that all GDPR requirements applicable to them as a data controller or a data processor, according to their degree of responsibility, are adhered to. Some of the measures to be considered from a risk-mitigation perspective are set out below:
Review and update company policies, practices and processes relating to data collection, data processing, data privacy and other aspects.
Review and update all contracts signed with third parties relating to data storage, transmission or use of data in any form.
Review and update employee handbooks and employment agreements to include data privacy and data protection as an obligation of all employees and ensure there is a zero-tolerance policy regarding breaches of data privacy and protection.
Impart data privacy training to employees and management for employee sensitization and awareness.
Undertake risk assessment exercises/audits to identify processing that is likely to result in a high risk to the rights and freedoms of data subjects and build appropriate risk-mitigation mechanisms; for such processing, the GDPR requires a data protection impact assessment to be carried out before the processing begins. This would typically involve assessing the risks associated with the processing of sensitive personal data such as financial or health information, or with large-scale analytics for marketing/profiling purposes.
Depending on the nature and extent of data processing, businesses may also consider appointing a data protection officer dedicated to ensuring compliance with the requisite framework. Appointment is mandatory where the core activities of the entity involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of personal data or data relating to criminal convictions.
Put in place technical solutions for data protection and security appropriate to the risk, such as pseudonymisation and encryption of personal data, access controls, and the ability to restore availability after an incident. As a baseline, the ISO 27001 standard (recognised as a reasonable security practice under the rules framed under the Information Technology Act, 2000 in India) covers some, though not all, of the security requirements under the GDPR.
Additional measures will also have to be put in place and implemented properly, such as mechanisms for the transfer/flow of data outside the EU, a data breach policy and procedures to be followed in case of a personal data breach (including notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and notification to affected data subjects where the breach is likely to result in a high risk to them), and procedures for handling requests from data subjects exercising their rights.
Penalties for non-compliance
The effectiveness of the GDPR’s enforcement mechanism with respect to entities outside the EU, such as those in India, still remains to be seen. However, it is significant to note that the GDPR prescribes hefty monetary penalties for non-compliance that may extend up to 4% of the non-complying entity’s total worldwide annual turnover of the preceding financial year or EUR 20 million, whichever is higher. Indian entities doing business in the EU and dealing with the personal data of individuals in the EU must consider incorporating specific measures and best practices to ensure that their businesses are compliant with the GDPR, lest they run the risk of being pulled up by the regulators under what is touted as the ‘global gold standard’ for data protection today.