Preparing for GDPR in India: A Brief Guide for Indian Companies

What is the GDPR?

The General Data Protection Regulation (GDPR) of 2016 is one of the first significant legislative initiatives aimed at safeguarding the personal data of individuals in the European Union and the European Economic Area. According to Article 1 of the GDPR, its objectives are threefold: first, to protect natural persons with regard to the processing of their personal data; second, to secure the fundamental rights and freedoms of individuals, particularly their right to privacy regarding their personal information; and finally, to facilitate the free flow of personal data within the Union.

[1] GDPR was primarily inspired by the Cambridge Analytica data breach in the 2010s, in which millions of consumers’ data were collected without consent and exposed. [2] GDPR imposes stringent regulations on the way corporations handle their customers’ personal data and levies hefty administrative fines for non-compliance.

How and why does the GDPR apply to Indian companies?

Articles 2 and 3 of the GDPR establish that it is a borderless and sector-neutral regulation, which means its compliance standards apply to organizations outside the EU that (a) have operations within the EU, (b) have third-party operators in the EU, and (c) serve EU consumers.

As a result, Indian companies doing business in the European Union must assess their data privacy and protection policies against the standards set by the GDPR. Article 40 of the GDPR requires Member States to promote the creation of a Code of Conduct based on its requirements. Some of the broad themes covered include fair and transparent processing, collection of personal data, pseudonymization of personal data, transfer of data to third-party countries or international organizations, and the establishment of mechanisms for resolving disputes.

It is essential to note that the GDPR provides for Binding Corporate Rules (BCR) through Article 4(20). BCR are a set of internal rules that govern the transfer and processing of personal data within a group of companies, or a group of businesses engaged in joint economic activity, to third countries.

[3] For an Indian company that wishes to engage in cross-border data transactions, it is crucial to have a GDPR-compliant Code of Conduct in the form of BCR. Indian businesses, especially in the information technology and pharmaceutical industries, view the European market as a favorable destination; the Indian IT sector alone is estimated to be worth $20 billion. Non-compliance with GDPR requirements could result in significant fines of up to 10 million euros or 2% of the company’s global turnover [Article 83(4) of GDPR].

[4] To meet the standards set by GDPR, BCR must be legally binding, enforceable by all relevant members of the organization, specify methods for data subjects to exercise their rights under the GDPR, and include the organization’s data processing policy and other necessary information (Article 5 of GDPR).

What is the GDPR Checklist?

In India, the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 govern data privacy and protection. Although these laws predate the GDPR, India has sought to align its data protection regulations with those of the GDPR through amendments. The most recent attempt to do so is the fourth edition of the Digital Personal Data Protection Bill, 2022. However, a comparison of India’s domestic data privacy regulations with those set forth by the GDPR reveals differences that may affect the compliance of Indian companies looking to do business in the European Union and the European Economic Area.

The General Data Protection Regulation (GDPR) goes beyond the Information Technology (IT) Act in India in terms of clearly outlining the principle of accountability. It also includes the principle of data integrity, regular revision, protection from unlawful processing or damage, and fairness and transparency in data processing. The GDPR provides clear definitions of important terms such as “consent” and “data processing,” which are lacking in India’s current data protection regime. [5]

To meet the stringent standards of the GDPR, Indian corporations must comply with the following requirements, which exceed India’s domestic mandate:

  1. Implement a process to facilitate a data subject’s request for access and/or deletion.
  2. Establish a policy defining roles and responsibilities, the types of data, collection methods, and authorization to access data, to ensure data integrity.
  3. Ensure adequate controls for the storage, transfer, use, and destruction of data.
  4. Conduct privacy impact assessments.
  5. Undergo internal and independent audits.
  6. Incorporate Privacy by Design and Privacy by Default into the information security framework.
  7. Establish internal mechanisms to monitor and respond to data breaches.
  8. Maintain oversight throughout the data life cycle.

The implementation of the GDPR has therefore caused significant ripples not only within the European Union (EU) but also worldwide. The GDPR has established new, rigorous standards for data protection, with severe financial penalties for non-compliance. To tap into the lucrative opportunities of the European market, Indian corporate entities now require a comprehensive information security policy that exceeds the domestic mandate.

Author: Kevin Davis, Research Associate, Law, Rainmaker

Directions and Contributions: Akanksha Arora, AVP-Legal, Rainmaker

References:

  1. General Data Protection Regulation, 2016
  2. European Union, Cambridge Analytica and the impact on Data Protection
  3. Binding Corporate Rules
  4. Comparative Study between Indian data protection laws and the GDPR
  5. GDPR compliance for Indian companies

DISCLAIMER – No information contained in this website may be reproduced, transmitted, or copied (other than for the purposes of fair dealing, as defined in the Copyright Act, 1957) without the express written permission of Rainmaker Online Training Solutions Pvt. Ltd.