
For every business, protecting sensitive data remains a paramount challenge, especially in the present era, where personal data is so often handled carelessly. By establishing a holistic view of your sensitive data, we at KIPG help you avoid data leaks and minimize the risk of GDPR/PDPB fines. We prepare your business to meet the strictest data protection laws by developing strategies that identify gaps and vulnerabilities and clarify the privacy dimension of your data.

Overview of the GDPR

A Brief Review of the Creation and Background of the GDPR

The GDPR (General Data Protection Regulation) is the new reference text concerning data protection at the European level. It was published in May 2016 and entered into force on 25th May 2018.

Because it is a regulation rather than a directive, it applies directly, and at the same time, in all the Member States of the European Union, without national transposition.

Moreover, the GDPR, Regulation 679/2016, replaces the previous Directive 95/46/EC (published in 1995), since technological development required a new and more modern legal framework that could adapt to current requirements.

Thus, the GDPR aims to give European citizens control over their personal data once again. All in all, it is an extension of an individual's fundamental 'Right to Privacy'.

Overview of the PDPB

A Brief Review of the Creation and Background of the PDPB

On 27th July 2018, India took a step forward in its aspiration to become a major economic power in the digital space by declaring privacy a fundamental right. The occasion was the decision of the Honorable Supreme Court in the Justice Puttaswamy case against the Union of India. The consequence was the publication of the Personal Data Protection Bill, 2018. The bill draws its influence from the guidelines and framework of the General Data Protection Regulation (GDPR).

India's PDPB is one of the most comprehensive and strictest data privacy laws worldwide; in some respects it is even stricter than the EU's GDPR. At present, the PDPB is in draft form and set to be tabled in Parliament. It will impose obligations on practically every business operating in the country and will require firms and organizations to reassess their data processing practices, safeguards, and policies.

Key Definitions and Terminology

GDPR

  • Personal Data: GDPR's Article 4 sets out the definition of personal data ...

  • Binding Corporate Rules (BCRs): It includes the set of internal rules and regulations...

  • Processing: It refers to a manual or automated action performed on personal data...

  • Data Controller: He or she is a person who decides the purpose for which any personal data ...

  • Data Processor: It includes the third parties that process the data on behalf ...

  • Data Protection Officer: He or she is a person who is given the formal responsibility ...

  • Data Protection Authority (DPA): It is a national authority responsible for data ...

  • Biometric Data: It refers to the personal data resulting from the specific processing corresponding ...

  • Data Subject: When a piece of data or information relates to a specific individual ...

  • Right to be Forgotten: The 'right to be forgotten' or the right to the erasure of personal data...

  • Pseudonymous Data: It includes the sets of data, which can be amended in a way...

  • Cross-Border Processing: It refers to the processing of personal data when the data controller ...

PDPB

  • Personal Data: It refers to the information that relates to an individual and can be efficiently ...

  • Sensitive Personal Data: It includes passwords, financial data, health data, official identifier ...

  • Data Principal: He or she is the living individual to whom the data ...

  • Data Fiduciary: It can be a person, business, or organization that decides upon the need ...

  • Data Processor: It refers to an individual who processes personal data on behalf of a data fiduciary ...

  • Data Protection Authority (DPA): It refers to an independent public body whose responsibilities are as follows ...

Scope

GDPR

The GDPR seeks to regulate the processing of personal data uniformly across the entire territory of the European Union.

In particular, the Regulation applies to any processing of personal data carried out in the context of the activities of a controller or processor established within the European Union.

The Regulation also applies to processing carried out by a controller or processor not established within the European Union, provided that certain conditions set out in the Regulation are met.

PDPB

The bill focuses on the processing of personal data and sensitive personal data, on cross-border data transfers, and on the establishment of a Data Protection Authority ("DPA"). Once implemented, the bill will govern the personal data of 1.3 billion people.

Compliance with the GDPR

Companies must comply with the principles of transparency in the way data is collected, processed, and stored, and must be able to demonstrate at all times that they comply with the GDPR.

The actions that companies must take are as follows:

  1. Identify and update the processing of personal data

  2. Recording the data

  3. Compliance with the principles that govern the legal processing of data

  4. Review of procedures and data protection policies through:

    • Prior consent of the data subjects for each intended processing purpose

    • Handling requests

    • Satisfaction of citizens' rights to access their data or delete it (right to be forgotten)

  5. An impact assessment and audit of potential risks and their consequences for the personal data the company manages

  6. Designation of a Data Protection Officer, where provided by law

Comparison Between GDPR and PDPB 2018

FAQs

GDPR

GDPR compliance is advisable because it improves the protection of European data subjects' rights and clarifies how companies may process personal data so as to safeguard those rights.

All companies holding and processing the personal data of EU citizens are required to abide by the rules set out in the GDPR, irrespective of whether they reside in one of the 28 EU member states or not.

Under the GDPR, companies need to ensure that their use of personal data is fair, lawful, and transparent at all times. They must protect personal data and information from misuse and exploitation. Where a data breach happens, or information is stolen or lost, companies must report the incident to the competent supervisory authority within 72 hours of becoming aware of it.

The companies can use the following three types of tools:

Legal Research Software: Helps a company understand the requirements that apply to it.

Privacy Office Support Software: Helps in the development and maintenance of a company's privacy program.

Privacy Management Software: Helps a company document its compliance programs.

In most cases, these tools prove beneficial only if the company runs a complex data processing operation; for instance, if it works across multiple jurisdictions.

No, it is not compulsory for a company to appoint a DPO, as this depends on several factors. A company should, however, appoint a DPO if it:

  • Is a public authority;

  • Carries out systematic monitoring of individuals, such as large-scale online behavior tracking; and

  • Carries out, to a great extent, the processing of special categories of data or data concerning criminal offenses and convictions.

Any company can appoint a DPO if it wishes to do so. If a company chooses to appoint a DPO even though none of the points above apply to it, it still needs to ensure that it has sufficient staff and skills to carry out its obligations under the GDPR.

PDPB

With most companies on a digitalization spree, the PDPB is a valuable and sustainable step towards addressing data security concerns in India. It will also give individuals exclusive rights to manage their personal data. Consequently, it becomes the duty of companies to safeguard those rights.

Yes, the PDPB applies to non-Indian companies based outside India.

Even if your company has no presence in India, the PDPB still applies if:

  • Your company offers products and services to the individuals in India; or

  • Your company profiles individuals within India

Your company might offer products and services to individuals in India if any of the following conditions apply:

  • Your company takes payment in rupees;

  • Your company ships products to India; or

  • Your company advertises to the Indian customers

Note: Profiling refers to any activity that predicts or analyzes an individual's attributes, interests, or behavior. Personalized advertising is an example of profiling; hence, if your official business website uses personalized advertising and the same is accessible in India, then you must comply with the PDPB.

The PDPB has only limited exemptions for small entities, including businesses, engaged in manual processing (data processing not performed on a computer or any other automated device).

Small entities are exempted from the following sections of the PDPB:

  • The obligations of data quality, notice, and data storage limitation

  • The data principal rights, excluding the basic information under the "right to correction" and the "right of confirmation and access"

  • The requirements of accountability and transparency, along with the requirement to appoint a Data Protection Officer (DPO) and maintain a Privacy Policy

Every company must appoint a Data Protection Officer, who shall be responsible for:

  • Advising the employees of the company on data protection concerns and issues

  • Monitoring and evaluating the company's compliance with the PDPB

  • Cooperating with the Data Protection Authority

Note: The Data Protection Officer can be a person who already works within the company. He or she must be based in India, and this applies to non-Indian companies as well.

As a business, you can consider taking the following actions to stay prepared:

  • Review the data processing activities of your company to ensure compliance with the data protection obligations under the PDPB

  • Review the information provided to the customers when you collect their personal details

  • Consider how your data processing activities fit well within the grounds of processing under the PDPB

  • Review how your business operations obtain consent from the customers (if applicable)

  • Consider how your company shall respond to the data principal rights requests

  • Come up with a PDPB-compliant Privacy Policy

  • Review the methods that you employ to keep the personal data safe and secure

  • Appoint a Data Protection Officer