India under the GDPR in 2018
The General Data Protection Regulation (GDPR) is the European Union’s latest regulation to address data privacy. It replaces the 1995 Data Protection Directive, which has, until now, set the standards for processing data in the EU. Indian firms with exposure to the EU, especially technology start-ups, fintech companies and IT services providers, may feel the impact first. The law is scheduled to be implemented from 25 May 2018.
Mr Parthasarathy, National Leader - Cyber Risk Services, Deloitte, said, “Consumer-driven companies that have exposure to the EU, in areas like IT services and fintech, that support the banking and other regulated sectors, are likely to be affected first, and have to comply.” However, he added that Indian consumers and regulators may not feel the strong impact of the GDPR immediately.
The GDPR comes at a time when India is implementing new laws and opening more discussions on data privacy in response to the increasing number of data breaches, the latest involving Facebook, where the data of around 87 million users globally, including over 5.6 lakh Indians, was accessed without their consent by the British political research company Cambridge Analytica through its app.
In August 2017, the Supreme Court in Justice Puttaswamy vs Union of India recognised privacy as a fundamental right, including the concept of informational privacy, and noted that it should be backed by enforceable legislation so that private entities can be held accountable.
The GDPR contains 99 articles and 173 recitals, and includes crucial requirements that have a direct impact on the implementation of IT security in organisations. It addresses the main principles of security: confidentiality, integrity and availability of data.
Under the GDPR, users have more power to demand that companies reveal or delete the personal data they hold. Users will also be able to choose how their data is used by withholding consent, to request access to their personal information from data brokers, and to have personal information deleted from websites altogether.
According to the GDPR, data protection involves a rights-based, consent-driven approach. The GDPR is built on the concept of privacy ‘by design and default’ and has created new rules and higher standards of data privacy compliance that did not previously exist.
Mr Parthasarathy said the GDPR will most affect companies with operations in Europe and those that handle vast amounts of customer or client data. He also added that sectors such as life sciences, manufacturing and government entities will find it much harder to comply with the GDPR.
As quoted in the Firstpost article, Mr Jaspreet Singh, Partner - Cyber Security, said, “It is imperative for Indian firms to plan and continue their journey towards compliance even after 25 May, to ensure continuity of business within the EU and avoid hefty penalties because of non-compliance.”
India is not on the EU’s list of countries approved for data portability and transfer.
Indian companies operating in the EU will be required to change the way they capture, process and use the data of EU nationals. Technology alone will not help companies and organisations understand the GDPR; compliance requires a detailed understanding of a number of data policies and privacy laws.
Indian firms that do not comply with the GDPR will face heavy fines and increased regulatory action.