GDPR: Here's what Indian companies need to know

General Data Protection Regulation as a term, is by now, known to most Indian organisations dealing with personal data. GDPR, or the General Data Protection Regulation is the new privacy law of the European Union (EU), which shall come into force from 25 May 2018.

Does GDPR apply to Indian organisations?

Yes. Though GDPR is a European law, it will apply to an Indian organisation if such organisation provides goods or services to persons in the European Union (EU) i.e. EU data subjects, or monitors their behaviour within EU. An Indian organisation can either act as a controller (i.e. determine how and why data needs to be processed), or a processor (i.e. process data on behalf of a controller). GDPR has prescribed specific obligations and penalties in both the cases.

GDPR protects ‘personal data’ of EU data subjects such as name, email, address, IP address, location data, genetic and biometric data, online identifiers, etc.

This data could be of employees, customers, vendors or business partners of an organisation. Stricter protection is granted to sensitive category data, such as political opinions, religious beliefs, trade union membership, racial or ethnic origin, etc.

What Indian organisations need to do for GDPR compliance?

Indian organisations falling within GDPR ambit will need to provide new rights to EU data subjects going forward. These include: right to be forgotten, right to erasure of personal data, right to rectify data, right to data portability, etc.

GDPR has prescribed detailed obligations and responsibilities for controllers and processors. Some critical ones include:

• Controller will now need to implement appropriate technical and organisational measures to ensure and demonstrate that it complies with GDPR, such as have appropriate data protection policies, pseudonymisation, encryption, privacy by design and privacy of default at the time of product development and implementation, etc.
• The contract between controller and processor for processing of personal data will need to incorporate GDPR requirements;
• Controllers and processors outside EU will need to designate a local representative in EU, and a data protection officer, in certain cases, which will be additional compliance and costs for Indian companies;
• Consent sought by controllers from data subjects should be clear and explicit. Pre-ticked consent boxes/implied consent will not work under GDPR. Opt-outs must be explicit;
• Records to be maintained if an organisation employs more than 250 persons;
• Data breach notification to authorities within 72 hours, and to data subjects without any undue delay;
• Cross-border data transfers with third parties / countries will need to satisfy adequate level of protection as GDPR. India is not a notified country as yet.

The penalties are significant under GDPR. For non-compliance with customer consent requirements, data subject rights (discussed below), cross-border data transfer requirements, etc. the monetary penalty could be higher of: 4% of annual worldwide turnover in the preceding financial year or EUR 20 million.

For non-compliances by controller and processors of their obligations under GDPR, the fines could higher of: 2% of annual worldwide turnover in the preceding financial year or EUR 10 million.

These could have significant financial implications for any organisation doing business in Europe. Additionally, there’s also reputational risk and the risk of losing out EU clients/ customers if an Indian organisation is not GDPR compliant.

Key takeaways for Indian organisations

Privacy has taken a centre stage in the digital era, as is evident from the recent Facebook -Cambridge Analytica controversy. EU is a significant market for Indian IT/BPO/ tech industry. Therefore, GDPR compliance has taken priority for all Indian organisations having business in EU.

With 25 May approaching, if not already done, Indian companies can assess the following for immediate compliances:

• Conduct an assessment of personal data in their systems, review privacy policies and contracts to ensure that they are GDPR compliant;
• Assess source of EU data, how it is stored, whether security measures are in place;
• Assess if consent as per GDPR requirements was taken for collection of personal data; If not, one must reach out immediately and procure consents before 25 May 2018;
• Ensure that you have systems to enable new data subject rights of individuals, including how you would delete personal data;
• Ensure that you have adequate procedures in place to detect, report and investigate a data breach.(By Anshul Prakash, Partner, and Shweta Dwivedi, Principal Associate, Khaitan & Co)