Indian Boards and Directors have to pro-actively ensure transparency and trust among all stakeholders in the data protection space in order to effectively achieve compliance with GDPR (General Data Protection Regulation) and the emerging data protection and privacy regime in IndiaChallenges of identity theft, cybercrime, profile data breaches, and unauthorized extraction and sale of personal...
Indian Boards and Directors have to pro-actively ensure transparency and trust among all stakeholders in the data protection space in order to effectively achieve compliance with GDPR (General Data Protection Regulation) and the emerging data protection and privacy regime in India
Challenges of identity theft, cybercrime, profile data breaches, and unauthorized extraction and sale of personal data have increased the trust deficit between individuals and businesses. While big data is the life line of emerging digital commerce globally, rights of individuals need to be protected as well. While GDPR seeks to achieve the right balance, the Supreme Court of India has also flagged the issue in its landmark judgment on data privacy, setting the ball rolling for the new emerging regime on data protection and privacy in India.
With the European Union's (EU) General Data Protection Regulation (GDPR) coming into effect beginning May 2018, Indian companies need frameworks on Data Protection in place to ensure compliance on GDPR. GDPR would regulate the export of personal data outside EU, in addition to protecting the data of individuals in EU. GDPR further requires any breach of personal data impacting any resident of EU to be reported within 72 hours.
Failure to comply with the same could expose Indian companies to stiff penalties of up to 20 Million Euros or 4 percent of the global turnover, whichever is higher. As a result, all global organizations including Indian companies holding data of residents of EU would be required to comply with new requirements around control, processing, and protection of data. India, therefore, is also in the process of formulating a Data Protection Regime to keep pace with the emerging Global Standards of Data Protection as also set out in GDPR.
With EU's GDPR becoming effective, Boards need to ensure the Data Protection frameworks of Companies are far deeper aligned to data protection regimes in other jurisdictions to meet accountability cast on the Boards under Indian Law
Benefits to Indian Economy
India is embarking on a journey of digital transformation of unprecedented magnitude through the citizen biometric data platform of Aadhaar; e-governance initiative Digital India; fostering presence-less, paperless, and cashless service delivery through IndiaStack; and digitization of citizens' documents via DigiLocker.
Although Aadhaar has strong data protection measures, yet the pace at which India is marching towards the digital space requires comprehensive data protection while empowering citizens at the same time to leverage their own data and is of paramount importance. Enrollment for jobs or skilling initiatives based on documents saved on the cloud platform of DigiLocker could be one such instance.
The need to ensure security and regulatory compliance of the unprecedented number of websites and web applications offering various digital transaction services was felt in the wake of the government's decision of demonetization, which was followed by the Union Budget of 2017, outlining an ambitious goal of achieving 25 billion digital transactions between 2017 and 2018. With the recent advent of the Goods and Services Tax (GST), it is mandatory for all businesses now to maintain electronic invoices on the cloud and India could manifest an over-arching regime of data protection riding on the GDPR mandate. Indian businesses therefore also take cognizance and usher in strong measures of data protection akin to GDPR that will only facilitate robust growth in the long run.
India requires oversight and consideration in one particular domain, viz. electronic consent architecture, which, although is a global first, needs to be built upon and extrapolated further. For instance, citizens of the country should be able to claim penalties if there is an unexplained failure on the part of the business to procure consent to use their personal data. In the realm of digital marketing, a consumer's right to opt out is often neither delineated nor respected, in addition to the age-old question of what constitutes personal and sensitive data. One aspect of looking at this debacle is reviewing the ingredients of the data. If the data deals with a person's identity, details like his name, email id, etc., which is freely available, then the same could be classified as his personal data. On the other hand, if the information constitutes a person's net worth or investment decisions, then the same should be treated as sensitive data which requires more stringent governance and compliance measures. Based on such rules, digital marketers should be given leverage to weigh out the appropriate technology to classify such data.
The rules of portability of customer data, i.e., what can be put out publicly and what cannot be put out with or without the consent of the concerned owner of the data, need to be understood and assessed with the competition or industry at large. Indian enterprises dealing with customer/individual's data also need to store, organize, and provide access control to customer data in their possession in accordance to global norms which is likely to pre-empt any data protection governance and compliance norm(s) that may be implemented by the Government soon.
Interestingly, the provisions of the Companies Act, 2013 have already put the onus on the Boards and Directors of Indian companies to sign off legal compliance and therefore require Indian Boards and Directors to be pro-active and drive compliance of the provisions of GDPR.
This paper seeks to flag major areas where Boards and Directors need to focus in a way to best comply with best GDPR in India.
1. Data Controller/Data Protection Officer
Every Indian company should have a Data Controller/Data Protection Officer (DC/DPO) responsible for data protection in organizations engaged in the handling of individual's data. The DC/DPO should be accountable to the Board, and the Board should clearly set his/her roles and responsibilities.
2. Review of Existing Data Handling Processes
Indian companies should review their processes related to data collection, data storage, and transfer of data, including scope and ambit of consents obtained from individuals in relation to holding and use of data particularly from the perspective of such consent being unambiguous, specific, and informed. Challenges and risks thrown up following the review should be mitigated by organizations by process changes well before GDPR coming into force.
3. Data Protection Advocacy
Indian companies must implement and monitor a structured data protection advocacy program to increase awareness, impart training, and to sensitize their employees and stakeholders on the impact of GDPR on its business to achieve compliance of GDPR.
4. Continuous Mapping of Data Protection Processes
Indian companies must have transparent and verifiable mapping of data protection processes including documentation of compliance to enable regular review by an organization.
5. Conduct Checks for Data Breaches and Data Security
Indian companies need to continuously conduct checks for data breaches and data security to check the effectiveness of data security systems and processes to identify, neutralize, and report any breach well within the reporting timeframe.
6. Compliance by Third Parties
Indian companies must ensure that all third parties engaged by organizations for processing, storage, and management of data comply with GDPR. Some examples - Cloud partners, payroll management agencies, marketing partners, etc. may qualify as such entities. Requisite process should be put in place to ensure compliance of GDPR by such third parties and for review and verification by an organization.
7. Strategic Data Planning on an Ongoing Basis
Boards must ensure that Indian companies have a futuristic approach to data protection issues in the rapidly evolving regulatory regime around the globe. Therefore, continuous and on-going strategic planning and re-calibration of strategies from time to time to meet the emerging regulatory environments and technological challenges should be at the centre of Indian Boards going forward.
8. Meet the "Right to be Forgotten" Norm
Require the company to have effective "right to be forgotten" capability, i.e., ability of a data to be effectively deleted where such a choice has been made by the individual. This would require tracking of data both online and offline and would require data management tools to be upgraded where required to be able to manage and comply with the "right to be forgotten" requirements.
It is therefore essential for organizations to set up data protection frameworks at every level of their businesses and throughout the complete cycle of their processes.
Indian Boards and Directors, therefore, have to pro-actively ensure transparency and trust among all stakeholders in the data protection space in order to effectively achieve compliance with GDPR and the emerging data protection and privacy regime in India. Needless to say, Indian companies need to have internal frameworks and policies in data protection which are far deeper aligned to data protection regimes in other jurisdictions as well in order to effectively insulate the Indian Companies against the risk of financial and non-financial exposures owing to breaches in data handling or non-compliance with data protection laws across jurisdictions. The gaps between data protection laws of different jurisdictions applicable to the same Indian company would no doubt give rise to multiple interpretation issues and compliance challenges for the company, but the framework and policies of the company will have to be capable of enabling the company to meet such challenges.
Disclaimer – The views expressed in this article are the personal views of the author(s) and are purely informative in nature.