What Indian businesses should know about GDPR compliance
The article explores the necessity for Indian businesses to comply with the General Data Protection Regulation (GDPR) and outlines key compliance measures. It begins by elucidating GDPR's impact on global data privacy regulations and clarifies its applicability to Indian businesses. The piece then delves into essential compliance steps, including updating privacy policies, safeguarding data subject rights, and securing personal data processing. Consequences of non-compliance are underscored, emphasizing hefty fines and citing high-profile cases to illustrate potential repercussions. Ultimately, the article stresses the imperative for Indian businesses to adhere to GDPR guidelines to mitigate financial risks and uphold data privacy standards.
Introduction:
In today's digital age, the sharing of personal data has become a common practice in various aspects of our lives, from online transactions to social media interactions. However, the fate of this data and how companies utilize and process it raise important questions about privacy and consent. Understanding the implications of data usage and the necessity of consent is crucial in safeguarding individuals' privacy rights.
As countries worldwide are recognizing the significance of protecting personal data, laws and regulations are being enacted to ensure data privacy. The General Data Protection Regulation (GDPR), implemented in 2018 by the European Union, stands as a prominent example of legislation aimed at safeguarding personal data. While India is yet to pass its Personal Data Protection (PDP) Bill, 2018, the existing Sensitive Personal Data or Information Rules (SPDI) 2011 under the Information Technology Act, 2000 provide some level of protection for personal data.
The applicability of GDPR to businesses in India raises important compliance considerations. Understanding whether GDPR regulations impact Indian businesses and how they can adhere to these regulations is essential for ensuring data protection and compliance with international standards.
What is GDPR and Indian businesses that need to comply with it?
The General Data Protection Regulation (GDPR) is a robust legislative framework designed to safeguard the processing and transfer of personal data for individuals within and beyond the European Union. While initially targeted at EU member states, the global impact of GDPR has prompted countries worldwide to enhance their data privacy regulations. Businesses are increasingly focusing on GDPR compliance and are aligning their practices with its principles. Understanding the roles of data processors, data controllers, and data subjects is fundamental in grasping the essence of GDPR and ensuring adherence to its provisions.
According to Article 4(7) of the GDPR, a 'controller' is defined as an entity that determines the purposes and methods of personal data processing, while a 'processor' is an entity that processes data on behalf of the controller (Article 4(8)). A 'data subject' refers to any identified or identifiable natural person under the GDPR. The regulation's applicability, outlined in Article 3, extends to all data processors and controllers within the EU, those outside offering goods/services in the EU or profiling EU individuals, and those processing data through EU-established branches. The GDPR's extraterritorial reach ensures protection for EU residents' personal data even beyond EU borders, necessitating compliance for Indian businesses offering services in the EU, handling EU-transferred data, or profiling EU residents.
How should Indian businesses comply with GDPR?
1. Having an updated privacy policy:
Categories of personal data collected: Indian businesses need to clearly outline the types of personal data collected, including special categories like name, email, address, religious or political beliefs.
· Usage of personal data: The purpose and lawful basis for data collection and processing must be explicitly stated in the policy, aligning with one of the six lawful bases under Article 6 of GDPR.
· Consent: Businesses must obtain explicit, free, and unambiguous consent from individuals for processing their data, ensuring individuals have control over their privacy.
· Data subject rights: Privacy policies should detail how data subjects can enforce their rights, such as withdrawing consent, restricting processing, being forgotten, or requesting data portability as per GDPR regulations.
2. Safeguarding the data subject’s rights:
· Indian businesses must establish a mechanism to handle data subject requests effectively to uphold the rights outlined in Chapter 3 of GDPR. These rights include access to data, right to erasure (be forgotten), right to restrict processing, explicit consent, data portability, and rectification.
3. Understanding whether you are a data controller or processor:
· Businesses need to understand if they are data controllers or processors based on their role in deciding how data is used or processing it. Obligations and liabilities differ for controllers and processors as outlined in Chapter 4 of GDPR.
· Data controllers must implement appropriate measures to ensure compliance with GDPR and regularly review and update these measures. Processors are responsible for implementing these measures on behalf of the controller and cannot engage other processors without authorization.
4. Securing the processing of personal data:
· Indian businesses must prioritize securing the processing of personal data. This involves implementing technical and organizational measures to safeguard against risks such as unauthorized access, alteration, or loss of data. Encryption techniques should be employed to anonymize and protect sensitive information. Additionally, measures should be in place to ensure the confidentiality, integrity, availability, and resilience of processing systems and services. Regular testing and evaluation of these measures are essential to identify and address any vulnerability effectively.
5. Data protection impact assessment:
· This assessment involves systematically describing processing activities, evaluating their necessity and proportionality, and assessing risks to individuals' rights and freedoms. Measures should be outlined to mitigate identified risks and ensure compliance with GDPR requirements. By conducting thorough assessments, businesses can proactively address potential privacy risks and demonstrate their commitment to protecting personal data.
6. Easy to read the privacy policy:
· Indian businesses should ensure their privacy policies are easily understandable to all individuals, regardless of their level of familiarity with data protection laws. This involves using simplified language and avoiding technical jargon or legal complexities. Privacy policies should be readily accessible to users and may be translated into local languages to cater to diverse audiences. Transparency and clarity are key, with the policy clearly outlining the types of data collected, purposes of processing, and individuals' rights regarding their personal information. Providing contact information for inquiries or concerns further enhances transparency and builds trust with users.
What happens if Indian businesses don’t comply with GDPR?
Non-compliance with GDPR can have severe consequences for Indian businesses, including hefty fines. These fines are divided into two levels: Level 1 fines amount to 10 million euros or 2% of the company's annual global turnover, while Level 2 fines can reach up to 20 million euros or 4% of the annual global turnover. The number of fines for GDPR non-compliance has been increasing steadily, reaching a staggering total of 332 million dollars as of January 2021.
High-profile cases of GDPR violations highlight the substantial penalties that businesses can face. For instance, Google was fined $55 million by French regulators in 2019 for inadequate disclosure of data collection practices for personalized advertisements. Similarly, H&M faced a fine of nearly $41 million in October 2020 for unlawfully storing excessive personal data of its employees, including details about their families, religions, and illnesses.
These cases underscore the significant impact GDPR penalties can have on businesses, particularly considering the substantial size of the IT industry in Europe, estimated at 155-220 billion USD in countries like Germany and France alone. Indian businesses must heed GDPR regulations to avoid facing similar financial repercussions and reputational damage associated with non-compliance.
Conclusion:
Ensuring compliance with GDPR is paramount for Indian businesses engaged with EU partners or operating within the EU, as it mitigates the risk of facing substantial fines and financial liabilities. Given the increasing emphasis on individual privacy rights, adherence to GDPR not only fosters trust but also enhances transparency and accountability, thereby bolstering organizations' credibility and reputation among customers and clients.
