General Data Protection Regulation

In this article, Chaitanya Dhruv discusses the General Data Protection Regulation and its Compliance by Indian Companies.

What is GDPR

The European Union (EU) General Data Protection Regulation (GDPR) replaces the Data Protection Directive 1995 to synchronise data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy. GDPR was approved by the EU Parliament on 14 April 2016 and will be enforced on 25 May 2018 to strengthen the data protection of individuals within the EU as well as to regulate the flow of data outside the EU. This Regulation lays down rules relating to the protection of natural persons regarding the processing of personal data and rules relating to the free movement of personal data. It protects fundamental rights and freedoms of natural persons and their right to the protection of personal data. The free movement of personal data within the EU shall be neither restricted nor prohibited for reasons connected with the protection of natural persons for the processing of personal data.[1]

Who is affected by GDPR

The regulation applies to data collectors and data processors based in the EU. It also applies to companies based outside the EU that collect or process data of individuals based in the EU, or outsource personal data to the EU.[2]

Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.[3] The data controller controls the overall purpose and means, or the why and how the data is to be used. Most of the companies fall under this category.

Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.[4] It is pertinent to note that the data processor does not control the data and cannot alter the purpose or use of the particular set of data. The data processor is limited to processing the data according to the instructions and purpose given by the data controller. A data processor is appointed to carry out specific tasks to achieve the goals set by the data controller. Companies such as telemarketing companies and accountant businesses fall under this category.

How will Indian companies be affected by GDPR

GDPR is not limited to companies having their businesses in the EU region; it also applies to companies that are based outside the EU but deal with the personal data of individuals based in the EU. Large or small corporations having their operations in the EU but based in India will be affected by the regulation. Indian companies that process personal data wholly or partly by automated means, or process data by other methods which affect the data of natural persons based in Europe, will come under the scope of the regulation.[5]

How to be GDPR compliant

It is important for Indian companies that are either data controllers or processors in the EU to comply with GDPR to avoid the heavy penalties[6] imposed on companies for the breach of personal data. Therefore, a company should be aware of the personal data it holds, how this personal data flows in and out, where the personal data is stored and how it is processed. The company should also be aware of who has access to such personal data.

Indian companies need to develop a suitable framework to address the gap between their current compliance program and the requirements of GDPR, and to create an accountability framework for data protection compliance. Companies need to develop the operational structures to facilitate such requirements of the regulation. Further, they need to document their data processing activities affecting the data subjects. Reviewing third-party contracts to avoid data breaches is essential.

The following are the areas that should be focused on to be compliant under GDPR:

  • Data processing
  • Consent
  • Data subject rights
  • Data Protection Officers
  • Cross-border data transfer
  • Data security, storage, breach, breach notification
  • Training and awareness

Data Processing[7]

Personal data may be processed on the basis that such processing is necessary to perform or to enter into a contract with the individual. It should be processed on the basis that the individual has consented to such processing. If the organisation uses an individual’s consent as a lawful basis, then the individual will have stronger rights under the GDPR to withdraw that consent. Personal data may be processed on the basis that the data controller has a legal obligation to perform such processing. Such obligations must be set out in the third-party contracts by the Indian Organisation thus meeting objectives of the regulations.

Notices and Consent

The principle of fairness and transparency means that data controllers should provide information about the processing of personal data to the individuals in a transparent manner. The information provided should be concise, easily accessible and easy to understand. Information can be provided on the website of the company with the help of visual representations, such that it is easily understandable even by a child if the company processes personal data of a child.[8]

How can Indian companies give notices to individuals about processing of their data?[9]

Information about the processing of the data of individuals can be provided by the organisation in writing, in electronic form or by any other means. Such information can also be given orally when requested by an individual. Companies should provide the following information:

  • The identity and the contact details of the or its representatives
  • the contact details of the data protection officer
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing
  • the recipients or categories of recipients of the personal data
  • the period for which the personal data will be stored, or the criteria used to determine that period
  • Procedure to lodge a complaint with a supervisory authority

Companies are to provide such information when the data is obtained directly from the individuals. In case the data is not obtained directly, such information is to be notified to the individuals within one month of having obtained the data; if the data are used to communicate with the individual, at the latest when the first communication takes place; or, if disclosure to another recipient is envisaged, at the latest before the data are disclosed.

How to obtain consent

Consent of the individuals forms the basis of GDPR. It means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.[10] Thus consent obtained should be freely given[11], specific[12] and the individuals should be informed[13] of such consent obtained.

Data Subject Rights

Companies should pay attention to the rights of the individuals while basing their data protection policies and while dealing with the processing of data of such individuals. The regulation recognises the following rights of the individuals for the protection of their data –

Right to Access

Data subjects have a right to obtain confirmation of whether personal data concerning them is being processed. If the data of the individual is being processed, then such individual has the right to obtain such information. Companies have the obligation to give the purposes for which the personal data was obtained and information about the retention period of such data.[14]

Right to rectification

Individuals have the right to rectify personal data which is inaccurately used by the companies. Companies are under an obligation to rectify such inaccuracy without any delay. If the personal data of the individuals is incomplete, the individuals have the right to complete such personal data by providing supplementary information to the companies.[15]

Right to erasure or Right to be forgotten

The right to be forgotten entitles the data subject to have the companies erase personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing, individuals withdrawing consent, and personal data being used for an unlawful purpose. Once the organisation receives such a request from the data subject for the removal of the personal data, the company should erase such personal data without any delay.

Right to restrict processing

The deletion of personal data by the organisation will require the permission of the data subjects. Right to restrict processing personal data applies where the data subjects have objected to processing of the personal data or where the accuracy of such data is challenged. In such case the restriction applies until the companies have determined such accuracy of the data or the outcome of the objection raised. Data subjects can request restriction when such processing of data is unlawful. Further, the data can be restricted when the organisation no longer needs the personal data and if the data subject requires the data for a legal claim. [16]

Right to data portability

Data subjects can obtain their personal data from an organisation and can reuse the data. They can also transmit the personal data obtained from one organisation to another organisation without any hindrance. This is referred to as the right to data portability.[17]

Data Protection Officers

Indian companies need to appoint a data protection officer if they are a data controller or processor. If an organisation deals with the processing of sensitive data of individuals in the EU or monitors such data, then the company needs to appoint a data protection officer. The data protection officer can be an individual who is an employee of the company, or such officer can be an organisation.

The most essential role of the data protection officer will be to ensure that the organisation processes data in compliance with GDPR. The data protection officer is to inform and advise the companies and the employees in accordance with the regulations. The officer is to ensure that the employees, data subjects and the companies are informed about their data protection rights and to raise awareness about those rights.

The data protection officer appointed should be able to report to the top management of the company instead of a direct superior. Such officer should have the responsibility for managing their own budget.

Cross border data transfer[18]

Organizations need to define the circumstances for managing personal data transfers while protecting the rights of data subjects when transferring the data to other parties. To perform data transfers to third countries, the processing should be protected by a mechanism which has been recognised by GDPR. Mechanisms can include arrangements where the European Commission declares a data protection law of a country, or an agreement between parties, to be suitable for transferring the data. To transfer the personal data, the companies need to enforce such contracts which protect the personal data of the individuals.

Data security, storage, breach, breach notification

Article 32 deals with the guidelines that companies are to follow to protect personal data. Companies should engage and work only with such other companies which implement the necessary measures to protect the data and report data breaches on time to the regulator in the EU. Companies can protect the data by pseudonymisation and encryption of data. They should ensure the confidentiality, integrity, availability and resilience of processing systems and services. They should have the ability to restore access to the personal data in a timely manner and should set up a process for testing of such personal data.

In case of a data breach, the organizations are to report the data breach to the regulators within 72 hours through the data protection officers. In case the organisation is a data processor, then the organization is to inform the data controllers about the data breach.

What is the current data protection regime in India

Data protection in India is currently facing many challenges, with inadequate developments in the law related to data protection. There is no specific act governing data protection in India, but there are many legislations, as listed below inter alia, that govern data protection in India:

  • The Information Technology Act 2000 (IT Act)
  • The Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules)
  • The Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act)
  • Credit Information Companies (Regulation) Act 2005 (CIC Act)

Time and again, legislative attempts have been made to update the data security laws in India. Section 43A of the SPDI rules made under IT Act deals with the compensation for failure to protect data, where the companies are under an obligation to ensure reasonable security practices and procedures for the protection of the personal data of individuals. The SPDI rules further deal with the restriction on collection of data, specification of the purpose for which such data is collected by companies, restriction on use of such data and individual participation.

Corporate entities are to comply with certain guidelines while collecting data of individuals[19] and are required to collect such information only for a lawful purpose.[20] Companies are to have a detailed privacy policy and set out the time for which they will retain such data.[21] However, the SPDI rules only apply to corporate entities and not to government authorities.[22]

The controversial Aadhaar Act enables the government to collect identity information from citizens, including their biometrics.[23] The Aadhaar Act established an authority called the Unique Identification Authority of India (UIDAI) to validate the information collected from the information and provide targeted service to the individuals based on their biometrics.[24] The Aadhaar Act also establishes a repository called the Central Identities Data Repository (CIDA)[25] which holds the Aadhaar numbers and biometric information of individuals.

The Aadhaar (Data Security) Regulations 2016 regulate the personal information collected through the Aadhaar Act. This Aadhaar data security regulation imposes an obligation on UIDAI to enforce security policies for the protection of the personal data of individuals.[26]

Data protection in the financial sector is largely governed by the Credit Information Companies Regulations (CIC Regulations) under the CIC Act and various other circulars issued by RBI from time to time. The CIC Regulations apply to credit information companies and impose obligations on such companies to ensure privacy protection at the stage of collection, use and disclosure of credit information of individuals. The CIC Regulations further ensure that the credit information companies adhere to data secrecy.

Recently, the Government of India constituted a committee under the chairmanship of former Supreme Court Justice B N Srikrishna to study issues relating to the protection of data in India and recommend suggestions on the current data protection regime. The committee has come up with a white paper on the data protection framework in India to invite public comments on data protection in India. This paper is based on the practices of GDPR to help bring the data protection regime in India. The committee has noted that the IT Act is limited in its applicability and does not consider the wide range of instances of data protection violation which may occur due to advancement in technology used towards processing of personal data.

Conclusion

Non-compliance by the companies would render penalties for the breach of the regulations by the data controllers and data processors. Failure to comply with the regulations would result in a penalty of 2% of the annual turnover or 10 million euros whichever is higher, in case of breach of personal data. Failure to comply with the regulations in case of breach of sensitive personal data would result in a penalty of 4% of the annual turnover or up to 20 million euros, whichever is higher.

Thus, companies that process or control the personal data of individuals based in the EU must reconsider their policies and their existing contracts with third parties. Companies should have contingency plans in their agreements in case of unforeseen events and should appropriately update the liability clauses in their existing agreements which might in any way affect data subjects. The agreements and the policies must reflect a clear understanding of the scope and objectives of GDPR. It has become imperative for Indian companies to implement the requirements of data protection under GDPR. Moreover, the counterparts of the companies in the EU will insist on compliance with the requirements of the regulations as a part of their standard contractual obligations.

[1] Article 1 deals with the subject matter and objectives of the regulation.

[2] Article 3 deals with the territorial scope of the regulation where the data of an individual based in the EU is processed but the data controller or data processor is outside the EU.

[3] Article 4(7) GDPR.

[4] Article 4(8) GDPR.

[5] Article 2(1) GDPR.

[6] Article 83 GDPR prescribes the penalties, which can be up to 4% of the total worldwide annual turnover of the company.

[7] Article 5 to Article 11 of GDPR lay down the principles relating to the processing of personal data and the conditions under which such data can be lawfully processed.

[8] Recital 58 deals with the principle of transparency to be adopted by the organizations to whom the regulations are applicable.

[9] Articles 12 to 14 provide the procedure for companies to give information to the individuals when the data is obtained from the individuals or when the data is not obtained from the individuals.

[10] Article 4(11) GDPR defines consent.

[11] Recital 43 GDPR: To ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

[12] Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.

[13] Article 7(3) GDPR.

[14] Article 15 GDPR.

[15] Article 16 GDPR.

[16] Article 18 GDPR.

[17] Article 20 GDPR.

[18] Article 44 – Article 50 GDPR.

[19] Rule 5(1) SPDI Rules.

[20] Rule 5(2) SPDI Rules.

[21] Rule 4 SPDI Rules.

[22] Section 43A IT Act.

[23] Section 30 Aadhaar Act.

[24] Section 8 Aadhaar Act.

[25] Section 10 Aadhaar Act.

[26] Regulation 3 Aadhaar (Data Security) Regulations 2016.