General Data Protection Regulation (GDPR): A Comprehensive Overview
Introduction
The General Data Protection Regulation (GDPR) came into effect on May 25, 2018, replacing the outdated EU Data Protection Directive 95/46/EC. GDPR regulates data protection and privacy for individuals in the European Union (EU) and the European Economic Area (EEA). It enhances individuals’ control over their personal data and imposes strict requirements on businesses handling such data. The law applies not only to EU-based organizations but also to businesses outside the EU that process EU citizens’ data.
Coverage and Application of GDPR
What Does GDPR Govern?
GDPR applies to Data Controllers (entities determining the purpose of data processing) and Data Processors (entities processing data on behalf of controllers). The regulation covers the processing of personal data, which includes:
- Name, home address, email address
- Identification numbers
- Location data and IP addresses
- Cookies and advertising identifiers
- Medical and biometric information
GDPR applies in the following scenarios:
- EU-Based Businesses: If a data controller or processor is established in the EU, GDPR applies regardless of where the processing takes place.
- Non-EU Businesses Handling EU Data: If a company offers goods or services to individuals in the EU or monitors their behavior, GDPR applies.
- Indicators of GDPR Applicability:
  - Use of EU languages on websites
  - Targeted advertisements to EU residents
  - Pricing in EU currency
  - Domain names with EU references
Exemptions from GDPR
GDPR does not apply in the following cases:
- Businesses providing services outside the EU to non-EU residents
- Small and medium enterprises (SMEs) processing personal data without posing a high risk
- Legal entity data (non-personal data)
- Personal use of data with no professional connection
- Deceased persons’ data
- National security or law enforcement activities
- Judicial processing to safeguard judicial independence
Obligations and Liabilities of Companies
Key Obligations of Companies
- Establishing an EU Representative: Non-EU companies processing EU citizens’ data must appoint a legal or natural representative within the EU.
- Appointment of a Data Protection Officer (DPO):
  - Mandatory for:
    - Public authorities (excluding courts)
    - Organizations conducting large-scale monitoring of data subjects
    - Businesses processing sensitive data (racial, political, religious, biometric, health, criminal records, etc.)
- Rights of Data Subjects:
  - Right to transparent information (Art. 12)
  - Right to access personal data (Art. 15)
  - Right to rectification (Art. 16)
  - Right to erasure (‘Right to be forgotten’) (Art. 17)
  - Right to data portability (Art. 20)
  - Right to object to data processing (Art. 21)
  - Rights relating to automated decision-making and profiling (Art. 22)
Liabilities for Non-Compliance
GDPR imposes two levels of fines:
- Category A Fines (Administrative Failures):
  - Fines up to €10 million or 2% of annual global turnover
  - Examples:
    - Failure to conduct Privacy Impact Assessments
    - Lack of a Data Protection Officer
    - Inadequate breach notifications
- Category B Fines (Major Violations):
  - Fines up to €20 million or 4% of annual global turnover
  - Examples:
    - Unlawful data processing
    - Violation of data subjects’ rights
    - Unauthorized data sharing
Comparison: GDPR vs. Previous Data Protection Directive 95/46/EC
| Feature | Data Protection Directive 95/46/EC | GDPR |
|---|---|---|
| Legal Status | Non-binding Directive | Uniform, binding Regulation |
| Definition of Personal Data | Varied by Member State | Unified and stricter definition |
| Global Impact | Limited to the EU | Applies globally to businesses handling EU data |
| Fines for Non-Compliance | Low or no financial penalties | Up to 4% of global turnover |
| Focus | General data protection | Stronger emphasis on individual rights |
| Responsibility | Controller-only | Controller and Processor jointly liable |
Impact of GDPR on Indian Companies
Indian businesses need GDPR compliance if they:
- Operate in the EU
- Have third-party partners in the EU
- Serve EU customers
Failure to comply may result in penalties. However, compliance can be an opportunity to build trust and expand in global markets.
Impact on Key Sectors
- IT & BPO Sector:
  - The EU is a major market for Indian IT services.
  - GDPR compliance may create business opportunities but requires investment in data protection measures.
- E-Commerce:
  - Companies must analyze data collection processes.
  - Ensure data retention policies comply with GDPR.
  - Appoint Data Protection Officers and conduct Data Protection Impact Assessments (DPIAs).
Steps for GDPR Compliance
1. Updating Privacy Policies
   - Companies must explicitly disclose data collection and processing policies.
   - Users must be informed how their data is used, shared, and stored.
2. Educating and Training Staff
   - Employees must understand GDPR requirements.
   - Businesses should redesign data acquisition, processing, and retention policies.
3. Implementing a Consent Framework
   - Consent must be:
     - Freely given
     - Specific to each purpose
     - Unambiguous and informed
   - Requests for consent must be clear and distinguishable.
4. Reporting Data Breaches
   - Mandatory reporting within 72 hours of a breach.
   - Encrypted data breaches may be exempt.
Right to Be Forgotten
Under Article 17, individuals can request the deletion of their personal data if:
- The data is no longer necessary.
- Consent is withdrawn.
- The data was processed unlawfully.
- Legal obligations require deletion.
Companies must erase such data and inform third parties so that they remove linked information.
GDPR’s Influence on Indian Data Protection Laws
India’s current data protection framework relies on:
- IT Act, 2000
- SPDI Rules, 2011
- Aadhaar (Data Security) Regulations, 2016
The Justice B. N. Srikrishna Committee has recommended a Data Protection Bill aligning with GDPR principles, including:
- Stronger data privacy laws
- User rights enhancement
- Consent-based data processing
- Inclusion of ‘Right to be Forgotten’
GDPR has revolutionized data privacy, affecting businesses globally, including Indian companies handling EU citizens’ data. Compliance is crucial to avoid penalties and build consumer trust. GDPR also influences India’s evolving data protection laws, potentially leading to stronger privacy regulations. While challenges exist, GDPR presents an opportunity for businesses to enhance data security and improve transparency in a rapidly digitalizing world.