Boards must plan to meet EU data protection norms

Challenges of identity theft, cybercrime, profile data breaches, unauthorized extraction and sale of personal data have increased the trust deficit between individuals and business initiatives. While big data (compared to oil by many thinkers) is the lifeline of the emerging digital commerce globally, rights of individuals clearly need to be protected. The EU’s General Data Protection Regulation (GDPR) seeks to achieve the right balance, and the Supreme Court of India has also flagged the issue in its landmark judgment on data privacy, setting the ball rolling for the emergence of a new regime on data privacy in India.

As the GDPR comes into effect from May 2018, Indian companies will need to put into place effective frameworks for data protection in order to comply with the GDPR. Apart from protecting the data of individuals in the EU, the GDPR also seeks to regulate the export of personal data from the EU.

From May 2018, the GDPR requires any breach of personal data impacting a resident of the EU to be reported within 72 hours. Companies failing to comply with this could face the stiff penalty of a fine up to €20 million (US$23.5 million) or 4% of their global turnover, whichever is higher.

Once the GDPR comes into force, all global organizations holding data of EU residents will have to comply with new requirements around control, processing and protection of data. Countries outside of the EU (including India), therefore, need to update their regulations to match the standards of data protection set out in the GDPR.

In India, the boards of directors of Indian companies have to sign off on compliance issues under the provisions of the Companies Act, 2013. Indian boards and directors, therefore, will need to be proactive and ensure compliance with the GDPR.

Major focus areas for the boards of Indian companies include:

Data controller/data protection officer: Companies that handle individuals’ data must have an officer accountable to the board and responsible for data protection, and clearly set out the roles and responsibilities of this officer.

Data protection advocacy: To comply with the GDPR, companies need to implement and monitor a structured data protection advocacy action plan to train and sensitize employees and stakeholders on the impact of the GDPR on the company’s business.

Manoj Kumar is the founder and managing partner at Hammurabi & Solomon, where Shweta Bharti is a senior partner.