The General Data Protection Regulation (“GDPR”) was adopted by the European Union on 27th April 2016 and came into full effect on 25th May 2018, allowing for a transition time of a little over two years. In an increasing data-dependent world, the GDPR aims to protect individuals from the misuse of their personal data and breach of their privacy.
The GDPR has a universal impact, due to its extraterritorial scope and its precedential nature, for other countries to enact stronger data protection laws. Following is a brief overview of GDPR and the compliances it requires.
Scope
The GDPR is applicable to all entities that process personal data of individuals in the European Union (and not only citizens of the European Union (EU)), for providing goods or services or for monitoring their behavior. Therefore, Indian businesses servicing the EU market will have to ensure GDPR compliance, if they collect or process personal data.
Personal Data
Personal data, under the GDPR, includes any information of an identified or identifiable natural person. The GDPR further provides for special categories of personal data, the compliances for processing of which are more stringent. Similar to Sensitive Personal Data and Information (SPDI) under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 in India, the special categories of personal information under the GDPR include biometric data, health records, sexual orientation. However, GDPR extends the special categories of personal information to include data revealing a person’s ethnic or racial origins, political opinions, religious beliefs or trade union memberships.
Control and Processing
The GDPR identifies entities as “Controller” or “Processor”. A Controller is an entity that determines the purpose and means of processing personal data and has several accountability obligations. A Processor is an entity that processes i.e. collects, records, organizes, stores etc. personal data on behalf of the Controller. A Processor must process personal data only under a contract with the Controller and in accordance with documented instructions of the Controller.
It is important for businesses to identify the capacity in which they act and the nature of data they deal with to ensure full GDPR compliance.
Consent
The foundation of GDPR is consent of the data subject for processing personal data. Till now, online service providers had the practice of providing lengthy privacy policies, full of legal ease and practically incomprehensible for a lay person. GDPR requires that consent is sought from the data subject distinct, from any other terms and conditions, in an intelligible and easily accessible form, using clear and plain language. Separate and explicit consent must be sought for processing of special categories of personal data.
The data subject also has the right to withdraw her consent and the option to withdraw consent must be made as accessible as the option to provide consent.
GDPR Privacy Policy
On top of every GDPR compliance checklist for every business should be updating of website privacy policy.
Under the GDPR, the Controller is required to provide the data subject with relevant information relating to the collection and processing of data at the time of collection of such data. To do so the Controller should maintain a GDPR-compliant privacy policy. The privacy policy should be concise, transparent and easy to understand.
The privacy policy should include details of the Controller, the purpose of processing the data, the period for which data will be stored or the criteria for determining such period and the recipients of the data. The privacy policy should also inform the data subject of her rights under the GDPR, such as the right to request for access, rectification and erasure of data, right to withdraw consent, right to object to processing and right to data portability.
If the Controller undertakes further processing of the personal data, a fresh disclosure is to be made prior to such processing.
Security Measures
The Controller must maintain a record of the processing activities it or the Processor, acting on its behalf, undertakes. The records should include details of the controller, processor, purpose of processing, categories of data subjects and personal data.
The GDPR lays down several technical and organizational measures to be implemented to ensure the security of personal data, including pseudonymization and encrypting data, backup protection, ability to ensure the integrity of processing systems, regular testing, and audit of the safety mechanisms.
The GDPR also lays down a “code of conduct” to be adhered to by Controllers and Processors. In addition, there is a provision for certification by a certifying authority to be established under the GDPR. Whilst such certification does not reduce the responsibilities under the GPDR, it will act as prima facie evidence of GDPR compliance.
Conclusion
Non-compliance of the GDPR entails high fines and it is advisable for businesses dealing with EU markets to make themselves GDPR compliant. With the Supreme Court judgment on privacy and the Srikrishna Committee issuing its white paper on Data Protection framework, India too seems to be moving towards a more robust legislation on data protection and adherence to the GDPR requirements may be viewed as preparation for the same.
Contributed by: Ishan Johri
Comments