Neumetric

Unpacking GDPR: Navigating its Applicability to Indian Companies


Introduction

The General Data Protection Regulation [GDPR] is a data privacy law that came into effect in the European Union [EU] in May 2018. While the regulation is targeted towards companies operating within the EU, it also applies to Indian companies that target EU residents or monitor their behaviour. The scope of GDPR is extraterritorial, meaning that even if the company is based outside of the EU, it may be subject to GDPR compliance requirements.

For Indian companies, complying with GDPR can be challenging as it requires navigating complex legal requirements & implementing data protection measures. However, non-compliance with GDPR can result in severe consequences, including hefty fines & damage to business reputation. To help Indian companies navigate GDPR compliance requirements, this Journal provides guidance & best practices for understanding the applicability of GDPR, complying with GDPR principles & data subject rights & navigating cross-border data transfers.

Understanding GDPR & its Extraterritorial Reach

The General Data Protection Regulation [GDPR] has a broad scope & territorial applicability. It applies to the processing of personal data within the European Union [EU] & the European Economic Area [EEA] & to all companies that process personal data of EU citizens, regardless of whether they are based in the EU or outside it.

The regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union. This means that if a company has an establishment in the EU, then the GDPR applies to it.

Even if a company does not have an establishment in the EU, the GDPR can still apply if the company targets EU individuals or monitors their behaviour. For example, if an Indian company offers goods or services to EU citizens, conducts marketing campaigns in the EU or tracks the online behaviour of EU citizens, then it may be subject to the GDPR.

Several key factors determine the applicability of the General Data Protection Regulation [GDPR] to Indian companies. Here are the primary factors to consider:

  1. Offering goods or services to individuals in the EU/EEA: If an Indian company offers goods or services to individuals located in the European Union [EU] or the European Economic Area [EEA], it may fall within the scope of GDPR. 
  2. Monitoring the behaviour of EU/EEA individuals: GDPR also applies to Indian companies that monitor the behaviour of individuals in the EU/EEA. This refers to the tracking & profiling of EU/EEA individuals’ online activities, such as through the use of cookies or similar technologies. 
  3. Processing personal data within the context of an establishment in the EU/EEA: If an Indian company has an establishment, such as a branch, office or subsidiary in the EU/EEA & it processes personal data in the context of the activities of that establishment, GDPR applies to that processing. 

Targeting EU individuals or monitoring their behaviour can have significant implications for Indian companies in relation to the General Data Protection Regulation [GDPR]. Here are the key impacts to consider:

  1. Applicability of GDPR: When an Indian company targets individuals in the European Union [EU] or monitors their behaviour, it falls within the scope of GDPR. This means the company is subject to the obligations & requirements of GDPR, even if it is based outside the EU.
  2. Legal basis for processing: GDPR requires that personal data be processed on a lawful basis. When targeting EU individuals or monitoring their behaviour, Indian companies must ensure they have a valid legal basis for processing the personal data. 
  3. Privacy notices & transparency: GDPR emphasises transparency in data processing. Indian companies targeting EU individuals must provide clear & concise privacy notices that inform individuals about how their personal data is being collected, used & shared.

GDPR Compliance for Indian Companies

Evaluating if your company falls under GDPR jurisdiction: To evaluate if your company falls under GDPR jurisdiction, you need to assess whether your business collects or processes data from individuals who are in the European Union. The GDPR applies to any business, regardless of location, that offers goods or services to EU residents or monitors their behaviour. 

Appointing a representative in the EU, if necessary: The European Union General Data Protection Regulation [GDPR] requires businesses outside the EU that collect personal data of EU individuals to appoint a representative in the EU. This representative should be responsible for GDPR compliance, act as the point of contact for data protection authorities & data subjects & maintain records of processing activities.

Reviewing data transfer mechanisms & adequacy decisions: This is an important step for Indian companies to comply with GDPR. The GDPR requires that any personal data transferred outside of the EU must have adequate protection.

Complying with GDPR principles & data subject rights: To comply with GDPR principles & data subject rights, Indian companies should take several steps, including:

  1. Identify & document all EU personal data processing activities that are carried out by the company.
  2. Ensure that all processing activities are carried out in accordance with the GDPR principles, including data minimization, accuracy, retention & accountability.
  3. Implement technical & organisational measures to protect personal data from unauthorised access, use or loss, such as access controls & encryption.

Navigating Cross-Border Data Transfers

The GDPR imposes restrictions on transferring personal data from the European Union [EU] or the European Economic Area [EEA] to third countries that do not ensure an adequate level of data protection. If India does not have an adequacy decision, Indian companies must implement appropriate safeguards to ensure lawful data transfers. These safeguards can include:

  1. Standard Contractual Clauses [SCCs]: Use SCCs, which are contractual agreements approved by the European Commission, to ensure that the recipient of the personal data in the third country provides sufficient protection. SCCs are widely used for data transfers & require parties involved to abide by specific data protection obligations.
  2. Binding Corporate Rules [BCRs]: BCRs are internal codes of conduct adopted by multinational companies to facilitate intra-group transfers of personal data across borders. They require approval from relevant data protection authorities but provide a comprehensive framework for ensuring data protection & legal compliance.

Special Considerations for Indian Companies

Indian companies operating globally must navigate the complexities of balancing GDPR compliance with Indian data protection laws. It is essential to understand the requirements of both regulatory frameworks & develop strategies that align with the highest standards of data protection. 

Consent & legitimate interests are two legal bases for processing personal data under GDPR. Indian companies need to carefully consider these aspects while collecting & processing personal data. Ensure that consent is freely given, specific, informed & unambiguous.

Indian companies must establish robust processes for managing data breaches & incident response in accordance with GDPR requirements. This includes promptly identifying & assessing breaches, notifying the appropriate supervisory authorities & affected individuals within the specified timeframes & taking necessary measures to mitigate the impact of the breach. 

Under certain circumstances, Indian companies may be required to appoint a Data Protection Officer [DPO] as mandated by GDPR. A DPO is responsible for ensuring GDPR compliance, providing guidance on data protection matters & serving as a point of contact for supervisory authorities & individuals.

Compliance Challenges & Best Practices

Key compliance challenges for Indian companies:

  1. Jurisdictional complexity: Navigating the jurisdictional differences between Indian data protection laws & GDPR can be challenging, requiring careful consideration & compliance with both frameworks.
  2. Data mapping & inventory: Understanding & documenting the flow of personal data within the organisation & across borders is crucial for compliance but can be challenging, especially for companies with complex data ecosystems.
  3. Consent management: Obtaining valid consent from individuals in a manner that meets GDPR’s stringent requirements can be challenging, especially considering the need for specific, informed & freely given consent.

Best practices for data protection & privacy in cross-border scenarios:

  1. Privacy by design: Embed privacy & data protection principles into the design of your products, services & processes from the outset, ensuring that data protection measures are implemented proactively.
  2. Data minimisation: Only collect & process the personal data necessary for the intended purpose, reducing the risk & complexity associated with handling excessive or unnecessary data.
  3. Vendor management: Conduct due diligence when engaging third-party vendors, ensuring they have adequate data protection measures in place & contractual provisions to safeguard personal data.

Maintaining ongoing compliance & staying updated with regulations:

  1. Regular Compliance Audits: Conduct periodic audits to assess compliance with GDPR requirements & identify areas for improvement. This includes reviewing data protection policies, procedures & technical measures.
  2. Stay informed: Stay updated with developments in GDPR & Indian data protection laws through regular monitoring of regulatory updates, industry guidelines & legal advice to ensure ongoing compliance.

Consequences of non-compliance

The GDPR empowers supervisory authorities in the EU to impose significant penalties & fines for violations of its provisions. The severity of the penalties depends on the nature, gravity & duration of the infringement. The maximum fines can be up to €20 Million or four percent (4%) of the company’s global annual turnover, whichever is higher, for certain serious violations.

Non-compliance with GDPR can result in significant reputational risks for Indian companies. Data breaches or violations of data subject rights can damage the company’s reputation, erode customer trust & lead to the loss of business opportunities. 

GDPR provides individuals with the right to seek legal remedies & bring claims against organisations for violations of their data protection rights. This includes the right to compensation for damages suffered as a result of non-compliance. Data protection authorities in the EU have enforcement powers, including conducting investigations, imposing fines & issuing corrective measures.

Conclusion

Navigating GDPR can be complex, especially for Indian companies operating in a global context. Seeking legal guidance from experts in data protection & privacy is crucial to ensure compliance & effectively address the unique challenges faced. Adopting a privacy-focused approach that aligns with GDPR’s principles not only helps meet legal obligations but also fosters a culture of data protection & builds trust among customers & partners. The following five (5) points summarise the basic requirements for complying with the EU GDPR.

  1. Evaluate if your company falls under GDPR jurisdiction based on targeting EU individuals or monitoring their behaviour. 
  2. Appoint a representative in the EU if necessary. 
  3. Review data transfer mechanisms & adequacy decisions when transferring personal data to third countries. 
  4. Ensure compliance with GDPR principles & data subject rights. 
  5. Implement data protection measures & security controls to safeguard personal data. 

FAQs:

What are the major impacts of the GDPR?

The major impacts of GDPR include strengthened data protection rights for individuals, stricter consent requirements, increased accountability & compliance obligations for organisations, mandatory data breach notifications & higher penalties for non-compliance.

What is the perspective of GDPR in India?

The perspective of GDPR in India is mixed, with some organisations embracing it as a standard for data protection & privacy, while others face challenges in understanding & implementing its requirements.

What is the impact of data protection laws on business in India?

Data protection laws in India have a significant impact on businesses as they require organisations to adopt robust data protection measures, obtain valid consent & comply with individuals’ data rights, while non-compliance can lead to penalties & reputational damage.

How does GDPR apply to Indian companies?

GDPR applies to Indian companies if they target EU individuals or monitor their behaviour & such companies may need to evaluate their data processing activities, implement appropriate safeguards for data transfers & comply with GDPR principles & data subject rights.
