GDPR- What and How
Why in news?
- The European Union has set the deadline for compliance with the General Data Protection Regulation (GDPR).
What is GDPR?
- GDPR redefines the understanding of the individual’s relationship with their personal data.
- Personal data relates to an identifiable living individual and includes names, email IDs, ID card numbers, and physical and IP addresses.
- This law grants the citizen substantial rights in his/her interactions with:
- Data controllers – Those who determine why and how data is collected such as a government or private news website.
- Data processors – Those who process the data on behalf of controllers, such as an Indian IT firm to which an EU firm has outsourced its data analytics.
How does GDPR work?
Definition of Data and Entities –
- Any company offering back-end services to companies operating in the EU or elsewhere may fall within the definition of a processor under the GDPR if it receives the data of EU residents.
- Under GDPR a data controller will have to provide consent terms that are clearly distinguishable.
- The GDPR also requires data collectors to provide information on the ‘who’ and ‘how.’
- Individuals will also have the right to have personal data deleted under certain conditions.
Stronger obligations –
- Under GDPR, data breaches have to be reported within 72 hours, and failure to comply with the new law can result in a fine of up to 4% of global turnover or a maximum fine of 20 million euros.
- It mandates the concept of ‘privacy by design and default’ and creates categories of data privacy compliance that never existed earlier.
Higher Autonomy –
- The GDPR has global implications, as it applies to those outside the EU who either monitor the behaviour of EU residents or sell goods and services to them.
- It also empowers EU statutory authorities to impose heavy administrative fines, to ban data processing, to order the rectification, restriction or erasure of data, and to suspend data transfers to certain countries.
What is the difference between GDPR & Indian IT laws?
- Under India’s existing data protection regime, only one piece of legislation, the Information Technology Act, 2000 (the IT Act), has attempted to deal with data protection in a comprehensive manner.
- The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (The IT-RS Rules) under the IT Act seek to address data privacy issues.
- However, the granularity of detail at which the GDPR addresses data protection compliance is hard to compare to the approach taken by the IT-RS Rules.
- The GDPR commits five detailed provisions to the essentiality of lawful consent for processing data and factors to determine whether consent was lawfully obtained.
- The language of the GDPR indicates that consent is interwoven through most of its important provisions, making it a key foundation of GDPR compliance.
- Thus there are certain aspects of the GDPR which are not reflected anywhere in the IT-RS Rules, such as the adoption of a rights-based approach to data privacy.
What makes GDPR relevant for India?
- The GDPR is being adopted at a time when the Supreme Court (SC) has recognized the concept of informational privacy and noted that legislation should be enacted to ensure enforceability against non-State actors (private entities).
- This indicates that future data protection legislation in India will share several commonalities with the GDPR.
- From this perspective, GDPR compliance may be considered an opportunity for Indian companies to achieve early compliance with potential Indian data privacy legislation.