For every business, protecting sensitive data remains a paramount challenge, especially today, when personal data is so often handled carelessly. By establishing a holistic view of your sensitive data, we at KIPG help you avoid data leaks and minimize the risk of GDPR/PDPB fines. We prepare your business to meet the strictest data protection laws with strategies that identify gaps and vulnerabilities and clarify the privacy dimension of your data.
Overview of the GDPR
A Brief Review of the Creation and Background of the GDPR
The GDPR (General Data Protection Regulation) is the reference text for data protection at the European level. It was published in May 2016 and has applied since 25 May 2018.
Because it is a regulation rather than a directive, it applies directly, and at the same time, in all Member States of the European Union, without national transposition.
The GDPR, Regulation (EU) 2016/679, replaces the earlier Directive 95/46/EC (adopted in 1995), since technological development called for a newer, more modern legal framework adapted to current requirements.
Thus, the GDPR aims to give European citizens back control over their personal data. All in all, it is an extension of the individual's fundamental right to privacy.
Overview of the PDPB
A Brief Review of the Creation and Background of the PDPB
On 27 July 2018, India took a step towards becoming a major economic power in the digital space with the publication of the draft Personal Data Protection Bill, 2018. The bill follows the decision of the Honorable Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India (August 2017), which declared privacy a fundamental right, and it draws its influence from the guidelines and framework of the General Data Protection Regulation (GDPR).
India's PDPB is one of the most comprehensive and strictest data privacy laws worldwide, and in some respects it is stricter than the EU's GDPR. At present the PDPB is in draft form and set to be tabled in Parliament. It will impose obligations on practically every business operating in the country and will require firms and organizations to reassess their data processing practices, safeguards, and policies.
Key Definitions and Terminology
GDPR
Personal Data
GDPR's Article 4 sets out the definition of personal data ...
Binding Corporate Rules (BCRs)
It includes the set of internal rules and regulations...
Processing
It refers to a manual or automated action performed on personal data...
Data Controller
He or she is a person who decides the purpose for which any personal data ...
Data Processor
It includes the third parties that process the data on behalf ...
Data Protection Officer
He or she is a person who is given the formal responsibility ...
Data Protection Authority (DPA)
It is a national authority responsible for data ...
Biometric Data
It refers to the personal data resulting from the specific processing corresponding ...
Data Subject
When a piece of data or information relates to a specific individual ...
Right to be Forgotten
The 'right to be forgotten' or the right to the erasure of personal data...
Pseudonymous Data
It includes the sets of data, which can be amended in a way...
Cross-Border Processing
It refers to the processing of personal data when the data controller ...
PDPB
Personal Data
It refers to the information that relates to an individual and can be efficiently ...
Sensitive Personal Data
It includes passwords, financial data, health data, official identifier ...
Data Principal
He or she is the living individual to whom the data ...
Data Fiduciary
It can be a person, business, or organization that decides upon the need ...
Data Processor
It refers to an individual who processes personal data on behalf of a data fiduciary ...
Data Protection Authority (DPA)
It refers to an independent public body whose responsibilities are as follows ...
Scope
GDPR
The GDPR seeks to regulate the processing of personal data uniformly across the entire territory of the European Union.
In particular, the Regulation applies to any processing of personal data in the context of the activities of an establishment of a controller or processor within the European Union, regardless of whether the processing itself takes place in the Union.
The Regulation also applies to processing carried out by a controller or processor not established in the European Union, where the processing relates to offering goods or services to data subjects in the Union or to monitoring their behaviour within the Union.
PDPB
The bill focuses on the processing of personal data and sensitive personal data, on cross-border data transfers, and the establishment of a Data Protection Authority ("DPA"). The bill, once implemented, will control the personal data of 1.3 billion people.
Compliance with the GDPR
Companies must comply with the principles of transparency in the way data is collected, processed, and stored, and must be able to demonstrate at all times that they comply with the GDPR.
The actions that companies must take are as follows:
Identify and map the processing of personal data
Keep a record of processing activities
Comply with the principles governing the lawful processing of data
Review procedures and data protection policies, covering:
Prior consent of the data subjects for each intended processing purpose
Handling of requests from data subjects
Satisfying citizens' rights to access their data or have it deleted (the right to be forgotten)
A data protection impact assessment and an audit of the potential risks, and their consequences, for the personal data the company manages
Designation of a Data Protection Officer, where provided by law
Comparison Between GDPR and PDPB 2018
FAQs
GDPR
Why is GDPR compliance advisable?
GDPR compliance is advisable because it strengthens the protection of European data subjects' rights and clarifies how companies may process personal data while safeguarding those rights.
Who all must abide by the laws set out in the GDPR?
All companies holding and processing the personal data of individuals in the EU must abide by the GDPR, whether or not they are established in an EU member state.
What are the responsibilities of companies under the GDPR?
Under the GDPR, companies must ensure that their use of personal data is fair, lawful, and transparent at all times, and must protect personal data from misuse and exploitation. If a personal data breach occurs, or information is stolen or lost, the company must report the incident to the competent supervisory authority within 72 hours of becoming aware of it.
Are there any GDPR compliance tools, which the companies can use?
Companies can use the following three types of tools:
Legal Research Software: Helps a company understand which requirements apply to it.
Privacy Office Support Software: Helps in developing and maintaining a company's privacy program.
Privacy Management Software: Helps a company document its compliance programs.
In most cases, these tools pay off only if the company runs complex data processing operations, for instance across multiple jurisdictions.
Is it compulsory for a company to have a Data Protection Officer (DPO)?
Not for every company; it depends on the nature of its processing. A company must appoint a DPO if it:
Is a public authority;
Carries out regular and systematic monitoring of individuals on a large scale, such as online behavior tracking; or
Carries out large-scale processing of special categories of data or of data relating to criminal convictions and offenses.
Any company may appoint a DPO voluntarily. A company that appoints a DPO even though none of these conditions applies must still ensure that it has sufficient staff and skills to carry out its obligations under the GDPR.
PDPB
Why is PDPB compliance advisable?
With most companies on a digitalization spree, the PDPB is a valuable and sustainable step toward addressing data security concerns in India. It also gives individuals rights to manage their personal data, and it therefore becomes the duty of companies to safeguard those rights.
Are the Non-Indian companies required to comply with the PDPB?
Yes, the PDPB also applies to non-Indian companies based outside India.
Even if your company has no presence in India, the PDPB still applies if:
Your company offers products and services to individuals in India; or
Your company profiles individuals within India.
Your company might offer products and services to individuals in India if any of the following conditions apply:
Your company takes payment in rupees;
Your company ships products to India; or
Your company advertises to customers in India.
Note: Profiling refers to any activity that predicts or analyzes an individual's attributes, interests, or behavior. Personalized advertising is an example of profiling; hence, if your official business website uses personalized advertising and the same is accessible in India, then you must comply with the PDPB.
Does the PDPB contain any exemptions for small businesses?
The PDPB has only limited exemptions for small entities, including businesses, that process data manually (data processing not performed on a computer or any other automated device).
Small entities are exempted from the following sections of the PDPB:
The obligations of data quality, notice, and data storage limitation
The data principal rights, excluding the basic information under the "right to correction" and the "right of confirmation and access"
The requirements of accountability and transparency, along with the requirement to appoint a Data Protection Officer (DPO) and maintain a Privacy Policy
What are the duties and responsibilities of a Data Protection Officer?
A company required to appoint a Data Protection Officer (under the bill, this obligation falls on significant data fiduciaries) makes the officer responsible for:
Advising the employees of the company on data protection concerns and issues
Monitoring and evaluating the company's compliance with the PDPB
Cooperating with the Data Protection Authority
Note: The Data Protection Officer can be someone who already works within the company. He or she must be based in India; this applies to non-Indian companies as well.
What can the companies do to have a solid foundation for implementation when the PDPB becomes law in India?
To stay prepared, a business can take the following actions:
Review the data processing activities of your company to ensure compliance with the data protection obligations under the PDPB
Review the information provided to the customers when you collect their personal details
Consider how your data processing activities fit well within the grounds of processing under the PDPB
Review how your business operations obtain consent from the customers (if applicable)
Consider how your company shall respond to the data principal rights requests
Come up with a PDPB-compliant Privacy Policy
Review the methods that you employ to keep the personal data safe and secure
Appoint a Data Protection Officer