Indian companies that hold data on EU residents could face large fines and jeopardize commercial relationships if their compliance with the new GDPR is not watertight, writes Oliver Yaros
The General Data Protection Regulation (GDPR) introduces a new regime for the protection of personal data in the EU.
Global research conducted last year by software company Veritas found that 86% of organizations participating worldwide were worried about failing to adhere to the GDPR and concerned that such a failure could have a major negative impact on their business. Indeed, almost half feared that they would not be ready by the implementation date to meet legal requirements.
The issue is even more acute in India, which is not on the list of countries approved for data portability and transfer. A forensic data analytics survey by Ernst & Young released in the lead-up to the GDPR’s effective date revealed only 60% of firms surveyed were familiar with the GDPR and just 13% of firms surveyed had a plan in place at the time to comply with it.
WHAT IS THE GDPR?
The GDPR was adopted on 27 April 2016 and came into force on 25 May 2018. It harmonizes data protection laws across the EU on the storing, transferring, collecting and processing of personal data.
Personal data is defined as any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This could include, for example, a person’s name, their employment status and location, as well as online identifiers like an IP address. There is a further subset of personal data called special category data, which includes race, biometrics (fingerprint), religion and sexual orientation.
Crucially, the GDPR brings a full range of compliance obligations for companies both inside and outside the EU. This means, for instance, implementing “privacy by design” to ensure that an appropriate level of data protection is provided by default in the processing of personal data. It also means companies that rely on consent as a basis to process personal data need to seek “unambiguous” consent in the form of a statement or clear affirmative action from the customers to whom the data relate.
Moreover, companies undertaking higher risk processing are required to map their personal data processing and carry out data protection impact assessments. If a data breach takes place, companies are obliged to notify the relevant EU data protection authority without undue delay and where feasible within 72 hours, as well as notify the individuals concerned if the breach presents a high risk to them. There are also circumstances under which companies may need to appoint a data protection officer who would ensure compliance within the organization.
DOES THE GDPR APPLY TO INDIAN BUSINESSES?
This is not just a concern for organizations based in the EU. Organizations based outside of the EU will have to comply with the GDPR if they have a presence in Europe or hold data about EU residents.
Companies based in India will have to comply with the GDPR where those businesses:
- Have subsidiaries, offices or other operations in the EU that use personal data to operate their business;
- Process personal data about individuals located in the EU to offer them goods or services; or
- Monitor those individuals’ behaviour.
Take the example of an India-based business offering products or services to individuals located in the EU via a global website. It may provide a mobile device application available to individuals in the EU to download, which collects users’ personal data and profiles their online behaviour. That business will have to comply with the new EU data protection rules.
OLIVER YAROS is a partner in the IP & IT group at the London office of Mayer Brown International.