This article is written by Sukrutesh Bhat who is pursuing a Diploma in Cyber Law, Fintech Regulations & Technology Contracts from LawSikho.
Introduction
With the advent of technology, one of our major concerns is the protection of personal data. At the same time, a large number of companies, especially MNCs, have to keep an eye on the protection of their confidential data, such as financial data and the details of their investors. In a country like India, where many companies are based abroad and carry on their business in India, it is very important that the personal data held by such companies is protected at any cost, as any breach of that data may cause huge loss to such foreign-based companies.
Data Protection Laws in India
As of now, there is no specific statute which deals with data protection in India. However, the Information Technology Act, 2000 (as amended in 2008) contains certain provisions that deal with breaches of data protection.
In the year 2019, the Personal Data Protection Bill, 2019 was introduced in Parliament. The Bill serves the following purpose:
- Protecting personal data of the individual.
- Creating a framework to process such personal data.
- Establishing a Data Protection Authority for the purpose.
On the other hand, in the absence of a proper statute, there are certain provisions which deal with the protection of data and the consequences if they are breached.
Section 43A of the Information Technology Act, 2000 states that where a body corporate which possesses, deals with or handles any sensitive personal data or information in a computer resource it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person(s) so affected.
Further, Section 72A provides the punishment for disclosure of information in breach of a lawful contract: any person who discloses personal information obtained while providing services under a lawful contract, without the consent of the person concerned or in breach of that contract, with intent to cause or knowing that it is likely to cause wrongful loss or wrongful gain, may be punished with imprisonment for a term of up to three years, or with a fine of up to five lakh rupees, or with both.
General Data Protection Regulation
The General Data Protection Regulation, shortened to GDPR, was introduced by the European Union and has applied since 25 May 2018. It deals with data protection and privacy in the European Union as well as the European Economic Area (EEA), and it also governs the transfer of personal data outside the EU and EEA. It is considered one of the toughest laws in the world in terms of security as well as privacy: whoever violates its security and privacy standards faces fines that can run to millions of euros, a huge amount in Indian rupee terms. It focuses on the rights and consent of natural persons when it comes to data protection.
How is GDPR helpful in India
The GDPR applies regardless of whether the processing takes place in the EU or outside it. Any organisation anywhere in the world that processes the personal data of persons in the EU, in connection with offering them goods or services or monitoring their behaviour, needs to comply.
Thus, an Indian company holding personal data of any kind about a person who is in the European Union will have to comply with the GDPR. This includes companies which by any means generate leads on people in the EU, market to EU businesses or residents, display any form of online advertisement to people in the EU, or even make sales calls to people or businesses that belong to the EU.
If a company is found to have acted in contravention of the GDPR, the regulation provides for administrative fines of up to EUR 20 million or 4% of that company's total worldwide annual turnover of the preceding financial year, whichever is higher. In addition, natural persons whose privacy rights have been violated may claim compensation from the company for the damage suffered.
With the growth of technology, almost every sector of the economy deals with foreign countries for business purposes.
The following are sectors in which India deals with European Union countries and which can be affected by the GDPR:
- The Information Technology sector and ITES will be affected heavily if any breach of data takes place;
- Advertising and, in particular, the digital marketing industry will be affected;
- Medical tourism, telemedicine and health record management services, since patients' records and medical history are special-category data and any breach of them will have serious consequences;
- The fintech and digital banking sector, which caters to the needs of Indians living in the European Union and holds their financial records;
- Blockchain, IoT and Software as a Service;
- The aviation sector, where Indian carriers fly passengers who are EU residents;
- The hospitality sector, where hotels host tourists from the EU;
- Cloud computing, where servers store data belonging to people in the EU;
- Online retail, for example where a resident of the European Union who has travelled to India shops on Flipkart;
- Import-export, where firms work with clients in the European Union and a lot of client information passes between them;
- Law firms, accountants and other consultants and service providers with European Union clients, who are also impacted if any kind of breach occurs.
Role of a Data Protection Officer
A Data Protection Officer's job is to advise the company on its data protection obligations, monitor its compliance and make sure that it is not breaching any regulation; under the GDPR the DPO is also the contact point for the supervisory authority and for data subjects. A Data Protection Officer therefore has to be very thorough in his or her knowledge of which actions of the company might end in a legal consequence.
The following are functions in which the Data Protection Officer can help the company with respect to data protection:
- Training: Various departments exist in a company, such as Human Resources, the IT department, engineering, marketing and sales, and each collects various types of data about employees or clients in various forms. The Data Protection Officer can train them, or inform them by way of an SOP (Standard Operating Procedure), on how not to misuse the data and what the legal consequences of misuse can be.
- Check on data flow management: A data flow map needs to be prepared when a company goes for GDPR compliance. The map records, for each system, which categories of personal data it holds, where (in which country) the data sits, and how and under what safeguard it is transferred from one location to another. This helps the organisation identify all the information it has, understand the loopholes and vulnerabilities in its data protection, and take the necessary steps to reduce security risks and unintended data leaks.
- Handling of breaches: Whenever a breach takes place it has to be reported promptly, and protocols need to be followed to contain it and avoid fines. The GDPR requires notification to the supervisory authority within 72 hours of becoming aware of the breach where feasible, and notification of the affected individuals where the breach is likely to result in a high risk to them. The Data Protection Officer is the company's contact point with the regulatory authority and presents the company's case before it.
- Fines: As discussed before, the GDPR imposes heavy fines for breaches of data protection. Here the Data Protection Officer's role is to control the damage: because the level of a fine takes into account whether the infringement was intentional or negligent and what measures were taken to mitigate it, a DPO who can show that there was no mala fide intention or negligence in the leak can save the company from the heaviest penalties.
- Drafting contracts and privacy policies: The GDPR makes it mandatory for companies to specify in their privacy policy what kind of data is collected, how it is collected, the purpose for which it is collected and how it will be used, what procedures are followed to keep it secure, and how much control the user has over the data. The policies have to be drafted in accordance with the GDPR, which requires that they be written in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This is where the Data Protection Officer can help, by going through the mandates and drafting policies and contracts that meet GDPR standards and ensure transparency between both parties.
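As an added illustration of the data flow map item above (example code written for this article, not code from the original article or from LawSikho), the toy inventory below records where each system sits, which categories of personal data it holds and which flows connect them, then audits the map for the gaps a DPO would look for: EU-to-India transfers with no Article 46 safeguard, special-category data held unencrypted, flows carrying data the source was never inventoried as holding, and flows to systems missing from the map. The system names, countries, safeguard labels and the partial EU/EEA and adequacy country sets are assumptions made for the example.

```python
"""Toy data-flow map audit for a GDPR gap analysis.

Added example, not from the original article. The inventory is constructed and the
system names, countries and safeguard labels are hypothetical; the country sets are
deliberately partial and would come from a maintained reference in practice.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: partial lists, enough for the constructed inventory below.
EU_EEA = {"DE", "FR", "IE", "NL", "IS", "NO", "LI"}
ADEQUACY = {"CH", "JP", "GB", "KR"}          # third countries with an EU adequacy decision (subset)
SPECIAL = {"health", "biometric", "genetic", "religion", "ethnicity", "sexuality", "political"}
VALID_SAFEGUARDS = {"SCC", "BCR"}            # Article 46 transfer mechanisms modelled here


@dataclass(frozen=True)
class Store:
    name: str
    country: str                  # ISO 3166-1 alpha-2 code of where the data sits
    categories: frozenset         # personal-data categories held
    encrypted_at_rest: bool


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    categories: frozenset         # categories carried by this flow
    safeguard: Optional[str]      # "SCC", "BCR" or None


def is_restricted_transfer(src_country: str, dst_country: str) -> bool:
    """True when personal data leaves the EU/EEA for a third country (Chapter V GDPR)."""
    return src_country in EU_EEA and dst_country not in EU_EEA


def audit(stores: List[Store], flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for a data-flow map."""
    index = {s.name: s for s in stores}
    findings: List[Tuple[str, str]] = []
    for s in stores:
        if (s.categories & SPECIAL) and not s.encrypted_at_rest:
            findings.append(("high", f"{s.name}: special-category data stored unencrypted"))
    for f in flows:
        if f.src not in index or f.dst not in index:
            findings.append(("medium", f"{f.src}->{f.dst}: endpoint missing from inventory"))
            continue
        src, dst = index[f.src], index[f.dst]
        if not f.categories <= src.categories:
            extra = sorted(f.categories - src.categories)
            findings.append(("medium", f"{f.src}->{f.dst}: carries {extra} not inventoried at source"))
        if is_restricted_transfer(src.country, dst.country) and dst.country not in ADEQUACY:
            if f.safeguard not in VALID_SAFEGUARDS:
                findings.append(("high", f"{f.src}->{f.dst}: EU->{dst.country} transfer "
                                         "without an Art. 46 safeguard"))
    return findings


# Constructed inventory (hypothetical systems) for an Indian processor serving EU clients.
SAMPLE_STORES = [
    Store("crm-eu", "DE", frozenset({"name", "email"}), True),
    Store("patients-eu", "FR", frozenset({"name", "health"}), True),
    Store("analytics-in", "IN", frozenset({"name", "email"}), True),
    Store("support-in", "IN", frozenset({"name", "health"}), False),
]
SAMPLE_FLOWS = [
    Flow("crm-eu", "analytics-in", frozenset({"name", "email"}), "SCC"),       # covered by SCCs
    Flow("patients-eu", "support-in", frozenset({"name", "health"}), None),    # no safeguard
    Flow("crm-eu", "support-in", frozenset({"name", "phone"}), "SCC"),         # "phone" never mapped
    Flow("crm-eu", "marketing-tool", frozenset({"email"}), None),              # unmapped SaaS tool
]


def run_sample() -> List[Tuple[str, str]]:
    """Audit the constructed inventory; returns four findings, two of them high."""
    return audit(SAMPLE_STORES, SAMPLE_FLOWS)


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity}] {message}")
```

In a real engagement the stores and flows would be generated from asset inventories, cloud account metadata and vendor contracts rather than typed in, but the checks stay the same: every edge that crosses the EU/EEA boundary must name its transfer mechanism, and every node holding special-category data must state its protections.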
Conclusion
There are various ways in which the Data Protection Officer can play a very important role in securing a company's data and in following the GDPR. Also, with the introduction of the Personal Data Protection Bill, 2019, which still requires some amendments before it is passed, it will become easier for companies to know the laws relating to data privacy and how data can be protected in order to avoid legal consequences.