The General Data Protection Regulation (EU) 2016/679, or GDPR as it is popularly called, has become a buzzword among Indian corporates. Simply put, GDPR is a single set of data protection rules that applies to the personal data of individuals in the European Union from May 25, 2018. The European Union had been working on a uniform legal framework for data protection since the Commission's proposal of 2012. The Regulation was adopted in April 2016, but a two-year transition period was given to organisations to become compliant, and hence the enforcement date was fixed as May 25, 2018. Through this article, we shall try to explain the basic tenets of GDPR and what it means for Indian corporates.
What is personal data?
Any information relating to an identified or identifiable natural person falls within the ambit of personal data. A person's name, contact details and address are obvious examples, but so are identification numbers, location data and online identifiers such as IP addresses or cookie IDs, where these can be linked to an individual.
The organisation which collects such personal data and determines the purposes and means of its processing is termed the Data Controller under the GDPR, and the organisation which processes such data on behalf of and on the instructions of the Data Controller is called the Data Processor.
The individual whose data is being collected is called the Data Subject.
Whom does GDPR apply to?
GDPR applies to organisations established in the EU, whether or not the processing itself takes place in the EU, and to organisations outside the EU which offer goods or services to individuals in the EU or monitor their behaviour there. For instance, an Indian company which receives the personal data of an employee seconded from an EU group company is required to handle that data in accordance with the GDPR, typically under the transfer safeguards agreed with the EU entity. Any transfer of personal data from the EU to a non-EU country is itself subject to the GDPR's transfer rules.
What are the key compliances required under GDPR Regulations?
The following are some of the key compliances required under the GDPR Regulations:
Accountability
Under the earlier Data Protection Directive of 1995, data protection obligations fell almost entirely on the data controller, with the processor bound only through its contract with the controller. GDPR has departed from this position and imposes direct accountability requirements on both the data controller and the data processor. As part of these requirements, both controllers and processors must maintain records of their processing activities and must implement appropriate security measures to prevent data breaches.
Consent
GDPR defines consent of the data subject as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". The stress is on the words specific and unambiguous: consent must be requested in clear and plain language, must be given freely by the data subject, and cannot be inferred from silence, pre-ticked boxes or inactivity. Moreover, GDPR entitles the data subject to withdraw consent at any later stage, and withdrawal must be as easy as giving consent was.
Breach notification
GDPR mandates that a personal data breach be notified to the competent supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the affected data subjects must also be informed without undue delay. Data subjects are normally informed individually; a public communication is permitted only where individual notification would involve disproportionate effort.
Right of access
GDPR also requires that data subjects, on request, be told whether their personal data is being processed and, if so, be given the purposes of the processing, the categories of data involved, the recipients, the envisaged retention period and the source of the data, together with a copy of the data itself. Where the request is made electronically, the information should be provided in a commonly used electronic form, and in any case within one month of the request (extendable by a further two months for complex or numerous requests).
Right to be forgotten
Companies are obliged to erase, without undue delay, the personal data they hold about a data subject when the data subject so requests and one of the grounds for erasure applies. Typically, this is when the data is no longer necessary for the purpose for which it was collected, or when the data subject withdraws the consent on which the processing was based and no other legal basis exists.
Technical and organisational measures
Companies are required to adopt and implement appropriate technical and organisational measures, proportionate to the risk, in order to comply with GDPR. Only personal data which is adequate, relevant and necessary for the stated purpose should be collected and processed (the principle of data minimisation).
Data Protection Officers
Companies are required to appoint a data protection officer, who supervises compliance with GDPR, where their core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data (such as health, biometric or criminal data); public authorities must appoint one in all cases. The 250-employee figure often quoted in this context is not a DPO threshold: it is the size below which an organisation is exempted from the general record-keeping obligation, and even that exemption does not apply where processing is non-occasional or involves special categories of data.
What are the penalties for non-compliance with GDPR?
One of the key reasons why GDPR is viewed with such gravity by the corporate world is the severity of its penalties. For the most serious infringements, such as breaches of the basic processing principles, the conditions for consent or data subjects' rights, fines can go up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. A lower tier of up to EUR 10 million or 2% of worldwide annual turnover applies to infringements such as failures in record-keeping, security, breach notification or the obligations of processors.
Implications for Indian Corporates
One of the major questions being raised with respect to GDPR is what its implications are for Indian companies. Most companies today, even if they are based in India, conduct their business globally and, in the course of their transactions, end up obtaining or sharing personal data of individuals. If such personal data belongs to individuals in the EU, it becomes essential for them to comply with GDPR. The following circumstances bring Indian corporates within the scope of GDPR:
- If the personal data of individuals in the EU is collected in the EU and transferred to India for processing, whether by a group company or by a customer for whom the Indian company acts as processor.
- If an Indian company itself offers goods or services to individuals in the EU, or monitors their behaviour there, and collects and processes their personal data in India.
For instance, if company B, an Indian company, markets a conference to people in the EU and collects their registration details, it must comply with GDPR while processing that data. Similarly, if company B recruits A while A is in the EU and collects A's personal data in the course of the hiring process, GDPR would apply.
Hence, Indian companies should insert a well-drafted data protection clause in all agreements under which personal data is received or shared, and should take the following measures:
- Maintain records of the personal data being collected and processed, as required under the GDPR.
- Appoint a data protection officer if their processing activities meet the criteria described above.
- Adopt strong technical and organisational measures to protect against data breaches.
- Carry out a data protection impact assessment before undertaking processing that is likely to result in a high risk to individuals.
- Where they receive personal data of individuals in the EU from an EU-based controller or processor, enter into a data transfer agreement incorporating an approved transfer mechanism, such as the European Commission's standard contractual clauses.
- If they sub-contract processing to a facility in another non-EU country, ensure that all obligations contained in the data transfer agreement flow down to that facility as well.