Does GDPR apply to companies based in India? And what impact does it have?

“If you are not paying for it, you’re the product being sold.”

Tushar Verma: GDPR (General Data Protection Regulation) has altered the tech-scenario in a big way globally, and almost every company across the world is in the process of analyzing the impact of GDPR on its business, financially and operationally. Huge fines for non-compliances make it even more scary and attention-demanding.

Complying with GDPR is important for the nation as a whole because approximately 17.4% and 11.6% of India’s IT/ ITES export services are to the UK and continental Europe respectively. As per NASSCOM, the  information technology and business process management sector will enhance its contribution to GDP by 9.5%, which is more than 45% of exports of services in 2015-2016. It is vital that Indian companies do whatever they can to protect their business in this sector. Future of businesses in India will surely depend upon how they react to these regulatory changes.

So what exactly is GDPR?

In simple words, the General Data Protection Regulation (GDPR) is a set of guidelines applicable when any organization collects and processes private data of any individual within European Union. It also provides regulations for data management and the rights given to individuals whose data is being collected. It outlines stringent fines in case of violations, and many such fines are also a percentage of the total revenues earned by violating companies. Since GDPR deals with the companies who are collecting data on the EU citizens, it makes it especially critical for the banking and financial sector companies to ensure compliance. GDPR came into effect from 25th May, 2018.

Applicability of GDPR on Indian data processing units:

If we talk about the scope of the definition of data processing under GDPR, it has wide connotations. Data processing may include any operation performed over the personal data, such as, but not limited to, recording, storing, using, structuring and collecting, which even includes erasing of data and destroying of data. As far as Article 3 (territorial scope) GDPR rules are concerned, applicability is regardless of whether the processing is done within EU or not. So it is crystal clear that any data processor in India who is engaged in any of the activity mentioned above shall be counted in the ambit of GDPR rules.

Challenges faced by the Indian companies

  • With EU being one of the biggest, and most revenue-generating markets for the Indian outsourcing segments, and having poor national data protection laws, makes Indian companies less competitive than other outsourcing markets in this division.
  • Sufficient safeguards must be implemented by Indian companies as required under the GDPR, which ultimately enhances the compliance costs significantly.
  • As mentioned above, Article 3 (territorial scope) of GDPR Act says that any data-related processing, whether taking place within EU or outside, will come under the ambit of the Act. This straight away means that there will be no business for those companies who are not GDPR compliant, and huge penalties can be levied ont them.

How can Indian companies become GDPR compliant?

Indian companies should fulfil the necessary requirements for the compliance with the GDPR that includes:-

  • Reviewing the existing policies, programs and the procedures
  • Organising and imparting data privacy training to the employees and conduct such trainings at regular intervals to update them
  • Reviewing the contracts signed by third parties and making necessary changes in that as required by the regulations
  • Conducting data discovery exercises and maintaining documentation so as to demonstrate how the personal data is being processed, and that it is compliant
  • Continuously reviewing and updating the configuration of data loss prevention
  • Continuously reviewing the data retention schedules, consents, cross-border data transfers, etc.

Areas requiring attention under GDPR are:

  • Third-party and vendor management
  • Accountability systems
  • Data processing
  • Noticing and consents
  • Training and spreading awareness
  • Data security, breach and breach notifications.

Does user consent really matter?

Under the earlier laws, it was very easy for companies to manipulate their terms and conditions and hide the consent policy under lengthy clauses and obtain user consent. Thanks to GDPR, they can no longer continue with such malpractices. Companies now require free and unambiguous consent from the users and also need to disclose how the companies will use the data. Power has been given to individuals to prevent companies from collecting their personal data under GDPR.

Fines and penalties for non- compliance:

As per the regulations, organizations breaking the rules and found non- compliant with GDPR shall be liable to a fine of 4% of their annual turnover or 20Mn (whichever is greater). This is the maximum fine that can be imposed on an organization for any violation. A thing to note here is that these rules shall be applicable to both, the controller and the processor of data, which means that “cloud” services also shall not be exempt.

In conclusion..

Although The Information Technology Act, 2000, and associated rules address the provisions regarding data protection standards, GDPR creates very high benchmark for data protection. Slowly, but steadily, Indian laws too will move towards more sophisticated standards of data privacy, and it is important that Indian companies move in this direction to ensure that India builds its stance as a ‘data secure nation’, which is vital for its survival in the IT space..

About the author: Tushar Verma has pursued his LLB from Kurukshetra University, Kurukshetra. His expertise lies in IPR, cyber laws and commercial laws. He often expresses his views and research in the form of various publications.He sincerely believes that through technology, the law can be made more effective.

Disclaimer: The above article is curated based on limited and publicly available open source information. The views and opinions expressed therein and all data and information so provided is solely for informational purposes, to be used at the sole discretion of the reader. If you disagree with any article or any part thereof, please contact us and we will resolve the issue at the earliest. KyaBae makes no representations as to accuracy, completeness, currentness, suitability, or validity of any information and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.