Puneet Bhasin: How India can match up to global needs of data protection

GDPR is applicable to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the Union or not, writes Mumbai-based advocate and cyber law expert, Puneet Bhasin.

Jan 24th 2018

The General Data Protection Regulation (GDPR) has been in the limelight since the end of 2017 and is soon going to be applicable for all companies in India. We have cyber security laws and data protection laws in India embodied within the Information Technology Act and the Rules thereunder, which includes the Intermediary Guidelines and The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Under the Information Technology Act the failure of a Body Corporate to protect the sensitive personal data and information (SPDI) is served with a penalty of up to Rs. 5 crore per instance of breach. Section 72A of the Act also imposes fines and imprisonment for breach of contractual obligation between a Body Corporate and users when the contractual obligation clearly specifies that the Body Corporate has to maintain the cyber security of the user’s data.

Under Indian law companies have to secure the personal information of users too. SPDI and personal information are distinctly different. SPDI refers to a user’s biometric data, bank account data, passwords, sexual orientation, credit card information, etc. Personal information means the name, address, contact number or any detail which can be used to identify a user and may not be sensitive personal data.

Compliance Levels
The Right to Privacy has the status of a fundamental right in our nation today by virtue of an order passed by the Supreme Court in August 2017 (Justice K.S. Puttaswamy (retd.) and Another versus Union of India).
This has clearly imposed a huge responsibility on companies collecting user data to maintain cyber security and comply with the Reasonable Security Practices Guidelines under the Information Technology Act and now GDPR – which will be in force from 25th May, 2018.

The European Union Parliament adopted the new GDPR regime in 2016 and that has the ramification of Indian companies having multiple compliance levels for data protection. There is a clear classification of parties involved as Data Subject, Data Controller and Data Processor for the purpose of this regulation.

If the Data Subject belongs to the EU and if his data is being controlled or processed outside the Union in India, then GDPR will apply to the company in India too, which is the Data Processor or Data Controller. There are more instances outlined in which GDPR becomes applicable to a company in India. In a nutshell, GDPR is applicable to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the Union or not.

Cross-Border Transfer
This regulation applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the Union, where the processing activities are related to the said parties offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behavior as far as their behavior takes place within the Union.

The European Union Parliament adopted the new GDPR regime in 2016 and that has the ramification of Indian companies having multiple compliance levels for data protection.

This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law. It also has rules applicable to cross-border transfer of data.
For the purpose of GDPR, personal data means any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Companies that have more than 250 employees, need to have complete documentation of why people's information is being collected and processed, descriptions of the information that is held, for how long it is being kept, and the descriptions of technical security measures in place.

Data Protection
Additionally, companies that engage in "regular and systematic monitoring" of individuals on a large scale or process a lot of sensitive personal data (SPDI) have to employ a data protection officer (DPO) and his duties are outlined in the Regulation. The companies also have to conduct Privacy Impact Assessments as specified at regular intervals.

Companies have to obtain consent to process data in some situations. When a company is relying on consent to lawfully use a person's information it has to clearly explain that consent is being given and there has to be a "positive opt-in" after clear understanding of the implications – not a default setting of “I Agree”.

The Enforcement Authority under GDPR is the Information Commissioner's Office in the UK. The most dreaded element of the GDPR is the power which regulators have to fine businesses that don't comply. If an organization does not process an individual's data in the correct way, it can be fined. If it exceeds 250 employees and does not have a DPO, it can be fined. In the event of a security breach, it can be fined. These monetary penalties for smaller offences could result in fines of up to €10 million or 2% of a company’s global turnover (whichever is greater).

In case of more serious offences there are fines of up to €20 million or 4% of a firm's global turnover (whichever is greater). The GDPR gives the Data Subject the following rights, which have put the Data Subject in a position of power with respect to his information:
•    The Right to Information
•    The Right to Access
•    The Right to Object
•    The Right to be Forgotten

India has its set of cyber security and information technology laws and the same will be read along with the GDPR for Data Privacy in India for data subjects covered under GDPR. Hence, GDPR is clearly going to change the way Indian companies perceive and implement Data Privacy. Data privacy, which has so far not received the importance it deserves, is going to be a key priority for companies, considering the level of penalties imposed.

The author is cyber law expert and a Certified Professional in GDPR & Data Privacy Compliance from EUGDPR Institute, Copenhagen.

Disclaimer: This article is published as part of the IDG Contributor Network. The views expressed in this article are solely those of the contributing authors and not of IDG Media and its editor(s).