The General Data Protection Regulation (“GDPR”), approved and adopted by the European Parliament in April 2016, is a ‘rights based’ data protection model which gives users greater rights over their own data. It came into force on May 25, 2018 and is today an important topic for most businesses, given the extra-territorial reach of the regulation. This article explores some of the key facets of GDPR and highlights pertinent points.
- Applicability: Primarily, GDPR lays down rules in relation to the protection of natural persons with regard to their personal data. The GDPR is applicable not only to organisations located within the European Union (“EU”), but also to organisations located outside the EU if they ‘process’ personal data of EU data subjects as a ‘controller’ or a ‘processor’, and where the processing activity relates to (a) the offering of goods or services (including for free) to data subjects in the EU; or (b) the monitoring of their behaviour, if the behaviour takes place within the EU.
- Processing of personal data: ‘Processing’ in the context of GDPR means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data Protection Principles: GDPR lays down specific data protection principles for the processing of personal data. Among them, each ‘controller’ and ‘processor’ needs to ensure that personal data is (a) processed lawfully, fairly and in a transparent manner, (b) collected for specified, explicit and legitimate purposes, (c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed, and (d) accurate and, where necessary, kept up to date. There is not only a requirement to comply with the prescribed principles; the ‘controller’ must also be able to demonstrate that compliance.
- Obligation to comply with GDPR: The obligation to comply with the above principles falls not only on the entity collecting personal data of EU data subjects but also on any entity which stores, transmits, alters or uses such personal data on behalf of the data controller.
- Lawful data processing under GDPR: Consent is one of the lawful bases for processing under GDPR: data processing will be considered lawful if the data subject has given consent to the processing of his/her personal data for one or more specific purposes. But the mere existence of consent is not sufficient. The controller must be able to demonstrate that the data subject has provided the consent. The request for consent by the controller must be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. The data subject also has the right to withdraw his/her consent at any time, and it must be as easy to withdraw consent as it is to give it.
- Sensitive personal data: Information which is considered specifically sensitive, such as racial or ethnic origin or physical or mental health condition, cannot be obtained, stored, transmitted or otherwise processed unless an exception applies, such as the data subject having given explicit consent to the processing of such personal data for one or more specified purposes.
Thinking Ahead to Minimize Exposure And Liabilities
Key takeaways for India-based organisations
The world’s 500 biggest corporations are on track to spend a total of $7.8 billion to comply with GDPR, according to the consultancy Ernst & Young. In light of the significant compliance cost and burden, companies need to start thinking about the impact on their business models and pricing strategies.
GDPR gives data subjects greater access to ascertain the manner in which their data is processed. Each controller is now required to maintain a record of the processing activities under its responsibility, and stringent conditions are prescribed for the notification of personal data breaches. Given the strict compliance norms and the quantum of penalties involved, it has become imperative for organisations to have dedicated teams for ensuring ongoing GDPR compliance.
GDPR’s extra-territorial application could potentially have a significant impact on Indian organisations, making it critical for companies to analyse and assess whether GDPR is applicable to them. The sectors most likely to be affected are IT and ITeS services, business process outsourcing (BPO) units, e-commerce companies catering to customers in the EU, etc.
Venture Intelligence is India's longest serving provider of data and analysis on Private Company Financials, Transactions (private equity, venture capital and M&A) & their Valuations in India.