Challenges of identity theft, cybercrime, profile data breaches, unauthorized extraction and sale of personal data have increased the trust deficit between individuals and business initiatives. While big data (compared to oil by many thinkers) is the lifeline of the emerging digital commerce globally, rights of individuals clearly need to be protected. The EU’s General Data Protection Regulation (GDPR) seeks to achieve the right balance, and the Supreme Court of India has also flagged the issue in its landmark judgment on data privacy, setting the ball rolling for the emergence of a new regime on data privacy in India.
As the GDPR comes into effect from May 2018, Indian companies will need to put into place effective frameworks for data protection in order to comply with the GDPR. Apart from protecting the data of individuals in the EU, the GDPR also seeks to regulate the export of personal data from the EU.
From May 2018, the GDPR requires any breach of personal data impacting a resident of the EU to be reported within 72 hours. Companies failing to comply with this could face the stiff penalty of a fine up to €20 million (US$23.5 million) or 4% of their global turnover, whichever is higher.
Once the GDPR comes into force, all global organizations holding data of EU residents will have to comply with new requirements around control, processing and protection of data. Countries outside of the EU (including India), therefore, need to update their regulations to match the standards of data protection set out in the GDPR.
In India, the boards of directors of Indian companies have to sign off on compliance issues under the provisions of the Companies Act, 2013. Indian boards and directors, therefore, will need to be proactive and ensure compliance with the GDPR.
Major focus areas for the boards of Indian companies include:
Data controller/data protection officer: Companies that handle individuals’ data must have an officer accountable to the board and responsible for data protection, and clearly set out the roles and responsibilities of this officer.
Data protection advocacy: To comply with the GDPR, companies need to implement and monitor a structured data protection advocacy action plan to train and sensitize employees and stakeholders on the impact of the GDPR on the company’s business.
Review of existing data processes: A review of processes for data collection, storage and transfer must be conducted, including the scope of consents obtained from individuals in relation to holding and use of data, and in particular whether such consent is unambiguous, specific and informed. Challenges and risks exposed by the review should be mitigated by process changes well before the GDPR comes into force.
Mapping of data protection processes: A transparent and verifiable mapping of data protection processes including documentation of compliance is required to enable regular review by the companies.
Ensuring compliance by third parties: All third parties engaged for processing, storage and management of data should be required to comply with the GDPR. Cloud partners, payroll management agencies, marketing partners, etc., may qualify as such entities and a suitable process should be put in place to ensure that such third parties comply with the GDPR. An adequate mechanism for review and verification of the processes implemented by such third parties is also required.
Tests for data breaches and data security: Companies should continuously test their data security systems and processes to check their effectiveness, and to identify, neutralize and report any breach well within the 72-hour reporting time frame.
Implementing the “right to be forgotten”: Companies must have the ability to effectively delete data where such a choice has been made by an individual. This will require tracking of data both online and offline. To manage and comply with the right to be forgotten, companies may need to upgrade data management tools.
Continued strategic data planning: Companies need to have a futuristic approach to data protection issues in the rapidly evolving global regulatory regime. Therefore, continued strategic planning and recalibration of strategies to meet the emerging regulatory environments and technological challenges should be the central focus of companies.
Indian companies and their boards have their work cut out to ensure transparency and develop trust among all those who have a stake in data handling and protection, in addition to ensuring compliance with the GDPR and the emerging legal regime on data protection and privacy in India.
(This article was originally published in India Business Law Journal - https://www.vantageasia.com/boards-must-plan-meet-eu-data-protection-norms/)