Legal Capsule: General Data Protection Regulation: Impact on India-based businesses by Economic Laws Practice

General Data Protection Regulation (“GDPR”), approved and adopted by the European Parliament in April 2016, is a ‘rights based’ data protection model which gives users greater rights over their data. It came into force on May 25, 2018, and is today an important topic for most businesses, given the extra-territorial reach of these regulations. This article explores some of the key facets of GDPR and highlights pertinent points.

  • Applicability: Primarily, GDPR lays down rules in relation to protection of natural persons with regard to their personal data. The GDPR is applicable not only to organisations located within the European Union (“EU”), but also applies to organisations located outside of the EU if they ‘process’ personal data of EU subjects as a ‘controller’ or a ‘processor’, and where the processing activity relates to (a) offering of goods or services (including for free) to data subjects in EU; or (b) monitoring their behaviour if the behaviour takes place within EU.
  • Processing of personal data: ‘Processing’ in the context of GDPR means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Data Protection Principles: GDPR lays down specific data protection principles for processing of personal data. Each ‘controller’ and ‘processor’ needs to ensure that the personal data is (a) processed lawfully, fairly and in a transparent manner, (b) collected for a specific, explicit and legitimate purpose, (c) adequate, relevant and necessary in relation to the purposes for which it is collected, and (d) accurate and is kept up to date. There is not only a requirement to comply with the prescribed principles but the ‘controller’ should be able to demonstrate the compliance.
  • Obligation to comply with GDPR: The obligation to comply with the above principles is not only on the entity collecting personal data of EU subjects but also the entity which stores, transmits, alters, uses such personal data on behalf of the data controller.
  • Lawful data processing under GDPR: Data processing will be considered lawful under GDPR if the data subject has given consent to the processing of personal data for one or more specific purposes. But mere consent of the data subject is not sufficient. The controller shall be able to demonstrate that the data subject has provided the consent. The request for consent by the controller shall be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.[2] The data subject shall also have the right to withdraw his/her consent at any time, and it shall be as easy to withdraw consent as it is to give consent.
  • Sensitive personal data: Information which is considered specifically sensitive such as racial or ethnic origin or physical or mental health condition etc. cannot be obtained, stored, transmitted, processed, unless explicit consent for processing of such personal data has been provided by the data subject for one or more specified purposes.

Thinking Ahead to Minimize Exposure And Liabilities

Key takeaways for India-based organisations

The world’s 500 biggest corporations are on track to spend a total of $7.8 billion to comply with GDPR, according to consultants Ernst & Young.[3] In light of the significant compliance cost and burden, companies need to start thinking about the impact on their business model and pricing strategies.

GDPR provides the data subjects greater access to ascertain the manner in which their data is processed. Each controller is now required to maintain a record of processing activities under its responsibility and there are stringent conditions prescribed for notification of the personal data breaches. Given the strict compliance norms and the quantum of penalty involved, it has become imperative for organizations to have dedicated teams for ensuring ongoing GDPR compliance.

GDPR’s extra-territorial application could potentially have a significant impact on Indian organisations, making it critical for companies to analyse and assess whether GDPR is applicable to them. The sectors which are most likely to be affected are IT and ITeS services, business process outsourcing (BPO) units, e-commerce companies catering to customers in EU etc.

Venture Intelligence is India's longest serving provider of data and analysis on Private Company Financials, Transactions (private equity, venture capital and M&A) & their Valuations in India.
