Contact Us

This Is How Indian Businesses Should Play By The GDPR Rules

This Is How Indian Businesses Should Play By The GDPR Rules

The safety of the people shall be the highest law –Marcus Tullius Cicero

The European Union’s General Data Protection Regulation (GDPR) just goes without a saying a perfect example of above quote. The regulation has been in effect since 25 May 2018.

To Give You A Brief Story:

The GDPR attempts to give EU citizens a complete control over what data (data that is used to identify a person) companies collect, store, and use. This means any business that transacts with EU citizen will have to deal with GDPR.

If a business violates GDPR, it can be fined up to 4% of company’s global turnover or 20 million Euros.

Businesses that want to collect, store, and use EU Citizen cum customer data, have to get explicit permission via legally enforceable contracts that are written in clear language, it has to be intuitive enough for the EU citizen to understand, and withdraw consent or give consent.

The Types Of Data That GDPR Protects:
  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation
Throwing Light On How Businesses (Both Data Controllers And Data Processors) Can Play By The Rules Laid Down By GDPR:
  1. Appointment of Data Protection Officer (DPO) – Microsoft is doing this. Precisely speaking any businesses meeting at least one of these criteria has to appoint a (DPO)
    1. Business is a listed one
    2. Business with over 250 employees
    3. Business that process personal data of more than 5,000 subjects in a 12 month period
  2. Implementation of legally enforceable contracts for collecting data at every touch point, note, the contract has to be intuitive and in clear language. Small businesses like Bloggers can implement this under the guidance of an experienced lawyer.
  3. Third party compliance contract – Say if you are a data controller and are complied with GDPR, now there is a third party that processes the data. If the third party processor does not comply with GDPR, then that means even your organization is not in compliance. Cloud providers, SAAS Vendors, or Payroll service providers etc. are good examples of the third party that processes data.
Jumping Into Deeper Meanings Of 9 Major Topics:
  1. Taking Consent from customers :
    • Must be specific, informed and unambiguous
    • Customer should be given choice to take clear affirmative action
    • Consent cannot be inferred from silence
    • Consent cannot be inferred from pre-ticked boxes
    • Consent must b different from ‘Terms and Conditions’
    • Businesses should provide simple ways to withdraw consent
    • Consent has to be verifiable
  1. Taking Children’s personal data:
    • Privacy Notice is written in a clean an plain way that a child can understand
    • Businesses offering ‘information society service’ to children, you may need to obtain consent from a parent or guardian.
  1. Individual’s rights :
    • The right to be informed
    • The right of access
    • The right to rectification
    • The right to erasure
    • The right to restrict processing
    • The right to data portability
    • The right to object
    • Rights in relation to automated decision making and profiling
  1. Information to be covered in Privacy Notice Contract or other legal bases:
    • Identity and contact details of the controller and the DPO
    • Purpose of the processing and the lawful basis for the processing
    • The legitimate interests of the controller or third party
    • Categories of personal data
    • Details of transfers to third country and safeguards
    • Any recipient or categories of recipients of the personal data
    • Details of transfers to third country and safeguards
    • Criteria used to determine the retention period
    • The existence of each of data subject’s rights
    • The right to withdraw consent at any time
    • The right to lodge a complaint with a supervisory authority
    • The source the personal data originates from whether it came from publicly accessible sources
    • Whether the provision of the personal data part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data.
    • The existence of automated decision making, including profiling and information about how decisions are made, the significance and consequence.
    • Confirmation that their data is being processed, per say
    • Access to their personal data free of charge, you can charge a reasonable fee if accessed multiple times
    • Individuals can have personal data rectified if it is inaccurate
    • Details about the processing of the request to erase data
  1. Information should be shared by:
    • At the time data are obtained, if acquired by the controller, or else
    • Within a reasonable period of having obtained
    • If the data are used to communicate with the individual, at the latest, when the first communication takes place
    • If disclosure to another recipient is envisaged, at the latest
  1. Businesses should demonstrate accountability by:
    1. Implement internal data protection policies such as staff training, internal audits etc
    2. Maintain relevant documentation on processing activities
    3. If appropriate, appoint a data protection officer
    4. Implement measures that meet the principles of data protection by design and data protection by default.
    5. Adhere to approved codes of conduct and or certification schemes
    6. DPIA if required
  1. Breach notification:
    1. GDPR will introduce a duty on all businesses to report certain types of data breach to the relevant supervisory authority, and in some cases to individuals affected
    2. Breach notification should contain details of data that got breached
  1. Before Transfer of data outside EU:
    1. Should comply with the conditions for transfer set out in chapter v of the GDPR
    2. Transfer may happen only if the international organization ensures an adequate level of protection
    3. A legally binding agreement between parties
    4. Binding corporate rules
    5. Standard data protection clauses in the form of template transfer clauses adopted by the commission
    6. Compliance with an approved code of conduct
    7. Certification under an approved certification mechanism
    8. Contractual clauses agreed authorized by the competent supervisory authority
  1. Transfer of data outside EU can happen if:
    1. Made with individuals consent
    2. Under a contract between individuals and business or for pre-contractual steps taken at the individual’s request
    3. Contract made between individual and controller
    4. Necessary for important reasons of public interest
    5. Necessary for the establishment, exercise or defense of legal claims

Leave a Reply

Your email address will not be published. Required fields are marked *