Introduction
The General Data Protection Regulation (“GDPR”) came into effect in May 2018 in the European Union (“EU”) to regulate the collection, use and processing of EU residents’ personal information.
In addition to providing greater privacy and protection rights to EU residents, the GDPR is designed to harmonise data privacy laws across all EU member countries. The GDPR was also created to alter how businesses and other organisations handle the information of those EU residents that interact with them.
This regulation applies no matter where the business or organisation collecting the data is located. All businesses that attract EU visitors must comply with the GDPR, even if they do not specifically sell goods or services to EU residents.
Principles of GDPR
At the core of GDPR are seven key principles (laid out in Article 5 of the legislation) which have been designed to guide how EU residents’ data can be handled. GDPR's seven principles are: (a) lawfulness, fairness and transparency; (b) purpose limitation; (c) data minimisation; (d) accuracy; (e) storage limitation; (f) integrity and confidentiality (security); and (g) accountability.
Applicability
Any company that stores or processes personal information about EU residents within EU states must comply with the GDPR, even if it does not have a business presence within the EU. The specific criteria for companies required to comply are:
- a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
- a company established outside the EU that offers goods/services (paid or free) to, or monitors the behaviour of, individuals in the EU; or
- a company employing fewer than 250 persons, if its data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies.
Responsibility for Compliance
The GDPR defines several roles that are responsible for ensuring compliance: (a) Data Controller; (b) Data Processor; and (c) the Data Protection Officer (“DPO”).
The Data Controller determines how the personal data shall be processed and the purposes for which it shall be processed. The Data Controller essentially dictates the “how” and “why” of data usage by the processor.
For example, if NDTV.com is the data controller, it collects data on which pages its viewers visit, the amount of time spent on each article, the interactions made, etc.
NDTV, if it has the capacity, may choose to process this data itself to better understand the likes and dislikes of its visitors, or it may hire a third party, i.e. a Data Processor such as Google Analytics, to analyse such data.
Further, the controller is also responsible for making sure that outside contractors comply with the GDPR.
Data Processors may be the internal groups that maintain and process personal data records or any outsourcing firm that performs all or part of those activities. The GDPR holds processors liable for breaches or non-compliance. It is possible, then, that both the controller and a processing partner such as a cloud provider will be liable for penalties even if the fault is entirely that of the processing partner.
The GDPR requires the controller and the processor to designate a DPO to oversee data security strategy and GDPR compliance. Companies are required to have a DPO if they process or store large amounts of EU residents’ data, process or store special personal data, regularly monitor data subjects, or are a public authority. Some public entities such as law enforcement may be exempt from the DPO requirement.
Compliance requirements for Indian Companies
- Personal Data should be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes, and it should be adequate, accurate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Personal Data should be kept in a form which permits identification of data subjects for no longer than is necessary. Personal Data should be available to the supervisory authority on request.
“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- The GDPR also provides for carrying out a data protection impact assessment in certain cases, and for the designation of a DPO by the controller and the processor in certain prescribed circumstances, such as where the processing is carried out by a public authority/body (except for courts), or where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale. There are three conditions under which you are required to appoint a DPO:
  - You are a public authority other than a court acting in a judicial capacity.
  - Your core activities require you to monitor people systematically and regularly on a large scale.
  - Your core activities are large-scale processing of special categories of data listed under the GDPR, or of data relating to criminal convictions and offences mentioned in the same.
- Adoption of internal policies and implementation of appropriate technical and organisational measures which meet, in particular, the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, and enabling the controller to create and improve security features.
- A controller is to appoint only those processors who provide sufficient guarantees that they will implement appropriate technical and organisational measures such that the processing is GDPR compliant.
- A controller is required to maintain a record of the processing activities it is responsible for, containing certain prescribed information. Similarly, each processor is required to maintain a record of all categories of processing activities carried out on behalf of a controller, containing certain prescribed information.
- Where processing is based on consent, the consent obtained should be specific, informed and unambiguous. This could include ticking a box when visiting a website in order to collect the user’s consent, but mere silence, pre-ticked boxes or inactivity would not constitute consent. If the processing has multiple purposes, consent should be taken for all of them. If the consent is given in the context of a written declaration concerning other matters, the consent request should be clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
- Employee Training: Employees who handle personal data of either customers or other employees must be trained to handle it according to GDPR principles.
- Other policies and procedures to be maintained: (a) General Data Protection Policy; (b) Data Subject Access Rights Procedure; (c) Data Retention Policy; (d) Data Breach Escalation and Checklist; (e) Employee Privacy Policy and Notice; (f) Processing Customer Data Policy; (g) Guidance on privacy notices; and (h) Privacy Policy and Terms of Use on websites and applications.
- The Data Controller should report any kind of data breach to the supervisory authority within 72 hours of becoming aware of it. The organisation’s privacy policy should also state that data subjects will be informed about data breaches without unreasonable delay. Only where the data is encrypted or otherwise unintelligible do such individuals not need to be notified. The processor is required to notify the controller without undue delay after becoming aware of a personal data breach.
- Appointment of a processor: a data controller can appoint a GDPR data processor only under a written and binding data processor agreement. The data processor agreement should clearly state the obligations the data processor is required to adhere to and the work it is required to perform.
Disclaimer:
The content of this article is for information purposes only, does not constitute advice or a legal opinion, and represents the personal views of the author. It is based upon the relevant law and/or facts available at that point of time and has been prepared with due accuracy and reliability. Readers are requested to check and refer to the relevant provisions of the statute, the latest judicial pronouncements, circulars, clarifications, etc. before acting on the basis of the above write-up. The possibility of other views on the subject matter cannot be ruled out. By using the said information, you agree that the Author / Treelife Consulting is not responsible or liable in any manner for the authenticity, accuracy, completeness, errors or any kind of omissions in this piece of information, or for any action taken on the basis of it.