As data becomes the new oil of the digital age, data protection law and data privacy as a right are becoming increasingly important because of the huge scope for data to be collected, stored, processed, and used (or brokered). Data protection and data privacy in the EU are governed by the General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018. Under the GDPR, companies handling users' personal data are required to comply with a stringent framework for processing and protecting that data. The GDPR replaces the 1995 EU Directive on Data Protection.
Application and scope
Personal data is defined as any information relating to a natural person that can be used to identify that person. A person is identifiable under the GDPR if he or she can be identified, directly or indirectly, by an identifier such as a name, a number, a location, or an online identifier, or by one or more factors specific to that natural person's physical, physiological, genetic, mental, economic, cultural, or social identity.
A key component of the GDPR is the notion that the individual (the 'data subject') is in complete control of her personal data and that the data subject's rights are protected against unauthorised use of such data. Furthermore, the GDPR applies to any EU citizen whose personal data is processed by an EU data controller or processor, whether the processing takes place inside or outside the EU. As a result, Indian entities with a presence in the EU, or organisations dealing with EU vendors, clients, and customers, will be subject to the GDPR.
Controllers and processors of personal information have obligations
The GDPR defines both data controllers and data processors. A data controller determines what personal data to collect and how it will be processed; a data processor processes personal data on behalf of the controller. Whether or not an entity collects the data directly from the data subject does not matter: the entity that determines the means of processing personal data is the controller. When a bank (controller) opens an account for a customer or provides other services, it collects personal data about that customer from the customer; it may, however, outsource the processing, storing, digitising, and cataloguing of its customers' data to another entity (processor).
Under the GDPR, organisations must ensure, and be able to demonstrate, that data processing complies with the GDPR by incorporating 'privacy by design' and implementing appropriate technical and organisational measures. A data protection measure should ensure that, by default, only a limited number of natural persons have access to personal data unless the data controller decides otherwise. Google's permission pop-ups when downloading apps from its Play Store are an example of privacy by design: data subjects decide which types of data an app may and may not collect, and the app's privacy policy determines how it may use that data. A previous version of Google's app platform did not allow users to grant some permissions while rejecting others.
As part of 'privacy by design', all entities that process EU data subjects' personal data must have measures in place to obtain the data subject's express and informed consent to the processing. The GDPR also requires that all data subject rights be accessible to the data subject. These rights include being informed, in an open and transparent manner, of the purpose for which their information is collected and processed; the right to access all of their data, including whether it is being processed, the purpose and categories of processing, a copy of the data, and the logic behind any automated processing; the right to be forgotten where continued processing of the data is not justified; and the right to have their data corrected. Both controllers and processors must meet GDPR requirements in order to avoid fines, since fines are assessed on the basis of the controller's or processor's "degree of responsibility" as well as the technical and organisational measures they have implemented.
Information flowing across borders
Transferring data to third countries (countries outside the EU) whose data protection regime is not considered "adequate" is a violation of the GDPR. As of now, India does not meet the criteria for adequate protection. Cross-border data transfers must therefore rely on alternative mechanisms that provide adequate protection: binding corporate rules (BCRs), certification mechanisms, and codes of conduct, along with enforceable standard contractual data protection clauses. Consequently, it is crucial for Indian entities doing business with EU-based data subjects to establish a GDPR-compliant data protection regime and infrastructure, and to ensure that BCRs are executed according to GDPR provisions, including a GDPR compliance tracking system.
What Indian companies should do in the future
A new Indian data protection law is in the works and will lay the groundwork for an 'adequate' data protection regime. In the meantime, Indian businesses processing the personal data of EU citizens must ensure that all GDPR requirements are followed, to the extent of their responsibility as a data controller or data processor. From a risk-mitigation perspective, the following measures should be considered:
- Review and update company policies and processes for data collection, data processing, and data privacy.
- Review and update contracts with third parties covering data storage, transmission, and use.
- Include data privacy and data protection as a right in employee handbooks and employment agreements, and implement a zero-tolerance policy for violations.
- Inform and sensitise employees and management about data privacy.
- Perform risk-assessment exercises and audits to evaluate whether any data processing carries a high risk of breaching the GDPR rights of data subjects, and build appropriate risk-mitigation mechanisms as necessary. High-risk processing typically involves financial information and big data analytics used to make marketing and profiling decisions based on sensitive personal data.
- Depending on the extent of their data processing, businesses may also need to appoint a data protection officer dedicated to ensuring compliance with the requisite frameworks.
- Implement technology solutions to protect data. Some GDPR requirements can be met through the ISO 27001 model (which is mandated for implementation under the Information Technology Act, 2000 in India).
- Put additional measures in place to ensure that data subjects' rights are properly maintained, such as mechanisms for transferring data outside the EU, data breach policies, and data breach response procedures.
Disciplinary measures for noncompliance
GDPR enforcement mechanisms do not appear to be effective against entities outside the EU, such as those in India. A significant point to note, however, is that non-compliance with the GDPR may result in hefty penalties of up to 20 million Euros or 4% of annual global turnover, whichever is greater. If an Indian company conducts business in the EU and has access to the data of EU citizens, it must comply. The GDPR is considered the 'global gold standard' of data protection today, and to comply with it businesses must adopt the specific measures and best practices described above.