Moneycontrol Contributors, 2018-06-07

The concept of "consent" for data, as characterised in the EU General Data Protection Regulation (GDPR), is distinctive in its precision.

It is defined as any freely given, specific, informed and unambiguous indication of the data subject's wishes, by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of his/her personal data.

Anyone who has consented to any of the above also has the right to withdraw consent.

GDPR, the new regulatory framework governing the collection, usage, storage and destruction of personal data of EU residents, has been in effect since May 25, 2018. Thanks to its extra-territorial applicability, it is relevant not only for entities based in the EU, but also for Indian companies that use personal information of EU citizens, and indeed for any organisation, for-profit or non-profit, that acts as a processor or controller of EU residents' personal data.

Some Indian entities may have already obtained consent from the requisite natural persons, in accordance with the Indian Information Technology Rules.

However, under GDPR, entities will be required to obtain consent that is free of legalese and that cites the 'purpose' for which such personal data is required. To process 'sensitive data' (i.e. details like name, ethnicity, sexual orientation etc.), overt consent is a must.

For 'non-sensitive data' (cookie ids, hashed email addresses where no direct identification is possible, etc.), however, unambiguous consent will be sufficient.

Silence, inactivity or pre-ticked entries will not constitute 'consent' under GDPR.

Further, in case the processing of personal data is for multiple purposes, then GDPR mandates that 'consent' must be obtained for each such purpose, and not in a blanket fashion.

Because of this, it is clear that data processors and controllers walk a tightrope when it comes to obtaining consent from data subjects that satisfies GDPR, since implied consent is no longer permitted.

So, it becomes crucial for Indian companies to go back and check the purpose for which consent for procuring the data was originally obtained. If the data is currently being used for other purposes, then it would be important to circle back to the EU counterpart so that fresh consent is obtained from the respective data subjects for the ongoing projects.

Compliance requirements

Indian companies will naturally ask why they need to obtain consent again; the answer lies in the powers given to data subjects under GDPR and the obligations defined for data controllers and processors.

A data controller is tasked with ensuring that the data it maintains is accurate and not outdated, and that data subjects can rectify it if it is outdated or incorrect.

Data controllers must not store data for longer than required, i.e. beyond the point at which the purpose for which the data was collected is extinguished, and rigorous security measures must be in place to protect it.

Data processors are tasked with maintaining documentation about their processing operations and implementing stringent security measures to protect personal data.

Further, they must keep the data controller informed of any breach, carry out impact assessments on data protection and appoint a data protection officer (only if the data processor is a public authority or an organization engaging in large scale systematic monitoring/large scale processing of sensitive personal data).

Rights of Data subjects

Under the provisions of GDPR, data subjects enjoy several inexorable rights, since one of its prime objectives is to protect the fundamental rights and freedoms of people, chiefly, their right to protection of personal data.

Data subjects have the right to demand that an entity provide access to their personal data and to understand how that entity is using it.

Data subjects have a special right of portability, i.e. they can exercise their right to transfer data from one service provider to another. The data subjects are required to be informed before their data is collected and they must opt-in, i.e. allow the entity to gather their personal data, by giving explicit and free consent.

Data subjects can update/correct/complete their personal data, where need be. Data subjects also have the right to request entities to 'not' process their personal data, but merely hold it.

In addition to restricting processing, data subjects have the right to stop entities from processing their personal data for direct marketing purposes.

In case there is any data breach, which may affect the data subject's rights and freedoms, the entity must inform the subject of it within 72 hours of it being discovered.

Data subjects have a special right to be forgotten, so in case they are no longer customers of these entities, or in case they withdraw their consent, then they have the right to demand that their personal data be deleted.

With the implementation of GDPR, data processors and controllers in India should by now have taken ample preventive and precautionary measures to ensure that they are in compliance. If not, such safeguards must be formulated immediately and, more importantly, executed systematically across the organisation, with enhanced transparency and accountability.

If somehow this has not yet happened, then it becomes all the more necessary for one to maneuver cautiously around the contours of GDPR.

In case of severe non-compliance, heavy penalties of up to 20 million euros or 4 percent of the worldwide annual turnover of the company in the preceding financial year, whichever is higher, may be levied on the defaulting entity.

So, this is the time to act cautiously and take compliance seriously.

The authors are Joint Partner and Senior Associate at Lakshmikumaran & Sridharan Attorneys.