Privacy, at its core, promotes the concept that individuals (also referred to as civilians, residents, customers or data subjects) should own their personal data, and not the organisations (also referred to as the data controller or data processor). Across the globe, government authorities and regulators are defining new regulations and/or strengthening existing laws to protect the personal data of individuals from being misused.
Recent data breach incidents have progressively made data privacy one of the most commonly discussed topics, more so because privacy as a subject involves or impacts almost every individual.
Enforceable from 25 May 2018, an important regulation, the European Union’s General Data Protection Regulation (GDPR), was released on 27 April 2016. GDPR will replace the Data Protection Directive (DPD) 95/46/EC.
To step back, the journey of privacy and data protection in the EU region began in 1990 with the first proposal for the DPD. With the introduction of the World Wide Web, an alternative proposal was tabled in 1992, and it became the basis for further enhancements before Directive 95/46/EC was enacted on 24 October 1995.
The DPD, comprising 34 articles, was considered the first step towards harmonisation of privacy requirements across the EU region; however, its implementation was fragmented per European member state. The DPD was low on penalties and did not push towards disclosure of the intended use and duration of storage of the data acquired. GDPR replaces the DPD with 99 articles, brings full harmonisation of privacy requirements, provides for high penalties and mandates disclosure of the intended use.
GDPR may be considered a borderless and sector-neutral law. Article 3 of the GDPR, “Territorial scope”, makes it binding on organisations processing the personal data of EU data subjects “regardless of whether the processing takes place in the Union or not”.
According to statistics from the European Commission, the EU is India's number one trading partner (13.5 percent of India's overall trade with the world in 2015-16). India was the EU's 9th-largest trading partner in 2016 (2.2 percent of the EU's overall trade with the world), and trade in services almost tripled in the past decade, increasing from €10.5 billion in 2005 to €28.1 billion in 2015. Below is a representation of trade in services from 2014 till 2016 (in € billions), sourced from the European Commission.
With increasing trade in goods and services, more organisations and service providers in India are likely to fall under the purview of GDPR. It is believed that not many such organisations will be GDPR-ready by the enforcement date. The soon-to-be-released results of the DSCI-Deloitte GDPR Preparedness Survey will provide a picture of the GDPR readiness of India-based organisations.
GDPR brings a different dimension to the Indian privacy landscape, which till date has been largely governed by the Information Technology Act, 2000 and the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011. GDPR is being seen by Indian organisations as a transformation rather than just another regulation, since privacy in India is still maturing to the level required to address the needs of the growing digital economy. The privacy landscape in India received a significant boost from a historic ruling by the Supreme Court of India on 24 August 2017. A couple of months later, the Ministry of Electronics and Information Technology released a draft white paper proposing the outlines of a rigid data protection framework.
The compliance process for organisations in India will require adherence not only to the GDPR (if applicable), but also to the upcoming data protection law in India. Once approved by the competent authority, its implementation will mandate organisations to establish a stringent framework (covering governance, people, process and technical aspects) to safeguard the personal data of their employees, customers and related data subjects.
For its effective implementation, apart from regulatory oversight and enforcement similar to that in the EU region, it is quite likely that India will require a large pool of professionals (commonly referred to as Data Privacy or Data Protection Officers, DPOs). This may open a new avenue for professionals to develop knowledge and skills in the field of privacy and data protection and become a DPO. The DPOs will support their organisations in adhering to the ever-increasing privacy requirements.
In the last decade, there have been numerous discussions triggered by data breaches on major social media platforms and at other service providers. With the recent outrage resulting in legal hearings of leading social media companies, accountability and responsibility for these data breaches have become a major concern.
After the implementation of the GDPR and similar upcoming regulations in India, organisations will be expected to continuously monitor their operating environment (including their extended teams and third parties involved in processing the personal data of data subjects) to identify and report breaches by notifying the designated authorities within the stipulated time frame (for example, 72 hours as mandated by GDPR). Such provisions make organisations accountable for the safekeeping of personal data and for preventing its use beyond the purposes for which it was collected.
Looking at the other side of the coin, GDPR and similar regulations should be seen as an opportunity to regain the waning trust of the consumer community.
(The author is Partner, Deloitte India)
Updated Date: May 23, 2018 16:45 PM