With the advent of digital life, data proliferation has gone beyond our imagination. Digital presence has become an integral part of our personal and professional lives and it is hard to remove the information which is once posted online. With the aim of safeguarding customer’s trust in digital technology, European Union has introduced a set of rules for data handling. General Data Protection Regulation are the comprehensive set of rules put forward to globally strengthen data protection and privacy of users. The primary aim of the regulation is to give all control of the data to the user.
The sole purpose of GDPR is to protect the misuse of personal identifiable data of citizens residing in the European Union. As per GDPR, companies across internet are required to obtain consent from users before collecting any personal data. They are required to revise their privacy policies and collection practices. These regulations also entitles users the right to be forgotten. As per Article 17 of the regulation, individuals can exercise the right to be forgotten. European citizens can ask the controller to delete their personal data. The controller will also have to ensure the erasure of the links to the information.
Challenges faced by companies:
Inadequate data protection laws in India - currently, the outsourcing industry of India is estimated around US$ 150 billion and contributes over 9.3% towards the Gross Domestic Product of the country. The European markets are considered the biggest for Indian outsourcing sector and India does not have proper data protection laws in place. This makes our country less competitive as compared to other outsourcing markets.
Stringent restrictions - GDPR imposes strict restrictions on data handling and processing. The Indian companies are required to implement safeguards under GDPR in order to transfer personal data outside the European Union.
High risk of penalties and litigation - As per the Article 3 of the GDPR, it is clear that the regulation is applicable even to the organisations that are not based in EU but only using data of EU citizens. This implies increased compliance costs for the Indian companies. However, companies should not take this as imposition of rules rather it should be observed as a practice and norm. GDPR will act as inspiration for other countries to have similar data protection laws in place. Currently, data protection in India is addressed under Information Technology Act, 2000. This Act clearly states civil and criminal punishment in case of wrongful disclosure of personal information. A codified law on data protection is likely to be introduced in the near future.
India also needs its own version of GDPR. The regulation shall regulate the collection and use of consumer of data. Presently, the Indian users receive unsolicited calls, e-mails and texts. Recently, the Supreme Court of India has held that privacy is a fundamental right and to give teeth to this right, it is imperative to have a legislation to safeguard data privacy issues of individuals. Currently, Indians are absolutely ignorant on how their personal data is used by the organisations and the importance of data protection. There should be stringent penalties in case of intentional misuse by data of data by organisations.
For the effective implementation of GDPR, it is imperative to have coordination between the IT, legal and database management teams in any company.
Here are a couple of things that Indian organisations can do to become GDPR compliant-
- Spread awareness and conduct training of employees- in order to become GDPR compliant, first and foremost the companies should tell employees about the new age privacy regulation.
- Establish a framework to keep records of personal data of processing activities companies must keep a record of how the personal data is processed within the organisation.
- Establish a framework to process personal and special categories of data in the EU.
- Draft privacy and consent notices - At the time of collecting the data from the data subject, or when the personal data is not collected directly from the data subject, communicate information about the processing of personal data to the relevant data subjects in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’.
- Handle privacy incidents effectively - Maintain an incident response strategy and define roles for incident response team to execute the strategy or an operational incident detection team.
- Appoint a data protection officer- Companies must appoint a data protection officer as per GDPR.
- Protection during transfer of data- Create a process for ensuring personal data transfers and adequately protect the rights and freedom of data subjects when data is transferred to internal or external parties.
- Create accountability for data processing- Keeping in mind the GDPR, companies are required to perform due-diligence over third parties before entering a contract.
The companies or startups will understand the consequences only when they see someone being prosecuted for the same. After the enforcement of GDPR a lawsuit has already been filed against Facebook imposing a fine of 3.9 billion and 3.7 billion euro against Google. The GDPR could be an opportunity for Indian companies to stand out as leaders in providing privacy compliant services and solutions.