Key features of GDPR and their compliance

Synopsis: Every Indian entity handling data of EU citizens should follow GDPR. This article breaks down the main provisions under GDPR and provides tips to Indian entities on staying compliant with the EU law.  

One of the most stringent data protection laws in the world is the people-centric General Data Protection Regulation (GDPR). GDPR aims at ensuring better transparency to help support the rights of individuals and accelerate the growth of the digital economy in a safe and healthy manner.   What makes GDPR compliance the need of the hour is the fact that it is applicable to all companies, government agencies, not-for-profit organisations, and other organisations worldwide that offer goods and services to subjects in the European Union, and even bodies that collect and analyse data related to or involving residents of the European Union. In simple terms, every entity that deals with data related to citizens of the European Union is required to comply with the legislation.   GDPR, which came into force on May 25, 2018, standardises fragmented data protection regulations that existed in the European Union. By introducing a distinct, stringent and people-centered legislation, the European Union believes that it will protect and uphold the rights of its netizens. GDPR returns to individuals full control over their Personally Identifiable Information (PII) and Sensitive Personal Information (SPI) more than it just being a classic European economic agenda of simplifying and standardising laws across its member states.   Key terms under GDPR Some of the key terms introduced under GDPR include the following concepts –

• Data subject – A data subject is an individual who is at the disclosing end of PII. PII includes, without limitation, personal information relating to the individual such as address, contact details, medical conditions, sexual orientation, and any such details that can be traced back to such individual.
• Data controller – The first point of contact of such PII has been defined as a data controller under the GDPR. A data controller essentially determines the purpose for collection of such information and the rationale behind the same.
• Data processor – The second point of contact of data who processes data on behalf of the data controller.

E.g. An e-commerce service provider is a first point of contact of PII and collects the data of its customers or data subjects in order to fulfill its obligations towards them. Hence, the e-commerce entity is a data controller. Assuming that the e-commerce entity in turn outsources certain functions such as ad-campaigning to a third-party pursuant through a contract, the information and contact details of the customers are passed on to the agency who is the data processor.   In essence, GDPR diversifies and widens the accountability of every data controller dealing with European Union data subjects. The extended compliance mechanism is more specifically related to obligations to process data relating to subjects in a secure and safe manner.   Key takeaways of GDPR

1. Reason for data collection

GDPR makes it mandatory to provide information to the data subject as to how, why, in what form and rationale behind collection of data in simple and readable format. The way in which data will be used by the data controller should be clearly defined and processing should take place strictly within the defined scope which was communicated to a data subject.  

2. Choice

GDPR requires the data controller to provide the data subject the choice to indicate the extent of information they wish to disclose prior to providing consent. This essentially means that every data subject should be provided with choice on the nature of data the given subject opts to furnish to a controller. GDPR emphasizes on the requirement of specifying the way the data will be used including transfer of data to a different data controller. E.g. A FMCG (fast moving consumer goods) company running a promotional offer will be required to provide clear insight to every participant as to the exact nature of all the data that they are collecting need for such collection and the mode of usage. Data that is absolutely necessary can be collected, however, the subject should be given an option to opt out of certain terms that may be detrimental to their interests which among others could include aspects such as sexual orientation, medical conditions and any other information that is not relevant to the given scenario.  

3. Justifiability and transparency

GDPR makes it mandatory that collection of data should at all times be on legal and justifiable grounds only. Further, there is emphasis on transparency where the mode of storage and processing of data should be identified clearly. This would essentially mean that a service provider offering a specific set of services such as online food delivery services will be entitled to use the information relating to its end-users strictly in connection with its core services for which prior consent was obtained from its end-users by means of Privacy Policy or End-User License Agreements. The service provider will in no event be entitled to use the information relating to its users for a purpose other than the purposes for which the end-user had consented earlier. Every data controller should offer transparency on how, where and in what form the data will be stored and used and shall obtain consent on the same.  

4. Non-mandatory permissions

Though the legislation does not go to the extent of providing the exact course of action in this regard, it may be inferred that each clause in the terms and conditions, terms governing use or End-User Agreement must be drafted in simple and non-forceful language. The overall services or offering should not get impacted, compromised or limited if the data subject is not willing to provide information, whether relevant or otherwise.  

5. Collection of behavioral data

If a data subject is not willing to furnish certain information, the privacy aspect should be respected. This makes the phase: “I accept all terms and conditions” (unconditionally without knowing the implications behind the same), redundant in toto. It is interesting to note that any act of recording and analysing a person’s (data subject’s) psychological and behavioral characteristics, so as to assess or predict his/her capabilities in a certain sphere or to assist in identifying categories of people by means of profiling without proper rationale, is strongly condemned by the legislation.   E.g. A service provider or a seller saving preferences of its clients or customers based on the nature of services or commodities availed by them and later sending such clients or customers targeted emails or messages in the absence of consent from the client or customer will be deemed to be a breach. Further, the service provider or seller will in no event be allowed to sell or make available data pertaining to its customers or clients or their preferences to third-parties without the prior consent of the customer or client. This essentially means, no more cold calls, unsolicited emails or text messages from the annoying credit card folks, spam emails, ponzi scheme invites or greetings from ‘Nigerian princes’.  

6. Right to modify

The legislation bestows upon data subjects the right to access and rectify their personal data which means the controller must make available a copy of the data provided by the data subjects for the latter’s review and inputs. Further, such subjects must also be provided with an option to alter, modify, cause to alter or cause to be modified such information that is stored by the controllers, pursuant to a valid purpose. However, the legislation is silent on the aspect as to when such data must be furnished i.e. mandatorily after information is obtained or upon request from the concerned data subjects.  

7. Right to be forgotten

The right to be forgotten is yet another notable aspect that is covered under GDPR which entitles every European Union based data subject to direct a controller to delete or erase their PII or withdraw consent at any point in time, and such erasure or deletion must be carried out by the controller without any “undue delay”. These rights can be invoked by a subject in any circumstances like a subject’s wish to withdraw consent for convenience; when the subject has reasonable grounds to believe that the basic purpose behind collection of data has been accomplished; and when the subject has reasonable grounds to believe that their privacy is being compromised by a controller by means of use of data for illegal purposes (as the case may be).   If a data subject exercises his right to be forgotten, this would mean that the data can no longer be used by a controller, thereby protecting the privacy of the data subject. Under all circumstances listed above, the controller is required to notify the concerned data subject of such erasure or deletion of data.  

8. Pseudonymisation

GDPR further goes on to lay emphasis on concepts such as encryption and pseudonymisation of PII and other data relating to data subjects. GDPR defines pseudonymisation as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.”  A good example of pseudonymisation is the recently introduced UPI number which can be used for online money transactions without having to enter bank/card details. In simple terms, it is a privacy-enhancing technique where directly identifying data is held separately and securely from processed data to ensure non-attribution.  

9. Exception

It is pertinent to note that government and law enforcement agencies have been provided with almost complete immunity from the principles of GDPR in the interest of protection of public interest and for law enforcement purposes. A law enforcement agency or government can summon a controller and obtain data or information in connection with law enforcement or national interest.   Penalty for breach of GDPR It is a well-settled principle under English tort law that an individual, who has a duty of care to ensure that another does not suffer any unreasonable harm or loss if found in breach of that duty, is imposed with a legal liability to compensate the victim for any losses they incur. Though in different contexts, in essence, the same applies in case of breach of GDPR principles. A data controller will be vicariously liable in case of breach in terms by a data processor. GDPR prescribes a hefty penalty for acts of breach committed by entities at the receiving end of PII in the form as administrative fines as well as liability for damages. There are two tiers of administrative fines that can be levied –

• Up to €10 million, or 2% annual global turnover, whichever is higher.
• Up to €20 million, or 4% annual global turnover, whichever is higher.

The GDPR also gives data subjects the right to compensation of any material and/or non-material damages resulting from an infringement of the GDPR. In certain cases like large-scale infringements, one can join organisations fighting for data privacy of individuals to bring representative action.   How to be compliant with GDPR It is highly recommended that all business entities with presence in the EU or dealing with PII relating to EU citizens must review and update their security policies in line with GDPR. Where required, an information technology infrastructure upgrade is also strongly recommended more specifically in the area of data security. Use of data encryption techniques (in line with the industry standards or better) is strongly recommended. There are various service providers in the market that offer ready-made or customisable solutions to entities in ensuring compliance with GDPR.   It may be pertinent to note that mode and nature of compliance with GDPR varies from business to business. It is highly recommended that companies consult with their legal counsel (internal or external) to receive a business-specific insight into compliance mechanism based on the line of business. Business entities can also designate an insider as a single point of contact responsible for data protection as appointment of a full-time data protection officer will be an expensive affair. All employees or consultants may approach such designated representative for any queries or to report any breach within the organization. Conducting awareness sessions among employees may also be helpful.   An indicative list of action items for companies can be encapsulated into the following –

1. Know your data subject’s rights – Your customers (data subjects) may raise a request at any time directing you to rectify inaccurate data, alter data in line with their requirements or erase information. Further, the data subjects also have the right to access their data. Any and all requests from the data subjects must be addressed in a timely manner without undue delays. Where required, be prepared to provide the data subjects the rationale behind collection of data, how the same will be used and in what form and location such data will be stored.
2. Be transparent – Your customers should be able to choose to be on your mailing list, as well as exercise control over how you use their data. According to the GDPR, consent must be in the form of a request separate from other terms and conditions. It must also require a positive opt-in in which users must check “Yes.” Opting for a mailing list does not give the business owner the ability to use a customer’s data for something else unless this is outlined. Individuals should also know how to withdraw from your database at any time.
3. Constant review of consent – Schedule regular checks with your subscribers/customers to ensure individuals wish to remain on your mailing list and document any changes to their consent.
4. Review and update commercial agreements, Privacy Policy, Terms of Use and End-User Agreements – It is highly recommended that the existing templates of contracts including any and all drafts received from third-parties; website/mobile application Privacy Policy; website/mobile application Terms of Use and End-User Agreements (if any), must be reviewed in depth and specific provisions governing compliance with GDPR must be made a part of the same, as advised by your counsel.

To ignore or underestimate the GDPR would be an extremely careless and clumsy decision. On another note, from an individual viewpoint, let’s hope that the Indian (Data Privacy and Protection) Bill, 2017, however vaguely worded, comes into force and evolves into something substantial as GDPR.   DISCLAIMER: The information provided in this article is for educational purposes only. The same cannot be construed as legal advice.