How is GDPR impacting Indian Data Privacy Laws?

GDPR is a trendsetter in the world of data protection and is widely impacting worldwide data privacy laws. Can we expect something similar in India?

Data privacy is one of the biggest risks that modern businesses face, and the use of big data makes the challenge even more complex. The question is: are you doing enough to fight the risk? If you think installing anti-malware software and conducting an audit every six months is enough to keep your sensitive information safe, you certainly need to revisit your data privacy measures. There have been some mega data breaches in the recent past at massive business groups such as Verizon, Equifax and even Facebook. These data breaches teach us a very important lesson: no business is completely safe from the risk, and cybercriminals are never at rest.

Data privacy is now a matter of universal concern and a serious problem, just like global warming and terrorism. Today, every nation needs stringent data privacy laws and regulations to ensure fair and safe use of sensitive information. With the aim of discussing the various challenges and concerns underlying the Indian Data Protection Framework, ASSOCHAM recently conducted a Global Data Privacy Summit in Bangalore. The idea behind the summit was to invite views and suggestions from a multi-stakeholder community on the regulatory and judicial processes around nationwide data privacy concerns.

Several business groups, IT delegates and data privacy enthusiasts from India and other countries participated in the event. The panelists discussed the challenges, opportunities and possible measures on pressing issues such as Big Data, worldwide Data Privacy, and the effects of disruptive technologies on Data Protection, among many others. Each discussion was followed by an interactive Q&A and networking session.

Estuate, too, was a key participant at the event as the GDPR partner. Our Data and Analytics Head, Mr. Vishwas Balakrishna, drove the discussion on “The influence of GDPR on global data privacy laws”. “GDPR is a game-changer in the world of data privacy. If nations across the globe get influenced by this revolutionary law and impose similar regulations, the status of worldwide data privacy will be stronger and more resilient in the days to come,” Vishwas stated.

The European Union’s GDPR is a rather bold and revolutionary step against global cyber risk. The law sets stringent restrictions on the usage of personal information of EU citizens. The good thing is that it is not confined to European borders: it applies to companies across the globe that handle such data. It is a strong, solid measure that strengthens data privacy despite the uncontrollable risk of breaches.

Data privacy is certainly a burning issue in the Indian ecosystem. To address this concern, the Personal Data Protection Bill, 2018 was recently submitted by the Justice BN Srikrishna committee. The proposed bill is similar to GDPR in many ways. It states that “The right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy.” It also binds any person processing personal information of Indian citizens to do so in a fair and reasonable manner. Non-compliance would lead to penalties of up to Rs. 15 crores or 4% of business turnover.

Although it is still a proposed bill awaiting approval by the Ministry of Electronics and Information Technology, it is a huge step in the right direction towards fighting cybercrime. If implemented, it could change the face of the Indian Data Protection Framework for good.

GDPR: What it means for US-based companies

The General Data Protection Regulation (GDPR) is a new law that will come into effect in the European Union (EU) on the 25th of May, 2018. Its key goal is to reinforce and unify data protection for individuals in the EU. The GDPR replaces the Data Protection Directive from 1995 and marks a major departure in many aspects.

It is a new legal framework for handling the personal data of EU-based individuals, be they customers, prospects, contractors or employees. It is already in force but not yet enforceable: businesses and not-for-profit organizations have until May 25, 2018 to comply. Although GDPR originates in the EU, it actually impacts businesses worldwide if they handle personal data of EU individuals, or do business with organizations that do. GDPR imposes obligations on how that data is treated, even if that personal data has traveled outside the EU and is now stored and handled in a distant corner of the world.

How will GDPR affect US companies?
The main objective of GDPR is to give EU citizens greater control over how their personal data is collected, protected and utilized. While the legislation applies to EU companies, it also applies to any company that chooses to do business in the EU. US companies that operate in the EU market and which collect personally identifiable information (PII) are subject to EU-GDPR regulations in all of the EU countries in which they do business.

EU GDPR directly impacts organisations in the U.S. if they:

  • have offices or employees in the EU
  • market or sell to EU citizens
  • partner with EU-based organisations
  • may have at one point, or may at some point in the future, process, store, receive, or handle in any way, data pertaining to EU citizens

If your processing activities fall into any of the above categories, then you must comply with the EU GDPR guidelines. In short, the rules follow the data rather than being territorial. In other words, GDPR applies to US companies that are not located in the EU but provide goods or services to EU citizens or monitor the behavior of EU citizens. These companies must comply with GDPR rules on the data privacy of these individuals.

Key points for US-based companies: How do I comply?
After determining that it is subject to the regulation, the next determination a US company has to make is what changes it needs to make in order to comply. Truly complying with the new General Data Protection Regulation (GDPR) rules means being able to see into ALL of the organisation’s data. That visibility supports a holistic approach, with consistent processes adopted across all industries, geographies and business units, and a clear strategy on access and classification. Organisations need to know where personal data is stored, in what form it is found, and who is authorised to access it. US-based companies that collect personal information and that operate within the European Union should consider preparing for the GDPR’s implementation by:

  • Developing or revising a privacy program that collects and retains personal information only to the extent necessary (e.g., adhering as closely as possible to the European Union’s “purpose limitation” requirements)
  • Appointing a knowledgeable data protection officer or a chief privacy officer to oversee the company’s privacy practices and ensure compliance with both domestic and international regulations
  • Reviewing and possibly amending contracts with third parties that process, control or maintain collected personal information to ensure proper safeguards and data breach reporting procedures
  • Ensuring that there are updated and tested data breach response policies and programs to ensure timely notification to regulators and consumers in the event of a data breach.

What is the impact?
At this point a US firm that may be subject to the regulation may ask, “So what? Why do we care about EU data regulations?” Organizations that fail to comply can be fined up to 20 million Euros or 4% of their worldwide revenue. Violators will be placed in one of two tiers, with the higher tier costing violators up to 20 million euros or 4% of the company’s net income.

With the European General Data Protection Regulation (GDPR) taking effect in May 2018, companies doing business in the European Union are scrambling to avoid the severe penalties from non-compliance with these stringent regulations.

Existing in a global marketplace means that GDPR cannot be overlooked, and now is the time to ensure that your company is ready for how the changes may affect it. Consider the parts of the GDPR that will have the most impact on your business and begin with those areas first in your review and overhaul of your policies, so that you are prepared ahead of the May 25, 2018 effective date of GDPR.
