GDPR: The General Data Protection Regulation and its impact on Indian business contracts
Introduction:
The General Data Protection Regulation [2016] (hereinafter referred to as 'GDPR') is a landmark data protection law enacted by the European Union (hereinafter referred to as 'EU') with a view to protecting the rights of individuals within the Union. The law was adopted by the EU member states in 2016 but took effect only in May 2018. By adopting the GDPR, the EU has taken a significant step forward with respect to data protection and privacy rights in this modern day and age, keeping pace with technological developments. The GDPR [2016] has superseded the Data Protection Directive [1995], which previously regulated the processing of personal data of EU citizens and protected their privacy rights. It is important to understand that the erstwhile data protection law, i.e. the Data Protection Directive [1995], was only a 'directive', which meant that it could be interpreted and implemented differently by each of the 28 EU nations. The GDPR, however, is a 'regulation', which will be uniformly applied across all the nations by a single authority: the Data Protection Authority. Through the course of this article, several aspects of the GDPR, the changes brought about by it and its overwhelming impact on Indian businesses will be analyzed.
Some features of the GDPR:
1. Wider scope
The EU has incorporated several aspects of data protection, privacy laws and security measures into the GDPR with a view to increasing its scope. The primary reason for doing so was to impose data protection obligations on a wider set of companies and to ensure compliance. The EU has expanded the scope of the data protection law in many ways:
- Even companies operating outside the EU are now obligated to comply with the GDPR so long as their users/customers reside within the EU.
- Companies are bound by the GDPR even if they only collect data inside the EU but process it outside the geographical boundary of the EU.
The regulation defines data controllers as organizations which 'acquire' data from EU citizens first hand. On the other hand, data processors are defined as those who manage, modify, store, or analyse that data for or on behalf of the data controllers. Under the GDPR, both data controllers and data processors are jointly responsible for compliance with the rules thereunder. They are also equally liable for non-compliance and breaches. This means that an organisation cannot escape liability under the GDPR by outsourcing data processing and analysis, as all parties are jointly liable under the new regulation.
2. Privacy by design
Companies collect personal data from their customers/users for various purposes. However, the privacy by design feature of the GDPR lays down that only data which is absolutely necessary for providing the said service may be collected. The purpose for which the data is collected must also be conveyed to the individuals.
3. Data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
4. Right to be forgotten
Companies which collect personal data of individuals now cannot retain it for an indefinite period of time. The individuals who permit companies to collect their data now have the right to be forgotten, which means that at the request of the individuals, the companies must delete the respective information. This is also called the individual's 'right to be forgotten' from any and all information databases. However, there are two exceptions to this right:
a) It will not apply to information which there is a legal requirement to keep, such as medical records; and
b) It is also a personal right to forget, distinct from the third party Right to be Forgotten, where individuals can request that outdated or undesirable information about them be removed from search engines.
In the aforementioned circumstances, the Right to be Forgotten does not apply.
6. Limits on the use of profiling
Often, personal data is automatically used to assess and analyse personal choices, predict a person's performance at work, taste in clothes, economic situation, health, location, behaviour, etc. Under the GDPR, profiling will be allowed with the consent of the person concerned, where permitted by law, or when needed to pursue a contract, and it requires human intervention.
7. One-stop solution
It is no surprise that companies now have to spend millions of dollars on compliance costs and security measures in order to comply with the new data protection law. Huge amounts of money will also have to be spent on technology in order to prevent data breaches and hacks and keep information safe. However, in the long run it could turn out to be hugely beneficial for businesses, as they will have to deal with only one regulatory body rather than 28 (the EU comprises 28 nations), making it simpler and cheaper for companies to do business in the EU.
8. Data Protection Officers
Some companies might have to appoint a specific person, a Data Protection Officer, and assign all the responsibilities with respect to data protection to him. He must be extremely skilled in the disciplines of IT, law, security, communication and management. The appointment of data protection officers will depend on the type of organization and the sensitivity of the data processed. It is likely that the GDPR will make it mandatory for the organizations mentioned below to appoint data protection officers:
- Public authorities.
- Organisations involved in high-risk processing.
- Organisations processing special categories of data.
9. Penalties and fines
The Data Protection Directive [1995] lacked strict enforcement mechanisms. Penalties and fines for non-compliance were not significant. However, the GDPR has adopted a more stringent approach by bringing in strict enforcement mechanisms and imposing hefty penalties for non-compliance. Companies are now obligated to report any data breach to the Data Protection Authority within 72 hours. Fines of up to 20 million euros or 4% of the company's global annual turnover (whichever is higher) can be imposed on companies for non-compliance with the law.
Impact on Indian businesses and their contracts:
Europe is estimated to be a $45-billion potential outsourcing opportunity for Indian technology vendors. Data processing services which are outsourced to India in the fields of banking, insurance, health care, retail and other sectors, will require GDPR compliance.
One of the fundamental changes brought about by the GDPR is the requirement to demonstrate compliance: it will not suffice for a company merely to comply with the GDPR; it must also be able to demonstrate how it is complying with the regulations and what methods are adopted in pursuance of the same.
Indian businesses now need to ensure that their commercial contracts are GDPR compliant, and this is a key part of this process. For example, a data controller has 72 hours to report relevant data breaches; therefore every contract with a data processor should include this obligation, so that the controller is well equipped to deal with a data breach as quickly as possible. However, contracts that were drafted between processors and controllers under the erstwhile data protection law might not include such an obligation. Therefore, Indian businesses need to amend their contracts so as to include such a provision.
Additionally, it is evident that the GDPR has empowered individuals with various rights, including the right to be forgotten, the right to restrict processing, data portability and rectification. Therefore, data controllers need to be sure that their contracts with third parties and data processors include clauses which obligate the parties to equip themselves technologically and organisationally to meet these newly incurred obligations.
As mentioned earlier, data processors and data controllers are treated on an equal footing, which means that both parties are equally liable in case of any breach/non-compliance. Therefore, having a GDPR compliant commercial contract is imperative for organisations engaging third parties. For instance, Article 28 lays down certain essential elements that must exist in a contract between a data controller and a data processor. It states that the data processor:
- will only process data based on the instructions of the controller;
- will ensure the persons authorised to process personal data have committed themselves to confidentiality;
- will take all required security measures under the GDPR;
- will assist the controller in ensuring compliance with their obligations under the GDPR (this would include keeping a record of the purposes of the processing, the categories of the personal data, the period for which the personal data will be stored, etc.).
Conclusion:
Therefore, not only does Article 28 convey that data controllers and data processors are jointly liable, but it has also mandated that data controllers must now incorporate the aforementioned elements into their contracts so as to ensure that their vendors, third party companies and data processors are legally and contractually bound by these obligations. By doing so, the data processors will facilitate the equal imposition of liability on all parties concerned. The legislative intent behind Article 28 was to bring about more accountability and transparency in the system with respect to data processing, analysis and storage.