What is the GDPR?
GDPR is a set of data privacy guidelines which came into force in European Union nations from May 2018. These guidelines were approved in 2016, followed by a two-year transition period. The acronym GDPR stands for General Data Protection Regulation. It is the result of 4 years of labor by EU member states.
What does it replace?
GDPR replaces an old data protection directive of 1995. The good part is that across all 28 EU member states only one standard has to be met, which simplifies the process. But the standard is very high and difficult to meet and administer.
There are now new ways of collecting data which could not be foreseen in the pre dot-com era and are therefore not covered by the 1995 directive. GDPR aims to address this and also regulates the export of personal data from the EU to the outside world.
- EU wants people to have more control over their data
- The Internet brought in new ways of exploiting personal data which need to be addressed
- Enhance people’s trust in digital economy
- Bring in a simpler and clearer legal framework throughout the EU with regard to data protection
What are GDPR Requirements?
The GDPR requirements will force companies to change the way they process, store, and protect customers’ personal data.
Consent: Companies will be allowed to store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.”
Portability: Personal data must also be portable from one company to another. Companies now must store people’s information in commonly used formats (such as CSV), so that they can move a person’s data to another organisation (free of cost) if the person requests it.
Right to Access: People can ask for access at “reasonable intervals”, and controllers must usually respond within one month. They can also ask, whenever they want, for that data to be rectified if it is incorrect or incomplete.
Right to know: People have the right to know how companies collect their data, what they do with it, and how they process it. Companies must explain this in clear and plain language: why the data is being processed, how long it is stored for, and who gets to see it.
Right to be forgotten: Companies must erase personal data upon request. Users have the right to demand that their data is deleted if it is no longer necessary for the purpose for which it was collected. They can also demand that their data is erased if they have withdrawn their consent for it to be collected, or if they object to the way it is being processed.
Reasonable data protection & privacy: Companies must be able to provide a “reasonable” level of data protection and privacy to EU citizens. What the GDPR means by “reasonable” is not well defined, though.
Report Data Breaches: A potentially challenging requirement is that companies must report data breaches to supervisory authorities and to the individuals affected by a breach within 72 hours of when the breach was detected.
Performing impact assessments: These are intended to help identify vulnerabilities and how to address them.
Where do Indian Laws Stand?
The Indian Information Technology Act, 2000 (IT Act) provides general obligations for the collection, transfer and use of personal information.
The Privacy Rules (Information Technology Rules 2011) broadly define two classes of information: “Personal Information”, which includes any information that relates to a natural person and which, directly or indirectly, is capable of identifying that person; and a further category of Personal Information known as “SPDI” (Sensitive Personal Data or Information), which includes passwords, financial information such as bank account or credit card details, physical or mental health information, biometric information, etc.
The Privacy Rules set out various obligations, including mandatory consent and disclosure requirements for data collection, usage, processing, storage and transfer, and the requirement to appoint a grievance officer. These Rules also require every company to have information security practices, programmes and policies which are in proportion to the information being protected.
Further, in 2013 the Department of Electronics and Information Technology published a set of rules for the regulation of data privacy and personal data protection, including mandatory notification requirements (the CERT-In Rules).
While India has laws in place which govern many aspects of data protection, breach and privacy, their enforcement remains a question.
Will the Indian & Non-EU Consumers gain from GDPR?
Many companies directly or indirectly operate in the EU or deal with EU residents, and thus they will be required to comply with GDPR. Indian companies with branch offices in European Union member states, as well as companies which provide back-office data processing services to EU companies, would be affected. Many big e-commerce, food-tech and ride-hailing companies in India are operating or planning to operate internationally.
As these companies improve their privacy standards to comply with GDPR, Indian and other non-EU residents would gain as a side effect.