This article has been written by Rupali Lekhi, pursuing a Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
Table of Contents
Introduction
Almost every day we share our personal data in some way or the other such as, by booking flight tickets, movie tickets, making hotel reservations, logging onto social media websites, or for employment purposes. But have you ever wondered what happens to this data? How do companies use and process this data? Can you choose to refuse the collection or processing of your data? Do you think companies must take your consent before they decide what to do with your personal data?
Countries around the world are enacting laws towards the protection of personal data. UNCTAD statistics show that 66% of the countries worldwide have legislation on data protection. The General Data Protection Regulation (GDPR) is one such legislation, enacted in 2018 for the protection of personal data of all member states of the European Union. India is yet to enact the draft legislation on data protection known as the Personal Data Protection (PDP) Bill, 2018. Currently, personal data is protected by the Sensitive Personal Data or Information Rules (SPDI) 2011 under the Information Technology Act, 2000.
Despite the absence of a specific personal data protection law in India, it is extremely important to understand if GDPR is applicable to businesses in India. If yes, then how can they comply with it?
What is GDPR and do all Indian businesses need to comply with it?
GDPR is comprehensive legislation that aims to protect the processing and movement of personal data of individuals within and outside the EU. Even though it was enacted for the protection of personal data of all member states of the European Union, the impact of GDPR is worldwide. Many countries are taking data privacy and protection more seriously after the enactment of GDPR. Businesses are trying to ensure that they comply with the GDPR and are also drafting regional legislation in line with it. In order to understand this regulation and its applicability, it is important to know who is a data processor, data controller, and data subject.
Article 4(7) defines ‘controller’ as, a natural or legal person, public authority, agency, or other body that determines the purposes and means of the processing of personal data. A ‘processor’ on the other hand means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller as per Article 4(8). A data subject is referred to as an identified or identifiable natural person, as per the GDPR.
The applicability of GDPR is discussed under Article 3 of the GDPR. It is applicable on:
- All data processors and data controllers within the territory of the EU
- All data controllers and processors outside the territory of the EU who are offering goods or services in the EU are profiling individuals in the EU
- Processing of personal data as part of activities of one of its branches established in the EU.
To ensure the protection of the personal data of the residents of the EU member states, the GDPR also has extraterritorial applicability. This means that the scope of GDPR extends to nations, not within the jurisdiction of the EU. However, not all Indian businesses need to comply with GDPR. Those Indian businesses that are offering any goods or services in the EU, are processing any personal data transferred from the EU, or are profiling the personal data of the EU residents, have to comply with GDPR.
How should Indian businesses comply with GDPR?
After ascertaining if GDPR is applicable to your business in India, you need to ensure the following:
- Having an updated privacy policy:
To have a GDPR compliant privacy policy, Indian businesses can update their privacy policy by including:
- Categories of personal data collected: The policy must clearly list out the type of personal data and special categories of personal data collected such as name, email id, home/work address, religious and political beliefs, etc.
- Usage of personal data: The purpose and the lawful basis for collecting and processing data must be clearly indicated in the policy. There must be at least one lawful basis to collect and process personal data out of the six lawful bases for processing data mentioned under Article 6 of GDPR.
- Consent: Explicit, free, and unambiguous consent must be taken from the data subjects for processing their data. This gives individuals real choice and control over their data and privacy.
- Data subject rights: The details of processing requests by the data subject in relation to enforcing their rights that include the right to withdraw its consent, right to restrict the data controller from processing their data, right to be forgotten or the right of data portability as given under the GDPR are necessary to mention in a privacy policy/notice.
2. Safeguarding the rights of the data subject:
For any Indian business to be GDPR compliant they have to ensure that they create a data subject request mechanism to safeguard the rights of the data subject. Chapter 3 of the GDPR is dedicated to the rights of the Data subject which includes the right to access the data, right to be forgotten, right to restrict data from being processed, right of the data subject to give explicit consent of the data subject, right of data portability and right to rectification.
3. Determining whether you are a data controller or processor:
Indian businesses must know if they are data controllers or processors based on whether they are deciding the way the data is used or merely processing the data. Chapter 4 of the GDPR sets out different obligations and liabilities for the data controller and data processor. The data controller is obligated to implement appropriate technical and organizational measures to ensure and demonstrate that processing is performed in accordance with this Regulation. The controller must also review and update these measures as and when it becomes necessary to do so. Whereas, the processor is obligated to implement the aforementioned measures on behalf of the controller and cannot engage any other processor without the data controller’s authorization, as per Article 28 of the GDPR.
4. Maintaining records of processing personal data:
Every data controller and processor who has more than 250 employees are required to keep a record of processing activities, as per Article 30 of GDPR. The records of processing personal data must broadly contain the following:
- Name of the data controller or/and processor.
- Purpose of collecting the data.
- Type of data collected.
- Categories of data subjects whose data is collected.
- Names of recipients to whom the data is disclosed.
- Processing activities carried out on behalf of the processor.
- Documentation in case of transfer of personal data of data subjects to third parties or international organizations.
- Security measures are undertaken for processing.
These records must be maintained in writing or in electronic form and have to be made available to the supervisory authority on request.
5. Securing the processing of personal data:
While collecting and processing personal data, there can be a huge risk such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. In order to ensure the security of data, the controller and the processor shall implement technical and organizational measures which include:
- The pseudonymization and encryption of personal data.
- Maintaining the confidentiality, integrity, availability, and resilience of processing systems and services.
- Mechanism to restore the availability and access to personal data in a timely manner.
- Process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.
6. Data protection impact assessment:
A data protection impact assessment is a way to assess the impact of processing activities on the protection of personal data by the data controller prior to actually processing it. It is mandatory for those businesses that use systematic and extensive profiling which significantly affects the natural person, process special category or criminal offense data on a large scale, or systematically monitor publicly accessible places on a large scale. A data impact assessment must contain the following:
- systematic description of processing activities and the purposes of the processing
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects
- the measures taken to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
7. Easy to read the privacy policy:
The privacy policy shall be written in such a way that it can be easily understood by everyone who may or may not have knowledge of data protection and privacy laws. It can also be made available in the local languages where the company is operating.
What happens if Indian businesses don’t comply with GDPR?
Non Compliance with the requirements of the GDPR can have huge consequences for a business. There are two levels of administrative fines levied upon companies for non-compliance. Level 1 includes a fine of 10 million euros or 2% of the company’s annual global turnover and level 2 includes a monetary penalty of 20 million euros or 4% of the company’s annual global turnover for non-compliance with certain provisions of the regulations as listed under 83(4) and 83(5) of the GDPR.
The total number of fines for non-compliance of GDPR has been on a rise from 2018 to 2021. In fact, the penalties have almost doubled up to 332 million dollars as of January 2021. In 2019, Google had been fined $55 million by the French regulator for not disclosing properly to their users about the collection of their data for personalized advertisements. Recently, in October 2020, H&M had been fined for close to $41million dollars for illegally keeping excessive records about the families, religions, and illness of its workforce. This information was collected by company managers of H&M’s in Germany through informal chats and was then used to evaluate their work performance and make employment decisions.
This shows how some of the big companies in the world have been fined upon non-compliance with GDPR regulations. GDPR penalties are huge and will impact Indian businesses largely if they fail to comply with GDPR, given the size of the IT industry business in Europe which is estimated to be around 155-220 billion USD in Germany and France alone.
Conclusion
Compliance with GDPR is extremely essential for Indian businesses who are in business with their EU counterparts or have a presence in the EU to avoid fines and financial risks to the company. As more people are looking to have control over their privacy and personal data being used by large and small organizations, compliance with GDPR will make organizations trustworthy, transparent, and accountable amongst their customers and clients.
References
- https://www.spirion.com/blog/gdpr-fines-increase/
- https://www.pwc.in/consulting/cyber-security/blogs/gdpr-what-it-means-for-indian-businesses.html#sources
- https://unctad.org/page/data-protection-and-privacy-legislation-worldwide
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: