Everything you need to know about GDPR and what it means for India.
What is GDPR :
General Data Protection Regulation (GDPR) is legislation that will update and unify data privacy laws across the European Union. GDPR was approved by the EU Parliament on April 14, 2016 and goes into effect on May 25, 2018.
GDPR replaces the EU Data Protection Directive of 1995. The new directive focuses on keeping businesses more transparent and expanding the privacy rights of data subjects. When a serious data breach has been detected, the company is required by the General Data Protection Regulation to notify all affected people and the supervising authority within 72 hours. Mandates in the General Data Protection Regulation apply to all data produced by EU citizens, whether or not the company collecting the data in question is located within the EU, as well as all people whose data is stored within the EU, whether or not they are actually EU citizens. Under GDPR, companies may not legally process any person’s personally identifiable information without meeting at least one of six conditions.
- Express consent of the data subject.
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary to protect the vital interests of a data subject or another person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Legal & Compliance
The GPDR introduces new requirements and challenges for legal and compliance functions. Many organisations will require a Data Protection Officer (DPO) who will have a key role in ensuring compliance. If the GDPR is not complied with, organisations will face the heaviest fines yet –up to 4% of global turnover. A renewed emphasis on organisational accountability will require proactive, robust privacy governance, requiring organisations to review how they write privacy policies, to make these easier to understand.
Fines of up to 4% of annual global turnover
Serious non-compliance could result in fines of up to 4% of annual global turnover, or €20 million –whichever is higher. Enforcement action will extend to countries outside of the EU, where analysis on EU citizens is performed.
Data Protection Officers
Organisations processing personal data on a large scale will now be required to appoint an independent, adequately qualified Data Protection Officer. This will present a challenge for many medium to large organisations, as individuals with sought-after skills and experience are currently in short supply. Organisations will also be challenged to demonstrate an independent reporting line, which could cause issues with incumbent positions.
The current requirement to provide annual notifications of processing activities to local regulators will be replaced by significant new requirements around maintenance of audit trails and data journeys. The focus is on organisations having a more proactive, comprehensive view of their data and being able to demonstrate they are compliant with the GDPR requirements.
Privacy Notices and Consent
Organisations will now consider carefully how they construct their public-facing privacy policies to provide more detailed information. However, it will no longer be good enough to hide behind pages of legalese. In addition, there is a significant shift in the role of consent, with organisations required to obtain ‘freely given, specific, informed and unambiguous’ consent, while being able to demonstrate these criteria have been met.
New GDPR requirements will mean changes to the ways in which technologies are designed and managed. Documented privacy risk assessments will be required to deploy major new systems and technologies. Security breaches will have to be notified to regulators within 72 hours, meaning implementation of new or enhanced incident response procedures. The concept of ‘Privacy By Design has now become enshrined in law, with the Privacy Impact Assessment expected to become commonplace across organisations over the next few years. And organisations will be expected to look more into data masking, pseudo-anonymisation and encryption.
- Breach reporting within 72 hours of detection. Significant data breaches will now have to be reported to regulators and in some circumstances also to the individuals impacted. This means organisations will have to urgently revise their incident management procedures and consider processes for regularly testing, assessing and evaluating their end to end incident management processes.
- The GDPR formally recognises the privacy benefits of encryption, including an exemption from notifying individuals of data breaches when data is encrypted. However, this does not mean that organisations can afford to be complacent, and the exemption may not apply when weak encryption has been used. Given the potential fines, organisations will have to further increase their focus on a robust information and cyber security regime.
- Individuals will have new rights to opt out of and object to online profiling and tracking, significantly impacting direct-to-consumer businesses who rely on such techniques to better understand their customers. This applies not just to websites, but also to other digital assets, such as mobile apps, wearable devices, and emerging technologies.
The concept of Privacy By Design (PbD) is nothing new, but now it is enshrined in the GDPR. Organisations need to build a mind set that has privacy at the forefront of the design, build and deployment of new technologies. One manifestation of PbDis Data Protection Impact Assessments (DPIA), which are now required to be undertaken for new uses of personal data where the risk to individuals is high.
- Individuals and teams tasked with information management will be challenged to provide clearer oversight on data storage, journeys, and lineage. Having a better grasp of what data is collected and where it is stored will make it easier to comply with new data subject rights –rights to have data deleted and to have it ported to other organisations.
- Organisations will have to take steps to demonstrate they know what data they hold, where it is stored, and who it is shared with, by creating and maintaining an inventory of data processing activities. Data leads will have to work closely with privacy colleagues to ensure all necessary bases are covered. A thorough system for maintaining inventories needs to be implemented.
Right to be Forgotten
- A new ‘right to be forgotten’ is further evidence of the consumer being in the driving set when it comes to use of their data. Depending on regulatory interpretation, organisations may need to perform wholesale reviews of processes, system architecture, and third party data access controls. In addition, archive media may also need to be reviewed and data deleted.
Right to Data Portability
- A new right to ‘data portability’ means that individuals are entitled to request copies of their data in a readable and standardised format. The interpretation of this requirement is debatable, but taken broadly the challenges could be numerous –
- amongst them achieving clarity on which data needs to be provided, extracting data efficiently, and providing data in an industry-standardised form.
New Definitions of Data
- The GDPR recognises the concept of pseudo-anonymous data and at the same time expands the definition of personal data, placing an greater emphasis on data classification and governance. But it remains unclear if and when certain data, for example IP addresses, will be classed as personal data and subject to requirements.
Data Protection Bill 2018
In year 2017, the Government of India constituted a committee of experts under the chairmanship of former Supreme Court Justice Shri B N Srikrishna to study various issues relating to data protection in India and make specific suggestions on principles to be considered for data protection in India and suggest a draft Data Protection Bill. The committee, formed with the idea to create a powerful data protection law in India, has submitted its draft bill to the Ministry of Electronics and Information Technology (MeitY) on 27 July 2018.
This submission comes after a year of consultations with various stakeholders. The bill lays down penalties, ranging from five crore rupees or 2% of total global turnover to fifteen crore rupees or 4% of the total global turnover*. It is thus changing the way privacy is perceived and practiced within Indian business.
The proposed bill applies to both government and private entities. The applicability of the law will extend to data controllers/fiduciaries or data processors not present within the territory of India, if they carry out processing of personal data in connection with:
- Any business carried in India
- Systematic offering of good and services to data principles (also generally referred to as data subject) in India
- Any activity which involves profiling of data principals within the territory of India
Key highlights for a data fiduciary
Grounds for processing personal data include consent, functions of state, compliance with law or order of court/ tribunal, for prompt action in case of emergencies, purposes related to employment or reasonable purposes of the data fiduciary
Grounds for processing sensitive personal data include explicit consent, functions of state, compliance with law or order of court/tribunal, for prompt action in case of emergencies for passwords, health data, financial data, official identifiers, genetic data and biometric data
Age verification and parental consent is required for processing personal and sensitive personal information of children Transparency and accountability principles such as privacy by design, record keeping, data protection impact assessment and data audits should be undertaken by organizations Organizations will have to appoint a data protection officer as per their processing activities Data breaches have to be reported by data fiduciaries to the authority and based on the gravity of the incident the same has to be notified to the data principal Adequate security controls should be in place: de-identification, encryption, prevention of unauthorized access, misuse, disclosure or destruction
Restrictions have been imposed on transfer of personal data outside India for sensitive critical personal data. For other personal data one local copy (mirroring provisions) has to be maintained in India only Organizations will have to build capability to complete data principal rights
What should organizations do?
Accountability of data protection: Data fiduciaries need to maintain accountability for the personal data they own and assert the responsibility to comply with the personal Data Protection Bill. Organizations need to be transparent and fair in terms of :
Privacy governance , Provide a fair and transparent notice , Update the digital presence, Refresh consents, Consent for children , Review data processing activities, Accuracy
Data localization and mirroring: Data fiduciaries will need to store at least a copy of the personal data acquired by data principals in India. Additionally, the central government may describe categories of “critical data” which has to be stored only in India. This would require organizations to perform an assessment their data storage practices and maintain servers/ data centres in India, if needed, to fulfil the obligation. Contractual agreements approved by the authority need to be in place for transferring personal data outside India
Privacy by design and default :The draft bill proposes that data fiduciaries be obligated to take necessary measures and implement policies to ensure that privacy is embedded in all the systems, applications and architecture at each stage- collection, processing, usage, transmission, storage and disposal. Additionally, it requires data fiduciaries to implement appropriate safeguards to ensure security of the personal data.
Data principal rights The personal data protection bill intends to confer controlling power in the hands of the data principles and hence provides them with the right to access and correction, the right to data portability and right to be forgotten. It attempts to provide its citizens with comprehensive data protection rights and create a trust based relationship between the data principal and the data fiduciary
Data breach management :The draft bill requires data fiduciaries to inform the data protection authority any personal data breach that is likely to cause harm to any data principal. Failure to notify a breach will make the organization liable to a penalty under the provisions of this bill.
Data storage limitations Data fiduciaries need to identify the retention periods for personal data and conduct regular reviews to ascertain the need to retain the personal data.
Enhance security of personal data Every data fiduciary and data processor shall undertake a review of its security safeguards periodically and take appropriate measures accordingly to ensure security of personal data
Additional ask for significant data fiduciary The Draft Bill lays down certain additional obligations that apply to a specific class of data fiduciaries conducting high risk processing known as Significant Data Fiduciary.
To identify if an organization qualifies to be categorized as a Significant Data Fiduciary, the authority would consider the parameters given in the adjacent figure.
Identify if the organization comes under the category of Significant Data Fiduciary according to the parameters defined by the data protection bill, If yes, consider the following:
- Register with the data protection authority
- Undertake data protection impact assessments (DPIA) for high risk processing
- Appoint a data protection officer
- Get the privacy policies and the conduct of processing of personal data audited annually by an independent data auditor
8 differences between Indian data protection bill and GDPR!
- Unlike in GDPR, Indian draft legislation does not require the data fiduciary to share the names and categories of other recipients of the personal data with the data principal.
- There is no obligation on data fiduciary to share with the data principal for how long the data will be stored while collecting or at any time, as GDPR mandates
- The data fiduciary does not need to share the source of the personal data to the data principal in case the data has not been collected from him/her which is an explicit requirement in GDPR
- Unlike GDPR, there is no requirement that the data fiduciary share with the data principal the existence of automated decision making, including profiling
- GDPR requires that the data subject (data principal) is provided with a copy of data undergoing processing. The Indian legislation mandates a summary of that data to be shared, with no definition of what that summary is.
- One of the biggest differences is that in India, a citizen has not been given the right to demand his/her data to be erased. Data reassure, which is an article in itself in GDPR does not even find a mention in the Indian draft bill.
- In case of a breach, there’s no requirement by Indian draft bill to share it with the data principal; rather, the data protection Authority shall determine whether such breach should be reported to the data principal. This is also in contrast to GDPR provisions.
- The provision that has attracted the most criticism—as well as the only dissent note from one of the members—is the issue of where the personal data resides. “Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies,” says the bill. The draft bill also mentions that the Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India. GDPR leaves this to specific countries most of which have chosen to allow free flow of data, though Germany and France require personal data to be resident in their countries. A few others like Bulgaria have very specific requirements like gambling data to be stored in the country. Globally, many countries require government data to be stored in their countries. Today, that is the requirement in India too. Australia, for example, mandates that the health data should be stored inside country. This is the most contentious issue.
Overall, while the whole concept of GDPR starts with the premise that the ownership of data must belong to the data subject, Indian bill does not even provide that!
Overall, Indian bill is a diluted version of GDPR, with lesser power for the citizens!
Authored by – Yogendra Rajput, Director, MapleCloud Tech Services