Indian companies that hold data on EU residents could face large fines and jeopardize commercial relationships if their compliance with the new GDPR is not watertight, writes Oliver Yaros
The General Data Protection Regulation (GDPR) introduces a new regime for the protection of personal data in the EU.
Global research conducted last year by software company Veritas found that 86% of organizations participating worldwide were worried about failing to adhere to the GDPR and concerned that such a failure could have a major negative impact on their business. Indeed, almost half feared that they would not be ready by the implementation date to meet legal requirements.
The issue is even more acute in India, which is not on the list of countries approved for data portability and transfer. A forensic data analytics survey by Ernst & Young released in the lead-up to the GDPR’s effective date revealed only 60% of firms surveyed were familiar with the GDPR and just 13% of firms surveyed had a plan in place at the time to comply with it.
WHAT IS THE GDPR?
The GDPR was adopted on 27 April 2016 and came into force on 25 May 2018. It is a harmonization of data protection laws across the EU on storing, transferring, collecting and processing of personal data.
Personal data is defined as any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This could include, for example, a person’s name, their employment status and location, as well as online identifiers like an IP address. There is a further subset of personal data called special category data, which includes race, biometrics (fingerprint), religion and sexual orientation.
Crucially, the GDPR brings a full range of compliance obligations for companies both inside and outside the EU. This means, for instance, implementing “privacy by design” to ensure that an appropriate level of data protection is provided by default in the processing of personal data. It also means companies that rely on consent as a basis to process personal data need to seek “unambiguous” consent in the form of a statement or clear affirmative action from the customers to whom the data relate.
Moreover, companies undertaking higher risk processing are required to map their personal data processing and carry out data protection impact assessments. If a data breach takes place, companies are obliged to notify the relevant EU data protection authority without undue delay and where feasible within 72 hours, as well as notify the individuals concerned if the breach presents a high risk to them. There are also circumstances under which companies may need to appoint a data protection officer who would ensure compliance within the organization.
DOES THE GDPR APPLY TO INDIAN BUSINESSES?
This is not just a concern for organizations based in the EU. Organizations based outside of the EU will have to comply with the GDPR if they have a presence in Europe or hold data about EU residents.
Companies based in India will have to comply with the GDPR where those businesses:
- Have subsidiaries, offices or other operations in the EU that use personal data to operate their business;
- Process personal data about individuals located in the EU to offer them goods or services; or
- Monitor those individuals’ behaviour.
Take the example of an Indian-based business offering products or services to individuals located in the EU via a global website. It may provide a mobile device application available to individuals in the EU to download, which collects users’ personal data and profiles their online behaviour. That business will have to comply with the new EU data protection rules.
The restrictions imposed by the GDPR relating to the transferring of data from the EU to India may also present a practical challenge to Indian companies, particularly those that are outsourcing service providers. In the context of the new regulations, even remote access to personal data stored in an EU-based subsidiary or server by a member of staff at an Indian-based business will fall under the definition of “transfer”. Under the GDPR, a transfer is not permitted unless certain conditions are met.
PREPARING FOR GDPR COMPLIANCE
If a preliminary assessment determines that an Indian-based organization must comply with the GDPR, the business should take the following key steps:
- Inform the leadership of the change in data protection law, appoint a cross-departmental or cross-border GDPR implementation team and plan for how the organization should comply;
- Review all relevant processes and systems that deal with the collection, processing and use of personal data from the EU. Also map out the flows of personal data comprehensively;
- Review the legal basis under which personal data is being processed and consider whether any changes need to be made with the GDPR’s introduction;
- Conduct a data protection impact assessment where it’s required to minimize the risk of “high risk” processing activities;
- Appoint a data protection officer if necessary;
- Implement new compliance systems to ensure that the company can respond to: a data breach, data portability, objection to automated data profiling, provision of access to personal data, as well as the new data breach notification requirements, the right to be forgotten, and other rights that individuals can exercise in relation to their personal data;
- Update the data governance controls within the business and provide training and updates to employees regularly;
- Draft and maintain written/electronic records of processing activities, which should specify, among other things, a description of the processing activity, the categories of data subjects and personal data concerned, the purposes of the processing activity, and the parties that the personal data is being shared with;
- Review the organization’s supply chain contracts and other arrangements to ensure that the company has imposed the contractual requirements that are required under the GDPR to ensure their compliance – it may be necessary to renegotiate these contracts and arrangements; and
- Assess the international data transfers taking place within the company – pay particular attention to the restrictions on the transfer of personal data from the EU/European Economic Area to India and accordingly update the mechanisms that are being used to achieve this.
PENALTIES BUSINESSES COULD FACE
The consequences for failing to comply can be severe. Under the GDPR, the maximum fine issued by a data protection authority is up to 4% of an enterprise’s worldwide turnover or €20 million (US$23 million) per infringement, whichever is higher, whether the violation is intentional or unintentional. In addition, most Indian companies will be expected by their European counterparts, business partners and customers to demonstrate compliance with the GDPR as a matter of good business practice. By not complying, they could risk losing significant commercial relationships or face repetitive auditing.
DATA PROTECTION REGULATIONS IN INDIA
Data protection is governed by two pieces of legislation in India: the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Although there are similarities between the Indian law and the GDPR, the latter goes much further and provides considerably more detail on the principles of consent and individual rights. The GDPR’s prescriptive approach means Indian companies risk falling foul of the GDPR even when they comply with the IT Act and rules in India.
The release earlier this year of the White Paper on Data Protection Framework, by India’s Ministry of Electronics and Information Technology, underlines that future reform in this area is on the horizon. It follows that enacting the right measures to comply with the GDPR will stand Indian companies in good stead for the eventual arrival of a data protection bill that could bring the country closer to the EU approach.
Ultimately, becoming GDPR-compliant is more than a matter of compliance. It is not just a box-ticking exercise, it is an opportunity to improve the way companies do business day-to-day. It is also about a company instilling confidence in its customers by demonstrating that it understands the importance of data protection and has put in place a programme to effectively govern the way it uses personal data.
OLIVER YAROS is a partner in the IP & IT group at the London office of Mayer Brown International.